Humans - Weakest Link in an InfoSec Journey, or not!
A list of the biggest & most devastating cyber-attacks in the recent past indicate a consistent pattern.
• WannaCry Ransomware (2017), which exploited a vulnerability in SMBv1 Protocol of Windows, was successful due to unpatched computers. Microsoft had released a patch two months before the ransomware hit the world but many systems were infected, which means that someone had failed to install these patches.
• Bangladesh Bank (2016) was hit by a cyber-heist after login details of an employee were discovered,& then used to install malware on the bank’s system. Total loss to the bank was estimated to be USD 81 million dollars.
• PlayStation Network Attack (2011), which resulted in hackers getting access to 77 million user details, and which ultimately led to a fine of GBP 250,000 on Sony, were attributed to “poor security measures” which did not comply with British Law.
Why are Humans our Weakest Link?
Given that humans make so many mistakes, it is not surprising that we hold a belief that they are the weakest link. After all, what qualities does a “typical human” possess? They are frequently unpredictable, often irrational in their decisions, easily form poor habits, are emotionally driven, sometimes unreliable, and in general behave differently from a computer system. If our objective is to protect information, then instead of being seen as a strong tool against attacks, our human traits, in fact, make us part of the security problem.
On the other hand, a computer system, or in general, any automated system, is capable of following a set protocols & procedure to an exacting degree of precision, repeatedly, consistently, predictably & reliably; something that is a boon to information security. It is natural that we prefer computers over humans. Info Sec Professionals have become so confident in the dependability of computers that we will gladly replace a human with a machine. A machine, after all, does not make mistakes, it does not get tired, it always responds in a manner that it has been designed to, it adheres to its algorithm; and basically a machine will do exactly what it has been “taught” to do.
Can Humans be our Strongest Link?
It is common to use technology in information security systems. Heuristics-based systems are employed regularly in our protective perimeter, and with the advent of AI which applies machine-learning techniques, it is logical to assume that the future of information security lies in fully automated systems, which are capable of responding to almost all kinds of threats.
While there is no doubt that recent advances in AI have been significant and impressive, there have been some major and risky incidents in the field of AI in 2016 alone.
• An AI designed to predict recidivism acted racist
• AI NPCs (Non-Playable Characters) in a video game designed unauthorized super weapons
• A patrol robot collided with a child
• World champion-level Go-playing AI lost a game
• A self-driving car had a deadly accident
• AI designed to converse with users on Twitter became verbally abusive
While automated systems, specially the “smarter” ones, have come a long way, they still tend to lack maturity. They are designed and trained by programmers who have till now been unable to suitably, and comprehensibly, define the entire “universe” of information security to them. Without a complete understanding and knowledge of this InfoSec universe, it is near-impossible for a computer to deal with new and unforeseen threats. While they may be able to deal well with known issues, when a situation is new altogether, these computers need a human to make qualitative decisions for them. This is analogous to the need of human pilots in aircrafts even though most of the flying is done by computers today. Those same traits of humans, which make them appear “weak”, sometimes end up becoming a necessity in the field of security.
The Right Weapon for the Right Battles
While attacks are carried out using powerful computers &ingenious code, a hacker is still simply a malicious human; one who can think, adapt, become excited, display initiative, and be emotionally invested. Consequently, it is in our best interest to fight that human with a weapon which is equipped with similar traits & qualities, albeit is someone who has been made stronger with the help of training & technology.
While there is no doubt that humans are weak in several ways, there are still those who can be trained better, be given an opportunity to form good infosec habits, and be provided with tools necessary to overcome their shortcomings.
While we should not undermine the importance of, and reliance on, automated systems, the purpose of all security systems should be to strengthen security by helping humans to make good decisions. We should not exclude ourselves from the security perimeter, but build mechanisms which include us as an asset to security.
Information Security ensuring sustained business
The strength of a product lies in serving business objectives, which is provided by build stability along with reliable information security (both intellectual & data), and effective infosec processes which are ultimately run by empowered humans. Clients need these to rest assured that their business continues without having to constantly worry about the next cyber-attack.
The best way to execute information security is when it remains covert, stays one step ahead of these attacks, adheres to reliable and tested security frameworks, and employs technology in a manner that permits humans to become the strongest link in the information security chain; thus allowing client business to continue uninterrupted, and for business owners to focus on their growth strategy.