About digital spheres rotation
role of perspective in cyber security
Artur Marek Maciag
Data breach & hacking
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
https://www.photographymad.com/pages/view/long-exposure-star-trail-photography
Direct observation with some patience
https://www.nytimes.com/2018/11/30/business/marriott-data-breach.html
By Eugene Alvin Villar (seav) - Own work, CC BY-SA 4.0,
https://commons.wikimedia.org/w/index.php?curid=4662202
https://en.wikipedia.org/wiki/Apparent_retrograde_motion
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
Detailed analysis – single focus
By James Ferguson (1710-1776), based on similar diagrams by Giovanni Cassini (1625-1712) and Dr Roger Long (1680-1770);
engraved for the Encyclopaedia by Andrew Bell. - Encyclopaedia Britannica (1st Edition, 1771; facsimile reprint 1971),
Volume 1, Fig. 2 of Plate XL facing page 449., Public Domain, https://commons.wikimedia.org/w/index.php?curid=10884763
https://en.wikipedia.org/wiki/Deferent_and_epicycle
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
Term clusters in criminal forum and marketplace posts
Data modeling and analysis – broad perspective
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
Let’s see what we have here…
Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
Who and What?
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
by Who and Why?
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
Who, again?
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
How and Where?
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
How, again?
C-suite
Mobile
GUI
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
How long it can be? Not so long…
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
And the pain costs…
but “half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered”
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
One quick look at…
And the dark web…
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
Term clusters in criminal forum and marketplace posts
https://cyware.com/educational-guides/cyber-threat-intelligence/how-is-surface-web-intelligence-different-from-dark-web-intelligence-393c
What about dark Web data driven picture?
https://www.recordedfuture.com/dark-web-reality/
Put the more light on the dark web…
https://www.recordedfuture.com/dark-web-reality/
200 million
55,828
8,416
Dark web is also full of (bad) humans…
https://www.recordedfuture.com/dark-web-reality/
If cybersecurity looks like that:
How can we make it simpler?
By Copernican_heliocentrism_diagram.jpg: Own work from Copernicus 1543 derivative work: Professor marginalia (talk) - Copernican_heliocentrism_diagram.jpg, Public Domain, https://commons.wikimedia.org/w/index.php?curid=12353176
https://en.wikipedia.org/wiki/Copernican_heliocentrism
https://www.ccn-cert.cni.es/publico/InfraestructurasCriticaspublico/CPNI-Guia-SCI.pdf
Shaded state of the mind…
Testing as User
Testing as User with Access to Internals
Testing as Developer
As human brain users, we can always do that
To do that we need more knowledge about our behavior factors leading to errors
That is out of our reach, as we don’t design our brain (still, we can try, as lifehackers)
https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
Testing as a user…
When | Who | How | What
2018 | Marriott | Acquired hacked company (Starwood) | 500 million
2017 | Equifax | Hacking (app vulnerability) | 143 million
2016 | Adult Friend Finder | Hacking (Local File Inclusion) | 412 million
2016 | Uber | AWS credentials on GitHub | 57 million
2015 | Anthem | Phishing/malware | 78 million
2014 | eBay | User credentials | 145 million
     | JP Morgan Chase | Hacking | 83 million
     | Home Depot | Malware/trojanAV | 56 million
2013 | Yahoo | User account hacked | 3 billion
2012 | Target Stores | Third party HVAC system | 110 million
2011 | Adobe | ? | 38/150 million
2008 | OPM | Hacking | 22 million
2006 | Sony | Hacking | 77 million
The dirty dozen of human errors is the root cause of all cyber incidents.
Testing as User with Access to Internals
…Who | How | Why
Marriott | Acquired hacked company (Starwood) | Lack of communication, norms, lack of teamwork, lack of knowledge
Equifax | Hacking (app vulnerability) | Lack of resources, pressure, lack of teamwork, lack of awareness
Adult Friend Finder | Hacking (Local File Inclusion) | Lack of resources, pressure, lack of teamwork, lack of awareness, stress
Uber | AWS credentials on GitHub | Norms, complacency, pressure, lack of resources, lack of teamwork
Anthem | Phishing/malware | Lack of assertiveness, stress, pressure, fatigue, complacency, lack of awareness
eBay | User credentials | Norms, lack of awareness, pressure, fatigue, lack of resources
JP Morgan Chase | Hacking | Lack of resources, pressure, lack of teamwork, lack of awareness, stress
Home Depot | Malware/trojanAV | Lack of resources, pressure, lack of teamwork, lack of awareness, stress
Yahoo | User account hacked | Norms, lack of awareness, pressure, fatigue, lack of resources
Target Stores | Third party HVAC system | Lack of communication, norms, lack of teamwork, lack of knowledge
Adobe | ? | ?
OPM | Hacking | Lack of resources, pressure, lack of teamwork, lack of awareness, stress
Sony | Hacking | Lack of resources, pressure, lack of teamwork, lack of awareness, stress
Cybersecurity Dunning-Kruger Effect
confidence vs competence
What you really know
Realized lack of knowledge
You are sure you are safe
You think you know, but still don’t know what you don’t know
You think you are safe, but you don’t know what you don’t know
You find yourself vulnerable
You know what you don’t know
External audit, penetration tests, awareness exercise or cyber incident
You know what to do to feel safe
You know what you need to know to minimize the impact on you from what you don’t know yet
Beware, we go to CLOUD!
SO, WHY?
https://www.skyhighnetworks.com/cloud-computing-trends-2019/ 30 million McAfee MVISION Cloud users, 50 attributes of user behavior analysis, signatures for 25,000 cloud services
WHERE?
COLLABORATION
BUSINESS
CONSUMER
ENTERPRISE
https://www.skyhighnetworks.com/cloud-computing-trends-2019/ 30 million McAfee MVISION Cloud users, 50 attributes of user behavior analysis, signatures for 25,000 cloud services
SINGLE PROVIDER
MULTI PROVIDER
https://www.skyhighnetworks.com/cloud-computing-trends-2019/ 30 million McAfee MVISION Cloud users, 50 attributes of user behavior analysis, signatures for 25,000 cloud services
WHAT?
https://www.skyhighnetworks.com/cloud-computing-trends-2019/ 30 million McAfee MVISION Cloud users, 50 attributes of user behavior analysis, signatures for 25,000 cloud services
Confidential data in the cloud are about 5.5% of total data in the cloud!
HOW?
% OF USERS SHARING FILES
% OF FILES SHARED
SHARED WITH?
https://www.skyhighnetworks.com/cloud-computing-trends-2019/ 30 million McAfee MVISION Cloud users, 50 attributes of user behavior analysis, signatures for 25,000 cloud services
AND SECURITY?
An average institution’s statistics:
3,263,144,325 total events per month (3×10^9: WORLD)
3,217 anomalous events per month (3×10^3: SMALL CITY)
31.3 threats per month (3×10^1: FAMILY)
USER BEHAVIOR ANALYTICS ROLE
THE CHALLENGE
https://www.skyhighnetworks.com/cloud-computing-trends-2019/ 30 million McAfee MVISION Cloud users, 50 attributes of user behavior analysis, signatures for 25,000 cloud services
WHO TO TRUST?
Consider the following relations:
CLOUD USERS SIDE VIEW: HOW MANY CLOUD APPLICATIONS DO YOU USE?
https://www.skyhighnetworks.com/cloud-computing-trends-2019/ 30 million McAfee MVISION Cloud users, 50 attributes of user behavior analysis, signatures for 25,000 cloud services + survey of 1,400 security professionals in 11 countries
CLOUD PROVIDER SIDE CONTROLS: ADAPTATION OF CRITICAL SECURITY CONTROLS
https://www.skyhighnetworks.com/cloud-computing-trends-2019/ 30 million McAfee MVISION Cloud users, 50 attributes of user behavior analysis, signatures for 25,000 cloud services
Picture by Adrian Grigorof, Marius Mocanu
How can we make it simpler?
Change perspective… see problem in grey box
PEOPLE
Lack of Teamwork
Lack of Assertiveness
Lack of Communication
Lack of Resources
Lack of Knowledge
Norms
Complacency
Lack of Awareness
Distraction
Fatigue
Pressure
Stress
HUMAN FACTORS
Dirty dozen – Lack of communication
Issues:
- Poor or non-existent communication
- Information lost in transmission
- The information receiver can make assumptions about the message
- You should know that only 30% of verbal communication is understood
- You should know that usually the beginning and end of a message are understood
- Body language is misunderstood or neglected in person-to-person communication
Countermeasures:
- Write down complex instructions
- Use checklists and logbooks to communicate work progress
- Never assume that the work has been completed
- Ask if you do not understand
- Reconfirm if not sure
- Beware of the effect of culture on message interpretation
- Pay attention to body language
- Always repeat the most critical part of the message at the end
Dirty dozen – Lack of knowledge
Issues:
- Acting on outdated documentation can create chaos or errors in the process
- Performing jobs without prior training could put the employee at risk and damage the company’s reputation
- Attempting to solve an issue without the knowledge and skills to do it efficiently may turn the issue into a crisis
Countermeasures:
- Perform only jobs you are trained for
- Do not try to help if you do not know how
- If you do not know, ask for help
- Update your knowledge and documentation to the current state
Dirty dozen – Lack of teamwork
Issues:
- Single point of failure
- Concentration of knowledge, power and operations, creating a “bottleneck” situation
- Resources wasted due to lack of understanding of the common goal
- Communication degradation due to social issues or lack of human resources
- Resources wasted on proving competence
Countermeasures:
- Encourage a team-playing approach and communication
- All team members need to understand the common goal and the way to cope with it, including their duties
- Promote co-workers with safety in mind
- Promote discussion to solve issues
- Diverse skills and points of view
- Encourage challenge
- Celebrate success
Dirty dozen – Lack of resources
Issues:
- Safety and quality concerns due to improvised or outdated resources
- Creates pressure on the employee that strengthens other human error components
- Impacts compliance and safety through employee actions that cross the line or through forced creativity
Countermeasures:
- Plan resource utilization; maintain the supply of resources and assets
- Manage the resource lifecycle
- Optimize resource utilization
- Request resources if safety can be impacted
- Don’t agree to safety violations – you will probably take responsibility when something goes wrong
Dirty dozen – Lack of assertiveness
Issues:
- Suppressing concerns, feelings, opinions, beliefs and needs
- Continuing a culture of fear and false responsibility
- Falsifying or failing communication and avoiding resolving the root cause of the problem
- Creating a false/fake picture through generalization
Countermeasures:
- Never compromise your standards
- Provide clear feedback when a risk or danger is perceived
- Speak up, keeping calm and rational and using specific examples rather than generalisations
- Always direct criticism at actions and their consequences rather than people and their personalities
- Invite feedback
- Realize that it’s YOUR duty, your decision and your future
Dirty dozen – Lack of awareness
Issues:
- Lack of understanding of one’s role and impact can cause serious damage to the employee or company
- Lack of visibility can lead to tunnel vision and affect actions or effectiveness
- Lack of foresight can lead to serious incidents impacting human life or the company brand
Countermeasures:
- Use checklists, logbooks, etc.
- Don’t assume the situation; ask for clarification, ask for a checkup
- Constantly question “what if...?”
- Promote experience through knowledge sharing and situational awareness
- Promote developing foresight
Dirty dozen – Complacency
Issues:
- Relying on memory/custom/habit
- Acting in good faith with a tendency to neglect the obvious message
- Overestimating strengths and reliability
- Ignoring warning signals, going rogue for the sake of custom
Countermeasures:
- Always expect that something could go wrong
- Never sign off on something that you did not fully verify or provide
- Always double-check your work
- Never put yourself in a risky situation counting on luck or experience
Dirty dozen – Distraction
Issues:
- A distracted employee can easily miss part of the process and create a defect
- Can be caused or strengthened by other factors such as fatigue, stress and complacency, greatly impacting productivity
- Introduces delays, errors and mistakes driven by chaotic or messy job performance
Countermeasures:
- Use a detailed checklist
- Secure your workplace and tools; keep them safe and clean to avoid the unexpected
- If you can’t focus on the job, take a break to remove the distraction
- When resuming a job, go back and double-check what you think is already completed
Dirty dozen – Fatigue
Issues:
- A fatigued employee can make harmful decisions
- Ignored symptoms can cause a rapid collapse that could be risky for health
- Attempts to finish the job at any cost could seriously damage the process and the employee through error or loss of control over tools
- Strengthens the negative impact and probability of occurrence when combined with other factors
Countermeasures:
- Take care of yourself: eat healthily, be active and maintain a regular sleep pattern
- Put down complex tasks if you know that you are exhausted
- Be aware of fatigue symptoms in yourself and co-workers
- Take short breaks to refresh mind and muscles
Dirty dozen – Pressure
Issues:
- Whether self-induced or external, pressure can impact the process or product in a way that damages the organization’s reputation
- Creating a false picture of job conditions, or covered trading jobs, can impact the project deadline or client relations with your company
Countermeasures:
- Ensure that pressure is not self-induced
- Ask for extra help if time is an issue
- Communicate if you think you will need more time to complete a job rather than rushing through it
Dirty dozen – Stress
Issues:
- If demands are too high or not managed, the subconscious will respond with stress, impacting the employee’s overall posture
- Stress greatly strengthens the employee’s response to other factors, increasing the risk of damage to the employee or errors in the process
Countermeasures:
- Reduce stress levels by taking time off or a short break
- Ask co-workers to monitor your work
- Exercise, eat healthily and get a sufficient amount of rest to keep stress levels under control
- Know your limits and communicate them when expectations rise
Dirty dozen – Norms
Issues:
- Crossing the line into a standards violation is in most cases a bad idea that causes losses and potential harm to the employee
- Keeping a wrong norm as a standard operating procedure, or through silent employee agreement, can seriously harm the employee and impact the process or company
Countermeasures:
- Ensure that everyone follows the same standard
- Something looking normal does not make it correct
- The easiest way of accomplishing something may not be the standard
- Eradicate negative standards by raising discussion about them
THAT IS ONLY THE BEGINNING
THANK YOU FOR YOUR ATTENTION!

Security perspective -human factor
