Human Factors Notes

Week 35: Human Factors

Shujun LI (李树钧), Director, Institute of Cyber Security for Society (iCSS), Professor of Cyber Security, School of Computing.

Outline

• A Quiz (Teaser)
• Humans = The Weakest Link?
• The “Zoo” of Human Actors as Weak Links in Security
• Making “Weak” Humans Strong(er)!

Human Factors Quiz (Teaser)

• Are you a weak link in your system?
  • Have you installed any encryption software (such as GPG) for your email client or web browser (for webmail)?
  • How often do you use the encryption software to protect your important personal emails?
  • Have you written down one or more of your passwords (on paper, on mobile phone, etc.) at least once to avoid forgetting them?
  • Have you (partially) reused passwords over multiple websites?
  • Do you know how digital certificates are used with secure websites such as online banking sites?
  • If YES to the previous question: How often do you check digital certificate’s contents against the claimed owner?
  • Have you seen a web browser warning about a digital certificate used by a website (untrusted issuer, expired, or self-signed certificate, etc.)?
  • If YES to the previous question: Did you choose to ignore the web browser warning(s) because you felt that you could trust the website(s) you were visiting?
  • Should you trust a CA or when should you trust it?

Humans = The Weakest Link?

• Data breaches visualised (2004-).
• World's Biggest Data Breaches & Hacks.
• Selected events over 30,000 records stolen. Updated: Jun 2024.
• Examples of companies and scale of breaches include:
  • AT&T
  • CDEK
  • WHB
  • Indonesia's health agency
  • Indian Railways
  • Facebook
  • Canva
  • Arma
  • Capital One
  • Dubsmash
  • Xfinity
  • Twitter
  • Shanghai Police
  • Shein
  • T-Mobile
  • Experian Brazil
  • Microsoft
  • Facebook
  • Uber

Data breaches and password cracking:

• 2017 Verizon Data Breach Investigations Report (DBIR)
  • What tactics do they use?
    • 62\% of breaches featured hacking.
    • 51\% over half of breaches included malware.
    • 81\% of hacking-related breaches leveraged either stolen and/or weak passwords.
    • 43\% were social attacks.
    • 14\% Errors were causal events in 14% of breaches.
    • The same proportion involved privilege misuse.
    • 8\% Physical actions were present in 8% of breaches.

What passwords are/were being used?

• Things we can remember.

What PINs are/were being used?

• DataGenetics, PIN analysis, 3rd September 2012
• 3.4 million 4-digit PINs
  • 19xy
  • mmdd
  • xyxy
  • 20xy
  • ddmm
  • 9900
  • 9999
  • 0099
  • 0000
  • 5000
  • 5099
  • 0050
  • 9950
  • 1234
  • 10xx
  • xx11
  • xx25
  • xx33
  • 1111

IBM 2015 Cyber Security Intelligence Index

• Over 95 percent of breaches caused by insiders are unintentional due to human error.

  • Accidentally posting information on the company's public-facing website.
  • Sending information to the wrong party via email, fax, or mail.
  • Improperly disposing of clients' records.

• Insiders who set out to take advantage of the company they work for can be much more dangerous.

  • It's more difficult to thwart these insiders' malicious actions because they're willing to take extraordinary measures to circumvent access controls and are typically unconcerned with corporate policies or the potential consequences of their actions.
  • Attackers use one attack as a smokescreen to hide others.

• Security is a process, NOT a product.

  • A product is secure. ≠ A process is secure.

• Social engineering does work well!

  • Hackers only need to break the weakest link in a process – humans!
  • Weak human users vs. Strong hackers

• A real hacker’s testimony

  • Kevin D. Mitnick (1963-2023) and William L. Simon The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons Inc., 2003
  • Explained that he could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.

Social engineering everywhere:

• Phishing, smishing, vishing.
• Getting your password from you.
• Whaling (CEO fraud)
  • Phishing attacks targeting senior executives.
  • An example in 2016 about FACC
    • “An Austrian aerospace manufacturer [FACC] that lost €50 million in a business email compromise scam earlier this year has fired its CEO over the incident.”

IBM Cyber Security Intelligence Index

• Top initial access vectors in 2023 versus 2022
  • Valid accounts (T1078): 41\% in 2023, 30\% in 2022
  • Phishing (T1566): 30\% in 2023, 26\% in 2022
  • Exploit public-facing application (T1190): 16\% in 2023, 12\% in 2022
  • External remote services (T1133): 9\% in 2023, 4\% in 2022
  • Replication through removable media (T1091): 3\% in 2023, 3\% in 2022
  • Drive-by compromise (T1189): 1\% in 2023, 1\% in 2022
  • Trusted relationship (T1199): 1\% in 2023, 1\% in 2022

The