Upcoming SlideShare
451 AppSense Webinar - Why blame the user?
- 1. Why blame the user? 1
- 2. Confusing the victim and the problem “Users will click anything!” “Users are careless!” “Users are the weak link!”
- 3. PEBKAC 3
- 4. If already you know what can and will go wrong... 4 …what’s the next logical step?
- 5. Kneejerk response: punish them “Take away their access” “Remove their rights” “Lock them down”
- 6. Kneejerk response: results • Death by Exception • Support Fatigue Removing admin rights • Death by Exception • Support Fatigue App Whitelisting • Implementation complexity • IncompatibilityNAC 6
- 7. Learning from posterity 7
- 8. App Whitelisting 2011: “By 2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.” 8
- 9. App Whitelisting What went wrong? • Static lists • Manual maintenance • Death by exception • Users = snowflakes App whitelisting exception creep: do your profiles end up looking like this? • Basic CC user • Basic CC user + MS Office • Basic CC user + MS Office + Skype • Basic CC user + MS Office + Skype – No Lync • Basic CC user + MS Office + Skype, Grande, No Whip, Half Caff… 9
- 10. Network Access Control: NAC 10
- 11. Network Access Control What went wrong? • Too much complexity • Too many standards • Integration/Implementation Nightmares • Confused everyone 11
- 12. Meanwhile… 12
- 13. Phoenix impressions 13
- 14. Phoenix impressions: whitelisting is back “There are no bad ideas in security, just bad implementations” “A pessimist sees the difficulty in every opportunity. An optimist sees the opportunity in every difficulty.” 14
- 15. Understand your users Find empathy Let the healing begin 15
- 16. Respect the pain threshold 16
- 17. First do no harm: the security UI/UX impact scale Best • Be invisible – completely transparent to the user Better • Visible, but zero impact to the user Okay • Minor changes to user’s workflow are necessary Failure • Emails arrive with subjects like “I can’t do my job” 17
- 18. What’s better than best? 18
- 19. Adrian’s rules for user-facing security 1. Don’t break the workflow 2. Don’t mess with the browser 3. Security must move with the user 4. Give the user more choices, not less 5. Simplify workflow; reduce complexity 6. Minimize static dependencies 7. Educate, empower and involve users 19
- 20. Beyond not disrupting the business • Security ROI: more than just the cost of doing business? • Deputizing users • Trusting the user 20
- 21. What does it mean to trust the user? 21
- 22. What does “trust” mean in this context? First, we need to adopt a term from the startup industry: MVP Minimum Viable Product Drawing and concept by Henrik Kniberg http://blog.crisp.se/2016/01/25/henrikkniberg/making-sense-of-mvp
- 23. MVS security example… 23 Security? Huh? Native VPN Client Native VPN client, native firewall, Windows Defender Native VPN client, native firewall, Windows Defender, Windows Bitlocker, UAC A usable version of Vista
- 24. Users need a Minimum Safe Environment So “Trust” in this context is the minimum safe environment necessary for the average user to be able to do their job safely. We need to make it difficult for them to make critical security mistakes without making it difficult for them to do their job.
- 25. Don’t confuse “Trust” with the other extreme • Giving choices doesn’t mean no control • What does it mean to trust users • Allowing users to install applications doesn’t mean giving local admin • Users may enjoy freedom, but will still expect protection 25
- 26. Lessons Learned • When you layer security/defense, compromise is easier • Good security doesn’t mean going to extremes • Lock controls down too tight and user will go around • Shadow business users for a few days • learn their jobs • understand needs and constraints • appreciate the impact of trying to use a heavily restricted system 26
Login to see the comments