Users have the reputation of being the weakest link in cybersecurity, because of their potential to undo the most fortified cyber setup with an exposed password or absent-minded click in a phishing email. They’re the guy who forgets to lock one door in an otherwise secure building, or the kid who unwittingly reveals where the family keeps an emergency house key.
But while the track record indicates that some of this reputation is earned, the blame shouldn’t fall entirely on users’ shoulders, some security experts say. Policies and practices that start at the top play a part, too.
The intelligence community’s lead research arm is looking at its employees’ working environment, aiming to make computer users themselves more secure by using the cloud to deliver a more secure environment to them. The Intelligence Advanced Research Projects Activity–IARPA–recently launched a program called Virtuous User Environment, or VirtUE, to protect users against cloud-based security vulnerabilities by tapping into practices that can be shared via the cloud.
“The commercial cloud and the numerous innovative technologies that it is spawning offer computer security professionals the ability to recreate a user environment that is fundamentally more secure than current workstation and virtual desktop offerings, while still being accessible and affordable,” IARPA’s program manager Kerry Long said.
VirtUE’s plan is to allow organizations to instantly share their security environments as a way of efficiently protecting against phishing and other web-based attacks. Using the cloud for collaboration–and making any software and documentation developed under VirtUE available as open-source products–will lower engineering costs of applying security, IARPA said.
IARPA plans two phases for VirtUE, which will run through May 2019. In the first, it plans to develop an interactive User Computing Environment–UCE–that, while operating like current government user environments, will be a “more secure, capable sensor and defender in the cloud environment,” IARPA said. In the second phase, the program’s contractors will create new analytics and security controls that make use of the technologies developed in the first phase, ultimately giving users more dynamic detection and protection capabilities.
IARPA has hired teams led by Raytheon BBN, Siege Technologies, Star Labs, and Next Century to work on the program, with Johns Hopkins Applied Physics Laboratory acting as the test and evaluation advisor.
By focusing on the UCE, IARPA is addressing the fact that, for all the security training and education an organization provides, users are human, and mistakes will sometimes be made. It also recognizes that some of the responsibility for a user’s behavior starts higher up the chain. Ira Winkler, president of Secure Mentem and author of “Advanced Persistent Security,” has said that 80 percent of a successful phishing attack can be laid at the feet of poor security infrastructure, with only 20 percent of the blame going to user failure.
The user environments are also a factor. At last fall’s Infosecurity North America conference in Boston, Dr. Kelly Caine, director of the Humans and Technology Lab at Clemson University, told Tech Republic that the real weak links in security weren’t users so much as “executives, managers, system administrators, designers, and coders.” Caine said her research into human-centered computing found that usability, rather than being a bonus of a well-designed system, is essential to a secure system. “Every interaction trains users to behave securely or insecurely,” she said. “There is no middle ground.”
Providing users with a more secure environment could help prevent accidental breaches, while also letting organizations focus on the more pernicious insider threats. IBM’s 2016 Cyber Security Intelligence Index found that 60 percent of all corporate attacks were carried out by insiders, and that three-quarters of those were the result of malicious intent, with only one-quarter attributed to unintentional employee slip-ups.