Cybersecurity 4 security is sociotechnical issue
Upcoming SlideShare
Loading in...5
×
 

Cybersecurity 4 security is sociotechnical issue

on

  • 351 views

Discusses why cybersecurity has to be approached from a sociotechnical perspective. Accompanies YouTube video

Discusses why cybersecurity has to be approached from a sociotechnical perspective. Accompanies YouTube video

http://www.youtube.com/watch?v=8bLwJy2BwKs

Statistics

Views

Total Views
351
Views on SlideShare
351
Embed Views
0

Actions

Likes
0
Downloads
6
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Cybersecurity 4 security is sociotechnical issue Cybersecurity 4 security is sociotechnical issue Presentation Transcript

  • Security is a socio-technical issue Cybersecurity: Security is a socio-technical issue Slide 1
  • Improved security technology • Computer security and security engineering focuses on the technical aspects of the cybersecurity problem Cybersecurity: Security is a socio-technical issue Slide 2
  • • By reducing vulnerabilities in code and by adding more checks to code, many security vulnerabilities can be avoided and the number of incidents reduced • However, this can significantly increase costs and time required for development and so delay delivery of the software Cybersecurity: Security is a socio-technical issue Slide 3
  • © John Wiley and Sons 2004 Cybersecurity: Security is a socio-technical issue Slide 4
  • • “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” Cybersecurity: Security is a socio-technical issue Slide 5
  • © John Wiley and Sons 2004 • "Security is a chain; it's only as secure as the weakest link." Cybersecurity: Security is a socio-technical issue Slide 6
  • • Technology is necessary but cannot, on its own, guarantee that systems will be secure • Cybersecurity is a socio-technical rather than a technical problem Cybersecurity: Security is a socio-technical issue Slide 7
  • Why technology is not enough • Technology reliability cannot be guaranteed • Insider attacks • Technical security compromises made for usability reasons Cybersecurity: Security is a socio-technical issue Slide 8
  • • Failure of organisational procedures or poorly designed procedures • Human carelessness • Social engineering Cybersecurity: Security is a socio-technical issue Slide 9
  • Unreliable technology • In the same way that it is practically impossible to guarantee that a complex system is free from bugs, it is also impossible to guarantee that a system is free from security vulnerabilities Cybersecurity: Security is a socio-technical issue Slide 10
  • • Even if a system A is „secure‟, it may rely on other systems that are potentially insecure. If these are owned by different people, „system wide‟ security validation is impossible Cybersecurity: Security is a socio-technical issue Slide 11
  • Insider attacks • Insiders have legitimate credentials that allows them access to the system – Therefore, strong access control technology is not a barrier Cybersecurity: Security is a socio-technical issue Slide 12
  • • Insiders in an organisation are aware of the technical safeguards built into the system and may know how to circumvent these – especially if they have privileged system access • Insiders have local knowledge that may be used for social engineering and so may be able to discover privileged information. Cybersecurity: Security is a socio-technical issue Slide 13
  • Maroochy water breach Image credit: www.discoverqueensland.com.au Cybersecurity: Security is a socio-technical issue Slide 14
  • Usability vs security • There is always a trade-off to be made between usability and security • Security procedures slow down system operation and may alienate users Cybersecurity: Security is a socio-technical issue Slide 15
  • Companies may make a deliberate decision to use weaker security procedures so that users don‟t decide to go elsewhere Login/password authentication instead of biometrics © http://www.activistpost.com/ 2012 Cybersecurity: Security is a socio-technical issue Unencrypted information as encryption slows down the system Slide 16
  • Procedural failures • Procedures that are intended to maintain security may be badly designed or implemented • This may introduce vulnerabilities into the system or may mean that users have to circumvent procedures Cybersecurity: Security is a socio-technical issue Slide 17
  • Poor procedures • Companies request strong passwords but do not provide any help to users how to construct strong easy to remember passwords such as “My_hamster.spot • Requirements for regular password change. Thought to improve security but actually means that users can‟t remember passwords so they write them down Cybersecurity: Security is a socio-technical issue Slide 18
  • Human carelessness • People will inevitably be careless © www.labnol.org 2009 Cybersecurity: Security is a socio-technical issue – Leave systems unattended whilst they are logged on – Use authentication in public places where they can be observed Slide 19
  • Some technical controls against carelessness but impossible to completely control this vulnerability without incurring very high costs Cybersecurity: Security is a socio-technical issue Slide 20
  • Social engineering © thehackernews.com 2011 Cybersecurity: Security is a socio-technical issue • Many examples that show users are willing to provide confidential information to a plausible Slide 21
  • • Attacker Alex calls system admin Bob pretending to be the manager of a company and asks for his password to be reset. • He asks Bob to tell him the new password • Bob wants to please his boss so does as he is asked . • Alex then can gain access to the system (and lock out the legitimate manager) Cybersecurity: Security is a socio-technical issue Slide 22
  • Multiple points of failure • These „social‟ vulnerabilities may be exploited in connection with each other or with technical vulnerabilities to gain access to system Cybersecurity: Security is a socio-technical issue Slide 23
  • • For example, a successful password attack may require social engineering to convince system administators to reset a user‟s password Cybersecurity: Security is a socio-technical issue Slide 24
  • • A poor password change procedure, which does not include a check to ensure that the requestor is legitimate – Require text confirmation of password change request or text password change details to users mobile – Requests made by phone should require callback25 Slide Cybersecurity: Security is a socio-technical issue
  • Summary • Cybersecurity is a socio-technical problem • Technology reliability cannot be guaranteed • Insider attacks • Technical security compromises made for usability reasons Cybersecurity: Security is a socio-technical issue Slide 26
  • • Failure of organisational procedures or poorly designed procedures • Human carelessness • Social engineering Cybersecurity: Security is a socio-technical issue Slide 27