CyberSecurity: Ignorance is not an Excuse

Broadcast and recorded live from the NASDAQ Studios in San Francisco
11:30am - 12:30pm PT on Tuesday, February 14, 2017


Moderator: Sean Martin
Editor in Chief, ITSPmagazine


Jeremiah Grossman
Chief of Security Strategy, SentinelOne


Ian Glazer
Chairman, ID Professionals Working Group, Kantara Initiative

Uma Karmarkar
Decision Neuroscientist | Assistant Professor at Harvard Business School


Michael Landewe
Co-Founder, Avanan Cloud Security

We live in a society where we have to place warnings on cups that the coffee you’ve just knowingly purchased is hot, yet we hand out smartphones to kids like they’re candy without understanding the risks that these devices pose to our safety. We’ve become so dependent on digital technology that we don’t stop to consider the consequence of our choices.

A Black Hat survey showed that 28% of people felt that the weakest link in enterprise IT defenses was "end users who violate security policy and are too easily fooled by social engineering attacks.” Whether laziness, optimism or naiveté, it’s in our nature to trust - even when it puts us, our company or society in danger.

Trust is inherently a human character - we yearn to belong and trust. This panel explores the role of trust in cyber security, in defense and in our everyday lives. Can human be taught to make good decisions with security consequences given our desire to trust? Can we conceptualize trust into machine processable information so that machines can make better decisions on behalf of humans? Can we develop security and defense solutions that work on partial and uncertain information but still protect us in the face of uncertainty? 

We will also explore how the concept of identity plays into trust. Do certain aspects of identities deliver more trust than others? And can we associate assurance level with fine-grained aspects of identity data so that we can more dependable trust decisions? 

All these and more will be explored by our panelists, including a security researcher, an identity expert, a neuro-behavior expert, and a solution provider.


Question: I think a major contributor to this is the lack of IT security education at elementary schools. It is a huge gap that I think contributes to the lack of security awareness that people have. Do you agree and if so, what can we do to add this to the curriculum?

Grossman: Of course more and earlier awareness about computer security privacy is always a good idea, particularly in elementary schools where we’re preparing young minds to prosper in a fast change and complicated world. 

In my experience in speaking with educators, at every grade-level, one of their major challenges is curriculum load. To add new subject matter to the curriculum requires something be removed and getting agreement there is extremely difficult, as is navigating regulatory controls. Additionally, educators themselves must be proficient in the subject matter before teaching, which is an obvious precondition to introducing computer security and privacy content. For me, that’s where I’ve been focusing time lately. 



Question: Moving the focus from the user - what is the panels view on educating designer / developers earlier? To ensure they reduce the risks and vulnerabilities in the systems and the code? Does the panel have a view on how to provide incentives to start-ups and young designers to design in security up front?

Karmarkar: In many domains, there has already been a shift from product-based design to user-based design.  While that’s often framed as offering better interfaces, or designing a product that can address a specific user problem, a more broad version might be to think of designing a product that meets a user’s overall needs.  I certainly think that it would be beneficial to have developers start with this more integrated vision.  Providing incentives for this to happen is a complicated question, since it requires either firms or the market to actively recognize the additional value that this approach can offer.  However, it may be that the current climate is one where people are aware enough of security issues that it is possible to communicate that value more easily.



Question: As a long term and a interim term solution, would fixing the internet and strengthening internet protocols not help with IOT security. The Internet and transport protocol as common to all IOT implementations and universal improvement may help alleviate some of the issues. What is your view?

Rios: This is an interesting question. I agree that TCP/IP is a very common denominator in IoT implementations. I also agree that universal improvement in common protocols can help alleviate some issues (ex. DDOS). With that said, most of the issues I’ve encountered within IoT are at the application level. Mirai, for example, took advantage of default/hardcoded credentials within IoT devices. Vulnerabilities like default/hardcoded credentials have little to do with the networking protocols in use and more to do with secure development/deployment practices. The networking protocols just make it so these vulnerabilities are now remotely accessible, and in many cases, accessible across the Internet. Once the device is compromised, preventing the abuse of built in protocols becomes more difficult by orders of magnitude. So while improving our underlying networking protocols is a great thing, I don’t believe it’ll fundamentally change the landscape of IoT vulnerabilities or exploitation.