451 AppSense Webinar - Why blame the user?

Page 1

Why blame the user?

Page 2

Confusing the victim and the problem

“Users will click anything!”

“Users are careless!”

“Users are the weak link!”

Page 3

PEBKAC (Problem Exists Between Keyboard And Chair)

Page 4

If you already know what can and will go wrong... what’s the next logical step?

Page 5

Kneejerk response: punish them

“Take away their access”

“Remove their rights”

“Lock them down”

Page 6

Kneejerk response: results

Removing admin rights
• Death by Exception
• Support Fatigue

App Whitelisting
• Death by Exception
• Support Fatigue

NAC
• Implementation complexity
• Incompatibility

Page 7

Learning from posterity

Page 8

App Whitelisting

2011: “By 2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.”

Page 9

App Whitelisting

What went wrong?

• Static lists
• Manual maintenance
• Death by exception
• Users = snowflakes

App whitelisting exception creep: do your profiles end up looking like this?

• Basic CC user
• Basic CC user + MS Office
• Basic CC user + MS Office + Skype
• Basic CC user + MS Office + Skype – No Lync
• Basic CC user + MS Office + Skype, Grande, No Whip, Half Caff…
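As an added illustration of the exception creep described on this slide (this code is not from the webinar or from AppSense), the Python below replays the same constructed execution events through two allowlisting styles: a static per-user list of executable paths, where every new legitimate program raises a ticket and forks that user's profile, and a rule set that decides from signer and install location with a default deny. The users, paths, publisher names and the `legitimate` flag are all made up for the example; `legitimate` is the ground truth used to count the helpdesk tickets each style would have generated.

```python
"""
Added example (not from the webinar): measuring whitelist exception creep.

STATIC keeps an explicit per-user list of executable paths, so every
legitimate program not yet on a user's list raises a support ticket and
forks that user's profile ("Basic CC user + MS Office + Skype ...").
RULES decides from a few publisher/location rules plus a default deny, so
new signed software in a protected directory needs no ticket at all.
All users, paths and publishers below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ExecEvent:
    user: str
    path: str
    publisher: Optional[str]  # Authenticode signer subject, None if unsigned
    legitimate: bool          # constructed ground truth: a real business need?


BASE_APP = r"C:\Program Files\CallCenter\cc.exe"

# Constructed events: three users sharing one base app, diverging needs, and
# one unsigned binary in a user-writable folder (the case an allowlist is for).
EVENTS = [
    ExecEvent("alice", BASE_APP, "CN=CallCenter Inc", True),
    ExecEvent("alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE", "CN=Microsoft Corporation", True),
    ExecEvent("bob", BASE_APP, "CN=CallCenter Inc", True),
    ExecEvent("bob", r"C:\Program Files\Microsoft Office\WINWORD.EXE", "CN=Microsoft Corporation", True),
    ExecEvent("bob", r"C:\Program Files\Skype\Skype.exe", "CN=Skype Software Sarl", True),
    ExecEvent("carol", BASE_APP, "CN=CallCenter Inc", True),
    ExecEvent("carol", r"C:\Users\carol\Downloads\invoice.exe", None, False),
]


@dataclass
class Outcome:
    denied: list = field(default_factory=list)   # "user:path" of blocked events
    tickets: int = 0                              # legitimate events that were blocked
    profiles: set = field(default_factory=set)    # distinct policy variants in use


def replay_static(events) -> Outcome:
    """Static per-user path lists: each new legitimate need is a manual exception."""
    out = Outcome()
    profile = {}  # user -> frozenset of allowed lower-cased paths
    for ev in events:
        allowed = profile.setdefault(ev.user, frozenset({BASE_APP.lower()}))
        if ev.path.lower() in allowed:
            continue
        out.denied.append(f"{ev.user}:{ev.path}")
        if ev.legitimate:
            # Helpdesk ticket; the "fix" is one more path, i.e. one more profile variant.
            out.tickets += 1
            profile[ev.user] = allowed | {ev.path.lower()}
    out.profiles = set(profile.values())
    return out


# Constructed trusted-signer set and the directories standard users cannot write to.
TRUSTED_PUBLISHERS = {"CN=CallCenter Inc", "CN=Microsoft Corporation", "CN=Skype Software Sarl"}
PROTECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def rule_allows(ev: ExecEvent) -> bool:
    """Allow only binaries signed by a trusted publisher AND located in a
    protected directory; anything else (unsigned, user-writable path) is denied."""
    p = ev.path.lower()
    in_protected_dir = any(p.startswith(d) for d in PROTECTED_DIRS)
    return in_protected_dir and ev.publisher in TRUSTED_PUBLISHERS


def replay_rules(events) -> Outcome:
    """Rule-based allowlist: one policy serves every user; only true misses cost a ticket."""
    out = Outcome()
    for ev in events:
        if not rule_allows(ev):
            out.denied.append(f"{ev.user}:{ev.path}")
            if ev.legitimate:
                out.tickets += 1
    out.profiles = {frozenset(TRUSTED_PUBLISHERS)}
    return out


if __name__ == "__main__":
    for name, replay in (("static", replay_static), ("rules", replay_rules)):
        o = replay(EVENTS)
        print(f"{name:6s} tickets={o.tickets} profiles={len(o.profiles)} denied={o.denied}")
```

Both styles block the unsigned download, which is the control's actual job; the difference is that the static list also blocks three legitimate programs and ends up with three profile variants for three users, while the rule set needs none. Rules still need maintenance (a revoked or abused signer must be removed from the trusted set), but that is one fleet-wide change rather than a ticket per user per application.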

Page 10

Network Access Control: NAC

Page 11

Network Access Control

What went wrong?

• Too much complexity
• Too many standards
• Integration/Implementation Nightmares
• Confused everyone

Page 12

Meanwhile…

Page 13

Phoenix impressions

Page 14

Phoenix impressions: whitelisting is back

“There are no bad ideas in security, just bad implementations”

“A pessimist sees the difficulty in every opportunity. An optimist sees the opportunity in every difficulty.”

Page 15

Understand your users

Find empathy

Let the healing begin

Page 16

Respect the pain threshold

Page 17

First do no harm: the security UI/UX impact scale

Best: Be invisible – completely transparent to the user
Better: Visible, but zero impact to the user
Okay: Minor changes to user’s workflow are necessary
Failure: Emails arrive with subjects like “I can’t do my job”

Page 18

What’s better than best?

Page 19

Adrian’s rules for user-facing security

1. Don’t break the workflow
2. Don’t mess with the browser
3. Security must move with the user
4. Give the user more choices, not less
5. Simplify workflow; reduce complexity
6. Minimize static dependencies
7. Educate, empower and involve users

Page 20

Beyond not disrupting the business

• Security ROI: more than just the cost of doing business?
• Deputizing users
• Trusting the user

Page 21

What does it mean to trust the user?

Page 22

What does “trust” mean in this context?

First, we need to adopt a term from the startup industry: MVP (Minimum Viable Product)

Drawing and concept by Henrik Kniberg http://blog.crisp.se/2016/01/25/henrikkniberg/making-sense-of-mvp

Page 23

MVS security example…

1. Security? Huh?
2. Native VPN client
3. Native VPN client, native firewall, Windows Defender
4. Native VPN client, native firewall, Windows Defender, Windows BitLocker, UAC
5. A usable version of Vista

Page 24

Users need a Minimum Safe Environment

So “Trust” in this context is the minimum safe environment necessary for the average user to be able to do their job safely.

We need to make it difficult for them to make critical security mistakes without making it difficult for them to do their job.

Page 25

Don’t confuse “Trust” with the other extreme

• Giving choices doesn’t mean no control
• What does it mean to trust users?
• Allowing users to install applications doesn’t mean giving local admin
• Users may enjoy freedom, but will still expect protection

Page 26

Lessons Learned

• When you layer security/defense, finding a compromise is easier
• Good security doesn’t mean going to extremes
• Lock controls down too tight and users will go around
• Shadow business users for a few days
  • learn their jobs
  • understand needs and constraints
  • appreciate the impact of trying to use a heavily restricted system