Michael Weiss20h ago

@brianhonan I'd like to add to your reassessment of "humans are the weakest link".

If you look at airline crashes in the 1960s and 1970s, you'll see a similar pattern: they're frequently attributed to "pilot error". The frequency of such events declined tremendously in the decades that followed. It's not that the pilots got so much better, but rather that many cockpit design flaws that led to "pilot error" were corrected.

I often stress the importance of social engineering in security defense. We tend to think of social engineering as an attack vector, but it works both ways. Design systems to exploit human behavior to make them do the "secure" thing, and the number of incidents will fall. Basically, make the easiest path align with the most secure path, and people will naturally be more secure. This is what "secure by design" looks like.

Show threadBrian Honan14h ago

@mweiss I totally agree and in fact have been making saying for over a decade that we need to learn more from the airline industry

From my keynote at Vbulletin in Madrid

https://threatpost.com/security-industry-failing-to-establish-trust/128321/

From my talk at #IRISSCON in 2017

https://www.theregister.com/2017/11/24/infosec_disasters_learning_op/

And my keynote at BSides Belfast in 2019

https://www.infosecurity-magazine.com/news/bsidesbelfast-attacks-zero-days/

Sadly, rereading those articles its disappointing to see the issues I spoke about back then still remain

Security Industry Failing to Establish Trust

During the Virus Bulletin closing keynote, Brian Honan urged the security industry to share more, victim-shame less and work harder to establish trust.

Threatpost
Show threadMichael Weiss14h ago
@brianhonan I see you, Cassandra.
Show threadBrian Honan
@mweiss
9:36pmIvory for iOS