
Human Factors on Computer Security

MOHD SUHAIMI BIN MOHD NASUHA


SX140090CSRS04
COMPUTER SECURITY (SCSR3413)
ASSIGNMENT 1
Dr. MAZURA MAT DIN

Human, the weakest link


Cause of Leak
Misoperation: 35%
Worm: 0%
Appropriation of Data: 0%
Bug: 1%
Illegal Access: 1%
Failure of System Setting: 1%
Theft: 7%
Insider Crime: 2%
Brought out: 5%
Lost the media: 14%
Failure of Management: 33%

(From JNSA, 2011 Information Security Report)

Most data leaks are caused by humans.

The human factor is also the most dangerous for general information security matters.



Five causes of information leak

1. Human-Targeted Attack
2. Bringing out or loss of data media
3. Mistake on sending data to outside
4. Insider Crime
5. Thoughtless leak on Social Networking Service

(Slide labels: Human Error, Intentional)

1. Human-Targeted Cyber Attack

Attackers: Country-level, Company-level, Cracker Group, Individual
Attacks: Human-Targeted, DOS Attack, Mass Spam
Targets: Particular Person, Particular Organization, Everyone

The cyber attackers are becoming bigger and more organized.

The targets are shifting to bigger and more focused ones.

The arts of attack became more sophisticated and tailored for the p

Example of targeted attack email

Date: Wed, 18 Apr 2012 06:31:41 -0700
From: Kevin Mandia <kevin.mandia@rocketmail.com>
Subject: Internal Discussion on the Press Release
Hello,
Shall we schedule a time to meet next week?
We need to finalize the press release.
Details click here.
Kevin Mandia

From Mandiant report.

The attack is supposed to be from the Chinese army.

Impersonating the president of the company.

The link leads to a malware download.

Typical Techniques of Trap Mail

"Help me now" type
Pretends to be someone having trouble with a computer, and demands a temporary relaxation of security policy.
"Please tell me the password to open the file." etc.

Police impersonation type
Commands and controls the victim.
"Open the attachment file. This is demanded by the information security center."

Ordinary information type
Pretends to be an unimportant mail.
"Open the attachment to see spec of the new copy machine."

Those are not accidental human errors, but sophisticated techniques to reduce human wariness.

Prevention of targeted attack

Equipment countermeasure
Filtering of email.
Automatic removal of exe files.

Countermeasure on Human Management
Education: Vaccine Training
Information Management: Do not allow inappropriate personnel to access important data.
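
An added example (not from the original slides) of the two equipment countermeasures above, mail filtering and automatic removal of exe files, run on a constructed message that reuses the sender line of the Mandiant example. COMPANY_DOMAIN, PROTECTED_NAMES, BLOCKED_EXT, the attachments and all function names are assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values for this sketch; none of them come from the slides.
COMPANY_DOMAIN = "example.com"
PROTECTED_NAMES = {"kevin mandia"}   # people whose names are worth spoofing
BLOCKED_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def is_executable(part):
    """Blocked extension, or a Windows PE header ("MZ") under any file name."""
    name = (part.get_filename() or "").strip().lower()
    data = part.get_payload(decode=True) or b""
    return name.endswith(BLOCKED_EXT) or data[:2] == b"MZ"


def impersonates_executive(msg):
    """Display name is a protected name, but the address is not a company one."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return name.strip().lower() in PROTECTED_NAMES and domain != COMPANY_DOMAIN


def filter_mail(msg):
    """Strip executable attachments in place; return (findings, removed names)."""
    findings, removed = [], []
    if impersonates_executive(msg):
        findings.append("display-name impersonation")
    for part in msg.walk():
        if not part.is_multipart() and is_executable(part):
            removed.append(part.get_filename() or "(unnamed)")
            part.set_content("[attachment removed by mail filter]")
    return findings, removed


def sample_trap_mail():
    """Constructed sample: the slide's sender line plus two made-up attachments."""
    msg = EmailMessage()
    msg["From"] = "Kevin Mandia <kevin.mandia@rocketmail.com>"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Internal Discussion on the Press Release"
    msg.set_content("We need to finalize the press release.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60   # fake PE header, not a program
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="pdf", filename="press_release.pdf")
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="octet-stream", filename="copy_machine_spec.exe")
    return msg


if __name__ == "__main__":
    print(filter_mail(sample_trap_mail()))
```

The file named press_release.pdf is caught by its content rather than its name, which is why the filter checks the header bytes as well as the extension.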

ent
Why bring out? Why copy files to USB memory?
Overtime work at home.
Sending big files to customers.
To convey files to stand-alone equipment.

Why does it leak?
Loss of USB memory and/or smartphone.
Attach a big strap to such small equipment.
Smartphones must be protected by passcode.
Make a password policy: how to make, share, and retire them.
Unguarded equipment
Left at the initial setting/password.
Peeping from the side
Do not open your laptop and smartphone in crow

3. Failure on sending the file

Excel files may contain an unwanted sheet.
Elimination of unintentional data contained in a Word file
Prepare a clean model file and start the work from it.
Do not use an old file again.

Before and After sending

Before: Check
Sending address, letter body, and attachments.
But an email address is not easy to read.
Do not use unreliable methods
Broadcast mail that hides the receivers' mail addresses by listing them in BCC.
Using mail as a file-sending machine too much.
After: Cancellation of wrong mail

4. Insider Crime: Information Theft

To sell and get money.
To protect oneself from company authority
Secret documents described in the movie Erin Brockovich
By personal belief and/or political reason
Wikileaks, etc.
By selfish reason (but not spy-like crime)

(From Symantec and Ponemon Report Data Loss Risks During Downsizing -- As Employees Exit, so does Corporate Data, 2009)
Employees are stealing data and are more likely to do so when they don't trust their employer.
Employees are stealing proprietary and confidential data that might affect their former company's busine

5. Thoughtless leaks on SNS

Tweeting confidential information about the job.
Writing about disgraceful matters in the company.
Writing important news without knowing that it is important.
Leak preceding official press release, etc.

Why write?
SNS (Social Network Services) seem to be small networks of one's friends.
But SNS are actually worldwide and open.
On SNS, one can act as almost anonymous.
But it is very easy to detect your identity from the records of your anonymous account.

Leakage from Cognitive Gap

(Diagram: Boss's view, "This info is important." / "It is not important.", set against Subordinate's view, "This info is important." / "It is not important.")

<Locked Door> This info is dealt with as property.
<Door of Rumor> This info is easy to be leaked.
<Free Door> This info remains neglected until analysis technology is invented.
<Glassed-In Door> This info is used without correct permission.

Two doors of cognitive discord are the main routes of data loss and leak.

Provisions against Data Leakage

Countermeasure on Equipment
Security software and hardware are already prepared for typical and ordinary patterns.

On Individuals
Awareness of danger is required for every employee.
Clear policy, reasonable procedure, and kind education.

On Organization: Security policy
You cannot have everything: Usability vs. Security.
Security is a matter of choice.
Company policies on passwords, BYOD, cloud service etc.
Do not leave the policies to individual employe

The human factor of security

(Diagram: Successful attack; Deceit, Neglect, Configuration)

The human factor: configuration

Weak passwords
With Tsow, Yang, Wetzel: Warkitting: the Drive-by Subversion of Wireless Home Routers
(Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)

(Figure labels: wardriving, rootkitting, Wireless firmware update)
Shows that more than 50% of APs are vulnerable

The human factor: configuration

Weak passwords

With Stamm, Ramzan: Drive-By Pharming

(Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21; we think all APs but Apple's are at risk. Firmware update tested on only a few. Paper in submission)

(Figure labels: Wireless; Use DNS server x.x.x.x)
And worse: geographic spread!

The human factor: neglect


The human factor: deceit


(Threaten/disguise - image credit to Ben Edelman)

Experiment Design


Ethical and accurate assessments

With Ratkiewicz: Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features (WWW, 2006)

Reality: (diagram: eBay; steps 1, 3 credentials, 4)

Attack: (diagram: A; steps 1 (spoof), 2 credentials)

Experiment: (diagram: A1, A2, B; steps 1, 2, (spoof), 4 credentials, 5 eBay)

Yield (incl spam filtering loss): 11%
3% eBay greeting removed: same

Stay Safe
Think before you click and try to be mysterious when online
