**THE WEAKEST LINK: HUMAN FACTORS IN COMPUTER SECURITY**
*Written by Laquinta, Ochea, Tan*
Computers are designed to follow precise instructions, execute algorithms flawlessly, and perform complex calculations at lightning speed. As such, they are a symbol of reliability and consistency. However, humans, with all their quirks and flaws, introduce a plethora of vulnerabilities into the equation.
First and foremost is the **aspect of human error**: humans are prone to making mistakes, no matter how knowledgeable or trained we may be. It may be due to a short lapse of judgment, a momentary distraction, or even fatigue.
Humans also seek **convenience instead of security**, as it is in our nature to seek shortcuts, simplicity, and efficiency in our daily lives. This may seem harmless, but it can lead to vulnerabilities that can be exploited with ease.
Lastly, there is **social engineering**, which works because of the natural inclination of humans to form connections and trust others. This is the trait that attackers or cybercriminals capitalize on the most: no matter how secure your digital castle is, it can be easily exploited by convincing its owner or the one who manages it.
---
**WHY ARE HUMAN FACTORS CONSIDERED A RISK IN COMPUTER SECURITY?**
Imagine a vault that contains a company's contracts and valuable assets. This state-of-the-art vault is equipped with the latest security technology, such as biometric scanners and a complex lock, and is built out of the strongest reinforced steel. With that kind of security, you would think that it is impenetrable and would have complete confidence in its security measures.
However, there will always be someone who can bypass that security to gain access to the contents within the vault, whether it be the owner of the company or simply a manager tasked with managing its contents and security. That person could now be considered the impenetrable vault’s weakest link.
One day, that manager receives an urgent email from someone claiming to be the owner or a top-level executive of the company, stating that there is an emergency and that they require immediate access to the contents of the vault. This email contains believable information and details that are difficult to disregard, making it seem legitimate. Unbeknownst to the manager, this email is part of a social engineering attack.
In this scenario, the weakest link was the human factor: the manager unknowingly bypassed the vault's advanced security features and fell victim to **social engineering**. The easiest way to open the vault was by exploiting the human's trust and manipulating them into ignoring the established security protocols. As such ~
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/S1qHkjmo6.jpg" alt="fooled">
</div>
---
**WHAT IS SOCIAL ENGINEERING?**
One might assume, especially among nontechnical individuals, that computer security, for both “white hats” and “black hats”, only involves sitting in a dark room, wearing a black hoodie, and absolutely spamming keys trying to hack NASA or something. While this is true, a considerable amount of a hacker's time can also involve social engineering; yes, you guessed it–actually communicating with people and touching grass!
Social engineering covers lots of different techniques that exploiters can utilize. These techniques range from scouring the Internet for any potentially useful clues to getting outside and doing the work on the ground.
* Scouring the Internet - Social media has become a huge part of modern life. Almost everyone who has access to social media has used it to post updates about their lives at least once. With this, opportunities arise for exploiters to grab sensitive information about employees and the company that can be used nefariously. For example, an unsuspecting high-level employee posting about celebrations of their firm's latest successful security installation can lead to potential leaks. Another example is posting about a team building event, which lets attackers know that the office is relatively easier to break into and is ripe for the taking.
* Getting the Hands Dirty - Another major umbrella technique of social engineering involves using psychological manipulation, deception, and trickery. It can be as simple as starting a friendly conversation with an involved employee to gain information, or as complex as a well-planned investigation of the target company and its employees. On the other hand, a simple overheard conversation between employees can also jeopardize the company.
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/rJbqwoQip.png" alt="loki" width="500">
</div>
---
**WHAT HAPPENS WHEN THE POSSIBILITY OF HUMAN ERROR IS IGNORED?**
If human error is not considered when establishing computer security, then you would simply leave exploitable avenues for attackers to use to gain access to your system.
Ignoring the human element of computer security would mean that the security measures would be primarily made up of technical aspects such as firewalls, encryption, detection systems, or other installed security software. While these technical aspects are important in safeguarding the security of the system, they do not address the human element of security, which is considered the weakest link in the security chain. This is due to the human factor being susceptible to manipulation, persuasion, and deception.
A common form of persuasion is the Principle of Authority. This principle states that people tend to trust authority figures and thus are more inclined to have them guide their choices. Attackers could capitalize on this principle by assuming a position of authority or presenting themselves as experts or influential figures. The attacker could then ask a series of ‘innocent’ questions that could lead to the leaking of sensitive information, unbeknownst to the victim, who honestly believes that their counterpart is trustworthy because of the authority the attacker claims.
Some of the consequences when human error is ignored are as follows:
* Sabotage - One of the consequences is the system being sabotaged. There are many ways to sabotage a system–malicious code can be injected into the system, some parts of the system may be altered to the attacker’s liking, or the system can be shut off partially or entirely.
* Loss of money - One of the biggest motivations of security attacks is financial gain. Attackers may use your passwords and bank or credit card details to withdraw money. They may also hold your information in exchange for ransom money, or they may simply sell your information on the dark web.
* Espionage - This might be one of the purposes of cybersecurity attacks. This may be in the form of corporate espionage–wherein attackers steal trade secrets from competitor companies, or political espionage–wherein attackers interfere for political purposes, such as tampering with election data and accessing government or military documents.
---
**POPULAR INCIDENTS**
One of the most notorious recent social engineering attacks is the 2020 **Twitter Bitcoin Scam**. During this attack, around 130 high-profile Twitter--or in this case, X--accounts were compromised by external actors and were used to post messages like the following:
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/Sk3vWjQj6.png" alt="bitcoin">
</div>
This led to the loss of around $100,000 in Bitcoin before it was finally stopped. This incident not only demonstrates the vulnerabilities in our personal accounts across all kinds of social media but also the need for heightened security when it comes to the rapidly emerging trend of digital currencies. And trust me, you definitely don't want to wake up one day to find out you accidentally transferred $100,000 worth of Bitcoin to some mischievous hacker.
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/S1cLEjmoT.png" alt="phealth">
</div>
A local cybersecurity attack also happened recently. On September 22, 2023, **Medusa ransomware** attacked PhilHealth–a government-owned health insurance organization in the Philippines. This brought about the temporary shutdown of PhilHealth's online systems and compromised the data of both users and employees. The attack affected the data of about 13 million users, including the data of around 600 to 800 PhilHealth employees. In exchange for the information, the attackers demanded a ransom of $300,000, which is approximately P17 million, from PhilHealth.
Isn’t it frightening to be one of the users whose data was compromised and possibly exposed? Of course, it is scary! It is our personal data after all. We will never know what they intend to do with it–they might even try to use it to commit more crimes! Nevertheless, PhilHealth assured its users that the database is still intact and that they will be using a P14-million antivirus software for protection against malware and ransomware.
---
**COMMON HUMAN FACTOR RISKS AND VULNERABILITIES IN COMPUTER SECURITY**
* Phishing
* Hacking
* Insufficient Password Management
* Negligence and Misconfiguration
Have you ever received a suspicious email before that says you've won a million pesos and asks for your personal information? Are you still receiving spam messages with shady links that say you've been accepted for a job position that you didn't even apply for? These are just some of the familiar scenarios that still occur to us from time to time which may endanger our data and, possibly, even our lives. These are examples of phishing attacks.
**What is phishing?**
Phishing is a type of cybercrime wherein the victims are targeted via different means of communication such as email, telephone calls, or text messages. The attacker tries to pose as a legitimate person or institution to trick individuals into providing their sensitive data such as personal information, passwords, and bank account and credit card details.
Imagine you're strolling through the digital streets of the internet, minding your own business, when suddenly, you encounter a sneaky cyber-criminal lurking in the shadows. This nefarious character is none other than a "phisher"! A phisher is like a clever con artist who disguises themselves as a trustworthy entity, like your bank, favorite online store, or a friendly IT support person.

The phisher can then attack through the use of cunning emails, text messages, and even fake websites. They may look trustworthy but beware! Phishers are masters of deception and trickery. They are fully capable of using fear, urgency, and the promise of incredible rewards to grab your attention and make you act without thinking. For instance:
> **PHISHER** used a **SUSPICIOUS LINK!**
> **IT WAS SUPER EFFECTIVE!**
Unknowingly, you would already be clicking a link that leads straight to a trap where they can capture your credentials, credit card details, and personal information. With this, you would now be handing the digital key of your castle of secrets to an attacker who could use your credentials to expose your browsing history. Oh no!
Aside from that, have you ever had your Facebook account hacked after logging in at a computer shop? Despite keeping your password a secret, they were still able to force their way in somehow. Once the account gets hacked, the hacker is able to do things on your account that they are not supposed to be able to do. This is the basic concept of hacking.
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/HJB57sQi6.png" alt="hackerman" width="400">
</div>
**What is hacking?**
Hacking refers to the act of finding and exploiting the weaknesses of a computer system with the intention of gaining unauthorized access to data–be it private or organizational. However, hacking was not originally considered a malicious activity. In fact, the term only gained its negative undertone due to its constant association with cybercrime.
Hacking can look like some magic trick performed to bypass security. However, just like with every magic trick, there is an underlying trick being pulled off. Hackers use different techniques to achieve their goal. Some of these methods are the following:
* **Social engineering** - a manipulation technique that exploits human error to gather personal information using fake identities or psychological tricks.
* **Brute force attack** - wherein the hacker tries to guess the password using every possible combination.
* **Malware** - wherein the hacker infects devices with malware and then gains backdoor access through it.
* **Zombie computers** - wherein a connection is created between the hacker's system and a victim's computer to take it over, making it a ‘zombie computer’ that is then used to send spam or perform Distributed Denial of Service (DDoS) attacks.
* **Keylogging** - wherein hackers track each keystroke that the user of a computer makes.
* **Attacking insecure wireless networks** - wherein hackers connect to an insecure, open wireless network to gain access to devices connected to the same network.
Aside from phishing and hacking attacks, there are some human practices that compromise computer security, including poor or inefficient password management, and negligence and misconfiguration.
**Inefficient Password Management**
As the name suggests, this means using unsafe and unrecommended password practices, such as basing passwords on non-unique details like your birthday or the name of your dog, or using ‘admin123’ or even ‘password123456789’. These types of passwords can be easily guessed through the use of certain techniques.
Another very poor practice is writing passwords down in places such as Notepad, Notion, a chat with yourself in Messenger or Discord, or any other online or physical medium.
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/rJ_xzsmo6.png" alt="OF">
</div>
See, the problem with inefficient password management is that it creates opportunities for social engineering attacks. When passwords are stored haphazardly or shared insecurely, it becomes easier for malicious actors to gain unauthorized access.
**Negligence and Misconfiguration**
Negligence can lead to misconfigurations in security settings, leaving systems and networks vulnerable to attacks. Negligence and Misconfiguration are like a mischievous duo of troublemakers when it comes to computer security. Negligence has a penchant for forgetfulness and a knack for overlooking important details, such as leaving passwords unchanged, forgetting security patches, and leaving access controls wide open. Misconfiguration, on the other hand, revels in the art of leaving things in disarray, such as changing configuration settings with reckless abandon, turning off encryption, and granting permission to all who dare to ask.
Together, they leave a wide avenue and a clear trail of vulnerabilities for attackers to take advantage of, like breadcrumbs leading attackers straight to a treasure trove of sensitive information.
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/rkGrXsQi6.png" alt="unlocked">
</div>
---
**MITIGATING HUMAN ERROR IN COMPUTER SECURITY**
“Prevention is better than cure.”
This line couldn’t be more appropriate in the field of computer security. Dealing with the aftermath of a security breach is almost always astronomically more expensive than preventing it from happening in the first place. This is the reason why it is critical to implement measures to prevent (hopefully!) such security breaches from even happening.
**Vigilance and Alertness**
One way to mitigate human error in computer security is to be alert and vigilant about your computer and internet activities. Make sure that you thoroughly check emails and text messages. New emails or messages from an unknown sender that include a link or attachment may be suspicious. You should avoid clicking the link or opening the attachment, for it may be a form of phishing.
You should also avoid questionable websites. When downloading from the internet, make sure that you are doing so from trusted websites. Before downloading, carefully examine any 'free software.' Also, make sure that the websites you transact with have an up-to-date security certificate--their addresses will start with HTTPS instead of HTTP.
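
The checks described above and in the phishing section (unknown sender with a link or attachment, pressure language, non-HTTPS links, link text that shows one site while pointing at another) can be run mechanically. This Python sketch is an added example, not part of the original article; the trusted-domain list, the phrase list, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: the domains you already deal with, and a short list of
# pressure phrases. Both need tuning for a real mailbox.
TRUSTED_DOMAINS = {"example-bank.test"}
PRESSURE = re.compile(
    r"\b(urgent|immediately|suspended|verify your account|you(?:'ve| have) won)\b", re.I)
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Support" <support@examp1e-bank.test>
Subject: URGENT: verify your account
Content-Type: text/html

<p>Your account will be suspended. Confirm immediately:</p>
<a href="http://login.attacker.test/verify">www.example-bank.test/login</a>
"""
BENIGN = """\
From: Example Bank <notices@example-bank.test>
Subject: Your monthly statement is ready
Content-Type: text/html

<a href="https://www.example-bank.test/statements">www.example-bank.test/statements</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def bare(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def triage(raw):
    """Return a list of (code, detail) findings for one raw e-mail."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    collector = LinkCollector()
    collector.feed(body)
    attachments = [p.get_filename() or "unnamed" for p in msg.iter_attachments()]
    findings = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS and (collector.links or attachments):
        findings.append(("unknown-sender", domain))
    hit = PRESSURE.search(f"{msg.get('Subject', '')}\n{body}")
    if hit:
        findings.append(("pressure-language", hit.group(0)))
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme != "https":
            findings.append(("insecure-link", href))
        shown = DOMAIN_TEXT.match(text)
        if shown and bare(shown.group(1)) != bare(url.hostname):
            findings.append(("mismatched-link", f"{shown.group(1)} -> {url.hostname}"))
    return findings
```

A message with no findings is not proven safe; the codes are prompts for a human to look closer before clicking.
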
**Security Awareness and Training**
One of the best ways to prevent or at least lessen the risks of a security breach is to improve on the internal workforce itself. Computer security training can involve topics such as security risks awareness and countermeasures in the event of a security breach.
Security risk awareness can involve topics such as discretion about company assets, Internet vigilance practices, and device security. Making the people involved more aware of the threats they can unknowingly bring into the organization can significantly reduce the chances of employee-induced security breaches.
**Password Practices**
Some of the best password practices are the following:
* **Create a strong and long passphrase**
Think of it as a secret code phrase that only you know. Instead of settling for a simple password, you construct a clever combination of words that nobody would guess. It should be long, like a never-ending train of thought, and blend unlikely words that create an unbreakable barrier.
A good, strong password would be 16 characters long; however, you can make it longer, as the longer it is, the stronger your password will be. Remember that it must also be unique for each account, with no pattern shared between passwords, making them harder to crack.
* **Apply password encryption**
This is the process of converting your passwords into an unreadable format before storing them or transmitting them over a network. Its purpose is to protect sensitive information such as user credentials from unauthorized access in the event of a security breach.
* **Implement two-factor authentication**
It's like having a backup plan in case your password falls into the wrong hands. Whenever you try to access a restricted area, a secondary challenge appears, asking for additional proof of your identity. It could be a text message with a special code or a fingerprint scan. This way, even if someone guesses or steals your password, they won't get far without the second piece of the puzzle.
By combining something you know (your password) with something you possess (a verification code or device), you erect an impenetrable barrier against possible attacks from malicious attackers.
* **Avoid storing passwords**
Basically just avoid storing your passwords in vulnerable places such as messaging apps, browsers, and physical paper.
* **Use Password Managers**
Instead of keeping your passwords in vulnerable places like sticky notes or saved in your browser, you use a password manager. It's like having a top-secret vault where you can safely store all your passwords. Plus, it can generate strong passwords for you, sparing you the headache of coming up with unique ones for every account. Some of the best password managers currently in use are the following:
<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/BJEAujmo6.png" alt="passmanager" width="300">
</div>
**Least Privilege Principle**
Another way to maintain computer security is to implement the least privilege principle. The Least Privilege Principle revolves around limiting the access of each person involved in a system to only what they need. In addition, this concept works well against most internal threats (misuse or intentional) to computer systems. Here are some of the advantages of implementing the least privilege principle alongside computer security:
* **Compartmentalization of workload**
When one employee does not need to know the other critical “gears” of the system to finish his own tasks, it provides benefits to the company. Not only does it provide a more manageable and less demanding workload for individual employees, it also provides extra security for the system in its entirety. Involving fewer people in managing the critical sections of the system also lessens the risk of tampering or misuse.
* **Protection Against Inside Threats**
On the other hand, it cannot be denied that many leaks occur due to internal involvement or “inside job”. This is the reason why utilizing the least privilege principle is very effective against this vulnerability as it limits the access to the critical gears of the system, hence, also limiting any potential leaks.
* **Cheaper Security Administration**
By implementing this principle, it provides a more simplified, effective, and cheaper security system. By simply limiting the access of people involved in the system, without any sophisticated tools and security principles, one can ensure a cheap, robust, and effective computer security system.
**Continuous Monitoring, Auditing, and Assessment**
Another way to mitigate the potential problems caused by the human factor in computer security is to regularly perform Continuous Monitoring, Auditing, and Assessment (CMAA). One of the primary goals of CMAA is to proactively deal with potential threats to the system. This is a critical part of CMAA, as it aims to detect telltale signs of potential security breaches and deal with them before they occur.
In addition, CMAA also provides a comprehensive way of updating security measures based on the latest security policies, auditing access logs, and reviewing system configurations aiming to provide a thorough internal assessment of the computer system. Finally, CMAA also implements assessment techniques to the system such as penetration testing and security risks/vulnerability assessments to detect any real-time threat to the system.
CMAA generally involves regular maintenance, performing diagnostics, detecting vulnerabilities in real-time or near-real-time which is critical in minimizing the potential security breaches caused by human error. Despite its advantages, CMAA can be resource-hungry to implement and time-consuming which might hurt the productivity of the system. In conclusion, while CMAA has its advantages, the administration must also be able to optimize its implementation to maximize CMAA’s utility (based on their needs) and minimize the cost.
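
Auditing access logs against the least privilege principle can be partly automated. This Python sketch is an added example, not part of the original article: it flags successful access to a resource the user's role does not need, bursts of failed logins (a sign of the brute force attack described earlier), and accounts with no assigned role. The log format, role table, user names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed grants for this example; in practice, export them from your
# identity or access-management system.
ROLE_GRANTS = {"payroll": {"hr-db"}, "helpdesk": {"ticketing"},
               "dba": {"hr-db", "billing-db"}}
USER_ROLES = {"ana": "payroll", "ben": "helpdesk", "cora": "dba"}

# Constructed sample log. Format: timestamp user action resource result
SAMPLE_LOG = """\
2024-02-01T09:00:01 ana read hr-db ok
2024-02-01T09:02:10 ben read ticketing ok
2024-02-01T09:05:44 ben read hr-db ok
2024-02-01T23:10:00 cora login vpn fail
2024-02-01T23:10:20 cora login vpn fail
2024-02-01T23:10:41 cora login vpn fail
2024-02-01T23:11:02 cora login vpn fail
2024-02-01T23:11:30 cora login vpn fail
2024-02-01T23:12:05 cora login vpn ok
2024-02-02T10:00:00 dan read billing-db denied
"""

def audit(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (code, user, resource) findings from an access log."""
    findings, failures = [], defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            if fields:  # report lines that do not fit the format, skip blanks
                findings.append(("unparsed-line", "?", line.strip()))
            continue
        stamp, user, action, resource, result = fields
        when = datetime.fromisoformat(stamp)
        role = USER_ROLES.get(user)
        if role is None:
            # An account nobody has assigned a role to should not be active.
            findings.append(("unknown-account", user, resource))
        elif action == "login":
            if result == "fail":
                # Keep only the failures that fall inside the sliding window.
                recent = [t for t in failures[user] if when - t <= window] + [when]
                failures[user] = recent
                if len(recent) == threshold:
                    findings.append(("failed-login-burst", user, resource))
        elif result == "ok" and resource not in ROLE_GRANTS[role]:
            # The system allowed something the role does not need.
            findings.append(("excess-privilege", user, resource))
    return findings
```

An `excess-privilege` finding points at a misconfigured access control rather than at the user: the grant should be removed, not just the log entry noted.
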
---
**CONCLUSION**
There is no such thing as perfect security. As long as there is someone who can access something, that someone is the vulnerability or the weakness of the security. In computer security, the human factor is considered the weakest link since we are prone to human error, preferring convenience over security, and social engineering attacks. Some of the common risks and vulnerabilities in computer security due to human factors are phishing, hacking, poor password management, and negligence and misconfiguration. However, these can be avoided–or at least the negative effects can be lessened–by being vigilant and alert when using a computer and the internet, undergoing security awareness training, applying good password practices, and lastly, limiting the access of people to some aspects of the system.
Cybersecurity attacks cannot be completely avoided but by improving our computer and internet security, we may reduce the frequency of security attacks, and lessen the damage they may cause. This way, we will be able to protect our data from attackers. After all, our data is basically a copy of us and we should protect it the way we protect ourselves and others.