Analisi degli attacchi alla cybersecurity con la lente dei fattori umani

Analizzare e documentare gli attacchi alla cybersecurity è doppiamente difficile per la natura stessa del fenomeno. La riservatezza con la quale gli eventi sono descritti, quando sono descritti, rende critico identificare i fatti, gli attori coinvolti e le dinamiche, come pure gli impatti, le conseguenze e le ricadute dell’attacco.

Nel progetto di ricerca H2020 Hermeneut (www.hermeneut.eu), che coinvolge tra gli altri partner, anche BSD design e Cefriel, è stata ultimata, in parallelo con l’analisi dei report istituzionali e delle informazioni di trend 2017, un’attività di analisi dei casi realmente accaduti e riportati nei media.

L’obiettivo dell’analisi dei casi è stato quello di evidenziare i fattori umani coinvolti negli attacchi e di riportarne una descrizione finalizzata all’individuazione di contromisure di intervento reattivo e proattivo in grado di mitigare l’impatto degli attacchi alla sicurezza informatica. L’intero report di progetto verrà pubblicato nelle prossime settimane come deliverable di progetto. Di seguito alcuni dati che ne anticipano il contenuto e ne delineano l’approccio. Il contributo è stato prodotto da Alessandro Pollini e Luca Raschi di BSD e Alessandra Tedeschi di DeepBlue.

L'articolo che segue è in lingua inglese, come tutti i materiali prodotti nel progetto Hermeneut.

Historically, cybersecurity has been usually approached adopting a technology-centric viewpoint. Hence, solutions to tackle the cybersecurity vulnerabilities and breaches have focussed mainly on technical countermeasures (e.g. firewalls, implementation of encryption, etc.), designed and implemented with little – if no - consideration for the needs and characteristics of the end users, network administrators, and cybersecurity managers. This lack of consideration of human factors have been reported to lead legitimate players to make mistakes and errors, and/or deliberate violations but with non-malicious.

The recent research in cyber-security widely agree that technical solutions alone are not suffice to contract cyber-attacks (Besnard & Arief, 2004). On the contrary, a more systemic approach taking into account the organisational and management factors in the creation of error-prone conditions (Colwill, 2009; Reason, 1997), and a deeper understanding of the end-users cognitive processes and mechanisms (Rasmussen, Pejtersen, & Goodstein, 1994), needs, motivations, etc., are under investigation by the cybersecurity research community.

We propose that cybersecurity is a systemic matter, and a HFs/E perspective should be taken into account to address the issue. To do so, the cybersecurity phenomenon is seen as a socio-technical system, in which different components interact with legitimate users to keep the system safe. Components may include

• • organisational factors (such as security policy and procedures, management attitude toward security, etc.),
• • technology (such as type and characteristics of technology and tools used -including cybersecurity security tools),
• • environment (e.g. physical surrounding) (Carayon, 2006; Carayon & Kraemer, 2002).
• • The users hold a central position in the cybersecurity socio-technical system, and they are the critical factors to either success or failure of cybersecurity management in organisations (Eminağaoğlu, Uçar, & Eren, 2009).

Critically, we argue that an effective cybersecurity management takes into consideration the interdependences played by the different components and the users, and a holistic approach is the key to cybersecurity management success.

Within the EU Research Project Hermeneut (www.hermeneut.eu), the BSD design (www.bsdesign.eu) and DeepBlue (www.dblue.it) joint team has been carrying out an integrated research and analysis of real cases. The analysis involved web based investigations about most recent (2017) targeted or large-scale attacks, which are still not officially published inside annual reports.

Eligibility of use cases attains to all the cases where human factor, either those related to personal behaviour and organization strategies, is involved. Organizations’ networks and external relationships along the supply chain has been also considered, with a special attention to involvement of third parties in the attack strategy.

In particular, as main finding of the analysis, phishing and contextualised phishing are reportedly exploiting a combination of factors including employees’ low awareness and scarce knowledge about cybersecurity risks. Other factors are related to exploitation of brand reputation and trust, in particular the Copyfish attack, that, by replicating web components (i.e. browser add-ons, plug-ins, …), exploited the general sense of trust people showed towards big web industries such as Google.

Other sophisticated attacks, such as the Business Email Compromise (BEC) scam, by replicating and modifying the procedure of the target company aims to figure out organizational policy and procedures vulnerabilities.

Main Findings

1_ The analysis allows us to confirm that the human error is always part of organization vulnerability. Infact spam, web components and ransomware exploiting improper operations due to:

- slips in job routine such as continuous checking of emails and automatic/ not controlled web interactions.

- mistakes in when people follow the right procedures and rules, and refer to their organisational addresses and procedure to access documents rather than using USB drives supposed to be safe

2_ As for the main heuristics influencing decision making about security we may focus on the following reasoning bias and trends:

- users underestimate the risk of visiting malicious websites.

- users intentionally used institutional resources for unsafe activity to avoid infecting their personal computers.

- users trust their OS and security software to protect them,

- a few users took reasonable precautions, including opening the HTML file in a text editor and connecting the drive to an offline computer.

3_ As for the organizational explicit rules and procedures we noticed that poor regulations is a pervasive factor in determining organizational vulnerabilities, indeed:

- password management are increasingly provoking access to systems even without privileges,

- for software update and upgrade, as well as systems maintenance, may cause easy access.

Not adequate back-up and data protection policy and systems may represent a risk especially in data breaches attacks.

4_ As for the organization modus operandi, companies inadvertently leaving personal/ relevant data about employees are offering the opportunity to create fake account and open to vulnerability. Even more, as a quite common modus operandi, especially in not-mature sectors, companies do not have structured procedure to manage critical data set in a secure manner.