The Weakest Link in Cyber Systems Wears Spectacles
By David Nicol, Editor in Chief, IEEE Security and Privacy
The owner of a small firm responds to an email apparently from the company’s bank, but as a result of the interaction the company’s bank account is cleaned out, wired to an account in Eastern Europe. The purchasing manager of a large company opens a spreadsheet which purports to come from the CFO, but as a result locks up the entire company’s IT system with ransomware. An eager-to-help member of a company’s IT help desk resets a caller’s password after being convinced that the caller is a legitimate user with a problem, but instead hands a legitimate user’s account over to an attacker. A production manager buys a number of inexpensive networked webcams for deployment throughout the factory, but it turns out that the webcams have hard-wired, impossible-to-change passwords which can be discovered on the Internet; an intruder is able to take control of them all and use them as part of a massive army of bots that generate network traffic aimed at a victim IP address. An engineer uses the same password for her bank, her email account, and her on-line account at an Internet merchant site. A cyber-attacker penetrates that merchant’s system, gathers all account information, and, after running a password-cracking program off-line, obtains the passwords of many users, including the engineer’s. The intruder runs programs that automatically attempt to log in to other Internet sites using the discovered email addresses as IDs with their paired passwords, and because the engineer used the same password at the bank as at the merchant, the intruder gains access to the engineer’s bank account.
These stories have all actually happened or are similar to stories that have happened. The common theme is that people interacting with information systems perform actions that turn out to have significant negative consequences. People are the weakest link in cyber systems. The first line of defense against cyber malfeasance is human awareness of what is happening, what can happen, how it happens, and how it can be kept from happening. IEEE Security and Privacy is a magazine devoted to raising its readership’s awareness of issues like these.
Articles in IEEE S&P target a broad spectrum of readers and cover a broad spectrum of topics. An article is expected to provide a view of a topical area and to educate the reader. Recent issues have focused on advances in digital forensics, on cyber-security in the Internet of Things, and on the impact of the European GDPR privacy regulation. Planned issues include foci on cyber-security policy and on hardware-based support for cyber-security. IEEE S&P keeps the computing professional apprised of threats, and of counters to those threats, in the rapidly changing field of cyber-security.