Cybersecurity? There's No Accounting for Human Weakness

By Selena Templeon

The common thread I heard in the majority of the sessions at this year’s Black Hat conference was: the human factor. In other words, security only works if you actually implement it, rigorously stick to it, and consistently update it. It’s like having a state-of-the art alarm system on your house but then leaving the bedroom window open for fresh air. Or hiding the door key under the front mat.

When 45% of people will pick up a random USB drive and insert it into their computer, 42.5% will open an email from an unknown sender and click on the link provided, or the majority of people will use the password “12345” for all their devices and PINs, how can we expect cybersecurity to actually work? The proverb “A chain is only as strong as its weakest link” is very a propos here, especially if you replace ‘chain’ with security and ‘weakest link’ with good ‘ole human nature.

Case in point: at a conference teaming with over 11,000 infosec professionals and hackers, most of the attendees were still glued to their smartphones and laptops, happily scrolling through Facebook or Twitter newsfeeds as the session speaker discoursed about the serious security threat of the mobile landscape. In another session, as the speaker detailed the importance of implementing multiple levels of security within an organization’s digital structure, the slide projector instantly died when one attendee accidentally sat on the plug.

A Black Hat survey (note: opens a PDF in a new window) shows that 72% of this year’s attendees – the “most expert security professionals in the industry” – expect that their company will have a major data breach within the next 12 months but that they don’t have the resources to effectively meet that inevitable challenge. When survey respondents were asked what they felt the weakest link in “enterprise IT defenses" was, 28% said "End users who violate security policy and are too easily fooled by social engineering attacks.”

The human race has become so dependent on digital technology that we don’t stop to consider the consequence of our choices. As Charlie Miller said during his car hacking session, “It’s safer to have cars without computers, but we all like the convenience.”

As for me, I sacrificed convenience for security during Black Hat: I got to relive 1998 with my throwaway flip phone with no Internet capabilities and suffer a cramped hand from taking mostly illegible notes with pen and paper. On the other hand, not having a constant digital distraction gave me the opportunity to study the unnervingly vivid pattern of the carpet throughout the convention center. And when I noticed another attendee fixated by the same thing, we were able to strike up a conversation without our attention being pulled away by the insistent incoming message alerts from our smartphones.

Here are some of the sessions that I found particularly interesting, with more in-depth articles on individual briefings or sponsored talks to follow.

  • Can You Trust Me Now? An Exploration into the Mobile Threat Landscape – Josh Thomas, who wrote Artificial Intelligence and cryptographic solutions for the Department of Defense, and Shawn Moyer, a founding partner at Atredis Partners, discussed the pitfalls of mobile security in a world where so many people use their smartphone like a computer and yet don’t implement the same security measures.
  • Hacking Next-Gen ATMs: From Capture to Cash-out – Weston Hecker, from Rapid 7, who specializes in security research and programming, showed the audience that “a motivated attacker could bypass anti-skimming/anti-shimming methods introduced to the latest generation ATMs, and perform EMV/NFC long-range attacks that allow real-time card communication from over 400 miles away.” Why would criminals automate cash-out? As Hecker so amusingly put it, because it’s a lot easier to brag about your illegal activity on social media when you are well away from the scene of the crime. You can read the full report here.
  • Building a Product Security Incident Response Team – Kymberlee Price, an expert in the information security industry who specializes in application security incident response and investigations, took the audience through a snappy presentation on putting together a response team before, rather than after, a security incident.
  • Advanced CAN Injection Techniques for Vehicle Networks – Charlie Miller, security engineer at Uber ATC and hacker, and Chris Valasek, security lead for Uber ATC, discussed automotive security issues. These are the guys who famously hacked a Jeep Cherokee remotely while it was in motion, causing the radio to blast, the windshield wipers to start, and the acceleration to die. This is called a zero-day exploit, which is an un-patched vulnerability in the software that hackers find and manipulate, and their prank spurred new legislation concerning digital security standards for the automotive industry. Yes, it’s safer to have cars without computers, they agreed, but we all like the convenience.