Security is a socio-technical issue

Cybersecurity: Security is a socio-technical issue

Cybersecurity 4 security is sociotechnical issue

354
-1

Published on

Discusses why cybersecurity has to be approached from a sociotechnical perspective. Accompanies YouTube video

http://www.youtube.com/watch?v=8bLwJy2BwKs

Slide 1: Security is a socio-technical issue

Slide 2: Improved security technology
• Computer security and security engineering focus on the technical aspects of the cybersecurity problem

Slide 3
• By reducing vulnerabilities in code and by adding more checks to code, many security vulnerabilities can be avoided and the number of incidents reduced
• However, this can significantly increase the cost and time required for development and so delay delivery of the software

Slide 4
[Image] © John Wiley and Sons 2004

Slide 5
• "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

Slide 6
[Image] © John Wiley and Sons 2004
• "Security is a chain; it's only as secure as the weakest link."

Slide 7
• Technology is necessary but cannot, on its own, guarantee that systems will be secure
• Cybersecurity is a socio-technical rather than a technical problem

Slide 8: Why technology is not enough
• Technology reliability cannot be guaranteed
• Insider attacks
• Technical security compromises made for usability reasons

Slide 9
• Failure of organisational procedures or poorly designed procedures
• Human carelessness
• Social engineering

Slide 10: Unreliable technology
• In the same way that it is practically impossible to guarantee that a complex system is free from bugs, it is also impossible to guarantee that a system is free from security vulnerabilities

Slide 11
• Even if a system A is 'secure', it may rely on other systems that are potentially insecure. If these are owned by different people, 'system-wide' security validation is impossible

Slide 12: Insider attacks
• Insiders have legitimate credentials that allow them access to the system
  – Therefore, strong access control technology is not a barrier

Slide 13
• Insiders in an organisation are aware of the technical safeguards built into the system and may know how to circumvent these, especially if they have privileged system access
• Insiders have local knowledge that may be used for social engineering and so may be able to discover privileged information

Slide 14: Maroochy water breach
[Image] Image credit: www.discoverqueensland.com.au

Slide 15: Usability vs security
• There is always a trade-off to be made between usability and security
• Security procedures slow down system operation and may alienate users

Slide 16
• Companies may make a deliberate decision to use weaker security procedures so that users don't decide to go elsewhere
  – Login/password authentication instead of biometrics
  – Unencrypted information, as encryption slows down the system
[Image] © http://www.activistpost.com/ 2012

Slide 17: Procedural failures
• Procedures that are intended to maintain security may be badly designed or implemented
• This may introduce vulnerabilities into the system or may mean that users have to circumvent procedures

Slide 18: Poor procedures
• Companies request strong passwords but do not provide any help to users on how to construct strong, easy-to-remember passwords such as "My_hamster.spot"
• Requirements for regular password change. Thought to improve security, but actually means that users can't remember passwords, so they write them down

Slide 19: Human carelessness
• People will inevitably be careless
  – Leave systems unattended whilst they are logged on
  – Use authentication in public places where they can be observed
[Image] © www.labnol.org 2009

Slide 20
• Some technical controls against carelessness exist, but it is impossible to completely control this vulnerability without incurring very high costs

Slide 21: Social engineering
[Image] © thehackernews.com 2011
• Many examples that show users are willing to provide confidential information to a plausible

Slide 22
• Attacker Alex calls system admin Bob pretending to be the manager of a company and asks for his password to be reset
• He asks Bob to tell him the new password
• Bob wants to please his boss, so does as he is asked
• Alex can then gain access to the system (and lock out the legitimate manager)

Slide 23: Multiple points of failure
• These 'social' vulnerabilities may be exploited in connection with each other or with technical vulnerabilities to gain access to the system

Slide 24
• For example, a successful password attack may require social engineering to convince system administrators to reset a user's password

Slide 25
• A poor password change procedure, which does not include a check to ensure that the requestor is legitimate
  – Require text confirmation of a password change request, or text the password change details to the user's mobile
  – Requests made by phone should require a callback
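The scenario on slide 22 and the countermeasures on slide 25, worked through as an added Python example that is not part of the slide deck: weak_reset models a help desk that resets on request and reads the password back to the caller, while HardenedResetDesk never acts on an inbound call (it requires a callback to the number on record), texts a single-use confirmation code to that number, and delivers the new password only to it. The directory, the placeholder mobile number, the channel names and the function names are all constructed for this example.

```python
import hmac
import secrets
from typing import Optional
# Constructed directory with a placeholder mobile number: the number on record is
# the only channel the hardened desk trusts for confirmation and delivery.
DIRECTORY = {"manager": {"mobile": "+44-7700-900123"}}
MAX_ATTEMPTS = 3


def weak_reset(account: str) -> Optional[str]:
    """Slide 22: reset on request and read the new password back to whoever asked."""
    if account not in DIRECTORY:
        return None
    return secrets.token_urlsafe(12)   # no check that the caller is who they claim


class HardenedResetDesk:
    """Slide 25: verify the requestor out of band before any change is made."""
    def __init__(self):
        self.log = []       # (event, account, detail): audit trail for detection
        self.pending = {}   # account -> (confirmation code, attempts left)
        self.outbox = []    # (mobile on record, message): simulated text messages

    def request(self, account: str, channel: str) -> str:
        # channel is "phone" (inbound call), "callback" (desk-initiated) or "portal"
        user = DIRECTORY.get(account)
        if user is None:
            self.log.append(("rejected", account, "unknown account"))
            return "rejected"
        if channel == "phone":
            # Never act on an inbound call: the desk calls back the number on record.
            self.log.append(("callback_required", account, user["mobile"]))
            return "callback_required"
        code = secrets.token_hex(4)
        self.pending[account] = (code, MAX_ATTEMPTS)
        self.outbox.append((user["mobile"], "confirm password reset with code " + code))
        self.log.append(("confirmation_sent", account, user["mobile"]))
        return "confirmation_sent"

    def confirm(self, account: str, code: str) -> Optional[str]:
        expected, left = self.pending.get(account, (None, 0))
        if expected is None or not hmac.compare_digest(expected, code):
            if left > 1:   # wrong code: count down, discard after MAX_ATTEMPTS failures
                self.pending[account] = (expected, left - 1)
            else:
                self.pending.pop(account, None)
            self.log.append(("rejected", account, "bad confirmation code"))
            return None
        del self.pending[account]   # a confirmation code is single use
        new_password = secrets.token_urlsafe(12)
        self.outbox.append((DIRECTORY[account]["mobile"], "new password: " + new_password))
        self.log.append(("reset", account, "details texted to mobile on record"))
        return new_password
```

Alex's call on slide 22 ends at "callback_required" in the hardened desk, and even after a callback the new password is only ever texted to the manager's registered mobile, so the log entries are what a defender would alert on.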
Slide 26: Summary
• Cybersecurity is a socio-technical problem
• Technology reliability cannot be guaranteed
• Insider attacks
• Technical security compromises made for usability reasons

Slide 27
• Failure of organisational procedures or poorly designed procedures
• Human carelessness
• Social engineering