Skip Navigation
BlackBerry Blog

Cybersecurity and Humans: 2 Solid Tips for Crossing that Great Divide

FEATURE / 06.12.19 / Pete Herzog

I was at a conference a couple months ago and this vendor tells me to come over and watch a demo of their security awareness training platform, it’s only two minutes long. And do you know why it’s only two minutes long? Because that’s exactly how long you can expect a security awareness training program to help keep your company secure.

There’s an idea that to be secure you need to have the right products installed and orchestrated with all the other products. And that’s absolutely right. But to do business, you need to be secured in a way that has nothing to do with your security products working in harmony with each other. They need to be working in harmony with your operations too. That’s why the Intrusion Prevention System (IPS) hasn’t done so well in the home market. You see, IPS is the positive name for it that they use in marketing to sell it to businesses. The name everyone at home uses for it is video stream ruiner.

And that, my friend, is the great divide between being a human being, a squishy unpleasant bag of liquid chemicals and hormones, and cybersecurity, a squishy, unpleasant bag of waiting for the worst to happen.

Why People Need Cybersecurity

People need cybersecurity to protect them from other people doing bad things and code programmed by people with bad intentions, all while doing their jobs the way they want to. Also, people say they need to circumvent cybersecurity to assure they can do their jobs the way they want to. Do you see the issue here?

It doesn’t matter if our security all works together in a perfectly SOAR way if we haven’t figured out how to harmonize with the people we’re protecting.

This goes further into not only are we neglecting the needs of the people because we’re conscripting them into our battles against the other bad people. But people are assets. They are a part of operations. They are not soldiers in the info wars. They are not trained to do that job and it’s not their primary job. Which is why the primary job of cybersecurity is to protect them and the operations they do.

Remember back when you were a kid and you wanted to be a pirate? Then when you told any adults, they told you that you couldn’t be because pirates are bad. They then put you into school where you had to learn stuff until you grew up and worked or had a family so that you were so busy trying to just have one damn minute to yourself that you never got around to being a pirate? Well, that’s how cybersecurity is built today. All these controls are put in place so you’re so busy jumping through controls to get stuff done that you don’t have time to be a pirate. And yet ironically, circumventing controls to get things done is kind of making you a pirate.

Cybersecurity should be about securing operations. Not changing operations so they can be secure. Not stopping operations which are insecure. Not forcing people into a life of piracy so they can get stuff done.

So here are two great tips for doing it right without the need for piracy or any kind of naval warfare.

Tip 1. Put in Controls, Not Products

You know what’s new in security? The name for something from ten years ago. Yes, the security industry likes to come up with new buzzwords to resell stuff that does the exact same thing. Some may call it simply an affinity for adverbs and buy into it anyway, but you wouldn’t know it because those people’s systems have already been turned into some bitcoin miner’s chattel.

Work around this by looking at what operational controls that security system or software provides for you. There’re just 12 operational controls so you can play mix and match like a school kid and still come out on top. The best thing is that having diverse operational controls across your network and protecting your systems brings you defense in width, a play on defense in depth where instead of having many different products with the same controls layered up you have a variety of them intertwined for increased effectiveness.

For example, if you need to know what’s coming in to your systems then don’t just buy a firewall, look for something that will provide identification and authentication of authorized packets. To some that may look like an Ivy League definition of a firewall, but if you look for something that brings you those three controls it greatly opens up your product search to include all sorts of solutions you may not have considered, and you may learn a few new buzzwords too. It also lets you find something that’s right for you.

So where you may have considered getting that $50,000 smart firewall to protect your intranet web servers you might opt for something much lighter like a combination of a screening router and a web application firewall for pocket change. Well, you’ll still need really big pockets, but you get the idea.

The point here is if you break down your operations into processes and think about which controls you need instead of which products you can afford, you’ll find ways to provide the protection you need without hampering operations. Like the small shop that wanted employees to use social networking, visit web boards, and do banking all on one system. There’s lots of behavior analysis software that’s all machine learned in machine school and stuff that I could have them sell a kidney and install. Instead, we locked the banking into a single, VM browser that does nothing else, the social networks in another, and everything else in a third. The main host ran a smart antivirus but with the use of cloud-based bookmarks, and we made sure the VMs could be chronically refreshed. Not a perfect solution, but perfect for them.

Tip 2. Plan for Employees as Operations, Not Security

You know what’s worse than that employee who clicks on a phishing link and loses you a few thousand dollars? Spending a few thousand dollars on training for an employee not to click on those things yet because it was a PDF from the contractor they get PDFs from every day - and they still cost you thousands when a fake one contains malware.

How about that employee who hosed your network because they brought in a USB key from home that contained the client report management needed so urgently today that you sent them home with it to work through the night. And it came back with a side-serving of malware.

Employees are not the weakest chain in the link. Because employees are NOT CHAIN LINKS. They’re the asset, not the security. That’s why they put first the whole “not getting fired for failing to do their job” thing. Second is security. No matter how much you spend on training for them, security will always be second. When they have to go to another interview and they’re asked why they left their last job, most people would rather say that they were fired for a security incident than because they suck at their job.

You know what else puts being an asset before being security? All your other assets. From the paperclips to the SQL server, each is optimized to do its job. So are people. So before you start throwing down security controls on them, ask them what they do online, what applications they access, what their routine looks like each day, and what they like to do on their breaks. Then secure their ability to do that. Because the nice thing about letting people do their jobs first is the value you get back for having them as assets in the first place. That’s the stuff that pays for those security products anyway.

Like the big financial company who made a draconian user contract to stop their employees from breaking security rules to do their jobs. Break the rules twice and you’re fired. Without stopping to wonder why the rules were getting broken, they decided enforcement was the only option. Then productivity slowed as some were afraid to do anything that might be considered breaking the rules, like how looking up how to solve a problem, which might be seen as “surfing web boards” which was forbidden in case of watering hole attacks.

But the bite-back didn’t stop there. The people who did get fired needed to be replaced and some had specific knowledge on how some things worked which didn’t get shared to the next person. Then the time to hire a replacement was essentially a self-imposed denial of service attack. So we had them back off the user contract and instead get to know their employees’ work processes. We then found ways to add controls, especially resilience, into those processes.

We let the employees do their jobs and we figured out how to secure them. Did it take more work for the security team? Yes. But we dropped security incidences to nearly nothing and didn’t lose business, or employees, because of it.

Security Isn’t Coloring by Numbers

Many university graduates clutching their cybersecurity degrees forgot to take their humanities classes on the way. What they know about people is that they are part of the problem. And they’re right. The typical user workstation is as infectious as the typical kindergarten classroom. You don’t even want to touch that thing without gloves. But what they didn’t learn is that addressing the people problem actually requires addressing the people. You can’t do that following cybersecurity best practices checklists. And people who make those checklists, do take note of that too.

The business depends on operations and while there’s some better security practices that employees should follow, learn to make that part of their operations instead of in contrary to them. 

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.