In-person conventions seem to be coming back this summer, which I guess means we need to revisit a security industry shibboleth. Go to any tech convention and you’re guaranteed to hear at least one speaker complain that “users are the weakest link in security.” The idea is that the most robust engineering solutions will inevitably be undone by a klutzy, ignorant, or indifferent worker. You can have the most secure network perimeter on earth, the thinking goes, but it’s all for naught when a bored user carelessly clicks a link in an obvious phishing email and opens the door wide to foreign ne’er-do-wells.
I get the idea. I also hate it. It’s insulting to users, and, more importantly, it misframes the problem.
To be clear, I don’t entirely disagree with it as stated. Humans can be the weakest component of any security program. That statement, though, misses the larger point: humans can be the weakest link in security while also being the strongest link at the same time … Human beings bring more capability to enterprise cybersecurity than any hardware solution, any software solution, and any managed service. Humans can be reckless and irresponsible, sure. No argument. They can also (I contend) be preternaturally insightful … able to perceive early indicators of compromise, make intuitive leaps, and suss out adversary action far better than any programmed system can.
As an example, I’d like to share an irritating story that my extended family still give me a hard time about. Twenty-five years ago, my in-laws sold their home in Arlington and moved to Fort Worth so my father-in-law could live a lot closer to his workplace. They found a cute house built in 1935 in a quiet, tree-lined neighbourhood near the historic Camp Bowie District.
As you’d expect, the original home had been extensively modified and added onto during its 60 years. What had originally looked like a number 6 from the air, by 1995 looked more like a 6 that had been crudely changed to an 8 via clumsy penmanship. Still, it was a pretty place inside and out. Then again, it still had cloth-sheathed copper electric runs, so it needed a bit of work.
Nonetheless, the in-laws were eager to modernize it. They put in new windows, upgraded the kitchen, installed broadband, painted everything, added a new detached garage … they put in tons of upgrades. They seemed to have fun doing it, too. Good for them.
They were so eager to show the place off in fact that they insisted I drop in to visit when I flew back to Fort Worth during our relocation from Wright-Patterson AFB. I couldn’t exactly say no; it’s important to maintain family relationships. I flew in on a Friday night, looked at flats all day Saturday, then dropped by the in-laws’ new place for dinner on Saturday night.
My in-laws were beaming throughout the tour. They proudly showed me all the improvements they’d already made and discussed the ones they were planning. I got to walk the entire floorplan. By the time we retired to the living room, I felt … uneasy. Something about the place bugged me but I couldn’t put my finger on why.
When I returned home the next day, my wife asked me what the new house looked like. I did my best to describe it to her. She asked me if I liked it and I said “no.”
Surprised, she asked me why. I said I couldn’t explain why I didn’t like it; something about it just put me off. The nearest analogy that I could muster was that it “felt haunted.”
My wife looked at me like I’d sprouted a unicorn horn and asked me if I thought it “really was haunted.”
“Of course not,” I said. “I didn’t say that it was haunted. You asked me why I didn’t like the place and that’s the nearest feeling I could think of that conveys the kind of creepy vibe it gives off. I felt like something was fundamentally wrong with the place.”
My wife thought my impression was hilarious. She passed the story on to her mother who passed it on to everyone else in the family. The next family meal we all had together after we moved back to Texas featured a parade of snide quips about my “belief in ghosts.” For the record, I did not stab anyone with a kitchen utensil (although the idea did cross my mind) (several times).
After several exchanges like this, I dragged my wife through the house after an extended family dinner so she could experience it for herself. Starting at the front door at the “top” of the number 6 shape, one entered directly into the living room. That room was separated from the dining room by a couch, not a wall; it was all one large space making up two thirds of the west side of the single-story structure. A door led to the kitchen, which took up the final third. From the bottom left of the number 6 shape, a very short hallway led east past a small bedroom to a corner bedroom that the in-laws had converted to a den. Then, turning north, was a small bathroom on the east side, then the entry to the owner’s bedroom with its private bath. That was the extent of the original house plan. Then, sometime in the distant past, someone had added a sunroom/studio in the empty space between the living room and the largest bedroom in the “gap” of the number 6 shape … completing the crude, retrofitted 8 shape it now possessed.
After walking the plan, I asked my wife directly if she could sense that something was wrong with the place. She said she couldn’t. So, I had her walk it again, counting steps this time. Again, she didn’t notice anything. Exasperated, I showed her how the interior of the house was markedly smaller than its exterior along its east-west axis. Only in the middle of the house, though; like a snail shell that still had some snail stuck in the deepest part of the inside of the spiral.
My wife didn’t believe me so the razzing continued for years … Right up until the in-laws decided to do some work renovating their owner’s suite bedroom closet and discovered an entire boarded up room in the centre of the house. It wasn’t a very large hidden space, but it was the entire “missing” interior volume that I’d unconsciously noticed in my first walk-through.
We never did figure out why the previous owners had boarded up an entire extra half bedroom’s worth of space and painted over the drywall. It wasn’t like the void held a corpse or a treasure chest or something appropriately cinematic. It was just an empty, unused, space. Very weird.
What’s important for this story is that I’d picked up on the fact that the room dimensions didn’t line up correctly. I’m guessing this was probably a result of the life-long overcompensation I’ve had to put in to mitigate my subpar depth perception. I’m slightly better attuned to room dimensions than my wife is because I’m more prone to run into walls and don’t much care for it. It wasn’t a matter of training or luck or professional experience. Nonetheless, I sussed out the existence of the problem and communicated it to the homeowners … who never did apologize for their years of harassment. Not that I expected them to; traditions must be obeyed, etc.
Why does this matter? Because all of your workers have similar odd talents and abilities to notice things that most other people won’t. Together, a workgroup has an astonishing capability to detect and respond to weird security threats based on the flickering fringe of their presence in or movement through your network. Someone, somewhere in your organisation is likely to notice a ridiculous pattern amidst the endless noise of daily work life and alert the security department to a potential new risk.
Much of this comes down to users’ lack of biases, preconceptions, and mental models about how technology works and how cybercriminals attack. Your non-technical users quickly pick up on changes in their environment. They might not understand why something changed, but they do notice. Seasoned technologists tend to rationalize away those same changes because they can think of many possible benign explanations for them.
That’s how I noticed the “missing” room in my in-laws’ new house. They were experts in construction and home renovation. I assume they rationalized the missing space as something to do with utilities or support beams or what-not. I, a soldier who knew more about blowing up structures than assembling them, twigged to the skewed dimensions at the intersection of three rooms and didn’t have an explanation for what might have caused it. This is how amateurs can sometimes identify anomalies that veterans mistakenly dismiss.
That only works, though, if your security department accepts and acts on the warning. For that to happen, your security staff must first accept that your people – including the non-technical ones – are a wonderful resource for anomaly detection … not just a mob of sullen, indifferent security risks, as the industry aphorism would suggest.
It also requires your people to be capable of communicating with folks who can’t directly articulate what they think might be wrong. Sure, a Tier 3 network engineer can intuitively identify an uncharacteristic traffic bottleneck as an indicator of compromise, whereas a paralegal might just notice a sudden, consistent error in her work processes. This doesn’t mean that we need to teach all of our people to become Tier 3 network engineers; it means we need to teach our Tier 3 network engineers and everyone else in the security department how to talk with regular users politely while keeping an open mind.
Pop Culture Allusion: Stephen King, The Shining (1977 horror classic)