THE HUMAN RISK TO CYBER SECURITY
SHIREEN WALTON AND DAVID HIGGINS – BEE Resilient
AGENDA
About us
Introduction
Cybercrime – techniques, factors and impacts
Security is a state of mind, not a state
Positive psychology and human factors in security
The Murad conspiracy – a real world story
Questions?
Contact us.
About us
David: Secure Government, National Security & Intelligence background, Security Director – Critical National Infrastructure, Cabinet Office High Risk/High Threat Programme Reviewer.
Shireen: Cyber Security and Agile Software Development – GCHQ, NCSC, Banking, Retail, GDS, Smart Meters, Human Factors and Positive Psychology
Introduction
Security is a growing concern. It’s more important than ever that businesses are protected against harmful threats.
Cyber security threats have been well documented in the media but security problems are much more widespread. They don’t just pose an IT risk, but a significant business risk that could threaten the whole scope of commercial business operations and materially impact National Security.
Despite increased expenditure on security technology, security attacks continue to grow at an exponential rate.
Human factors play a key part in attack and defence strategies.
What do we mean?
Cybercrime “criminal activity carried out by means of computers or the internet”
Internet based, criminally motivated attacks designed to:
Steal data – phishing, personal data, credit cards, passwords for re-use/sale etc
Stop or misuse operational processes (normally associated with blackmail) – Denial of Service due to traffic overload, Bitcoin mining
Deploy Ransomware (also blackmail) – encrypt operational data, decrypt for bitcoin etc
Intellectual Property theft – acquire valuable information allowing competitive advantage, time to market, military superiority etc.
Non-Internet, cyber-enabled, criminally motivated attacks:
Vishing – fraudulent bank card transfer etc
Smishing – malicious links, fraudulent HMRC texts etc
Plain old letter in the post
How’s my driving?
What do we mean?
Cybercrime can also be used as a basis to conduct military or political operations without actually declaring war:
Energy planning data before bidding for power station contracts
Attacking critical national infrastructure to weaken an opponent's ability to resist – Ukraine, BlackEnergy
Social media manipulation to create or diffuse support – Bots, fake news etc.
Cyberterrorism, Cyberwarfare
Traditional crime transformed through the use of computers and technology
Online marketplaces for illegal items
Malicious and offensive communications, i.e. cyberbullying
Child sexual offences etc
The financial costs:
Organisations (and individuals) are under attack all the time. But what is the impact of this risk?
Financial – NHS WannaCry attack cost £92 million to fix; Norsk Hydro – currently $40 million and rising
Threat to life – failure of medical equipment, air traffic control, safety systems, water treatment, energy
Loss of reputation – TalkTalk's loss of individuals' personal details and credit data – lost 100,000 customers and drop in share price
Loss of operational capability impacting profit – Maersk ransomware
Regulatory and legal impact – GDPR, PECR regulations
Who’s doing it?
Organised crime – who might not look like criminals (of which more later)
Opportunist crime – white hats, DVLA/Insurance details case
Hacktivists/activists – may be related/sponsored by states, socially motivated
Nation states – who also may not look like that
Insiders – Edward Snowden, NSA contractor (50Tb of data in the garage..)
And how do you tell them apart? The problem of reliable attribution and chain of evidence – of which more later
Insured losses?
Mondelez vs Zurich – $100 million claim based on 17,000 servers and 24,000 laptops; claimed to be Russia but intelligence services couldn't confirm
DLA vs Hiscox – claim based on 15,000 hours of overtime to clean up after NotPetya
Maersk vs Allianz – in progress as the attack is cleaned up – cost >$100m
The attribution problem
Firstly - why attribute?
Attribution is complicated (but not impossible)
Digital obfuscation and anonymity
Hacking as a Service
Some actors actively pretend to be another actor (especially nation states)
The weak spot
95 to 97% of compromises are based on email-based attacks
Attack surface actively seeks to compromise the weakest link – humans
Risk assessment, and thus security posture, is based on the risk tolerance of the assessor coupled with the psychological resilience of the organisation
Are Threat Actors Using This Approach? They are – as a method of creating information warfare campaigns as well as targeted “under pressure” attacks specifically designed to exploit the psychological make-up of defender teams and high value asset owners.
Information Security Forum Threat Horizon 2020.
Risk Assessment as an Art Not a Science
Thinking about security risk:
• Risk Frameworks
• Threat Intelligence
• Threat perimeter perceptions
• Team and organisational dynamics
• The macro environment
• Personal psychological frameworks (aka “Risk tolerance”)
Measuring Personalities
• What approaches can we use to measure the make up of overall personality structure of security risk assessment teams?
• O.C.E.A.N.
• Openness
• Conscientiousness
• Extraversion
• Agreeableness
• Neuroticism
Tupes and Christal (1961), Digman and Goldberg (1990), Costa and McCrae
(1976), Cattell (2007)
OCEAN – Personality Fundamentals
Anna Tunikova for peats.de - https://peats.de/article/big-five-die-personlichkeit-in-funf-dimensionen
Mapping the Ocean
[Radar chart: Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism, each scored 0–10; built up over successive slides with the Defender profile, then a Blended profile, then the Attacker profile]
Mapping the Ocean – disposition gap
[Same radar chart, Blended vs Attacker, highlighting the gap between the two profiles]
Beyond the Ocean
Other complicating factors:
• Groupthink – The social dynamics of a situation override the best outcomes.
• Confirmation Bias – Looking for ways to justify your existing beliefs.
• Belief Bias – If a conclusion supports your existing beliefs then you’ll rationalise anything that supports it.
• In-Group Bias – favouring those who belong in your group.
• Reactance – Doing the opposite of what someone is trying to make you do.
*World Economic Forum – 24 Cognitive biases that are warping your perception of reality
Reducing the risk
• Ensure that you have explicit psychological diversity in the risk assessment process.
• Look for, and avoid, Groupthink, In-Group Bias and Confirmation Bias.
• Be aware of belief bias – e.g. “it won’t happen to us” (security through insignificance isn’t a defensive strategy).
• Psychological flexibility (aka Neuroplasticity) and resilience are key to reducing the gap.
Neuroplasticity in Action
http://techdissected.com/wp-content/uploads/2015/12/London-Black-Cab-Featured-Image.jpg
WHAT CAN WE DO TO MANAGE THE HUMAN RISK TO CYBER SECURITY
Establish resilient behaviour into organisational thinking.
Research shows that resilience is innate to the human condition
Ability to bounce back from difficulty
BEE RESILIENT
“Our greatest freedom is the freedom to choose our attitude.” – Viktor Frankl, ‘Man’s Search for Meaning’
The innate resilience of the human condition
“Forces beyond your control can take away everything you possess except one thing, your freedom to choose how you will respond to the situation.” ― Viktor Frankl
Being in the flow helps us to handle adversity:
“To overcome the anxieties and depressions of contemporary life, individuals must become independent of the social environment to the degree that they no longer respond exclusively in terms of its rewards and punishments. To achieve such autonomy, a person has to learn to provide rewards to herself. She has to develop the ability to find enjoyment and purpose regardless of external circumstances.”
― Mihaly Csikszentmihalyi, Flow: The Psychology of Optimal Experience
Tools/Interventions that will help you –
Mindfulness
Self Compassion
Gratitude
3 Good Things
Loving Kindness
Forgiveness
Cognitive Behavioural Therapy
The neuroplasticity of the brain
Working together – bee thinking
Getting things done as a group
Individual autonomy
Model of social organisation
Flexible
Adaptable
Collaboration
Interdependent
THE T.H.R.I.V.E Model
THREAT
HOW RESILIENT ARE YOU?
HUMAN FACTORS
HUMANS AT THE CENTRE OF THE CYBER SYSTEM
RELATIONSHIP
SERVANT LEADERSHIP
TEAMWORK
INTEGRITY/ETHICS
BUILDING CYBER SYSTEMS FOR PEOPLE
VISION
WHAT IS YOUR STORY?
ELASTICITY
FLEXIBLE
ADAPTABLE
THE CYBER RESILIENCE INDEX
Question: YES/NO answer?
AT WORK
MY HUMAN VALUES ARE ALIGNED TO THE VALUES OF THE ORGANISATION: YES/NO
I am supported when I make a mistake: YES/NO
I believe my organisation can overcome any challenges: YES/NO
I can say no when I have to: YES/NO
I can learn new skills at work: YES/NO
The Resilience Threat analysis
IF MORE YES THEN YOU ARE THRIVING AND RESILIENT
IF YES/NO THEN NEED TO EVALUATE STRENGTHS AND WEAKNESSES IN EACH AREA OF THE THRIVE MODEL
IF NO: YOU ARE SURVIVING
Evidence so far:
BASED ON SCIENTIFIC RESEARCH
CURRENTLY WORKING WITH A CYBER COMPANY TO MAKE THEIR TEAM OF ETHICAL HACKERS MORE RESILIENT
FINDINGS SO FAR:
ABLE TO RECOVER FROM MISTAKES
ABLE TO REFLECT AND LEARN
CLARITY ON THEIR PERSONAL STORY AND CYBER MISSION
TEAM COLLABORATES AS A HIVE TO SOLVE CYBER PROBLEMS- CREATIVE SOLUTIONS AND INNOVATION
ABLE TO ADAPT AND BE FLEXIBLE TO UNDERSTAND CYBER CRIMINALS MINDSET
IS THE HUMAN RISK TO CYBER SECURITY REAL?
‘HE WHO MOVES FAST, WHO THINKS FAST AND WHO MOVES FIRST, WILL CREATE A WORLD OF COMPETITIVE ADVANTAGE’ – Klaus Schwab – WORLD ECONOMIC FORUM 2018
The vision of our cyber security future is based on the stories we tell:
Their flowing cups freshly remember’d.
This story shall a good man teach his son;
And Crispin Crispian shall ne’er go by,
From this day to the ending of the world,
But we in it shall be remember’d;
We few, we happy few, we band of brothers;
Who owns Muradinvestment.com?
Phone number traces to VideoZal.Net, based in Moscow, whose domain was decommissioned in February 2019
Murad round up
Website registered via a now-defunct Russian registrar
Contact details of a deceased Tennessee resident
Persona using stolen/fake photos – bad operational security!
Persona integration (between actors)
Financial inducement email
Not great geographical awareness, Building 304 (Murad HQ) doesn’t exist
Conclusion: Likely to be a more sophisticated advance payment fraud or information gathering (security posture, client data etc) for criminal or nation state
Attribution and chain of evidence
Connect/Contact Us
David: LinkedIn: https://www.linkedin.com/in/higginsdavid/
Mobile: 07747 898095
Shireen: LinkedIn: https://www.linkedin.com/in/shireen-walton-32304416
Mobile: 07771 580147