You are the weakest link in IT security

October 31, 2012 - 06:13

Hackers often gain access to IT systems by exploiting the weakest link in IT security – the users. New social IT security system aims to weed out the human factor.

A new IT security model seeks to combat hacking by focusing on the people who use IT systems on a daily basis. (Photo: Colourbox.dk)

Why bother to hack into complex security systems when it’s so much easier to hack into people?

By using what’s known as ‘social engineering’, hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers.

“Hi, I’m calling from the IT department. There’s a program that you need to install on your computer.” This is a typical example of a phone call from a hacker using social engineering to fool you into granting the hacker access to you IT system.

Another common example of social engineering is someone leaving a memory stick in your office. When you insert the stick into your computer to find out whose memory stick it is, a surveillance program is installed. The next thing you know is that the hacker has made it into your company’s IT system.

Social IT security model

To combat this problem, researchers at DTU Informatik at the Technical University of Denmark have developed a new security model which not only focuses on security by analysing technical specifications, but also by looking at the people who use the technology.

Companies are generally very good at protecting themselves against external attacks, but only rarely do they guard themselves against internal attacks.
Christian W. Probst

”Companies are generally very good at protecting themselves against external attacks, but only rarely do they guard themselves against internal attacks,” says Christian W. Probst, an associate professor at DTU Informatik.

“Our model calculates where in a system the risk can be found. A typically overlooked link in the chain is the user.”

More specifically, he’s looking at access control for programs and the people who use them. What options does an actor have in an IT system, and what could be the consequences?

“My dad’s just been attacked”

The clever thing about social engineering is that many people blindly trust a person who appears to have authority and greater knowledge than themselves.

“A hacker only needs one single person who isn’t fully familiar with the company’s IT security policy – and then they’re in,” says Probst, whose father has just suffered a hack attack:

It’s all about striking the right balance between security and usability for the staff. You can’t just regulate your way out of these problems.
Christian W. Probst

“My 72-year-old father received an email which said that his bank account was overdrawn. He was tired that day, so he just clicked the link in the mail and ended up with a virus on his computer.”

This document must never leave the company

Today, Probst and his colleagues will start field-testing their new security model by looking at how humans affect security systems.

“In our model, we place a document which says ‘This document must never leave the company’ in a company’s IT system,” he explains.

“If we can then show in the model that the document can leave the company, it means that a malicious actor has access to company data.”

Together with partners from Aalborg University and other European universities and companies, Probst will be testing the effect of e.g. an attack that uses a memory stick. Can social engineering enable access to confidential information in a given company?

The cloud is a huge challenge
If you only think security, eventually the employees stop losing interest in using the IT system and may even go looking for their own alternative ways around the security mechanisms.
Christian W. Probst

The next big challenge for IT security researchers is cloud computing.

In recent years, cloud computing has become a hot buzzword in the world of IT. The concept implies that data storage and computing power are increasingly shifted from the individual user or company to huge data centres known as ‘clouds’.

This trend can be compared with the changes that took place 100 years ago in factories, where there was a shift from local energy supplies from water wheels or steam engines to energy supplies from large central power utilities.

”Cloud computing represents a special challenge, since it implies that businesses will have less control over their data. This is because businesses do not only associate with other computers and computing power in cloud computing, but also with the data centre staff,” says the researcher.

“The security chain becomes more complex as more human links are added in the transition to IT becoming a service that’s delivered over the internet. From an IT-security perspective, the cloud is a huge challenge.”

IT security is all about balance

Facts

Whether hackers use attachments, phone calls or memory sticks to gain access to an IT system, it can all be grouped under the social engineering umbrella.

The principle remains the same: trick the people rather than the systems.

Making an IT system as secure as possible is more than just minimising risks by restricting staff members’ access to data.

“It’s all about striking the right balance between security and usability for the staff. You can’t just regulate your way out of these problems,” he says.

”If you only think security, eventually the employees start losing interest in using the IT system and may even go looking for their own alternative ways around the security mechanisms.”

-------------------------------------

Read the Danish version of this article at videnskab.dk

Country
Translated by
Dann Vinther