Discusses why cybersecurity has to be approached from a sociotechnical perspective. Accompanies YouTube video
http://www.youtube.com/watch?v=8bLwJy2BwKs
Cybersecurity 4: Security is a socio-technical issue
1. Security is a socio-technical issue
Cybersecurity: Security is a socio-technical issue
Slide 1
2. Improved security technology
• Computer security and security
engineering focus on the technical
aspects of the cybersecurity problem
3. • By reducing vulnerabilities in code and
by adding more checks to code, many
security vulnerabilities can be avoided
and the number of incidents reduced
• However, this can significantly increase
costs and time required for development
and so delay delivery of the software
5. • “If you think technology can solve your
security problems, then you don't
understand the problems and you don't
understand the technology.”
7. • Technology is necessary but cannot, on
its own, guarantee that systems will be
secure
• Cybersecurity is a socio-technical rather
than a technical problem
8. Why technology is not enough
• Technology reliability cannot be
guaranteed
• Insider attacks
• Technical security compromises made
for usability reasons
9. • Failure of organisational procedures or
poorly designed procedures
• Human carelessness
• Social engineering
10. Unreliable technology
• In the same way that it is practically
impossible to guarantee that a complex
system is free from bugs, it is also
impossible to guarantee that a system is
free from security vulnerabilities
11. • Even if a system A is 'secure', it may
rely on other systems that are
potentially insecure. If these are owned
by different people, 'system-wide'
security validation is impossible
12. Insider attacks
• Insiders have legitimate credentials that
allow them access to the system
– Therefore, strong access control
technology is not a barrier
13. • Insiders in an organisation are aware of the
technical safeguards built into the system and
may know how to circumvent these –
especially if they have privileged system
access
• Insiders have local knowledge that may be
used for social engineering and so may be
able to discover privileged information.
14. Maroochy water breach
Image credit: www.discoverqueensland.com.au
15. Usability vs security
• There is always a trade-off to be made
between usability and security
• Security procedures slow down system
operation and may alienate users
17. Procedural failures
• Procedures that are intended to
maintain security may be badly
designed or implemented
• This may introduce vulnerabilities into
the system or may mean that users
have to circumvent procedures
18. Poor procedures
• Companies request strong passwords but do
not provide any help to users on how to construct
strong, easy-to-remember passwords such as
“My_hamster.spot”
• Requirements for regular password change.
Thought to improve security but actually means
that users can't remember passwords so they
write them down
20. Some technical controls against carelessness
but impossible to completely control this vulnerability
without incurring very high costs
22. • Attacker Alex calls system admin Bob pretending to
be the manager of a company and asks for his
password to be reset.
• He asks Bob to tell him the new password
• Bob wants to please his boss so does as he is asked.
• Alex then can gain access to the system (and lock
out the legitimate manager)
23. Multiple points of failure
• These 'social' vulnerabilities may be
exploited in connection with each other
or with technical vulnerabilities to gain
access to the system
24. • For example, a successful password
attack may require social engineering to
convince system administrators to reset
a user's password
25. • A poor password change
procedure, which does not include a
check to ensure that the requestor is
legitimate
– Require text confirmation of password change
request or text password change details to the user's
mobile
– Requests made by phone should require callback
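The checks from slide 25, sketched as a help-desk workflow. This is an added example, not part of the original slides: the `ResetDesk` class, the `send_text` SMS hook and the directory entries are hypothetical, and it applies both the text confirmation and the texting of password details rather than one or the other.

```python
import hmac
import secrets

# Constructed directory: contact details registered in advance, never taken from the caller.
DIRECTORY = {"manager": {"mobile": "MOBILE-ON-FILE", "desk": "DESK-ON-FILE"}}

class ResetDesk:
    """Hypothetical help-desk workflow; send_text is an assumed SMS hook."""

    def __init__(self, directory, send_text):
        self.directory = directory
        self.send_text = send_text
        self.requests = {}

    def open_request(self, user, channel):
        """Log the request and text a one-time code to the registered mobile."""
        req_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self.requests[req_id] = {"user": user, "channel": channel, "code": code,
                                 "confirmed": False, "called_back": False}
        self.send_text(self.directory[user]["mobile"],
                       f"Password reset requested. Confirmation code: {code}")
        return req_id

    def confirm(self, req_id, code):
        """Text confirmation: the requester must return the code sent to the mobile."""
        req = self.requests[req_id]
        req["confirmed"] = hmac.compare_digest(code, req["code"])
        return req["confirmed"]

    def record_callback(self, req_id, dialled):
        """A callback counts only if the admin dialled the number on file."""
        req = self.requests[req_id]
        req["called_back"] = dialled == self.directory[req["user"]]["desk"]
        return req["called_back"]

    def complete(self, req_id):
        """Reset only after the checks pass; the admin never sees the password."""
        req = self.requests[req_id]
        if not req["confirmed"]:
            raise PermissionError("no text confirmation from registered mobile")
        if req["channel"] == "phone" and not req["called_back"]:
            raise PermissionError("phone request needs a callback to the number on file")
        temp = secrets.token_urlsafe(12)
        self.send_text(self.directory[req["user"]]["mobile"],
                       f"Your temporary password: {temp}")
        del self.requests[req_id]
        return "reset done; details texted to registered mobile"
```

In the Alex and Bob scenario from slide 22, Bob has no password to read out and the confirmation code never reaches the caller, so the request stalls at `complete`.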
26. Summary
• Cybersecurity is a socio-technical
problem
• Technology reliability cannot be
guaranteed
• Insider attacks
• Technical security compromises made
for usability reasons
27. • Failure of organisational procedures or
poorly designed procedures
• Human carelessness
• Social engineering