Cybersecurity 4 security is sociotechnical issue


Description: Explains why technical solutions, on their own, cannot solve the cybersecurity problem. Accompanies a YouTube video.

Transcript of Cybersecurity 4 security is sociotechnical issue

Cybersecurity: Security is a socio-technical issue Slide 1

Security is a socio-technical issue

Slide 2

Improved security technology

• Computer security and security engineering focus on the technical aspects of the cybersecurity problem

Slide 3

• By reducing vulnerabilities in code and by adding more checks to code, many security vulnerabilities can be avoided and the number of incidents reduced

• However, this can significantly increase costs and time required for development and so delay delivery of the software

Slide 4

© John Wiley and Sons 2004

Slide 5

• “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

Slide 6

• "Security is a chain; it's only as secure as the weakest link."

© John Wiley and Sons 2004

Slide 7

• Technology is necessary but cannot, on its own, guarantee that systems will be secure

• Cybersecurity is a socio-technical rather than a technical problem

Slide 8

Why technology is not enough

• Technology reliability cannot be guaranteed

• Insider attacks

• Technical security compromises made for usability reasons

Slide 9

• Failure of organisational procedures or poorly designed procedures

• Human carelessness

• Social engineering

Slide 10

Unreliable technology

• In the same way that it is practically impossible to guarantee that a complex system is free from bugs, it is also impossible to guarantee that a system is free from security vulnerabilities

Slide 11

• Even if a system A is ‘secure’, it may rely on other systems that are potentially insecure. If these are owned by different people, ‘system wide’ security validation is impossible

Slide 12

Insider attacks

• Insiders have legitimate credentials that allow them access to the system

– Therefore, strong access control technology is not a barrier

Slide 13

• Insiders in an organisation are aware of the technical safeguards built into the system and may know how to circumvent these – especially if they have privileged system access

• Insiders have local knowledge that may be used for social engineering and so may be able to discover privileged information.

Slide 14

Maroochy water breach

Image credit: www.discoverqueensland.com.au

Slide 15

Usability vs security

• There is always a trade-off to be made between usability and security

• Security procedures slow down system operation and may alienate users

Slide 16

• Companies may make a deliberate decision to use weaker security procedures so that users don’t decide to go elsewhere

– Login/password authentication instead of biometrics

– Unencrypted information, as encryption slows down the system

© http://www.activistpost.com/ 2012

Slide 17

Procedural failures

• Procedures that are intended to maintain security may be badly designed or implemented

• This may introduce vulnerabilities into the system or may mean that users have to circumvent procedures

Slide 18

Poor procedures

• Companies request strong passwords but do not provide any help to users on how to construct strong, easy-to-remember passwords such as “My_hamster.spot”

• Requirements for regular password change. Thought to improve security, but actually means that users can’t remember passwords, so they write them down
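As an added example (not part of the original slides), here is how the two points on this slide translate into a password-handling policy in code: a check that tells the user how to reach an acceptable password instead of silently rejecting it, and an expiry rule that forces a change only on evidence of compromise rather than on a calendar, shown beside the scheduled-expiry rule it replaces. The length threshold, the small common-password list and the 90-day figure for the legacy rule are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy values for illustration; not taken from the slides.
MIN_LENGTH = 12
MAX_REPEAT_RUN = 4        # longest run of one repeated character allowed
SECONDS_PER_DAY = 86400

# Constructed stand-in for a breached/common-password list. A real deployment
# would check against a full corpus, not a handful of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty123456", "letmein",
    "welcome1", "p@ssw0rd",
}


def evaluate_password(password: str, username: str = "") -> Tuple[bool, List[str]]:
    """Return (accepted, feedback).

    Every rejection comes with advice on how to fix it, so the user is helped to
    build a strong, memorable password rather than left to guess at the rules.
    """
    feedback: List[str] = []
    if len(password) < MIN_LENGTH:
        feedback.append(
            f"Use at least {MIN_LENGTH} characters. Joining a few unrelated words "
            "with punctuation (for example My_hamster.spot) is easier to remember "
            "than a short string of symbols."
        )
    if password.lower() in COMMON_PASSWORDS:
        feedback.append("That password appears in lists of common or leaked passwords.")
    if username and username.lower() in password.lower():
        feedback.append("Do not include your username in the password.")
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT_RUN, password):
        feedback.append("Avoid long runs of a single repeated character.")
    return (not feedback, feedback)


@dataclass
class PasswordRecord:
    username: str
    set_at: float                # epoch seconds when the password was set
    compromised: bool = False    # flagged by a breach match or an incident


def must_change_calendar(record: PasswordRecord, now: float, max_age_days: int = 90) -> bool:
    """The slide-18 anti-pattern: expire on a schedule regardless of evidence."""
    return (now - record.set_at) / SECONDS_PER_DAY >= max_age_days


def must_change(record: PasswordRecord) -> bool:
    """Force a change only when there is reason to believe the password is known
    to someone else. Scheduled expiry is what drives users to write passwords down."""
    return record.compromised


if __name__ == "__main__":
    for candidate in ["password1", "aaaaaaaaaaaaaa", "My_hamster.spot"]:
        accepted, why = evaluate_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {why}")
    rec = PasswordRecord("alice", set_at=0.0)
    print("calendar rule after 100 days:", must_change_calendar(rec, 100 * SECONDS_PER_DAY))
    print("evidence rule after 100 days:", must_change(rec))
```

The feedback strings are the part that matters for the slide’s first point: a rejection that only says “password too weak” leaves the user to guess, which is how “Summer2019!” gets chosen.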

Slide 19

Human carelessness

• People will inevitably be careless

– Leave systems unattended whilst they are logged on

– Use authentication in public places where they can be observed

– Lose keys

– Etc.

© www.labnol.org 2009

Slide 20

There are some technical controls against carelessness, but it is impossible to eliminate this vulnerability completely without incurring very high costs
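One of the technical controls alluded to here, written as an added example rather than taken from the slides: server-side session expiry that makes a console left logged on useless after a short idle period, plus a requirement to have re-entered the password shortly before any sensitive action, so that a walk-up user of an unlocked screen cannot do much even while the session is alive. The timeout values are assumptions; time is passed in as epoch seconds so the behaviour can be exercised without waiting.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed timeout values for illustration; not taken from the slides.
IDLE_TIMEOUT = 10 * 60         # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600    # hard cap on session lifetime regardless of activity
STEP_UP_WINDOW = 5 * 60        # how recent a password re-entry must be for sensitive actions


@dataclass
class Session:
    user: str
    created: float         # epoch seconds
    last_activity: float
    last_auth: float       # last time the password was actually presented


class SessionStore:
    """Holds sessions server-side so that expiry is enforced by the server, not by
    whatever is left on the unattended screen."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, now)
        return token

    def get(self, token: str, now: float) -> Optional[Session]:
        """Return the session if still valid (and refresh its activity time);
        otherwise destroy it so the token cannot be reused."""
        session = self._sessions.get(token)
        if session is None:
            return None
        idle_expired = now - session.last_activity > IDLE_TIMEOUT
        absolute_expired = now - session.created > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            del self._sessions[token]
            return None
        session.last_activity = now
        return session

    def reauthenticate(self, token: str, now: float, password_ok: bool) -> bool:
        """Record a fresh password entry on a live session (the password check
        itself is outside this example, hence the boolean)."""
        session = self.get(token, now)
        if session is None or not password_ok:
            return False
        session.last_auth = now
        return True

    def can_do_sensitive(self, token: str, now: float) -> bool:
        """Sensitive actions (changing a password, approving a payment) need a
        password entry within STEP_UP_WINDOW, independent of the idle timeout."""
        session = self.get(token, now)
        return session is not None and now - session.last_auth <= STEP_UP_WINDOW

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000.0          # constructed start time
    tok = store.login("alice", t0)
    print("4 min later, sensitive allowed:", store.can_do_sensitive(tok, t0 + 4 * 60))
    print("7 min later, sensitive allowed:", store.can_do_sensitive(tok, t0 + 7 * 60))
    print("after 11 idle min, session valid:", store.get(tok, t0 + 7 * 60 + 11 * 60) is not None)
```

The cost the slide refers to shows up in the numbers: a short idle timeout protects an unattended desk but interrupts legitimate work, which is exactly the usability trade-off of slide 15.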

Slide 21

Social engineering

• Many examples that show users are willing to provide confidential information to a plausible requestor

© thehackernews.com 2011

Slide 22

• Attacker Alex calls system admin Bob pretending to be the manager of a company and asks for his password to be reset.

• He asks Bob to tell him the new password

• Bob wants to please his boss, so does as he is asked.

• Alex then can gain access to the system (and lock out the legitimate manager)

Slide 23

Multiple points of failure

• These ‘social’ vulnerabilities may be exploited in connection with each other, or with technical vulnerabilities, to gain access to the system

Slide 24

• For example, a successful password attack may require social engineering to convince system administrators to reset a user’s password

Slide 25

• A poor password change procedure, one which does not include a check that the requestor is legitimate, is what makes this attack work. Countermeasures:

– Require text confirmation of the password change request, or text the password change details to the user’s registered mobile

– Requests made by phone should require a callback to the registered number
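The checks suggested on this slide, as an added example that is not part of the original slides: a reset handler that never actions a phone request on the call itself but only calls back the number on record, sends a short-lived, single-use confirmation code to the registered mobile, and delivers the new temporary password to that same registered contact rather than reading it out to whoever asked. Applied to the Alex/Bob scenario on slide 22, Alex’s call produces a callback to the real manager, not to Alex. The account data, phone numbers, code lifetime and attempt limit are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values for illustration; not taken from the slides.
CODE_TTL = 10 * 60       # seconds a confirmation code stays valid
MAX_ATTEMPTS = 3         # wrong guesses before the code is discarded


@dataclass
class Account:
    username: str
    registered_mobile: str               # contact held on record, never caller-supplied
    pending_code: Optional[str] = None
    code_expires: float = 0.0
    attempts_left: int = 0
    temp_password: Optional[str] = None
    must_change_on_login: bool = False


@dataclass
class Outbound:
    """A message the system is allowed to send. 'to' is always taken from the
    account record, never from the request."""
    to: str
    kind: str        # "callback" or "sms"
    body: str


class ResetService:
    def __init__(self, accounts: Dict[str, Account]) -> None:
        self._accounts = accounts

    def request_by_phone(self, username: str, caller_number: str) -> Optional[Outbound]:
        """A phone request is never actioned on the call. The only action is a
        callback to the registered number; caller_number is attacker-controlled
        input and is deliberately not used for routing."""
        acct = self._accounts.get(username)
        if acct is None:
            return None
        return Outbound(acct.registered_mobile, "callback",
                        f"Callback to verify a password reset request for {username}")

    def send_confirmation(self, username: str, now: float) -> Optional[Outbound]:
        """After identity is confirmed on the callback, text a one-time code."""
        acct = self._accounts.get(username)
        if acct is None:
            return None
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"
        acct.code_expires = now + CODE_TTL
        acct.attempts_left = MAX_ATTEMPTS
        return Outbound(acct.registered_mobile, "sms", f"Reset code: {acct.pending_code}")

    def confirm(self, username: str, code: str, now: float) -> Optional[Outbound]:
        """Issue a temporary password only for a valid, unexpired, unused code, and
        deliver it to the registered contact rather than returning it to the caller."""
        acct = self._accounts.get(username)
        if acct is None or acct.pending_code is None:
            return None
        if now > acct.code_expires:
            self._clear(acct)
            return None
        if not hmac.compare_digest(acct.pending_code, code):
            acct.attempts_left -= 1
            if acct.attempts_left <= 0:
                self._clear(acct)      # stop online guessing of a 6-digit code
            return None
        self._clear(acct)              # single use
        acct.temp_password = secrets.token_urlsafe(12)
        acct.must_change_on_login = True
        return Outbound(acct.registered_mobile, "sms",
                        f"Temporary password: {acct.temp_password}")

    @staticmethod
    def _clear(acct: Account) -> None:
        acct.pending_code = None
        acct.code_expires = 0.0
        acct.attempts_left = 0


if __name__ == "__main__":
    # Constructed account and numbers.
    accounts = {"manager": Account("manager", "+44 7700 900123")}
    svc = ResetService(accounts)
    # Alex calls from his own phone claiming to be the manager.
    out = svc.request_by_phone("manager", caller_number="+44 7700 900999")
    print(out)   # the callback goes to +44 7700 900123, the real manager
```

The design point is that nothing Bob could be talked into saying on the phone is useful to Alex: the procedure gives the helpdesk no code path that hands a password to the caller, so the social-engineering pressure on Bob has nothing to act on.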

Slide 26

Summary

• Cybersecurity is a socio-technical problem

• Technology reliability cannot be guaranteed

• Insider attacks

• Technical security compromises made for usability reasons

Slide 27

• Failure of organisational procedures or poorly designed procedures

• Human carelessness

• Social engineering