Previous articles focused on vulnerabilities and attack vectors to understand the basic concepts of information security. One may be tempted to believe that information security is all about patching technological loopholes in ICT systems.

This is a glaring misconception. The human element has on countless occasions proven to be the weakest link in the information security chain. Corporations may invest in firewalls, biometrics and other high-tech security tools, but attackers can easily exploit untrained, careless and in some cases disgruntled system users to compromise information systems, whether those users act intentionally or unwittingly.

The human mind can be exploited through social engineering, saving passwords in browsers, jotting down passwords, dumpster diving and revealing bank card PINs to peers, among other human loopholes.

Human errors, whether deliberate or negligent, include carelessness, revenge, leaving laptops unsecured, using weak passwords and failing to adhere to laid-down IT security policies and procedures. The list is endless.

To counter human error, "human firewalls" should be put in place: user education and training, adherence to clear IT policies and procedures, a coordinated response to security incidents and, above all, support from top management.

The foremost attack on the human element is social engineering (human hacking), which needs no sophisticated software or hardware tools because it exploits weaknesses in the human mind.

It is a form of psychological manipulation in which a hacker fools unsuspecting users into disclosing confidential or sensitive information.

Common social engineering scams are phishing and ransomware. In phishing, hackers send emails with attachments that look genuine but carry a malicious payload. Anyone who downloads and opens these attachments compromises their computer and other devices connected to the network.

A typical phishing scenario: a hacker sends an email containing a phony link to your bank's website, requesting your user ID or PIN.

If you respond to the request, the hackers harvest your credentials and can then perform bank transactions illegitimately while masquerading as the genuine account holder. Credentials can also be harvested through over-the-phone password requests from callers posing as system administrators.

To avoid this type of manipulation by masqueraders, never give away vital information over the phone.

Ransomware also manipulates the human mind and works hand in hand with phishing emails. Hackers send emails carrying a malicious attachment which, once downloaded and opened, encrypts the entire hard disk.

The attacker then demands a payoff in the form of cryptocurrency, popularly known as bitcoin, to release the encrypted data. In the recent ransomware attacks around the world, it is fortunate that the hackers decrypted the data once the victims paid the ransom.

Another trick that has proved effective in social engineering is shoulder surfing: the hacker harvests a user's credentials simply by peeping over the victim's shoulder. It sounds simple, but in crowded places such as banks and internet cafés one can easily fall victim to credential theft this way.

The best defence against phishing, ransomware and shoulder surfing is security education and user training.

It is also wise for users to keep the "think before you click" rule in mind before opening any email attachment, since it may be a phishing or ransomware lure.

Users tend to choose passwords based on their background information, such as birthdays and the names of their children. These weak passwords offer easy entry to would-be hackers.

Passwords like john86 should be discouraged. Hackers can easily guess such passwords by forming combinations from your background information. Strong passwords should mix letters, numbers and special characters, making them practically impossible to break.
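To make the point about background-information passwords concrete, here is an added example (not from the article) of a defender-side policy check that rejects passwords built from a user's name, birth year or children's names, alongside the usual character-class rules. The profile, its field names and the 12-character minimum are constructed for the illustration.

```python
import re

# Constructed example profile; in practice this would come from the HR or identity record.
EXAMPLE_PROFILE = {
    "name": "John Smith",
    "birth_year": 1986,
    "children": ["Emma", "Liam"],
}


def background_tokens(profile):
    """Derive the 'background information' fragments a guesser would try:
    first/last name, children's names, and the birth year in 4- and 2-digit form."""
    tokens = set()
    for word in profile["name"].split():
        tokens.add(word.lower())
    for child in profile.get("children", []):
        tokens.add(child.lower())
    year = str(profile["birth_year"])
    tokens.update({year, year[-2:]})
    return {t for t in tokens if len(t) >= 2}


def check_password(password, profile, min_length=12):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "digit": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for label, pattern in classes.items():
        if not re.search(pattern, password):
            failures.append(f"missing {label}")
    # Compare case-insensitively so John86, JOHN86 and john86 are all caught.
    lowered = password.lower()
    for token in sorted(background_tokens(profile)):
        if token in lowered:
            failures.append(f"contains personal detail '{token}'")
    return failures


if __name__ == "__main__":
    for candidate in ("john86", "Emma2010!", "Tr0ub4dor&Coffee!9"):
        print(candidate, "->", check_password(candidate, EXAMPLE_PROFILE) or "OK")
```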

Web browsers often offer to save passwords. Hackers also harvest users' passwords by analysing cookies or the passwords saved in web browsers, and attackers exploit this loophole to trap users who lack security awareness. The golden rule is never to save passwords in web browsers, lest you become hackers' prey.

Users may also deliberately expose information to unauthorised personnel out of disgruntlement or as a form of revenge for unfair dismissal. ICT employees who are dissatisfied with their employer pose a serious security risk. The only defence against such scenarios is to address employee grievances rather than searching for hi-tech control measures.

Carelessness in handling information assets is a further loophole for hackers to exploit. It is now a common mantra among information security professionals that there is no patch for human carelessness. Carelessness includes leaving computers unlocked. Dumpster diving is another easy way to harvest passwords and access codes: it involves going through an organisation's trash, since many users jot passwords on paper which they later throw into the bin. The technique is not restricted to jotted-down credentials but extends to any sensitive data typed or written on sticky notes. The best defence for patching human error is continuous user education and training, together with security clearance before hiring.

A chain is only as strong as its weakest link. Ongoing personnel security awareness training should be a priority for organisations in order to safeguard against security breaches caused by the human mind.
