The Strongroom

Securing the Human: A $35m Question

21 August 2017

Information Security

Written by Chris Hails

Browsing the BBC website this morning, a quote in a report on Alex Stamos' keynote to Black Hat jumped out at me. Facebook's CSO was talking about 'a more people-centric security industry' and suggested:

"We have perfected the art of finding problems without fixing real world issues. We focus too much on complexity, not harm."

The human side of information security and associated online harms is a major focus for me. Between August 2010 and August 2016, New Zealanders reported almost 28,500 online incidents to NetSafe involving $35m in direct financial losses.

In policing terminology there's a difference between pure 'advanced cybercrime' and cyber-enabled crime, but when you've spoken with individual victims who have lost their life savings thanks to some shady overseas operator, the difference tends to melt away and the impact on the victim is what matters most.

Think of the individual who has remortgaged their house; drained their business of operating capital; travelled to a hotel room thousands of miles away to meet that mysterious investor offering a handsome percentage in return for a small up-front payment.

Those experiences at NetSafe left me wanting to find solutions to what are increasingly known as 'socio-technical attacks'. If you haven't heard that term before, I'll refer to Dr Jean-Louis Huynen: "A socio-technical attack is possible because of the human components in a system."

Over those six years working at NetSafe, the most common - and most financially and/or emotionally harmful - forms of socio-technical attacks were:

  • Romance fraud

  • Investment fraud

  • Ransomware

  • Business Email Compromise (BEC)

Whether you classify those as cyber-enabled or pure cyber attacks isn't the important point here. The key is that in the majority of those cases, the weakest link in the system was often a human being - a human who responded to the charms of a scammer or was curious enough to infect their own system and encrypt essential data.

Humans, it's fair to say, can be wonderful things but they also come with a range of inherent flaws or vulnerabilities:

  • Many of us like to help people: that could be holding a door open for someone wearing a hi-vis vest who is piggybacking into a building, or allowing the helpful 'Microsoft' technician to have access to your computer to fix the viruses.

  • Many of us respond to outside forces or biases in the form of authority, curiosity or a general sense of invincibility and click on the malicious attachment or submit our credentials to the phishing site that 'satisfices' our need to verify it really is the official bank website.

These concepts are not new and whilst a smattering of the word cyber adds a sexy sheen to the stories, humans have been taken advantage of for a long time.

What cyber brings to the picture is a speed of operation and an ability to bridge distance that would have been unimaginable to criminals operating at the end of the 19th century. Speed and ease of operation, combined with access to a global pool of victims, equals profit, and that has changed the face of modern crime.

Look at the latest UK crime statistics and you'll find that 'cyber crime' in the form of Computer Misuse and Cyber Enabled Fraud now makes up 53% of reported crime.

There's no doubt that the technical skills involved in advanced, persistent, technically impressive attacks are to be reviewed with a wry smile and a sense of awe.

But it's becoming apparent that a failure to implement basic cyber hygiene steps - not sophisticated attackers - is often to blame. And that includes failing to train your staff on how to recognise suspicious activity and how to respond to potential cyber incidents.

Dr Ian Levy, from the UK's National Cyber Security Centre, probably said it best:

"A lot of the attacks that we see on the internet today are not purported by winged ninja cyber-monkeys. Attackers have to obey the laws of physics; they can't do things that are physically impossible."

The wonderful people at InternetNZ have provided me with funding this year to explore some of the root causes of those 28,500 incidents, to research why so many socio-technical attacks are successful and to examine if there might be a programmatic way to identify individual cyber security risk profiles and deliver adaptive security benefits in future.

It's only the start of the project, but I'll be posting updates as I progress in the hope we can continue to explore ways to help more people stay safe and secure online.

Chris Hails

Information Security Consultant at Origin

Chris is an information/cyber security specialist with an interest in cyber-enabled crime and social engineering. He likes to look at patterns in data and speak with real people to understand and solve problems.
