People are ‘wet’ with security

Charles Orton-Jones explores ways to strengthen cyber security in the face of human weakness

There’s hardware. There’s software. And there’s wetware – that’s the human bit in the technology chain. Hackers have long realised that Homo sapiens are the weakest point in any security wall. Wetware vulnerabilities are now their number-one target.

Humans have so many defects. They are curious. Take the USB stick scam. Hackers load USB sticks up with malware and scatter them in the target company’s car park. Humans wander out of their offices and notice these colourful bits of plastic. They pick up the sticks, activate them to see what they contain and cheerfully click on the poisoned files therein.

“The best ones are shiny neon flashing USB sticks,” reports former Met cyber crime officer Adrian Culley, now a consultant with Damballa. “I know of two large and credible organisations that were undone like that. Chuck 20 sticks on the ground and someone will pick one up.”

Humans are trusting. With a bit of coaxing, unwary staff can be persuaded to disclose passwords over the phone or via e-mail. Some of the approaches are breathtakingly direct. Gavin Watson, senior security head at security consultancy Randomstorm, tells a chilling tale.

He says: “A call to the receptionist will say something on the lines of ‘Hi, I’m about 20 minutes from the office, but I’m caught in traffic. I’ve got a contractor coming in to service our routers, I know we’re not supposed to let anyone in without supervision, but we’ll be charged for another call out if we miss this appointment. Please can you give him a visitor’s badge and show him up to my office, and I’ll be there as soon as I can.’

“This gives the receptionist a plausible scenario for the arrival of a stranger on site, the sanction from a superior for breaking the company policy covering supervision of visitors and the comfort factor that her boss will be on the scene shortly to greet the visitor and take control of the situation.”

Humans are lazy. By default they will choose passwords which are too short and too easy to either guess or to crack via brute-force guessing. The leak of 150 million Adobe passwords last year provided a profound insight into how people formulate their passwords. Nearly two million Adobe users opted for “123456”. The top 100 of most common passwords is littered with the obvious, from “password” to “letmein”.

Using the first letter from each word in a song lyric, with vowels replaced by numbers, is a simple way to create long yet easy-to-remember passwords

Tragically, users routinely create passwords using their dog’s name, birth date, mother’s name and other basic building blocks. The stratagem of “social engineering” involves hackers using Twitter and Facebook to harvest personal details from targets to facilitate password-cracking.

All it takes is one slip-up. The mother lode is an e-mail account. Let Sian John of Symantec explain just how bad this is for your business: “If I have control of your e-mail I have the keys to the safe. Because all your other accounts will be tied to it. I simply request a password reset for the thing I want to gain access to; a link will be sent to your e-mail. I can very quickly capture your entire eco-system.”

Even when staff are being vigilant there is a danger they will be undone by a clever hack. In 2011 security firm RSA got hacked. The method was “phishing”. Hackers e-mailed an Excel spreadsheet to low-level employees called “2011 recruitment plans”. When opened the document exploited a vulnerability in Flash to give hackers a foothold within RSA’s systems. Small amounts of sensitive data were leaked before the attack was repelled. And RSA, note, is one of the world’s most respected cyber security firms.

A Raconteur poll of 60 security experts revealed a cornucopia of tactics used by hackers to exploit humans. Here are just a few: paying old employees for their passwords; stealing a staff mobile phone to gain access; using browser pop-ups; bribing security guards; looking over the shoulder of staff to see their passwords or to view notes stuck to computers with passwords written on them (shamefully common); and walking into a venue and sitting down at a terminal.

Ready to panic? In fact, a lot can be done to mitigate the human threat. Let’s start with passwords. Dr Kevin Curran, senior lecturer in computer science at the University of Ulster, says: “For a hacker with the computing power to make 1,000 guesses per second, a five-letter, purely random, all-lower-case password, such as ‘kjxyu’, would take about four hours to crack, but if we were to increase the number of letters to 20, then the cracking time increases to 6.5 thousand trillion centuries.”

Passwords should reset every few months and not be shared across sites. Mnemonics are valuable. Using the first letter from each word in a song lyric, with vowels replaced by numbers, is a simple way to create long yet easy-to-remember passwords.

Training is vital. The consensus is that lectures aren’t much good. Staff doze off. You’ll need to get creative to make sure the message sticks. PhishMe is a service which runs simulated phishing attacks so staff can learn to spot attacks. Founder Rohyt Belani says: “Providing training in periodic bite-sized segments, rather than a large information dump once a year, keeps your staff continually engaged and allows you to train them on a variety of attack techniques.

“Once users can recognise phishing attacks, organisations should encourage them to report suspicious e-mail to the internal security team, a process which turns your user base into an additional source of threat intelligence.”

In particular, don’t bamboozle your staff. Catalin Cosoi, chief security strategist at Bitdefender, strongly advises against trying to train staff in complicated security protocols. “Keep in mind the limitations of humans while you set security policies,” he says. “To take a simple example, demanding a password which contains letters, numbers and punctuation that changes every month is just begging for half of your staff to write them down on post-its and the other half to use ‘Password1’, ‘Password2’ and so on.”

It may be better to limit the access technophobic staff have on your system. Does a junior member really need unfettered access to vital financial and client data?

Finally, recognise you will never be totally hacker proof. If Microsoft and Sony can fall prey to criminals, it is folly to suppose you are immune. When all it takes is a wally with a big mouth to let the hackers in, every firm is vulnerable.