Human Factor on Information Security -- Origin of Information Leakage
Institute of Secure Systems, AIST, Japan.
Aug. 22, 2013.
Human Factors on Information Security
Human, the weakest link
Most data leaks are caused by humans.
The human factor is also the most dangerous one for general
information security matters.
Failure of info
Lost the devices
Cause of Leak
(From JNSA, 2011 Information Security
Five causes of information leak
1. Human-Targeted Attack
2. Bringing out or lost of
3. Mistake on sending
data to outside.
4. Insider Crime
5. Thoughtless leak on
1. Human-Targeted Cyber Attack
Cyber attackers are becoming bigger and more organized.
The targets are shifting to bigger and more focused ones.
The arts of attack have become more sophisticated and tailored for the particular
Example of targeted attack email
From Mandiant report.
The attack is supposed to be from the Chinese army.
Impersonating the president of the company.
The link leads to download malware.
Date: Wed, 18 Apr 2012 06:31:41 -0700
From: Kevin Mandia <email@example.com>
Subject: Internal Discussion on the Press Release
Shall we schedule a time to meet next week?
We need to finalize the press release.
Details click here.
Typical Techniques of Trap Mail
“Help me now” type
pretends to be someone having trouble with a computer,
and demands a temporary relaxation of security policy.
“Please tell me the password to open the file.” etc.
“Police impersonation” type
commands and controls the victim
“Open the attachment file. This is demanded by the
information security center.”
“Ordinary information” type
pretends to be an unimportant mail.
“Open the attachment to see spec of the new copy
These are not accidental human errors, but
sophisticated techniques to reduce human wariness.
Prevention of targeted attack
Filtering of email.
Automatic removal of “exe” files
Countermeasure on Human Management
Education: “Vaccine Training”
Information Management: Do not allow access to
important data by inappropriate personnel.
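The “automatic removal of exe files” filter listed above, sketched in Python as an added example (not code from the original slides). The extension blocklist, the MZ-header check, the X-Attachments-Removed header and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".scr", ".com", ".pif")  # assumed blocklist


def is_executable(part):
    """True if a leaf MIME part looks like a Windows executable."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    name = (part.get_filename() or "").lower().rstrip(". ")
    payload = part.get_payload(decode=True) or b""
    # Match on the name, or on the "MZ" header in case the file was renamed.
    return name.endswith(BLOCKED_EXT) or payload[:2] == b"MZ"


def strip_executables(raw):
    """Return (cleaned message bytes, names of the removed parts)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []

    def walk(container):
        kept = []
        for part in container.get_payload():
            if part.is_multipart():
                walk(part)  # nested multipart or forwarded message
            elif is_executable(part):
                removed.append(part.get_filename() or "(unnamed)")
                continue
            kept.append(part)
        container.set_payload(kept)

    if msg.is_multipart():
        walk(msg)
    if removed:
        msg["X-Attachments-Removed"] = str(len(removed))
    return msg.as_bytes(), removed


def sample_message():
    """Constructed sample: text body, one PDF, two disguised executables."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "staff@example.com"
    m["Subject"] = "Sample message"
    m.set_content("Open the attachment to see the spec.")
    m.add_attachment(b"%PDF-1.4 sample", maintype="application",
                     subtype="pdf", filename="spec.pdf")
    for name in ("spec.pdf.exe", "photo.jpg"):  # both start with "MZ"
        m.add_attachment(b"MZ\x90\x00 sample", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()
```

Checking the file header as well as the name catches an executable that was renamed to a harmless-looking extension, which a name-only filter would let through.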
2. Bringing out and loss of equipment
Why bring out? Why copy files on USB memory?
Overtime work at home
Sending big files to customers.
To convey files to stand-alone equipment.
Loss of USB memory and/or smart phone.
Attach a big strap to such small equipment.
Smart phones must be protected by passcode.
Make Password Policy: how to make, share, and retire them.
Unguarded equipment
Left with initial settings/password.
Peeping from the side
Do not open your laptop and smart phone in crowded
3. Failure on sending the file
Prepare a clean model file and start the work from it.
Do not reuse an old file.
Some unwanted data may remain.
Excel files may contain
Elimination of unintentional
data contained in a Word
Before and After sending
Sending address, letter body, and
But email addresses are not easy to read.
Do not use unreliable methods
Broadcast mail that hides the receivers’ mail
addresses by listing them in “BCC”
Using mail as file sending machine too
After: Cancellation of wrong mail
Some new mail systems can do this.
4. Insider Crime: Information Theft
To sell and get money.
To protect oneself from company authority
Secret documents described in the movie “Erin Brockovich”
By personal belief and/or political reason
By selfish reason (but not spy-like crime)
(From Symantec and Ponemon Report “Data Loss Risks
During Downsizing -- As Employees Exit, so does Corporate
“Employees are stealing data and are more likely to do so
when they don’t trust their employer.”
“Employees are stealing proprietary and confidential data
that might affect their former company’s business
competitiveness and could result in a data breach.”
5. Thoughtless leaks on SNS
Tweeting confidential information about the job.
Writing about disgraceful matters in the company.
Writing important news without knowing that it is important.
Leaks preceding the official press release, etc.
SNS seem like small networks of one’s friends.
But SNS are actually worldwide and open.
In SNS, one can act almost anonymously.
But it is very easy to detect your identity from records of
your anonymous account.
Leakage from Cognitive Gap
“This info is
“It is not
“This info is
This info is dealt as
<Door of Rumor>
This info is easy to
“It is not
This info is used
This info remain
The two doors of cognitive discord are
the main routes of data loss and leak.
Provisions against Data Leakage
Countermeasure on Equipment
Security software and hardware are already prepared for
typical and ordinary patterns.
Awareness of danger is required for every employee.
Clear policy, reasonable procedure, and kind education.
On Organization: Security policy
You cannot have everything: Usability vs. Security.
Security is a matter of choice.
Company policies on passwords, BYOD, cloud services
Do not leave the policies to individual employees.