Explains why technical solutions, on their own, cannot solve the cybersecurity problem. Accompanies a YouTube video.
Cybersecurity: Security is a socio-technical issue Slide 1
Improved security technology
• Computer security and security engineering focus on the technical aspects of the cybersecurity problem
• By reducing defects in code and by adding more checks to code, many security vulnerabilities can be avoided and the number of incidents reduced
• However, this can significantly increase costs and time required for development and so delay delivery of the software
• “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” (Bruce Schneier, Secrets and Lies, Wiley)
• “Security is a chain; it's only as secure as the weakest link.” (Bruce Schneier, Secrets and Lies, Wiley)
• Technology is necessary but cannot, on its own, guarantee that systems will be secure
• Cybersecurity is a socio-technical rather than a technical problem
Why technology is not enough
• Technology reliability cannot be guaranteed
• Insider attacks
• Technical security compromises made for usability reasons
• Failure of organisational procedures or poorly designed procedures
• Human carelessness
• Social engineering
Unreliable technology
• In the same way that it is practically impossible to guarantee that a complex system is free from bugs, it is also impossible to guarantee that a system is free from security vulnerabilities
• Even if a system A is ‘secure’, it may rely on other systems that are potentially insecure. If these are owned and operated by different people or organisations, ‘system-wide’ security validation is impossible
Insider attacks
• Insiders have legitimate credentials that allow them access to the system
– Therefore, strong access control technology is not a barrier
• Insiders in an organisation are aware of the technical safeguards built into the system and may know how to circumvent these – especially if they have privileged system access
• Insiders have local knowledge that may be used for social engineering and so may be able to discover privileged information.
Maroochy water breach
• Maroochy Shire, Queensland, 2000: a disgruntled former contractor who had worked on the installation of the council's sewage control system used his knowledge of it and radio equipment to send unauthorised commands to pumping stations, causing raw sewage spills. A textbook insider attack: the system's technical safeguards were no barrier to someone who knew how they worked
Usability vs security
• There is always a trade-off to be made between usability and security
• Security procedures slow down system operation and may alienate users
• Companies may make a deliberate decision to use weaker security procedures so that users don’t decide to go elsewhere, for example:
– Login/password authentication instead of biometrics
– Unencrypted information, as encryption slows down the system
Procedural failures
• Procedures that are intended to maintain security may be badly designed or implemented
• This may introduce vulnerabilities into the system or may mean that users have to circumvent procedures
Poor procedures
• Companies request strong passwords but do not provide any help to users on how to construct strong, easy-to-remember passwords such as “My_hamster.spot”
• Requirements for regular password change. Thought to improve security, but in practice it means that users can’t remember their passwords, so they write them down
Human carelessness
• People will inevitably be careless
– Leave systems unattended whilst they are logged on
– Use authentication in public places where they can be observed
– Lose keys
– Etc.
• There are some technical controls against carelessness (for example, automatic session timeouts), but it is impossible to control this vulnerability completely without incurring very high costs
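As an added illustration of the kind of technical control meant here (example code written for this page, not from the original slides): a server-side session manager that destroys a session after a period of inactivity, forces re-authentication after an absolute lifetime, and requires the password to be re-entered for sensitive actions if it was not entered recently. The timeout values are assumed policy numbers, and password checking is assumed to happen before `login()` and `reauthenticate()` are called.

```python
import secrets
import time

# Assumed policy values for this example; real values depend on the system's risk.
IDLE_TIMEOUT = 10 * 60        # seconds of inactivity before the session is destroyed
ABSOLUTE_LIFETIME = 8 * 3600  # seconds after login when re-authentication is forced
STEP_UP_WINDOW = 5 * 60       # sensitive actions need a password entered this recently


class SessionManager:
    """Server-side sessions that expire on inactivity and on absolute age, so a
    terminal left logged on does not stay usable indefinitely, plus a step-up
    check so that a passer-by at an unlocked screen cannot perform sensitive
    actions without re-entering the password."""

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable clock so expiry can be tested
        self.sessions = {}     # token -> {"user", "created", "last_seen", "last_auth"}

    def login(self, user):
        """Issue an unguessable token. Assumption: the caller has already
        verified the user's password."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = {"user": user, "created": now,
                                "last_seen": now, "last_auth": now}
        return token

    def reauthenticate(self, token):
        """Record a fresh password entry for step-up. Assumption: the caller
        has just verified the password again."""
        session = self.sessions.get(token)
        if session is None:
            return False
        session["last_auth"] = self.clock()
        return True

    def authorise(self, token, sensitive=False):
        """Call on every request. Returns the user name if the request may
        proceed. Returns None and destroys the session on idle or absolute
        expiry; returns None but keeps the session when a sensitive action
        needs the password re-entered first."""
        session = self.sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]     # user walked away: idle expiry
            return None
        if now - session["created"] > ABSOLUTE_LIFETIME:
            del self.sessions[token]     # session too old: absolute expiry
            return None
        session["last_seen"] = now
        if sensitive and now - session["last_auth"] > STEP_UP_WINDOW:
            return None                  # prompt for password, then reauthenticate()
        return session["user"]

    def logout(self, token):
        """Explicit logout; also what a 'lock screen' control should call."""
        self.sessions.pop(token, None)
```

The idle timeout addresses the unattended logged-on terminal; the absolute lifetime bounds how long a stolen token stays useful; the step-up window limits what a bystander at an unlocked screen can do. None of them makes carelessness impossible, which is the slide's point.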
Social engineering
• Many examples that show users are willing to provide confidential information to a plausible requestor
• Attacker Alex calls system admin Bob pretending to be the manager of a company and asks for his password to be reset.
• He asks Bob to tell him the new password
• Bob wants to please his boss, so he does as he is asked.
• Alex then can gain access to the system (and lock out the legitimate manager)
Multiple points of failure
• These ‘social’ vulnerabilities may be exploited in combination with each other, or with technical vulnerabilities, to gain access to the system
• For example, a successful password attack may require social engineering to convince system administrators to reset a user’s password
• A poor password change procedure does not include a check to ensure that the requester is legitimate. A better procedure would:
– Require confirmation of the password change request by text, or text the password change details to the user’s registered mobile
– Require that requests made by phone are completed by a callback to the registered number
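The Alex-and-Bob scenario and the countermeasures above, worked through as an added example (written for this page, not from the original slides). `weak_reset` is the procedure the slides criticise: reset on a bare phone request and read the new password back to the caller. `ResetDesk` is the hardened version: the help desk ignores who the caller claims to be, texts a one-time code to the number already on file, completes the reset only when that code is presented, and delivers a must-change temporary credential to the same phone rather than by voice. The directory, the SMS gateway, the code lifetime and the attempt limit are all constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample directory of registered contact numbers. Assumption: the
# number on file is the ONLY number the help desk ever texts or calls back.
DIRECTORY = {
    "manager": "+44 7700 900123",
    "bob": "+44 7700 900456",
}

CODE_TTL_SECONDS = 300   # one-time code lifetime (assumed policy value)
MAX_ATTEMPTS = 3         # wrong guesses allowed before the request is voided


@dataclass
class AccountStore:
    passwords: dict = field(default_factory=dict)   # account -> current credential
    must_change: set = field(default_factory=set)   # accounts on a temporary credential
    audit: list = field(default_factory=list)        # (event, account, detail) tuples


def weak_reset(store, account, caller_claim):
    """The procedure the slides criticise: reset on a bare phone request and
    read the new password back to whoever is on the line. Nothing ties the
    caller to the account, so Alex only has to sound like the manager."""
    new_pw = secrets.token_urlsafe(12)
    store.passwords[account] = new_pw
    store.audit.append(("weak_reset", account, f"caller said: {caller_claim}"))
    return new_pw   # disclosed to the caller


class ResetDesk:
    """Hardened procedure: verify possession of the registered phone before
    resetting, and deliver the new credential out of band, never by voice."""

    def __init__(self, store, outbox, clock=time.time):
        self.store = store
        self.outbox = outbox     # simulated SMS gateway: list of (number, text)
        self.clock = clock       # injectable so expiry can be tested
        self.pending = {}        # account -> {"code", "expires", "attempts"}

    def request_reset(self, account):
        """Step 1. Ignore who the caller claims to be and the number they are
        calling from; text a one-time code to the number on file."""
        number = DIRECTORY.get(account)
        if number is None:
            self.store.audit.append(("reset_refused", account, "unknown account"))
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = {"code": code, "attempts": 0,
                                 "expires": self.clock() + CODE_TTL_SECONDS}
        self.outbox.append((number, f"Password reset code: {code}"))
        self.store.audit.append(("reset_requested", account, f"code sent to {number}"))
        return True

    def complete_reset(self, account, presented_code):
        """Step 2. Only someone holding the registered phone can present the
        code. On success a temporary credential is texted to that same phone
        and flagged must-change, so the help desk never learns or reads it out."""
        entry = self.pending.get(account)
        if entry is None:
            self.store.audit.append(("reset_denied", account, "no pending request"))
            return False
        if self.clock() > entry["expires"]:
            del self.pending[account]
            self.store.audit.append(("reset_denied", account, "code expired"))
            return False
        if not hmac.compare_digest(entry["code"], presented_code):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self.pending[account]
                self.store.audit.append(("reset_denied", account, "too many attempts"))
            else:
                self.store.audit.append(("reset_denied", account, "wrong code"))
            return False
        del self.pending[account]   # single use: a captured code cannot be replayed
        temp = secrets.token_urlsafe(12)
        self.store.passwords[account] = temp
        self.store.must_change.add(account)
        self.outbox.append((DIRECTORY[account],
                            f"Temporary password: {temp} (change at first login)"))
        self.store.audit.append(("reset_completed", account, "temporary credential texted"))
        return True


def code_from_text(text):
    """Helper for a demo or test: pull the code out of a texted message."""
    return text.rsplit(" ", 1)[-1]
```

The point of the design is the one the slides make: the check is procedural as much as technical. Bob's willingness to please his boss no longer matters, because the procedure gives him no way to hand a credential to the person on the phone; it can only go to the phone already registered to the account.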
Summary
• Cybersecurity is a socio-technical problem
• Technology reliability cannot be guaranteed
• Insider attacks
• Technical security compromises made for usability reasons
• Failure of organisational procedures or poorly designed procedures
• Human carelessness
• Social engineering