SESSIONID:

#RSAC

AdamShostack

Securingthe“WeakestLink”UsableSecurityLessonsFromStarWars

HUM-R05

@adamshostack

#RSAC

Intheroom,therewasvideofrom“StarWars”(fairlyused!)

It’stheboardroombriefingscene

Thegeneralsays“ThisbaRlestaSonisnowtheulSmatepowerintheuniverse,”

Vaderresponds“Don’tbesoproudofthistechnologicalterroryou’vecreated”

Myrealslideistoobigtodistribute

Lord Vader Was Right

USING THE FORCE•  Computersecurityisaboutpeople

•  PeopleareamoSvatedandstrugglinglink

•  Weignorethehumanelementatourownrisk

AGENDA•  Some threat models

•  How we make it worse•  How people are exploited

•  How to make it better

#RSAC

AThreatModel

#RSAC

” “ Given a choice between

dancing pigs and security the user will pick dancing pigs every time

ABadThreatModel

#RSAC

AnEvenWorseThreatModel

8

Declaretheproblemunsolvable!

OMGNOTOURFAULT!

Webproxies?RemoteDesktops?

LearnedHelplessness!

#RSAC

PeopleGetTricked:AThreatModel

9

HumanacSon(s)tochangethecomputer’sconfiguraSonNormalbehaviors

NoaRackersays“nowaddakeytotheregistry”becauseFAIL

Thecomputerhasachancetointervene/miSgateWarnings

Sandboxes

Architecture

#RSAC

HowPeopleAreTricked

CredenSalexposure(includingphishing)

IntenSonallyrunningorinstallingso]wareCodecs,doppelgangersand“Microso]Support”callsPiratedso]warewithextras

Accidentalso]wareexecuSonFileextensionhiding,icontricks(Salaries.xlsx.exe)Documentswithexploitpayload

Webfakery—clickjacking,XSRF,etc

#RSAC

HowPeopleAreTricked:Scamicry

11

Scamicry:Whenrealmessagesimitatescams

Peoplehaveasecuritygoallike“examinelinkscarefully”Storesendsemailwith<ahref=“http://cts.vrecc.com/ls?39389ee28a/64f53b0c9c/http%3A%2F…>SafeOnlineBanking</a>

Bankcallsandasksforyourpassword

“Butit’sthebank...I’mnotsmartenoughtounderstandthis”

#RSAC

HowPeopleAreOverwhelmed

12

Advicethatcan’tbefollowedinreasonableSme“ReadTOS,privacypoliciestounderstandhowwe’lluseyourdata”

AdvicethatrequirestoomuchskillSolvethiscaptcha!

ComplexityanddepthWhydoyouneedalongpassword?

Letmeexplainpasswordcracking…hRp://www.seosmarty.com/impossible-captcha-it-doesnt-really-maRer-if-you-are-human-or-not/

#RSAC

YouCanMakeItBeLer

#RSAC

FirefoxMalwareWarning

14

#RSAC

ChromeMalwareWarning

15

#RSAC

7.2%(FirefoxMalware)

23.2%(ChromeMalware)

9.1%(FirefoxPhishing)

18.0%(Chrome)

RealWorldClick-throughRates

AliceinWarningland:ALarge-ScaleFieldStudyofBrowserSecurityWarningEffec<veness

#RSAC

ThreatModeling&People

17

Amodelofthesystembeingdeveloped(whiteboard,DFD)

Amodelofthethreats(STRIDE,aRacktree)

[New!]Amodelofthepersonusingtheso]ware

#RSAC

ThreatModelingandPeople

18

#RSAC

ThreatModelingandPeople(2/2)

19

Amodelofthepersonusingtheso]wareBehavioristandcogniSvescienceKahneman’sSystem1/System2Reason’s“StrongHabitIntrusion”

ModelsforusablesecurityEllison:CeremoniesCranor:HumanintheloopSasse:ComplianceBudget

#RSAC

ThreatMi]ga]ons/PaLernsThatWork(So^waredevelopers)

20

#RSAC

WinbyBuildingbeLerdefenses

2KeypaRernsinInternetExplorer8+

NotwarningoneverydownloadPeoplebecomehabituated,clickthrough

Notmakingthedangerouschoicethedefault

#RSAC

PaLerns:GoldBar

•  AppearsinOffice,IE,Firefox,elsewhere

#RSAC

EngineerNEATWarnings

NEATisaneasywaytorememberkeysecurityUXguidance

NEATNecessary,Explained,AcSonable,Tested

Philosophy:Don’tinvolvethepersonifyoudon’thaveto

Ifyouinvolvetheperson,enablethemtomaketherightdecision

Doesthepersonhaveuniqueknowledgethesystemdoesn’t?

#RSAC

NEATWarnings:Necessary

AvoidinterrupSngtheuserwithsecuritydecisions,ifpossible

Whenpossible,automaScallytakethesafestopSonand,opSonally,noSfytheuserthatotheropSonsareavailable

IfpeoplehavenocourseofacSon&nouniqueknowledge,youshouldre-architectproduct

#RSAC

NEATWarnings:Explained

ProvidetheuserwithalltheinformaSonnecessarytomaketherightdecision

6keyelements:SPRUCESource:Whereisthisdecisioncomingfrom?Process:Whatstepsshouldtheytaketomakethedecision?Risk:Whatisthesecurityriskofgeongthedecisionwrong?UniqueKnowledgeUserHas:Whatdoestheuserknowthatwedon’tthathelpsmaketherightdecision?Choices:WhataretheiropSons?Whatdowerecommendtheydo?WhatwillhappenwhentheychooseeachopSon?Evidence:WhatinformaSonshouldtheyfactorin?

#RSAC

Good(long)exampleofexplana]on

Source

Risk

Choices

Process

#RSAC

27

ClearinstrucSon

ARracSvepreferredchoice

UnaRracSvealternatechoice

FromtheGoogleChrometeam—“ImprovingSSLWarningsComprehensionandAdherence”byAdriennePorterFelt&manycolleagues

Explana]on:OpinionatedDesign

#RSAC

NEATWarnings:Ac]onable

EnumeratescenariosatdesignSmeStepsthepersonmusttakeFigurethemoutWritethemdown

WordingcanbeatrickybalanceToowordy,peoplewon’treadorunderstandNotenoughinformaSon==notacSonable

#RSAC

NEATWarnings:Tested

ValidateyourSecurityUIwithrealpeopleBenignandmaliciousscenarios

WholearsenalofUItesSngtechniquesRangefromempaneling1000sofpeople,totesSngdozensinusabilitylab,toaskingcoworkersdownthehall

Applywhatyoucan

Usertestsarealwayssurprising

#RSAC

NEATWarnings:WalletCards

hRps://blogs.microso].com/cybertrust/2012/10/09/necessary-explained-acSonable-and-tested-neat-cards/

#RSAC

DefensivePaLernsThatWork(Opera]ons)

#RSAC

SpendYour“Budget”Wisely

32

PeoplewanttogettheirjobdoneTheyexpendefforttodoitsafely—toapoint

Whatdoyouwantthemost?ArepasswordchangesworththeSme?

Doyoupatchduringthebusinessday?

MakeiteasyandfasttodowhatyouwantthemostGreatopportunitytolearnfrommarkeSng&UIexperts

#RSAC

Example:AdviceYouGive

33

Emailisathreatvector

Howwelldoyouhelpemployeesmanageit?Prevent:IsiteasytoseewhoanemailislegiSmatelyfrom?

Howo]endoyourvendorsemailemployeeswithdemands?

Detect:Howeasyisittoreportsuspiciousemails?

Respond:Howquicklydoyourespondtothosereports?Totheoriginator?Totherecipient?

Areyoubreakingyourownadvicewithscamicry?

#RSAC

UsabilitymaLerstalkingtoexecu]ves

34

ExecuSvesareskilledatmanagingrisks

WeshowupwiththewrongmessagesCompliancerequirements

“Phonebooks”ofrisks

“CyberDefenseMatrix”isagoodstepSounilYu’stalk“UnderstandingtheSecurityVendorLandscapeUsingtheCyberDefenseMatrix”(PDIL-W02F)

#RSAC

ApplySlide

35

Don’tgiveintothedarkside

AvoidconfusingpeoplewithscamicryorimpracScaladvice

Usedefensiveso]warepaRernsGoldBarDefaultSafeNEAT

BuildoperaSonsforrealpeople

Shareyourwork

#RSAC

Ques]ons?Thankyou!