Human Vulnerability in Security Systems
A system is only as strong as its weakest component. In IT security, that’s usually the people operating it. On the one hand, humans are pretty impressive – we’re able to think creatively, improvise, and work together to solve amazing problems. On the other hand, there are some areas where computers just have us beat.
One of them is consistency and precision. A computer can be programmed to do a job perfectly, and do it thousands of times every hour. A human can’t, because humans get tired and sloppy. Humans can forget to lock a door, check a security camera, or log out of their computers. Humans cannot maintain constant vigilance because we need to sleep, and the more multitasking we attempt the more escapes our notice. As with so many other tasks, taking security out of human hands through automation can be part of the solution.
Humans are forgetful. One of the most important components of security is passwords: 80% of all breaches in 2017 involved compromised credentials. Humans usually can’t remember good passwords, so they choose short, insecure phrases; or, if password policies require longer choices and special characters, they write their passwords down on sticky notes for all to read. Many corporations try to limit the damage by forcing employees to pick new passwords at regularly scheduled intervals, but employees, loath to memorize an entirely new password, simply increment their previous choice with sequential numbers or letters. Once again, taking the problem out of human hands and instituting automatic password rotation, along with better personal password management through tools like CyberSana, can help.
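The "increment the old password" habit described above can be caught mechanically at the moment a user changes their password, when both the current and the proposed password are presented in plaintext. The following check is an added example, not code from the original post or from CyberSana; it assumes that password-change context and uses constructed sample pairs rather than real credentials.

```python
import re

# Constructed sample pairs (current password, proposed new password); none are real credentials.
SAMPLE_CHANGES = [
    ("Winter2023!", "Winter2024!"),   # trailing counter bumped, the pattern the post describes
    ("Summer01", "Summer02"),
    ("Passw0rd", "Passw0rd1"),        # one character appended
    ("Password1", "password1"),       # case change only
    ("Tr0ub4dor&3", "correct horse battery staple"),  # a genuinely new password
]

# Trailing digits and punctuation are where users put their "counter".
_TRAILING_COUNTER = re.compile(r"[\d\W_]+$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character tweaks anywhere in the string."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_trivial_increment(old: str, new: str, max_edits: int = 1) -> bool:
    """True when `new` is merely a cosmetic variation of `old` and should be rejected."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True
    # Rule 1: identical stem once the trailing counter or suffix is removed
    # (Winter2023! -> Winter2024!, Passw0rd -> Passw0rd1).
    old_stem = _TRAILING_COUNTER.sub("", old_l)
    new_stem = _TRAILING_COUNTER.sub("", new_l)
    if old_stem and old_stem == new_stem:
        return True
    # Rule 2: only a character or so changed somewhere else in the string.
    return edit_distance(old_l, new_l) <= max_edits


def audit_changes(pairs):
    """Return one verdict per (old, new) pair; True means the change is a trivial increment."""
    return [is_trivial_increment(old, new) for old, new in pairs]


if __name__ == "__main__":
    for (old, new), trivial in zip(SAMPLE_CHANGES, audit_changes(SAMPLE_CHANGES)):
        print(f"{old!r:>14} -> {new!r:<32} {'REJECT' if trivial else 'ok'}")
```

A rotation policy that rejects these near-duplicates closes the loophole the paragraph describes; pairing it with a password manager keeps the rejected users from falling back to sticky notes.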
Companies can implement good security practices, but unlike computers, humans can break the rules. While security policies are occasionally violated out of greed or malice, it’s more common that a skilled attacker can, through “social engineering”, manipulate an employee’s natural impulses like empathy, fear or curiosity to access information. A common anecdote in the security field revolves around exploiting curiosity: a well-dressed attacker enters a financial firm, heads into the bathroom, and leaves a USB flash drive labeled “Layoff Info: Confidential” on the sink. A curious employee, naturally, discovers the flash drive and decides to find out whether he’ll keep his job. The flash drive may contain a bogus spreadsheet but also an autorun script that opens a reverse SSH tunnel to the attacker’s machine.
In a more recent variation, internal Pentagon networks were infected by the Agent.btz worm through USB sticks left in a DoD parking lot. The attackers couldn’t enter the buildings themselves, so they tricked staff into doing it for them. While there isn’t much that can be done to fix human nature, educating employees on common tricks and instituting the Principle of Least Privilege can help keep these sorts of breaches limited.
Humans may (for now) have a leg up on planning, abstract problem solving and overall intelligence, but that means we should be smart enough to recognize our limitations. When it comes to security, a field that by its very nature requires 24/7 vigilance, perfect consistency, perfect memory and perfect adherence to policies, take it out of human hands. Make sure all relevant employees are educated in the practices of social engineering, have clear policies to follow, and are only able to access the data they absolutely require.
Beyond that, CyberSana’s automated password rotation, continuous compliance audits, backups and more ensure that the weakest link in your security will be that much stronger and smarter.