Download to read offline
Uploaded byAdrian Sanabria
451 AppSense Webinar - Why blame the user?
The document critiques the tendency to blame users for security breaches, advocating instead for understanding their needs and behaviors. It discusses the failures of app whitelisting and network access control due to their complexities and user confusion, emphasizing the importance of user-friendly security measures. The key takeaway is that a balance must be struck between security and user autonomy to foster a productive environment.
More Related Content
Similar to 451 AppSense Webinar - Why blame the user?
![[Austria] Security by Design](https://cdn.slidesharecdn.com/ss_thumbnails/lvsecurityprivacy03securitybydesignen-151030083405-lva1-app6891-thumbnail.jpg?width=640&height=640&fit=bounds)
451 AppSense Webinar - Why blame the user?
- 1. Why blame theuser? 1
- 2. Confusing the victimand the problem “Users will click anything!” “Users are careless!” “Users are the weak link!”
- 3.
- 4. If already youknow what can and will go wrong... 4 …what’s the next logical step?
- 5. Kneejerk response: punishthem “Take away their access” “Remove their rights” “Lock them down”
- 6. Kneejerk response: results •Death by Exception • Support Fatigue Removing admin rights • Death by Exception • Support Fatigue App Whitelisting • Implementation complexity • IncompatibilityNAC 6
- 7.
- 8. App Whitelisting 2011: “By2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.” 8
- 9. App Whitelisting What wentwrong? • Static lists • Manual maintenance • Death by exception • Users = snowflakes App whitelisting exception creep: do your profiles end up looking like this? • Basic CC user • Basic CC user + MS Office • Basic CC user + MS Office + Skype • Basic CC user + MS Office + Skype – No Lync • Basic CC user + MS Office + Skype, Grande, No Whip, Half Caff… 9
- 10. Network Access Control:NAC 10
- 11. Network Access Control Whatwent wrong? • Too much complexity • Too many standards • Integration/Implementation Nightmares • Confused everyone 11
- 12.
- 13.
- 14. Phoenix impressions: whitelistingis back “There are no bad ideas in security, just bad implementations” “A pessimist sees the difficulty in every opportunity. An optimist sees the opportunity in every difficulty.” 14
- 15. Understand your users Findempathy Let the healing begin 15
- 16. Respect the painthreshold 16
- 17. First do noharm: the security UI/UX impact scale Best • Be invisible – completely transparent to the user Better • Visible, but zero impact to the user Okay • Minor changes to user’s workflow are necessary Failure • Emails arrive with subjects like “I can’t do my job” 17
- 18. What’s better thanbest? 18
- 19. Adrian’s rules foruser-facing security 1. Don’t break the workflow 2. Don’t mess with the browser 3. Security must move with the user 4. Give the user more choices, not less 5. Simplify workflow; reduce complexity 6. Minimize static dependencies 7. Educate, empower and involve users 19
- 20. Beyond not disruptingthe business • Security ROI: more than just the cost of doing business? • Deputizing users • Trusting the user 20
- 21. What does itmean to trust the user? 21
- 22. What does “trust”mean in this context? First, we need to adopt a term from the startup industry: MVP Minimum Viable Product Drawing and concept by Henrik Kniberg http://blog.crisp.se/2016/01/25/henrikkniberg/making-sense-of-mvp
- 23. MVS security example… 23 Security?Huh? Native VPN Client Native VPN client, native firewall, Windows Defender Native VPN client, native firewall, Windows Defender, Windows Bitlocker, UAC A usable version of Vista
- 24. Users need aMinimum Safe Environment So “Trust” in this context is the minimum safe environment necessary for the average user to be able to do their job safely. We need to make it difficult for them to make critical security mistakes without making it difficult for them to do their job.
- 25. Don’t confuse “Trust”with the other extreme • Giving choices doesn’t mean no control • What does it mean to trust users • Allowing users to install applications doesn’t mean giving local admin • Users may enjoy freedom, but will still expect protection 25
- 26. Lessons Learned • Whenyou layer security/defense, compromise is easier • Good security doesn’t mean going to extremes • Lock controls down too tight and user will go around • Shadow business users for a few days • learn their jobs • understand needs and constraints • appreciate the impact of trying to use a heavily restricted system 26
Editor's Notes
- #3 Blaming the user won’t get you anywhere. Sure, you can train them, but they’ll still be a weak point. Instead of blaming them, how about designing for them or even helping them?
- #4 Anyone know this acronym? Want to drop it in the comments for the others? Have you ever used it in trouble ticket notes? We’ve all poked fun at users because we needed to blow off some steam and frustration. Seriously though, you still have a problem to deal with, and blaming the user won’t get you any closer to solving it.
- #5 Blaming the user is missing the issue It isn’t users’ fault the tools provided to them are vulnerable and fragile. The user isn’t expected to be a security expert. We can’t fix this problem by training the user. Not entirely. The moment you get done training one batch of employees, some of them have left and you have new ones. I believe training the user can help, but security awareness is just one imperfect layer of defense. You need more layers.
- #6 Of course, the kneejerk response is to lock down users and take away access. None of this has really been very effective over the years. People are still looking for a solution.
- #7 Okay, everyone’s locked down. We’re secure, right? Nope – helpdesk email and phones are blowing up – no one can get their job done.
- #10 It all added up to an unmanageable mess. But it isn’t gone, what happened to it? Most of the original app control vendors found a niche in locking down environments that don’t change often: PCs in healthcare and retail, especially. This software has also been successfully used as an alternative to running anti-virus, which is handy when you have a system not connected to the Internet, and the auditor expects it to be up-to-date on AV signatures. A few others, like AppSense continued looking for a way to make app control work for the broader user base outside the niches.
- #11 Look at the dates here! NAC was dead, and people
- #13 We’re driving users nuts. Users are punished, and must suffer through our attempts to make the company “safer” by removing the “threat” they present. Who really suffered through all these failed security trends? How do we fix this?
- #14 NAC and App Control are back, with better implementation, manageability and user experiences. Whitelisting is back! Find a reference to someone/something to be back. Mobile was able to design for these issues – that’s why there really isn’t a demand for mobile ant—malware – these things aren’t set up where you can make an easy mistake with a malicious executable.
- #17 Understand your users. Understand their workflows. Understand their jobs. How much of a delay starts to cause a problem? Know where the security/productivity balance tips.
- #18 Aim for Zero (best). Users have a pretty low pain threshold for anything that makes their jobs harder.
- #19 There’s actually a level above “Best” called “Unicorn”. That’s where security not only avoids impacting the user, it actually helps them while making them secure. Security products that create non-security ROI deserve the title of unicorns. To avoid confusing these unicorns with startups that have >$1bn valuations, is there a better term we could use? Use the previous slide, but have a unicorn breaking out the top!
- #20 #3 – in other words, if the security solution only works on the corporate network and 40% of your employee computing assets leave the corporate office every day… you’ve got a problem. #4 – SaaS apps; mobile or laptop; configurations; mac or pc, etc
- #21 Where does this slide go? Talk about ROI potential & examples Deputizing users – if you see something say something; users as sensors New application Control tools create a partnership through enough granular control to empower both sides. Make the user a sensor Make users your first line of defense Why wouldn’t you want your users working for you? Trust and partner with users incorporate user responses into decisions users can be part of the security workflow – users as threat sensors, etc. Self-service opportunities
- #23 So how do we apply this to security? Unfortunately, security is nearly always deemed unnecessary for an MVP, and often still doesn’t exist in mature, polished products. That’s why a considerable chunk of the security industry exists – to address these gaps.
- #25 Short of completely reckless behavior, users should be able to do their jobs without worrying about losing data or getting hacked. In other words, we need visibility into what they’re doing and we need to make it difficult for them to mess up without making it difficult to do their job.
- #26 Giving choices doesn’t mean you don’t monitor or have ability to control Allowing users to install applications doesn’t mean giving local admin Sure, users will enjoy the freedom, but will still expect protection… and they’ll blame you! MC Escher sketch represents chaos and order Really go into the trust but verify and what it means to trust users, but also keep an eye on them
- #27 Put yourself in their shoes. Have YOU tried to do their job with whatever crazy security restrictions you put in place???