Is Human Error Biggest Cybersecurity Vulnerability?

In January 1986, the world’s first computer virus for MS-DOS was unleashed. Written by two Pakistani brothers, Basit and Amjad Farooq Alvi, the “Brain” as it was later coined, affected IBM PC computers by replacing the boot sector of a floppy disk with a copy of the virus. While the attack was intended to protect against piracy of the brothers’ medical software (it included their contact information so authorized users could reach out for “vaccination”), the world was put on alert.

Twenty-seven years later, computer viruses are everywhere and cyber crime is a $400 billion global industry with the potential to impact nearly any person or type of organization. Bank accounts, intellectual property or confidential information belonging to large- and mid-sized corporations, small businesses, public utilities, charitable organizations and even churches are vulnerable to cyber-attacks.

Cybersecurity Vulnerabilities

In response, organizations have turned to cybersecurity, or the practice of protecting computer systems by identifying and addressing vulnerabilities from various vantage points. “Hacking is big business,” says Reg Harnish, founder of GreyCastle Security and cyber consultant to Excelsior College.

Coming soon is “Introduction to Cybersecurity”, the college’s first foray into Massively Open Online Courses (MOOCs). In it, Harnish details the three components of cybersecurity: technology, process and people.

The technological aspects of cybersecurity – firewalls, badges, anti-virus and intrusion detection software – often garner the most attention. Also key are processes which establish the framework of an organization’s systems, describing what can and cannot be accomplished from a cybersecurity perspective.

However, the most vulnerable component of any computer system is humans, says Dr. Jane LeClair, COO for the National Cybersecurity Institute at Excelsior College in Washington D.C.


Addressing the “Human Element” in Cybersecurity

“Social engineering” refers to a criminal practice in which individuals or groups attempt to secure access to finances or other critical data through deception. This is often accomplished by employing a variety of false pretenses with a single objective: convince an employee to click on a link containing a virus, visit a malicious site, or even provide access to company hardware. In fact, criminals have been known to pose as a company technician in order to access an organization’s mainframe.

Dr. Jane LeClair, COO of National Cyber Security Institute at Excelsior College

Dr. Jane LeClair says “technology is not enough” when it comes to cybersecurity.

“Companies and organizations need to focus on the human-side of the equation,” said Dr. LeClair. “That means focusing resources on not just the latest anti-virus software but on the education and training of employees – the human element.”

Social engineering has become such a problem that hackers can even demonstrate their skills at Social-Engineer.org’s Capture The Flag (CTF) contest at DefCon, a hacking conference started in 1993. There, participants work to gather information on a pre-determined target company via “passive” information gathering such as public websites, Google searches, etc. The purpose is to illustrate the ease with which private information can be accessed due to lax information security practices.

As recently as 2012, participants were even allowed to use more deceptive means to reflect with greater accuracy the practices of criminal social engineers. For instance, former CTF champion Shane MacDougall won the contest by posing as a company executive and convincing a Wal-Mart manager to divulge key company data, including the make and model numbers of his computer’s “operating system, Web browser and even (his) antivirus software.” If MacDougall had been an actual criminal, the data would have provided a doorway into the corporation’s computer system.

To combat these types of attacks, many companies are taking a more pro-active approach to protect their data from the confluence of deception and complacency. Policies and training programs educate employees on how to browse the Internet safely, handle and use confidential data appropriately, and identify and prevent potential social engineering invasions.

“Technology is not enough,” said Dr. LeClair.

Cybersecurity Programs at Excelsior

Excelsior College is developing graduates capable of working on the front lines of the cybersecurity field and leading initiatives that take an interdisciplinary approach to combat cyber breaches through several undergraduate and graduate certificate programs in cybersecurity.

The college’s Bachelor of Science in Cyber Operations, which was developed with input from industry leaders, focuses on prominent contemporary issues such as cyber-attacks and defense, cybersecurity defense, computer forensics, cryptography and security-focused risk management, among others. Excelsior’s BS in Information Security (Cybersecurity) also explores cyber-attacks and defenses as well as cyberterrorism, cloud computing and systems architecture.

Excelsior’s graduate program, a Master of Science in Cybersecurity, focuses on IT risk assessment, information assurance and communication security, as well as project management, digital crime and ethical and legal issues in the growing field. The educational focus on the human element, says Dr. LeClair, is what helps a technician advance into a leadership role.

“Excelsior’s programs prepare graduates to detect and analyze cyber attacks, conduct risk and vulnerability assessments and develop the policy frameworks necessary to protect enterprise-wide information assets,” said Andrew Wheeler, assistant dean for the School of Business and Technology at Excelsior. “Our curriculum contains everything that students will need to become leaders in the cybersecurity field.”

Resources: National Cybersecurity Institute Call for Abstracts and Papers.