Lots of discussions about complex topics start with the premise that there are two types of people. That's where Symantec's Chief Technology Officer Hugh Thompson began his discussion on the challenges facing the security industry. He began his entertaining security keynote at this year's CeBIT event in Sydney telling the story of a bird that flew into a commercial aircraft as the plane was being loaded by ground staff. It was trapped in the passenger cabin, only becoming known when the trans-Atlantic flight was in the air. The reactions to the story are indicative, he said, about differing attitudes to security risks.
After the bird entered the passenger cabin, there were various ideas promulgated by airline and security staff on how to get the bird out of the cabin. Those varied from an air marshal shooting the bird (not a good idea inside a plane while it's flying over the ocean!), opening a window (seriously) to calling a zoologist for advice.
Eventually, advice from a zoologist was followed and the plane was completely darkened other than the toilets. The bird flew to the lit toilet and was captured there and extracted after the flight ended.
When Thompson told the story to his wife, her first reaction was "Is the bird OK?". But when he told the story to security professionals, they saw the incident as a breach. One even suggested that he could create a robotic bird with an explosive payload that could be flown into a plane.
Those two, widely different reactions set the scene for Thompson's presentation. Some people see risk where others don't.
'The bird is just a symptom of the weakness," said Thompson. "The bird exposed some weakness in the system, that existed in the process".
Make the problem go away
Thompson has been in the security industry since the 1990s. He earned his PhD in the 1990s, researching Windows vulnerabilities in an era when the threats could actually be counted. He then went on to show how electronic voting systems could be hacked in a TV special that was aired on PBS in the US. Over his career, he said that when people are exposed to a security issue they fall into those two groups; a group that sees the risk and another that wants the warnings to disappear.
"What is happening is that we are making users make security decisions every day that fall into the 'is the bird OK' category which is the vast majority of people".
It's this reaction, he said, that drives the user behaviour that we see when people are confronted by security warnings. For example, when a dialog appears telling us we may be visiting a website with an expired or invalid certificate, the majority of people simply want the dialog to disappear; they don't see the risk.
"We have a small number of people that can understand signs of danger and risk with technology. And a vast majority of people which don't natively don't feel that sense of risk with technology".
In the real world, people are conditioned to see signs of danger. When they walk through a city, they innately understand when they are in more dangerous situations. But most people haven't developed the same street smarts when online.
However, some of the signals savvier users rely on are disappearing. Thompson noted that the use of URL shorteners is taking some of the signalling away. When we see a shortened URL, we have no idea where it's really going until we click.
And while the technology industry has long leaned on the idea of informed consent, Thompson said most users may give consent but the information they are supplied with before deciding to click a link or purchase an app is too opaque for them to be truly informed about the risks and consequences of their decisions.
We cannot train the problem away
For many years, the security industry has said user training is the answer.
While reinforcing that he is an advocate for education, Thompson said "The challenge with that is that it is very hard about that sense of risk with technology without it quickly going into a conversation about rules. The problem is that if your successful in importing those rules, the attacker, as a tanking adversary will go an utilise that information against those folks".
As an example, Thompson said he saw a phishing email that made a point of saying it did not contain links and it encouraged receivers to search for the company name being used in the attack and search for it. Rather than giving potential victims a link in an email to click, they poisoned search engine results so infected sites were more likely to be found in a search, thus duping their victims.
In order to overcome the increasing sophistication of the thinking adversary, Thompson said analytics is emerging as a powerful tool.
"The way I think we help fix this problem," said Thompson, "is we get better at analytics. Words like machine learning, AI, and big data are very common - every company talks about them. But they really can make a massive difference if you have a system in the backend that's assessing risk on your behalf and assisting choices that you make in a very human-aware and human-friendly way".
Help from outside
Thompson sad the security industry needs to look outside itself for examples on how this can be done. He pointed to examples such as fold.it and Glow that use gamification and apps to amass large volumes of data that can be used to assist different endeavours.
In the case of Glow, couple provide lots of data that is used to assist people seeking to conceive a child. By looking at a massive pool of data and applying analytics, it can provide advice around nutrition and other activities that can help people who want to have a child.
Thompson says the potential to solve some significant challenges in the infosec industry will come from better application of analytics. For example, the risks of IoT devices on a network can be assessed by looking at usage patterns and and how devices connect to other services. A tool that could scan a network and find devices that are not properly secured or that are still accessible through default username and password combinations could be fund and reported so we could take remedial action.
Similarly, the industry could adopt a labelling system where IoT devices indicate clearly what communications protocols they include, what they expect to connect to and other useful data. The data wouldn't need to be necessarily be readable by a person. It could be an electric label that is machine-readable so a security appliance could recognise the difference between normal and anomalous activity.
What's clear from Thompson's address is something most information security professionals know - the volume of information we need to protect is increasing, the adversaries are getting smarter and users aren't equipped to assess and respond to all the risks they face.
Looking back at the story about the bird, the solution came by using information from internal sources like the passengers and external information from the zoologist. Most people didn't see the risks that allowed the bird to infiltrate the aircraft - they just wanted the problem solved. But by helping users to see the risks, instead of just wanting to click past annoying dialog boxes and warning, we can improve the security of our personal and corporate data so the birds never get in.
Anthony Caruana attended CeBIT in Sydney as a guest of Symantec.