human error and secure systems - devopsdays ohio 2015
TRANSCRIPT
Human Error and Secure Systems
Dustin Collins
@dustinmm80dustinrcollins.com
● Boston DevOps meetup organizer● Developer Advocate at Conjur● reformed* software developer
ZDNet: 2015 biggest hacks, breaches
(some of the) breaches in 2015
...breaches caused by insiders are often unintentional. In fact, over 95 percent of these breaches are caused by human error.
IBM 2015 Cyber Security Intelligence Index
human error
‘Human error’ blamed for Rogers online security breachHealthcare breaches need a cure for human errorsHuman error causes most data breaches, Ponemon study findsHuman Error Blamed for Most UK Data BreachesHuman error is the root cause of most data breachesHuman error causes alarming rise in data breachesHuman Error: The Largest Information Security Risk To Your OrganizationHuge rise in data breaches and it’s all your faultData breaches caused mostly by negligence and glitches
security through obscurityX
root causeanalysisX
negative reinforcementX
the solution:
people
people
the problem:
experience = bias
Our ability to reason about the systems that we’re working with (and are part of) diminishes as their scale and interdependence increases. We can no longer rely solely on past experience, and instead have to continuously discover how systems are functioning or failing, and adapt accordingly.
Dave Zwieback - Every company is a learning company
“human error”
we can do better
other industries have already learned this lesson
http://amzn.com/B00Q8XCSFI
Old View◦ Asks who is responsible
for the outcome
◦ Sees human error as the cause of trouble
◦ Human error is random, unreliable behaviour
◦ Human error is an acceptable conclusion of an investigation
two views of “human error”
New View◦ Asks what is responsible
for the outcome
◦ Sees human error as a symptom of deeper trouble
◦ Human error is systematically connected to features of people’s tools, tasks and operating environment
◦ Human error is only the starting point for further investigation
“
Rather than being the main instigators of an accident, operators tend to be the inheritors of system defects created by poor design, incorrect installation, faulty maintenance and bad management decisions. Their part is usually that of adding the final garnish to a lethal brew whose ingredients have already been long in the cooking.
http://amzn.com/0521314194
When we’re dealing with complex systems, the magnitude of a cause is often not proportionate to the magnitude of its effect
accountability
implementing reliable security requires a solid understanding its operators
know your operators
operations
development security
compliance
warning signs
◦security policy is not visible◦security is at odds with how work gets done
◦developers use a different workflow than production
◦documentation featuring warnings (“don’t do this in production!”)
◦SSH + sudo◦talking processes, not people◦audits are time-consuming
references
Sidney Dekker◦ “Just Culture” Lecture (video)◦ A Field Guide to Understanding ‘Human Error’◦ Just Culture: Balancing Safety and Accountabil
ity
◦ Human Error - James Reason◦ The Design of Everyday Things - Dan Norman◦ Universal Principles of Design - William Lidwell
Thanks!ANY QUESTIONS?You can find me at@[email protected]