Humans are the Weakest Link in Information Security

This article was originally published in the September 2017 issue of CIO Review Magazine

Consider the following:-

• WannaCry Ransomware (2017) exploited a vulnerability in SMBv1 Protocol of Windows, was successful due to unpatched computers. Microsoft had released a patch two months before the ransomware hit the world but many systems were infected, putting the security of their information at risk.
• Bangladesh Bank (2016) was hit by a cyber-heist after login details of an employee were discovered and used to install malware on the bank’s system. Total loss to the bank was estimated to be at around  $81 million USD.
• PlayStation Network Attack (2011), resulted in hackers getting access to details of 77 million users ultimately leading to a fine of GBP 250,000 on Sony, which was attributed to “poor security measures” that didn’t comply with UK’s legal requirements.

Wannacry, Bangladesh Bank, and the PlayStation Network attack are only the tip of the iceberg. As a pattern, all the attacks are only aimed at one thing: information.

Why are Humans our Weakest Link?

Given that humans make so many mistakes, it is not surprising to suppose that in the great chain of machines, we are the weakest link. The defining qualities of our species are that we are unpredictable, often irrational, easily form poor habits, are emotionally driven and in general, behave far differently than any computer system. If our objective is to protect information, then instead of being seen as a strong tool against cybernetic attacks, our humanity is the very thing making us vulnerable.

On the other hand, a computer system or any automated system for that matter is capable of following set protocols and procedures to an exacting degree of precision, repeatedly, consistently, predictably and reliably; something that is a boon to IT security. It’s only natural that we would prefer computers over humans. Info-sec professionals have become so confident in the dependability of computers that they would gladly replace their human forces with a horde of machines. A machine would make no mistakes, would never tire, it would always respond in a manner that it has been designed to. Machines would adhere to their algorithms and will only ever do what they have been taught to do.

Can Humans be our Strongest Link?

It is common to use technology in information security systems. Heuristics-based systems are employed regularly in our protective perimeter, and with the advent of AI which applies machine-learning techniques, it is only logical to assume that the future of information security lies in fully automated systems, which are capable of responding to almost all kinds of threats.

While there is no doubt that recent advances in AI have been significant and impressive, there have been some major and risky incidents in the field of AI in 2016 alone:-

• An AI designed to predict recidivism acted racist
• AI NPCs (Non-Playable Characters) in AI infused video game “Elite Dangerous” designed unauthorized super weapons
• A patrol robot collided with a child
• A developing self-driving car was involved in a deadly accident
• Microsoft’s Teen AI designed to converse with users on Twitter became verbally abusive

While automated systems, especially the “smarter” ones have come a long way, they still tend to lack refinement. They are designed and trained by programmers until now been unable to suitably, and comprehensively, define the  “universe” of information security to them. Without a complete understanding and knowledge of this Infosec universe, it is near-impossible for a computer to deal with new and unforeseen threats. While they may be able to deal well with predictable issues, in unanticipated circumstances, they require humans for taking qualitative decisions. This is analogous to the need for human pilots in aircraft even though most of the flying is done by computers today. Those same traits of humans, which create security vulnerabilities are often a crucial necessity in the field of security.

The Right Weapon for the Right Battles

While attacks are carried out using powerful computers racked with ingenious coding, a hacker is still nothing more a malicious human; one who can think, adapt, become excited, display initiative, and be emotionally invested, just like the people defending themselves from their attacks. Consequently, it is in our best interest to fight that human with a weapon which is equipped with similar traits & qualities, albeit one that has been made stronger with the help of training & technology.

In the face of machines, there is no doubt that humans fall short in many aspects. It would be unwise to dismiss their role altogether.the purpose of all security systems should be to strengthen security by helping humans make good decisions, including them as an asset to security.

Info-censured Sustained Businesses

The strength of a product lies in serving business objectives, which is provided by build stability along with reliable information security (both intellectual & data), and effective info-sec processes which are ultimately run by humans. Clients need these to rest assured that their business continues without having to constantly worry about the next cyber-attack.

The best way to execute information security is when it remains covert, stays one step ahead of these attacks, adheres to reliable and tested security frameworks, and employs technology in a manner that permits humans to become the strongest link in the information security chain; thus allowing client business to continue uninterrupted, and for business owners to focus on their growth strategy.

Share

Shailendra Singh is the Chief Information Security Officer at Capillary Technologies