Last month I attended the Cyber Threat Summit in Dublin and had the opportunity to attend the interesting presentation "Humans The weakest link in cyber security" by Mark Johnson, Chairman, The Risk Management Group.
The topic of the presentation is one of the most interesting in cyber security: the massive introduction of technology into every environment must take the human factor into account from a security perspective. In many cases the wrong behaviour of users, the failure to comply with security policies and a lack of awareness of the cyber threats that could target a system are the main factors that expose the overall integrity of an IT solution.
The principal families of security standards, such as ISO 27001, pay great attention to this argument, explicitly requiring the involvement of employees in the process of securing information. It makes no sense to have sophisticated security systems if the security of the infrastructure can be undermined by the actions of the people who use it.
Unfortunately, on many occasions in enterprise and government environments security is perceived as a further cost and a burden that complicates ordinary work. Consider how wide the attack surface for each user is today: mobile, wireless access, cloud computing and social media all conspire to make life more complicated. The human factor is the underlying reason why many cyber attacks are successful, and underestimating the severity of potential cyber threats is one of the most common errors.
Distraction, ignorance and curiosity are just some of the factors that can lead to high-risk behaviour in terms of security; for this reason it is crucial to define rules to be followed in the situations that expose the user to risk.
The effort of securely managing all these platforms and technological solutions could induce users to improper behaviour, exposing their personal information, with evident risks for the user and, in some cases, for the entire IT infrastructure.
According to Johnson's presentation, the main factors that highlight the problem of considering the human being the weakest link in the security chain are:
- Market becoming ever more ‘user-centric’
- At the same time, it is all becoming a lot more ‘virtual’
- Users becoming ever more device dependent
It is possible to formulate the following laws for ICT Risk:
- The number of device owners is inversely proportional to the cost of ownership.
- The overall level of ICT risk is a function of the number of devices in use and the number of discrete vulnerabilities.
- The mean level of awareness and security competence of the user base declines as the user population increases.
What makes social media so critical?
Among the various web services in rapid diffusion, the ones that create the greatest concern are social media and mobile; as discussed in a past article, governments too are really concerned about the use of these powerful communication platforms and are promoting surveillance projects to control and monitor users' activities.
But social media and mobile platforms are also privileged targets for cybercrime, which uses them to implement complex fraud schemes.
Social media are points of aggregation for every kind of information; users have to be educated in the proper use of these services, which are attracting an increasing number of ill-intentioned actors.
Thanks to social networks it is easy to identify prime victims within enterprises and send them a message with a malicious attachment or a link to a compromised web site.
It has been estimated that there are now over 1,000 social networking sites on the Internet, Facebook currently being the largest with over 840 million user profiles. The trend is in constant growth, with new thematic platforms being born.
Social networks can be a virtual goldmine of information and knowledge for those who can harvest it for different purposes.
The human factor is decisive in overall security: users have to manage the exposure of their data online carefully, since a wrong use of social networking information can damage not only the user but also other accounts linked to him.
- How do users manage their credentials?
- How do they manage their profile?
Be social, collect the highest number of friends without checking who they are ... that is the imperative, and the risks are high.
Today we all know that thanks to the metadata hidden in a picture posted online (the EXIF block, which on a smartphone photo can carry the GPS coordinates of where the shot was taken) it is possible to locate the user ... and to link him to other persons of interest, discovering their habits and ongoing activities, in private and corporate life.
The only way to protect users is to teach them that they are part of a network whose security also depends on their behaviour. When a user accepts a friendship on a social platform he must be aware of the risks related to that choice, and unfortunately today this doesn't happen!
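To make the point about photo metadata concrete, here is an added example (written for this post, not taken from Johnson's presentation or from any tool): a small Exif GPS reader and a stripper that removes the Exif segment from a JPEG before it is shared. It uses only the Python standard library. The sample "photo" is constructed inline (SOI, one APP1 Exif segment with a GPS IFD, EOI) so the code runs offline; the function names and the coordinates (an arbitrary point near Dublin) are my own choices, and real camera files carry many more tags than this minimal payload.

```python
import struct

# Added example, not the post's or the presentation's code. Stdlib-only Exif GPS
# reader/stripper; the sample JPEG is constructed below (no real photo needed).

GPS_INFO_TAG = 0x8825                         # IFD0 entry pointing at the GPS sub-IFD
GPS_TAGS = (0x0001, 0x0002, 0x0003, 0x0004)   # LatitudeRef, Latitude, LongitudeRef, Longitude


def _entry(bo, tag, typ, count, value):
    """One 12-byte IFD entry; values of 4 bytes or less are stored inline."""
    return struct.pack(bo + "HHI", tag, typ, count) + value.ljust(4, b"\0")


def build_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a little-endian Exif APP1 payload holding only a GPS IFD.
    Layout relative to the TIFF header: 0 header, 8 IFD0, 26 GPS IFD,
    80 latitude rationals (3 x 8 bytes), 104 longitude rationals."""
    bo = "<"
    tiff = b"II" + struct.pack(bo + "HI", 42, 8)
    ifd0 = (struct.pack(bo + "H", 1)
            + _entry(bo, GPS_INFO_TAG, 4, 1, struct.pack(bo + "I", 26))
            + struct.pack(bo + "I", 0))
    gps = (struct.pack(bo + "H", 4)
           + _entry(bo, 0x0001, 2, 2, lat_ref.encode() + b"\0")
           + _entry(bo, 0x0002, 5, 3, struct.pack(bo + "I", 80))
           + _entry(bo, 0x0003, 2, 2, lon_ref.encode() + b"\0")
           + _entry(bo, 0x0004, 5, 3, struct.pack(bo + "I", 104))
           + struct.pack(bo + "I", 0))
    rationals = b"".join(struct.pack(bo + "II", n, d) for n, d in lat_dms + lon_dms)
    return b"Exif\0\0" + tiff + ifd0 + gps + rationals


def build_jpeg(exif_payload):
    """Constructed sample: SOI, one APP1 segment carrying the Exif payload, EOI."""
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_payload) + 2) + exif_payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment before SOS/EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):            # SOS (entropy-coded data follows) or EOI
            return
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + seg_len
        pos += 2 + seg_len


def _read_ifd(tiff, bo, off):
    """Map tag -> (type, count, raw 4-byte value/offset field) for the IFD at off."""
    n = struct.unpack_from(bo + "H", tiff, off)[0]
    out = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, base)
        out[tag] = (typ, count, tiff[base + 8:base + 12])
    return out


def _dms_to_degrees(tiff, bo, raw_off, ref):
    """Three RATIONALs (deg, min, sec) at the referenced offset -> signed decimal degrees."""
    off = struct.unpack(bo + "I", raw_off)[0]
    d, m, s = (n / den for n, den in struct.iter_unpack(bo + "II", tiff[off:off + 24]))
    deg = d + m / 60 + s / 3600
    return -deg if ref in (b"S", b"W") else deg


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the first Exif APP1, or None."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, bo, struct.unpack_from(bo + "I", tiff, 4)[0])
        if GPS_INFO_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, bo, struct.unpack(bo + "I", ifd0[GPS_INFO_TAG][2])[0])
        if any(t not in gps for t in GPS_TAGS):
            return None                       # GPS IFD present but no usable fix
        lat = _dms_to_degrees(tiff, bo, gps[0x0002][2], gps[0x0001][2][:1])
        lon = _dms_to_degrees(tiff, bo, gps[0x0004][2], gps[0x0003][2][:1])
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; image data untouched."""
    out = bytearray(jpeg[:2])
    tail = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]
    return bytes(out)


if __name__ == "__main__":
    photo = build_jpeg(build_exif([(53, 1), (20, 1), (0, 1)], "N",
                                  [(6, 1), (15, 1), (0, 1)], "W"))
    print("shared as-is:", extract_gps(photo))
    print("after stripping:", extract_gps(strip_exif(photo)))
```

The point for awareness training is the second line of output: the fix belongs on the user's side, before the file leaves the device. Whether a given platform removes Exif on upload is a choice the user cannot verify, and the same original file often travels through email, messaging apps or a personal site where nothing is removed.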
Summarizing, the main risk factors related to social media use are:
- Lack of identity verification
- Social engineering
- Diffusion of fake profiles
- Personal data exposure
- Corporate data disclosures
- Inadequate Data retention
- Failure to follow the behavior policy
Obviously, the human factor plays an important role not only in participation in social media; there is a wide range of situations in which the security of the services accessed depends once again on it. Other relevant risk factors are:
- Adoption of weak authentication processes
- Unaware diffusion of malware
- Failure to follow best practices and policies for the mitigation of cyber threats, such as the adoption of security systems to protect against malware
- Inadequate data classification/segmentation
- Failure to follow the best practices for data protection
- Remote access and device sharing
How to prevent the most common incidents?
- Improve awareness campaigns: users must be aware of the principal risks related to the use of the most common platforms.
- Definition of best practices for the adoption of new technologies
- Knowledge sharing on the principal incidents that occurred due to improper human behaviour
Creating a reliable security model globally recognized by all Internet users is utopian, but we are obliged to share knowledge on the major risks related to the human factor.
Special thanks to Mark Johnson, Chairman, The Risk Management Group