Opinion

The human factor in cybersecurity


Cyber-attacks are the order of the day. In two months we have had two attacks with a lot of media coverage, but many others have not been covered as much and many others have not been made public. In all of them there is a key factor, the individual. In a very significant percentage of cases we are the entry point for the worst attacks. We analyse the importance of the user and the human factor in cybersecurity; how it influences the defence of our systems and how to be more cybersecure.

1.- Presence of the user in systems:

Today, any person, in Spain and anywhere in the world, has to connect to the internet or some device to work, manage a bureaucratic procedure, communicate, or simply for leisure. These interactions have skyrocketed due to the pandemic and teleworking.

We also know that the user is not an isolated agent, but interacts in various environments: work, home, mobile devices, IoT devices, etc. Interaction exists.

In this context, the traps that cybercriminals are throwing at us are increasingly original and sophisticated, and many of them are designed to exploit gaps in the user's knowledge of cybersecurity.

It has always been said that a chain is only as strong as its weakest link, which applies to cybersecurity. A company or a family can invest enormous resources in making their computers or mobiles practically impenetrable barriers, but if the users themselves are responsible for opening holes in these barriers, we will find ourselves completely compromised and vulnerable to their attacks.

A few days ago an alert was published by the Spanish National Cybersecurity Institute (INCIBE) warning of a phishing attack that tries to impersonate the Tax Agency at this time of year when the IRPF is due to be paid. This is an annual classic. We can count on the best antivirus, use VPNs, strong passwords, all kinds of defensive measures (none of which is exclusive or rules out the others), but a simple click that allows improper material to be downloaded will do the damage and let it into our home.

The consulting firm Deloitte, speaking after the famous WannaCry attack, pointed out that the worm was distributed through a phishing campaign where human action was essential for its entry and propagation; it was the workers of the affected companies themselves who spread and let the malware in without being aware of it.

In fact, in a study conducted by Kaspersky, the cybersecurity company, 52% of companies admit that employees are their biggest cybersecurity risk.

2.- Types of attacks and personal influence

Personal responsibility is involved in virtually all attacks. This is not so much a question of which attacks involve the user as the trigger or attacker, but to what extent it is the individual who, consciously or not, creates a vulnerability through which the malware that infects the system is introduced.

Cybercriminals know that they have to get in through some loophole or exploit some vulnerability, and it will always be more likely to exploit a human failure than a Zero-Day (a vulnerability only known to the attacker and for which there is no patch yet) or a misconfigured firewall. In addition, there is a chance of a successful attack for each user on a system: you can throw a hook and throw it a thousand times and if only one fish bites, it is already a successful attack.

Within these weaknesses, which are people, we can find even more personalised attacks such as CEO fraud where a specific identity is impersonated, using data previously obtained by different means of social engineering such as OSINT, HUMINT, VIRTUALHUMINT (hence the importance of privacy on the Internet and the importance of being careful about what we publish). It can even be an email or a very specific message from a criminal impersonating someone you trust (friends, partner, family...).

They can also be massive attacks such as the aforementioned one from the Tax Agency or one impersonating the DGT, warning of a false fine, which is "trolling" because they are very cheap campaigns but with a high impact. 

Another massive attack comes from introducing a USB device or CD with malware inside so that employees can insert it into their own or the company's computer, thinking that it contains legal or at least harmless information.

Be careful, it's not all about misdirection. There is, and it is not uncommon, the figure of the insider, which we can quickly define as "the enemy at home"; someone who maliciously decides to attack the system from the inside, or to generate a vulnerability in a conscious and motivated manner. The National Cryptologic Centre in its 2019 annual cyberthreat report attributed no less than 25% of incidents to them. It could be the case of a dismissed employee, who, acting out of hatred and spite, decides to harm the company.

3.- What causes these vulnerabilities and how to avoid them?

There are few causes, but each of them is very strong. One, undoubtedly, is the lack of training of the user or employee, who does not know how to differentiate between a threat and harmless content. They are not educated in checking the links they click on or whether the document they are downloading looks "bad". A little care would prevent many attacks.

However, we cannot be trained if we are not aware of the threat we pose to ourselves and our environment. Therefore, hand in hand with training should be the awareness of the importance of knowing what we do and what we pose, even assuming that our national organisations for cybersecurity (e.g. INCIBE, CCN, IS4K, OSI...) have a significant amount of resources for all ages, fields, knowledge, skills...

Another factor is the sophistication of the attack: it is much more difficult to detect a surgical attack against our person or company where the data and the bait are very well chosen. In these cases, our defensive work starts earlier, by preventing our data from being made public or leaked, by changing passwords periodically, and so on. Of course, there will also be more crude and generic attacks, which with a little care and awareness we can avoid. And if there are younger or older users in our environment who are less experienced, we must also protect them from these attacks beforehand, with an antivirus and educating them in the use of technology. We must be aware that no user is alone, that we live together in cyberecosystems such as wifi networks, intranets, etc. that can endanger the rest of our environment.

In addition to all of the above, we must have good practice guidelines in our SMEs, not mix personal devices with work devices, have user permissions properly configured, etc. It is a job that is divided between the purely technological and the instinct to defend oneself.

Conclusion

We are a risk, both to ourselves and to those around us. When we drive a car we must be aware of the benefits and the risks. In cybersecurity, the human factor is a vulnerability in any security system and we must take care of it as much as or more than software or hardware barriers. No security measure is exclusive or rules out the others.

Daniel Juanes Fernández/Intelligence Analyst/Collaborator of the Cybersecurity Area of Sec2Crime.