Skip to content

Why humans could be the weakest link in cyber security chain?

by Pierluigi Paganini on October 3rd, 2012
HumanFactor

Last month I attended the Cyber Threat Summit in Dublin and I had the opportunity to assist to the interesting presentation “Humans The weakest link in cyber security” of Mark Johnson, Chairman, The Risk Management Group.

The topic of presentation is one of the most interesting in cyber security, the massive introduction of technologies in every environment must take in care of the human factor under the security perspective. In many cases wrong behaviors of users, the failure to comply with security policies and leak of awareness on the cyber threats that could target a systems representing main factors that could expose overall integrity of an IT solution.

The principal families of security standards such as ISO 27001 reserve great attention to the argument explicitly requiring the involvement of employees in the process of securing the information. It makes no sense to have sophisticated security systems if the security of the infrastructure can potentially be affected by the work of human beings.

Unfortunately in different occasions in enterprise and government environment the security is perceived as a further cost and a burden that complicate ordinary work. Let’s consider how much wide is the attack surface for each user today, mobile, wireless access, cloud computing, social media all conspiring to make life more complicated. The human factor is the underlying reason why many cyber attacks are successful, underestimate the severity of potential cyber threats is one of the most common errors.

Distraction, ignorance, curiosity are just some of the factors that can lead to a high risk behavior in terms of security, for this reason is crucial get to define rules to be followed in situations that expose the user at risk.

The engage to securely manage all these platforms and technological solutions could induce users to improper behavior exposing his personal information with evident risks, and in some cases the entire IT infrastructure.

According the presentation of Johnson the main factors that are highlighting the problem of considering the human being as the weakest link in the safety chain are:

  1. Market becoming ever more ‘user-centric’
  2. At the same time, it is all becoming a lot more ‘virtual’
  3. Users becoming ever more device dependent

It is possible to formulate the following laws for ICT Rick

  1. The number of device owners is inversely proportional to the cost of ownership.
  2. The overall level of ICT risk is a function of the number of devices in use and the number of discrete vulnerabilities.
  3. The mean level of awareness and security competence of the user base declines as the user population increases.
Actual ICT scenario is assisting to a sensible increasing of technology demand despite a reduction of the level of user’s awarenes on cyber threats, situation that creates the fertile ground for cyber criminals who want to exploit victim’s digital identity.
Users are facing with a complete cyber dependency on principal technologies, their operate could have impact on the entire cyber surface, let’s think for example to the use of simple password shared among different platforms, the exploit of those credentials could compromise user’s digital identity, but it could also represents a serious menace for other environments strictly related. If our user adopts same credentials to access to his corporate email he could give to the attackers precious information to use for further attacks such as APT campaign.
Another factor related to the human being in the security chain is it response time to the incident, cyber incidents occur at computer speed but the incident management takes place at human speed, another consideration that must be done in a security audit. The action taken by users to respond to an incident or to a cyber attacks suffers of human latency further exposing the victim to additional risks derived to failure to apply instant envisaged retrenchment.
Of course in this case the unique possibility that we have is to formalize the procedure to respond to incident trying to push their automation.
To strengthen the security of every process that involve humans it absolutely necessary to promote awareness campaign, no matter if we are in a enterprise or at home, it is fundamental to educate and train individuals on the principal cyber menaces, proposing best practices and also giving information related on how to respond in case of incident.

What make social media so critical?

Among the various web services in rapid diffusion the ones that create major concerns are the social media and mobile, as said in a past article also governments are really concerned about the use of these powerful communication platforms and are promoting surveillance projects to control and monitor user’s activities.

But social media and mobile platforms represents also privileged targets for cybercrime that use them to implement complex fraud schemas.

The social media are point of aggregation for any kind of information, users have to be educated on the proper use of these services that are attracting an increase number of ill-intentioned.

Thanks to Social networks it is easy to identify prime victims within Enterprises and send them a message with a malicious attachment or a link to a compromised web site.

It has been estimated that there are now over 1,000 social networking sites on the Internet, and Facebook currently being the largest, with over 840 million user profiles. The trend is in constant growth with the born of new thematic platform.

Social networks can be a virtual goldmine of information and knowledge for those who can potentially harvest it for different purpose..

The human factor in overall security is determinant, user’s have to manage carefully the exposition of their data on-line, a wrong usage of social networking info could damage the user itself but also other accounts linked to him.

  • How users manage their credentials?
  • How they manage their profile?

Be social, catch the highest number of friend without controlling them … that is the imperative and the risks are elevated.

Today we all know that thanks to a metadata hidden in a picture posted on line is possible to localize the user … it is possible to link him to other persons of interest discovering their habits and their on going activities, in private and corporate life.

The only way to protect users is to teach them that they are part of a network which security is also related to their behavior. When user accepts friendship on a social platform he must be aware on the risks related to the choice, and unfortunately today it doesn’t happen!

Summarizing the main factors of risk related to social media use are:

  • Lack of identity verification
  • Social engineering
  • Diffusion of fake profiles
  • Personal data exposure
  • Corporate data disclosures
  • Inadequate Data retention
  • Failure to follow the behavior policy

Obviously, the human factor plays an important role not only in participating in social media, there is a wide range of situations in which the services accessed depending once again on it, following other relevant factors of risk:

  •  Adoption of weak authentication processes
  • Unaware diffusion of malware
  • Failure to follow the best practices and policy for the mitigation of cyber threats, such as the adoption of security systems to protect against malware
  • Inadequate data classification/segmentation
  • Failure to followthe best practices for data protection
  • Remote access and device sharing

How to prevent most common incidents?

  • Improve awareness campaign, users must be aware of the principal risks related to the use of most common platforms.
  • Definition of best practices for the adoption of new technologies
  • Knowledge sharing on the principal incident occured due human unproper behaviour

Create a reliable security model globally recognized by all internet users is utopian but we are obliged to share knowledge on the major risks related to human factor.

Pierluigi Paganini

Special thanks to Mark Johnson, Chairman, The Risk Management Group