Toru Nakata,
Institute of Secure Systems, AIST, Japan.
Aug. 22, 2013.
toru-nakata@aist.go.jp
Human Factor on Information Security -- Origin of Information Leakage
Leakage of important information is often caused by humans. This presentation shows how the human factor plays a dangerous role in information security.

Slide 1: Human Factors on Information Security
Toru Nakata, Institute of Secure Systems, AIST, Japan. Aug. 22, 2013. toru-nakata@aist.go.jp
Slide 2: Human, the weakest link
 Most data leaks are caused by humans.
 The human factor is also the most dangerous for general information security matters.
Cause of leak (from JNSA, 2011 Information Security Report):
  Misoperation 35%
  Failure of information management 33%
  Lost devices 14%
  Stolen 7%
  Brought out 5%
  Insider crime 2%
  Failure of system setting 1%
  Illegal access 1%
  Bug 1%
  Appropriation of data 1%
  Worm 0%
Slide 3: Five causes of information leak
(The slide groups the causes under two labels: “Human Error” and “Intentional”.)
1. Human-targeted attack
2. Bringing out or loss of data media
3. Mistake on sending data to outside
4. Insider crime
5. Thoughtless leak on Social Networking Service
Slide 4: 1. Human-Targeted Cyber Attack
 Cyber attackers are becoming bigger and more organized.
 Targets are shifting to bigger and more focused ones.
 The art of attack has become more sophisticated and tailored to the particular target.
[Figure: attacker scale (individual / company-level / country-level) plotted against target focus (everyone / particular organization / particular person); labelled points: Mass Spam, DOS Attack, Cracker Group, Human-Targeted.]
Slide 5: Example of targeted attack email
 From Mandiant report.
 The attack is supposed to be from the Chinese army.
 Impersonating the president of the company.
 The link leads to a malware download.

  Date: Wed, 18 Apr 2012 06:31:41 -0700
  From: Kevin Mandia <kevin.mandia@rocketmail.com>
  Subject: Internal Discussion on the Press Release

  Hello,
  Shall we schedule a time to meet next week?
  We need to finalize the press release.
  Details click here.
  Kevin Mandia
Slide 6: Typical Techniques of Trap Mail
 “Help me now” type
   pretends to be someone troubled with a computer,
   and demands a tentative relaxation of security policy.
   “Please tell me the password to open the file.” etc.
 “Police impersonation” type
   commands and controls the victim.
   “Open the attachment file. This is demanded by the information security center.”
 “Ordinary information” type
   pretends to be an unimportant mail.
   “Open the attachment to see the spec of the new copy machine.”
These are not accidental human errors, but sophisticated techniques to reduce human wariness.
Slide 7: Prevention of targeted attack
 Equipment countermeasures
   Filtering of email.
   Automatic removal of “exe” files.
 Countermeasures on human management
   Education: “Vaccine Training”
   Information management: do not allow access to important data by inadequate personnel.
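The “automatic removal of exe files” countermeasure, as an added example (not code from the presentation): a mail-gateway style filter that drops executable attachments by content signature as well as by extension, so a renamed “spec.doc” of the kind the “ordinary information” trap mail uses is still caught. The sample mail, addresses and the extension list are constructed assumptions.

```python
from email import policy
from email.message import EmailMessage

# Constructed sample data. FAKE_EXE is only the two-byte "MZ" signature that
# Windows executables start with, plus padding; it is not a real program.
FAKE_EXE = b"MZ" + b"\x00" * 30
SPEC_PDF = b"%PDF-1.4 constructed sample\n"

# Assumption: a short list of common Windows executable extensions; a real
# gateway would use the organisation's own policy list.
BLOCKED_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_mail() -> EmailMessage:
    """Constructed 'ordinary information' style mail: one harmless
    attachment and one executable renamed to look like a document."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"  # placeholder addresses
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Spec of the new copy machine"
    msg.set_content("Open the attachment to see the spec.")
    msg.add_attachment(SPEC_PDF, maintype="application", subtype="pdf",
                       filename="spec.pdf")
    msg.add_attachment(FAKE_EXE, maintype="application", subtype="msword",
                       filename="spec.doc")  # extension lies, bytes do not
    return msg


def is_executable(filename: str, payload: bytes) -> bool:
    """Flag on the declared extension OR on the MZ signature, so renaming
    an .exe to .doc does not get it past the filter."""
    return filename.lower().endswith(BLOCKED_EXT) or payload[:2] == b"MZ"


def strip_executable_attachments(msg: EmailMessage) -> list:
    """Remove executable attachments in place; return their filenames."""
    removed = []
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            msg.get_payload().remove(part)  # drop the whole MIME part
            removed.append(name)
    return removed


def remaining_attachment_names(msg: EmailMessage) -> list:
    return [p.get_filename() for p in msg.iter_attachments()]
```

Executables inside archives or password-protected zips are not inspected here; that is the gap the slide's “Vaccine Training” and access control are meant to cover.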
Slide 8: 2. Bringing-out and loss of equipment
 Why bring out? Why copy files onto USB memory?
   Overtime work at home.
   Sending big files to customers.
   To convey files to stand-alone equipment.
 Why leaks?
   Loss of USB memory and/or smartphone.
     Attach a big strap to such small equipment.
     Smartphones must be protected by a passcode.
     Make a password policy: how to make, share, and retire them.
   Unguarded equipment
     Left at initial settings/password.
   Peeping from the side
     Do not open your laptop or smartphone in a crowded place.
Slide 9: 3. Failure on sending the file
 Prepare a clean model file and start the work from it.
 Do not use an old file again.
   Some unwanted data may remain.
[Figure captions: Excel files may contain an unwanted sheet. Elimination of unintentional data contained in a Word file.]
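A pre-send check for the two leftovers the slide names, added here as an example (not the presentation's own tooling): .xlsx and .docx packages are zip files, so hidden sheets in xl/workbook.xml and author fields in docProps/core.xml can be listed with the standard library before the file leaves the company. The sample workbook is a constructed skeleton, not a complete valid spreadsheet.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used inside .xlsx/.docx packages.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook: one visible sheet, one hidden sheet,
    and core properties naming an earlier author (all placeholder values)."""
    workbook = (f'<workbook xmlns="{NS_MAIN}"><sheets>'
                '<sheet name="Quote" sheetId="1"/>'
                '<sheet name="Cost basis" sheetId="2" state="hidden"/>'
                '</sheets></workbook>')
    core = (f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
            '<dc:creator>Former Account Manager</dc:creator>'
            '<cp:lastModifiedBy>Example Staff</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def hidden_sheets(package: bytes) -> list:
    """Names of sheets marked hidden or veryHidden in an .xlsx package."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        root = ET.fromstring(z.read("xl/workbook.xml"))
    return [s.get("name") for s in root.iter(f"{{{NS_MAIN}}}sheet")
            if s.get("state") in ("hidden", "veryHidden")]


def author_metadata(package: bytes) -> dict:
    """creator / lastModifiedBy from docProps/core.xml (same file in .docx)."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {}
    for tag in (f"{{{NS_DC}}}creator", f"{{{NS_CP}}}lastModifiedBy"):
        el = root.find(tag)
        if el is not None and el.text:
            found[tag.split("}")[1]] = el.text
    return found
```

Anything the check reports is a reason to go back to the clean model file rather than hand-edit the old one, which is the slide's own advice.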
Slide 10: Before and After sending
 Before: check the sending address, letter body, and attachments.
   But an email address is not easy to read.
 Do not use unreliable methods:
   Broadcast mail that hides receivers’ addresses by listing them in “BCC”.
   Using mail as a file-sending machine too much.
 After: cancellation of a wrong mail.
   Some new mail systems can do this.
Slide 11: 4. Insider Crime: Information Theft
 To sell and get money.
 To protect oneself from company authority.
   Secret documents described in the movie “Erin Brockovich”.
 By personal belief and/or political reason.
   Wikileaks, etc.
 By selfish reason (but not spy-like crime).
   (From Symantec and Ponemon report “Data Loss Risks During Downsizing -- As Employees Exit, so does Corporate Data”, 2009)
   “Employees are stealing data and are more likely to do so when they don’t trust their employer.”
   “Employees are stealing proprietary and confidential data that might affect their former company’s business competitiveness and could result in a data breach.”
Slide 12: 5. Thoughtless leaks on SNS
 Tweeting confidential information about the job.
 Writing about disgraceful matters in the company.
 Writing important news without knowing that it is important.
   Leak preceding the official press release, etc.
 Why write?
   SNS seem like small networks of one’s friends.
   But SNS are actually worldwide and open.
   In SNS, one can act almost anonymously.
   But it is very easy to detect your identity from the records of your anonymous account.
Slide 13: Leakage from Cognitive Gap

|                                  | Subordinate: “This info is important.”                               | Subordinate: “It is not important.”                                                      |
|----------------------------------|----------------------------------------------------------------------|------------------------------------------------------------------------------------------|
| Boss: “This info is important.” | <Locked Door> This info is dealt with as property.                   | <Door of Rumor> This info is easy to leak.                                               |
| Boss: “It is not important.”    | <Glassed-In Door> This info is used without correct permission.      | <Free Door> This info remains neglected until analysis technology is invented.           |

The two doors of cognitive discord (Door of Rumor and Glassed-In Door) are the main routes of data loss and leak.
Slide 14: Provisions against Data Leakage
 Countermeasures on equipment
   Security software and hardware are already prepared for typical and ordinary patterns.
 On individuals
   Awareness of danger is required of every employee.
   Clear policy, reasonable procedure, and kind education.
 On organization: security policy
   You cannot have everything: usability vs. security.
   Security is a matter of choice.
   Company policies on passwords, BYOD, cloud services, etc.
   Do not leave the policies to individual employees.