As technical defenses become increasingly complex, threat actors frequently target the human element. That makes people a top attack vector, but are they actually the weak link in your defenses?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Christina Shannon, CIO, KIK Consumer Products.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our episode sponsor, SPHERE

By working with the IAM and PAM solutions organizations have in place, SPHEREboard automates discovery and remediation on an ongoing basis. Learn more at sphereco.com!
Full Transcript
[David Spark] With our increasingly complex and hardening technical defenses, the greatest variable is the human. This causes many security professionals to refer to people as the weakest link. But the reality is people are just the top attack vector. But it’s very hard for others to sympathize because when we do get hacked, their fallibility becomes so incredibly noticeable.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this great episode, it’s Geoff Belknap, the CISO of LinkedIn. Say hello, Geoff.
[Geoff Belknap] Hey, everybody. It’s me, Geoff, and definitely not a large language model that sounds like him.
[David Spark] Geoff, I said say hello, and then you said something completely different.
[Geoff Belknap] As a large language model, I’m not programmed to take commands from you, David.
[Christina Shannon] [Laughter]
[David Spark] But just moments ago, you said you were not a large language model. What is the truth?
[Geoff Belknap] Error! Error! Does not compute!
[David Spark] [Laughter] Hey! Our sponsor for today’s episode, a brand-new sponsor, so thrilled they joined us. It’s SPHERE, pioneering identity hygiene. It’s more than just sort of identity, it’s this whole concept of hygiene around identity. Anyway, we’re going to talk more about that later in the show.
But first, I want to talk about our topic here, Geoff. A lot of leaks and breaches can be chalked up to things like human error, but should humans be treated like the biggest security problem your organization faces? Lance Spitzner of SANS Institute posted an image on LinkedIn that said, “People are not the weakest link.
They are the primary attack vector.” Now, hundreds responded with support of this statement. Have we been treating humans wrong in our environment? Is the blame on security professionals for failing to design systems to set humans up for success? What say you, Geoff?
[Geoff Belknap] I have found it to be very true that humans are wonderful pattern matchers, and our natural instinct is to go, “Oh. Between these two things that are similar, the human element is the common link.” And we would very much like to make it easy to blame humans, and I can’t strongly agree with Lance enough.
Humans are not the problem, we are the victim. And we really in security have to build stronger and stronger systems to protect the humans and to eliminate them from the attack chain, and I think we are going to have a fantastic conversation about that today.
[David Spark] I am looking very much to that as well, and the guest that we have is someone I had dinner with in St. Petersburg – or I think it was actually Clearwater, Florida, which is right next to St. Petersburg, anyways – at the beginning of this year and thrilled that she can join us right now.
She was a CISO and now – and we were debating whether this is a downgrade or an upgrade – but she’s now a CIO. Given that she’s got the CISO creds, we said, “Please, come, join us.” It is the CIO of KIK Consumer Products, Christina Shannon. Christina, thank you so much for joining us.
[Christina Shannon] Thank you very much, David. Excited to be here.
Can there ever be agreement on this?
3:14.494
[David Spark] Calvin Nobles of Illinois Tech College of Computing said, “I disagree that people are not the weakest link.” Oh, listen to this. “We all have our weaknesses and limitations and that is what malicious actors are attacking. Pilots, doctors, engineers, and others make errors but unlike other domains, we consistently make the argument that people are not the weakest link.
Understanding human behavior in cybersecurity is gaining attention but it requires a comprehensive approach.” So, an interesting twist on this. Bob Fabien of the US Navy Reserve said, “I believe that humans can be the weakest link while at the same time be the primary attack vector. This is why I think security awareness training is crucial to help patch the human.
This is why I believe every organization should have training that is relevant, engaging, and interactive.” And lastly, Patrick Coomans of Trusthackers said, “What is the weakest link? I’m convinced it is top management, as they make or break positive learning cybersecurity culture.” So, some very interesting takes on what the definition of weakest link is.
Geoff, grab any one you like here.
[Geoff Belknap] Boy. This is a broad cross-section.
[David Spark] It’s a potpourri of weakest link’s definitions.
[Geoff Belknap] There’s a bunch of things to dig into here.
[David Spark] Oh, potpourri, excuse me.
[Geoff Belknap] The most important thing is, let’s just acknowledge upfront, and I think Christina would agree with me, that yes, educating humans is important, but I think the gist of this conversation is there’s a point of diminishing returns. You cannot educate a human or a set of humans at scale to the point where they will just no longer fall for phishing attacks, or they will just no longer make mistakes.
You just can’t perfectly educate someone. So, the reality is, and if I kind of dig into Calvin’s analogy here, doctors can make mistakes, sure. But illnesses are not targeting doctors to try to be successfully destructive to their human host. But in cybersecurity that is absolutely happening. People on my team get targeted to try to be compromised so that they can be successful in their attack, an adversary can be.
So, I think we have to keep in mind that if we’re down to a human mistake or a human’s weakness being the thing that gets an attacker in, we haven’t thought hard enough about the controls we need to build and the adversary’s approach to what we’re trying to protect.
[David Spark] Very good point. Christina, this whole angle, how do you define weakest link?
[Christina Shannon] I mean, I would say that the actual statement in itself, I don’t necessarily have a problem with the statement. I mean, for the last 15, 20 years whether it was Bruce or whether it was Kevin Mitnick, they’ve all been saying humans are the weakest link in the security chain. I think the interpretation and then the actions that are taken from that insight is what can be harmful to the organization and to humans.
It’s a little humorous but Patrick’s comment on, “What is the weakest link? I’m convinced it’s top management,” a little twist to that in terms of how I see it is that is probably if there is a human that is the weakest link, it’s probably that there are just some cultures and some industries that are really hard to get people to be open to what you got to do to protect your crown jewels and to maintain a good security posture.
But I think that the majority of people are trying to do the right thing, and I think that using the statement in a manner that if we’re firing the Help Desk guy for getting tricked on the password reset by a bad actor, I’m not sure that that’s the best action to take.
[David Spark] Yeah, I think the history of that phrase – people are the weakest link – comes with a level of this sort of culture of cybersecurity of, “We’re smarter than you, you stupid idiot, look what you did.” And I think we’re just trying to eradicate that attitude that came with that phrase when it was first introduced.
[Christina Shannon] I agree with that.
[Geoff Belknap] I think that’s true. I think the reality is like, look, security people fall for phishing attacks too, and we should absolutely know better. But every security person has a story to tell about the time they clicked on something they shouldn’t have or run something they didn’t or went to a website they knew they shouldn’t have gone to and made a mistake.
And I think that just proves the point that everybody can make these mistakes which means we shouldn’t depend on people making decisions as the only security control in place.
[Christina Shannon] And I loved your callout, I was just going to say, Geoff, on you build the ecosystem or basically you do security by design as the model, right, for the org. I completely agree.
Why are we blaming users?
8:05.967
[David Spark] Lance Spitzner of SANS Institute said, “Emphasizing people are the weakest link only blames the very people we are trying to help and enable.” Gary Frank of DerCon Ventures said, “Weakest link always gets C levels thinking how to bypass, secure, or weld restrictions onto the link instead of making the link molecularly stronger.” And Josiah Dykstra of National Security Agency said, “The weakest link idiom is insufficiently contested.
It’s disingenuous to presume that cybersecurity would be perfect if not for users.” That I think sums it up, [Laughter] and that’s the derision we heard when it was first introduced like, “Well, if we didn’t have users, this wouldn’t be a problem.” Well, you wouldn’t have cybersecurity if you didn’t have users and you’d be out of a job, right?
This weakest link term is just so loaded. It really is. Christina?
[Christina Shannon] Yeah. I mean, the weakest link term is really loaded, and I think that Gary Frank was spot on, right? I think that humans sometimes, we’re looking for an Easy button to solve a problem and then get back to our day job. And I think that the more we educate and help people understand that it’s about awareness and about culture and about how we get people to understand that the weakest link isn’t tied to a human, I think that is really what we should be doing versus looking to a person for root cause for a security incident.
[David Spark] This weakest link is I think a holdover from how the brand of the security team was first presented, and I feel that it’s been taking years if not decades to kind of eradicate this brand of security’s in its own little place and now they’re trying to sort of meld into the rest of the company.
And I think this is kind of the last thing that’s still hanging on. What do you think, Geoff?
[Geoff Belknap] That’s pretty insightful. In the early days, so to speak, and we’ll just assume that I mean two or three years ago, but in the early days, humans were really a weak link because everything you did to attack a human was novel, right? There was still plenty of people attacking systems and routers and back end infrastructure.
I think it is definitely a holdover from an earlier time, and we sort of have not fully retired it yet.
I also think there’s some positive in this. It’s a very positive sign that now humans are the weakest link. The fact that we’ve built, and granted, we haven’t fully deployed it everywhere yet, but now that we have stronger Auth, we have fantastic, very effective firewalls, we have smart endpoint detection technology that’s available, we have all kinds of deception technologies, we have all these things that make an adversary’s job very challenging.
So, now the adversary realizes that we’re doing such a good job on all these technical boundaries that you have to attack the human because that’s the only thing that can be reliably attacked today. And that really just means we’re doing a great job on a lot of these fronts; we could do better but we’re doing great.
Now the next thing for us to consider is how do we wrap protections around people and processes that aren’t computers, that can’t just be built with pattern recognition.
[David Spark] I think you made a really good point in that the humans weren’t I think the top attack vector many years ago. And I remember interviewing a hacker at BSides who was part of a hackathon, and he actually won, he was one of the big winners, and I asked him, “Well, what’s the difference between hacking now and 10 years ago?” and his big answer was, “The amount I know about you is so much more.” And I think the reason it wasn’t the weakest link is they just knew so little about their targets.
And now, I mean, what don’t they know? Christina?
[Christina Shannon] Well, having just a quick visit on LinkedIn or Facebook or any of the social media sites pretty much give you probably at least half the information a bad actor would need to know. I think that if you think about the world we live in today with creators and influencers, right, we’re trying to make the world more connected and more open but with that, right, it increases the human risk.
Geoff, I thought you made a really good point in terms of we’ve done a really great job addressing the computers and the networking risk, but it’s shifted to the human risk. And then that made me wonder, I wonder if the budgets are going to start shifting too. [Laughter] Right?
[Geoff Belknap] We’ll see, we’ll see.
[David Spark] One can hope.
Sponsor – SPHERE
13:01.942
[David Spark] I want to tell you before we go on any further, talk about SPHERE. And this is actually, the fact that we’re having this conversation about individuals because SPHERE deals with identity. And there’s a lot of talk in the cybersecurity community about identity, especially about how identity is the new perimeter.
But most organizations have very little control over the identities, accounts, and groups in their environments. See, the problem is that many security tools are great at discovering these assets, but the task of remediating them is left to the organization’s security team. Generally, this is a painful manual process that can take days just to determine a small handful of owners and is usually overshadowed by other more pressing issues.
As people join the company, leave the company, or switch roles or responsibilities, these problems only persist, and they compound.
So, SPHERE, our sponsor, has set out to close the loop on the ownership, certification, and remediation challenge through an automated remediation process. By working with the IAM and PAM solutions organizations already have in place, the SPHEREboard platform automates discovery and remediation on an ongoing basis to help organizations achieve a sustainable state of identity hygiene.
You want your identities to be as clean as possible because we know it’s rare that that happens. So, learn more on how to actually do this over at sphereco.com, check it out.
What kind of experience do you need?
14:47.615
[David Spark] Tim W. said, “Any security initiative that does not consider user experience is bound to fail. We must find ways to make security a seamless integrated capability that isn’t a roadblock, but an enablement feature.” And Ulf Wollenweber of Deutsche Börse said, “Efficiency, automation, and usability – some things I like to emphasize to provide actionable and tangible added value.
Winning the hearts and minds also means enabling the business to operate with peace of mind, always delivered with kindness and empathy.”
So, Christina, we have talked about this a lot and that the desire to make security invisible, to make it user-friendly. I mean, we know the days a long time ago when it was a roadblock and nobody wanted to go to the security department because they knew it would slow it down. And again, part of the identity that security is trying to rid itself.
I’m sure you’re dealing with this on a daily basis also as a CIO, yes?
[Christina Shannon] Yeah, absolutely. I mean, on the one hand, you want to go fast when you’re implementing a new technology or when you’re implementing a new business capability, but on the other hand, you have to figure out how you do it where you’re incorporating the risk at the start, right? Whether that’s you’re shifting left in your DevOps world to where now the developers are part of the security team in a hybrid team.
There’s many different ways to do it but you really have to figure out how do you get to that seamless model or the security by design model so that security isn’t as cumbersome for the businesspeople, right? It’s actually an enabler, not a blocker.
[David Spark] Yeah, I mean, Geoff, it’s clear that your attitude toward cybersecurity is not that sort of historical Department of No attitude, and again, what we’ve all been trying to eradicate. Let me ask, I mean, I don’t even know because I’m not within security teams, but does that still linger around?
I mean, do you still see it, the Department of No?
[Geoff Belknap] I still see it in individuals. Look, when you’re early in your career or maybe even if you’re not early, if you’re sort of not quite far along in the maturity spectrum yet, it is easy and it is very tempting to just go to, “No,” right? Because it doesn’t…
[David Spark] Which, by the way, that is the easiest thing to do. To not do the work is very easy.
[Geoff Belknap] You don’t have to build anything, you don’t have to take any risk, you don’t have to worry or stay up late at night if you just say, “No.”
[David Spark] By the way, I could be the CISO of a company that was a Department of No. I could do that very well.
[Geoff Belknap] You wouldn’t last long. I think that’s what people realize and that’s why I don’t see whole departments that think or operate that way anymore. And I think Tim and Ulf really kind of teed this up, right? One of the things that I kind of came around to on my own many years ago was exactly what Tim specifies here.
If you don’t think about UX or user experience, your users will just work around whatever you’ve built and now your users are your adversary as well.
And I think it all comes down to – Ulf brings it home with exactly what I would say – is that we forget. We are not police, right? If you are the police, it is your job to fight crime and nothing else. You are not the police. You are, in many cases, a business or an organization that is trying to sell something, manufacture something.
You are operating a business. Your job in security is to make sure that business is as successful and sustainable as it can be while managing risk. It is not to just fight bad guys and to sort of not care about all the other things. And as soon as you realize that your job is to help people succeed, not to stop them from whatever they’re doing that might be dumb, but to do the hard work of helping them succeed even in a risky environment, you really will unlock how to build some better partners and how to stop being seen as the Department of No.
[Christina Shannon] I agree completely. When I think about how you add value, how you do break through, right, in terms of working with the business, it’s really, instead of telling them no or instead of saying, “There’s going to be a six-month delay,” it’s really figuring out what is the thing you’re doing, what’s the risk around it, but then also helping them understand that this exercise to quantify risk upfront is going to save them lots of time in the long run, right?
So, I think that one of the things you have to be able to do is you have to be able to translate technical terms to business risk, right? Today’s business, you’re talking to just as many businesspeople, especially in the agile world, as you are to technical people. And I was laughing when you said you had one or two people.
I was thinking about a past life, Geoff, where I had a few folks who they loved to play cops and robbers. That’s what I call it. [Laughter] Same thing where there’s the department and then also the strategy to support that. And so eventually they had to figure that out, but all that was was a blocker.
To your point, it gives security a really bad name.
What are the risks we’re dealing with?
20:02.522
[David Spark] Matt P. of the Picnic Corporation said, “Any discussion of managing human risk is incomplete without a focus on reducing the human attack surface beyond the firewall. We scan and patch technical vulnerabilities. Now the same thinking can be applied to digital footprints that fuel attacks.” So, this is making going after our employees less and less possible.
Where have you seen opportunities to make your own employees less of a target, either giving them more protections, giving them more warnings? What have you been able to do to essentially, like we were saying at the beginning, help them win and succeed?
[Christina Shannon] There’s a number of things that you can do to help them win, right? Like from the standpoint of a security awareness, you can institute or put in place security champions, and these aren’t even technical people. These are folks that really, they’re liaison to the business that helps the business understand the risk to their important assets and then they’re also helping the business go fast.
So, I mean, that’s something that we do security awareness annually, sometimes companies do it where they do the security phishing test. And all that’s fine and good, but I think we just have to continue – to Matt’s point – to put more emphasis on how do we educate the human, how do we enable the human to enter a secure environment upfront.
[David Spark] Geoff, what have you done to help your team win? And I’m not saying your cybersecurity team but your employees, let me say your employees win.
[Geoff Belknap] Yeah. And I think that’s a really important part, right? My team can’t succeed in a scenario where someone in sales or recruiting fails, right? That is a team failure. That is not a security success.
[David Spark] That’s a good point.
[Geoff Belknap] So, the way that we think about this or the way that I think about this internally is I can’t eliminate humans as an attack vector. In fact, I think I’m very bullish on the fact that they will become more and more an attack vector because we’ve gotten really good at security in many other ways.
So, what we have to do is reduce the cost and increase the likelihood that that human’s going to survive an attack. And those attacks, let’s be really frank, today the way they happen are the very common one, you get a text that says, “Hey, I’m the CEO. Please buy me some gift cards,” right?
[David Spark] Which is a common request from a CEO, all the time.
[Geoff Belknap] Very. Oh, yeah. And David sends me those all the time. I hope you’re getting the gift cards I’m sending.
[David Spark] Thank you. I appreciate all the gift cards you’ve been sending.
[Geoff Belknap] But that happens a lot. The other things that have been wildly successful without naming any recent names because frankly, it doesn’t matter. Whatever name I name now, if you listen to this podcast a year from now, there’ll be somebody else, where they call up somebody and they say, “Hey, this is the Help Desk.
There’s been a problem with your account. Why don’t you tell me your password?”
[David Spark] My mom fell for one of these.
[Geoff Belknap] And it’s awful and it makes you feel terrible but here’s the thing. Those things are – I don’t want to say fully preventable, so I’m going to say preventable with an asterisk after them – but they’re very easy to make frustrating or straightforward in that if you use passwordless or a FIDO2 type password scheme, you literally can’t give your password away because there isn’t one.
It also makes it very, very difficult to phish. There’s ways to increase the cost of these attacks. Certainly not prevent them wholly, but you can make it very difficult for someone to be targeted in a way like that that would give away the keys to the kingdom. I think there’s also you’ve got to update your thinking about your 2FA so that it’s more modern.
You’ve got to update your thinking about access and access controls to things so that you don’t go, “Well, Christina’s one of us so she should just have administrative access to everything.” You should go like, “Maybe Christina doesn’t need administrative access to the virtualization environment or VMware or Kubernetes or anything like that.”
[Christina Shannon] Just domain admin everywhere.
[Geoff Belknap] Just, yeah, and get your email at christina-domainadmin@whatever. So, we have to start really thinking about these controls and how humans get attacked and upgrade them. As long as we’re also doing that in conjunction with education, I think we’re headed down the right path.
[David Spark] When I was in Nashville, I heard a great quote and it was a variation of you’ve heard the line of, “You don’t need to outrun the bear, you just need to outrun the other guy who the bear’s going after.” Which I’ve never liked that because it says, “Oh, you can lose but I’m not going to lose.”
[Geoff Belknap] And security’s a cooperative sport, so I don’t want to outrun my partner, right?
[David Spark] So, the quote that I thought was interesting, which still has the same end result, I’m sorry I’m forgetting the name of the person, I even asked them, “May I quote you on this?” and now I’m forgetting his name, but he said, “A criminal’s plan B is plan A with somebody else.” Which I thought was a good thing.
If they can’t get you, they’re not going to keep fighting to get you unless you really are a very specific needed target, which is often rare unless it’s a nation-state attack that has a specific objective. They’re going to move on and do the same thing with somebody else, which is not the same thing as, “I just want the other guy to get screwed over.” It’s just more of, “Let me protect the environment I’ve created.” Christina, I mean, your philosophy I’m hoping is not letting the other person get eaten by the bear.
[Christina Shannon] No. Not at all. [Laughter] So, I’m pretty scripted anymore. When I join an organization, I make it known upfront that we’re going to do MFA everywhere, we’re going to make sure we have 90, 95% of our assets accounted for, especially laptops and servers, and we’re going to do EDR or MDR with having a guaranteed SLA from one of these big forensics firms, right?
And then the other thing is we’re going to make sure we can recover from a backup. I do that now, like I said, it’s scripted in the sense of if all else fails, right, all of our – think of defense in depth – everything else fails, we have an emergency, disaster, I’m covered. [Laughter] That’s really, that’s the first thing I do.
And then after that, then we’ll go into looking at more in depth on the assets, the crown jewels, and the risk and all the other security controls.
[David Spark] Excellent.
Closing
26:30.072
[David Spark] Well, that brings us to the conclusion of this episode. But we have one thing that I want to ask you, Christina. All these wonderful quotes. Was there a quote that was your favorite and why?
[Christina Shannon] So, initially, I thought Bob Fabian’s. I kind of liked his thing that he said you could patch the human because I do think that humans are able to learn, and I think that they’re able to at least have a baseline foundation of what to do, what not to do. And the more we educate them, whether it’s crisis training, whether it’s doing more simulations, I mean, there’s a number of ways to where we can help the human.
And so that’s why I like his quote is that term – patch the human. [Laughter]
[David Spark] Yeah. And it feeds into the line of don’t let perfection be the enemy of good because we can get to good or better. Geoff, your favorite quote.
[Geoff Belknap] Yeah. Well, I’d just like to say I wish somebody could patch my knowledge and understanding of calculus. That would have been really helpful in college. But my favorite quote, honestly, is Ulf from Deutsche Börse which talks about reminding people that we’re here to enable the business and to help the business operate.
And I know I sound like a capitalist shill or whatever you want to say, but I think it’s so important for security teams and people in the security space to remember you’re doing security because the organization that is employing you or that you’re working with has a mission that it’s trying to complete.
And whether that be a commercial mission or maybe it’s a nonprofit or a charity, you’re trying to help the organization be successful and you’re not actually helping them if you just say no to everything. And if your only solution to managing risk is to not take the risk, you’re not actually helping.
Real security is figuring out how to do hard things in hard places under difficult circumstances. That is where we’re moving ourselves forward and that’s what we come to do this for.
[David Spark] Awesome. Well, that brings us to the very end of the show. Thank you very much, Geoff. Thank you very much, Christina. I want to thank our sponsor, that’s SPHERE. Remember – sphereco.com – pioneering identity hygiene, working with your IAM and your PAM solutions to have a cleaner identity surface.
Check them out, again, at sphereco.com. Christina, I’ll let you have the very last word here. Is there anything you’d like to say to our audience on this topic? Or we always ask do you have any positions open over at Kik Consumer Products?
[Christina Shannon] So, great topic. I think that it’s going to become a bigger topic as more organizations become security aware, as we become even more connected than we are today. So, I think that it’s a very important topic to talk about. How do we evolve, how do we help our organizations evolve, our security teams evolve.
So, thanks for having me. And yeah, by the way, I am hiring. I have a few open roles that are reporting actually directly to me. We have several roles, so check us out, www.kikcorp.com.
[David Spark] And Kik is spelled K-I-K, there’s no C in there, just kikcorp.com. Thank you very much, Christina. Thank you very much, Geoff. And thank you very much to our audience. We greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.