
User Centric Security or 'Think like the User'


George Viegas, Chief Information Security Officer (CISO) and Privacy Champion, Chapman University
The term ‘think like a hacker’ has been used widely to describe the mindset required for penetration testing, among other things. The reasoning is that defenders think one way, and in order to really find the vulnerabilities in a system one has to think differently and adopt the mindset and tools of the attacker.
A good analogy is the physical equivalent, wherein the homeowner views security as ensuring that the front and back doors are locked, the windows are locked and the curtains are drawn. The burglar (hacker) looking at the same house, however, sees a glass door that can be easily broken, or a tree stump that can be used to vault to a second-floor door that may not be locked.
In like fashion, it is time to also ‘think like the user’. Think-like-the-user, or user-centric security, is the counterpoint to ‘think like a hacker’. If one can think like the user, one is better able to protect against the ‘think like a hacker’ threats. Typically an organization would pair think-like-a-hacker penetration testing with a user-centric defense designed to match it.
Phishing
It is common for the security professional to be exasperated by the end user’s inability to identify a phishing email. Wasn’t it obvious that the sender’s address was on a domain other than the company’s? If one thinks like the user, however, one realizes that a large number of users read email on mobile phones, where the screen real estate is much smaller than on a desktop. Some phone email clients show only the sender’s display name, which the attacker controls, and not the full email address. With this understanding it is much easier to see why the user fell for the phish. Understanding end-user usage patterns helps in designing preventative tools aimed at those patterns. For example, tagging every message that originates outside the organization (a visible marker such as ‘[EXTERNAL]’ prepended to the subject) gives the mobile user a warning that does not depend on seeing the sender’s address.
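The external-sender tag described above can be applied at the mail gateway, but the logic is simple enough to show end to end. The following is an added example written for this article, not code from the author or from any product; it assumes a hypothetical list of internal domains and a hypothetical directory of display names, and the two messages it parses are constructed samples. It tags external mail and, going one step beyond the paragraph, also flags the specific case a phone client hides: a display name that matches an internal person while the real address is external.

```python
"""Tag external email and flag display-name spoofing (added illustration)."""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed internal domains for a hypothetical organization (not from the article).
INTERNAL_DOMAINS = {"example.edu", "mail.example.edu"}

# Assumed directory of display names as a phone client would show them.
KNOWN_DISPLAY_NAMES = {"Jane Provost", "Accounts Payable"}

EXTERNAL_TAG = "[EXTERNAL]"


def sender_parts(msg: Message) -> tuple[str, str]:
    """Split the From header into (display_name, address); address is lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip(), addr.strip().lower()


def is_external(addr: str) -> bool:
    """An address is external unless its domain is exactly one of ours.

    Exact match, not a suffix check: 'example.edu.attacker.net' and
    'notexample.edu' must both count as external. A missing or malformed
    address is treated as external so the check fails closed.
    """
    if "@" not in addr:
        return True
    domain = addr.rsplit("@", 1)[1]
    return domain not in INTERNAL_DOMAINS


def looks_like_display_name_spoof(name: str, addr: str) -> bool:
    """True when the visible name matches a known internal person but the
    address is external: the exact mismatch a mobile client does not show."""
    return is_external(addr) and name in KNOWN_DISPLAY_NAMES


def tag_message(raw: str) -> tuple[str, list[str]]:
    """Parse a raw RFC 5322 message and return (new_subject, warnings).

    External mail gets EXTERNAL_TAG prepended to its subject (once); a
    display-name spoof additionally produces a warning for the user or SOC.
    """
    msg = message_from_string(raw)
    name, addr = sender_parts(msg)
    subject = msg.get("Subject", "")
    warnings: list[str] = []
    if is_external(addr):
        if not subject.startswith(EXTERNAL_TAG):
            subject = f"{EXTERNAL_TAG} {subject}".strip()
        if looks_like_display_name_spoof(name, addr):
            warnings.append(
                f"display name '{name}' matches an internal user but the address is {addr}"
            )
    return subject, warnings


# Constructed sample: external sender whose display name mimics an internal user.
SPOOFED = """From: Jane Provost <jane.provost@example-edu-mail.com>
To: staff@example.edu
Subject: Urgent: update your direct deposit

Please open the attached form today.
"""

# Constructed sample: a genuine internal message from the same person.
INTERNAL = """From: Jane Provost <jane.provost@example.edu>
To: staff@example.edu
Subject: Agenda for Monday

See attached.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, INTERNAL):
        subject, warnings = tag_message(raw)
        print(subject)
        for w in warnings:
            print("  WARNING:", w)
```

Two design points matter in practice. The domain comparison is an exact set lookup rather than `endswith`, because a suffix check is the classic way these filters are bypassed. And the spoof warning is deliberately separate from the tag: the tag is cheap and goes on everything external, while the name-match warning is the higher-confidence signal worth routing to the security team.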
End-user Training
Similar to the above example, a phishing training program built around the hover-over technique for desktop users will not be very effective if a majority of the phished users are on mobile, where there is no hover and the user must instead long-press the link to preview its destination. The training has to teach the technique in the form it takes on the devices users actually hold.
User-centric approaches can also identify the highest-risk targets in the organization. For example, the newest employees are the least likely to recognize the subtle differences in an email that distinguish a fraudulent request from a legitimate one. These users should be prioritized for special and early new-hire training.
‘Think like the business’
The think-like-the-user concept can be extended to ‘think like the business’. For example, when assessing the risk of wire fraud, the user-centric approach expands the high-risk area from the wire department alone to the related departments that feed it. Strengthening defenses around the wire department is good, but what if a phished third-party vendor sends a bank account change to the facilities department, which is taken in and then forwards the change request to the wire department? Is the wire department prepared for an internal customer who has been phished and is now attesting to the change?
Connecting the user to security
In the majority of incidents the time to detect is critical. The sooner the security or IT team is brought into an incident, the sooner the problem can be contained and fixed. Does the end user know how to recognize a security event? Does the end user know how to reach the security team? How does a security event get escalated to security from a remote part of the business? Is the end user comfortable reaching out to the security team for help?
To this end, the security team has to create a culture of awareness and understanding which again depends on letting the user know it is ok to connect with security. A successful phishing training campaign is most useful for this. Phishing training campaigns reach out to all parts of the organization and can be leveraged to inform users of how to connect to and work with the security team. Users can be sent consistent messaging about security resources such as a webpage with contact information or current security status.
In the security industry we often refer to the ‘human firewall’ as one of our layers of defense in a defense-in-depth strategy. To leverage this human firewall and maximize its effectiveness, however, one has to understand its weaknesses as well as its strengths. Thinking like the user enables the security team to provide the right tools and training to strengthen that defense, so that the human firewall can truly reach its full potential.
