THE HUMAN FACTOR OF CYBERSECURITY - THE WEAKEST AND STRONGEST LINK
Technology is made by people for people. Yet when it comes to information security, people are often seen as the weakest link. This is because they’re complex and unpredictable. Unlike technology which repeats predictable outputs based on its programming, people make their own decisions, which are sometimes good, and sometimes not.
This makes them prone to repeatable errors and highly vulnerable to cyber-attacks. The inability to predict human’s behaviour and prevent them from making mistakes is what renders them the weakest link in the information security chain. In fact, 95% of all cyber-attacks are human-enabled.
Pair that with the increasing complexity of cyber attacks, and the vulnerability of the human factor skyrockets. For instance, there are currently brute force tools that support various hashing algorithms including LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL and Cisco PIX and work with various protocols including RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP and Telnet.
While brute force attacks are already common due to people’s tendency to use weak, memorable passwords, these advances make them even harder to protect against.
If you want to learn about the most advanced techniques to protect your organisation from cyber-attacks and strengthen the human factor, sign up for one of the world’s largest cybersecurity conferences, Black Hat MEA.
You’ll be joined by global CISOs and experts from leading companies to discuss the latest technologies in cyber security and stay on top of the most advanced phishing and cyber attack techniques. Black Hat MEA is a part of Saudi Arabia’s 2030 vision to create a digitally-transformed nation.
WHAT KINDS OF RISKS ARE CAUSED BY THE HUMAN FACTOR?
Human errors can cause a myriad of cybersecurity concerns.
Weak passwords
With more companies adopting cloud-based technologies, people have to create more passwords, which is inconvenient for them. They can’t remember everything and dislike requesting password resets because it disrupts their productivity. The result? Weak passwords that are used across multiple locations include one’s own or loved ones’ name or information or series numbers like 1234. This prevents them from forgetting their passwords but also makes them easy targets for cybercriminals.
Poor authentication
People avoid multi-factor authentication (MFA) for the same reason they avoid creating new passwords. They want to quickly access resources so that they can get their jobs done, and any additional step, whether it be clicking on an authentication application or waiting for a code, interrupts their workflow. This creates more cybersecurity threats.
Misconfigurations
Misconfigurations were the top error variety in the Miscellaneous Errors breach category according to a 2021 Data Breach Investigations Report. Mistakes made by system administrators and developers could cause data breaches. For instance, if someone forgets to change a default password on a server, it increases the likelihood of cyber criminals gaining access to it. Additionally, copying and pasting configurations from one serverless function to another poses more cybersecurity risks caused by misconfigurations and human error.
CYBERSECURITY ATTACKS - HOW IS THE HUMAN FACTOR VULNERABLE?
Various types of attacks can target the human factor. Threat actors exploit human error because they know that it leaves organizations at risk.
Social engineering attacks
Cybercriminals carry out social engineering attacks by exploiting vulnerabilities in human nature. Phishing campaigns, for instance, are often successful because they prey on emotions by evoking a sense of urgency so that people don’t think before they act. Other types of social engineering attacks that target the human factor include baiting, scareware, pretexting, and spear phishing.
Dictionary attacks
A dictionary attack is one of many brute force hacking techniques that cybercriminals use to target the human factor. People’s tendency to use weak, predictable passwords makes cyber attackers’ jobs easier, as lists of commonly used passwords can be found online.
With regards to brute force attacks, these have gotten more sophisticated with time. Since guessing a password can take a long time, hackers created tools to make the job quicker.
Automated tools used for brute force attacks.
These operate by using rapid-fire guessing that creates every possible password and tries to use them. It can take only one second for a brute force hacking software to find a single dictionary word password. Automated tools like these are programmed with many workarounds that enable them to:
- Attack many computer protocols (like FTP, MySQL, SMPT, and Telnet).
- Enable hackers to crack wireless modems.
- Identify weak passwords.
- Translate words into leetspeak — for instance, “don’thackme” becomes “d0n7H4cKm3”.
- Run all possible combinations of password characters.
- Decrypt passwords in encrypted storage.
- Carry out dictionary attacks.
In fact, some brute force tools scan pre-compute rainbow tables for the inputs and outputs of known hash functions. These “hash functions” are algorithm-based encryption methods that are used to translate passwords into long, fixed-length series of letters and numerals. Ultimately, rainbow tables speed up the process of brute force attacks by eliminating the hardest part.
GPUS ACCELERATE BRUTE FORCE ATTACKS
Running brute force software requires heavy computer processing, so hackers figured out hardware-based solutions to make the job much easier. They use GPUs to carry out brute force attacks - but how?
Combing the GPU and CPU to launch attacks
This speeds up computing power. The thousands of computing cores in a GPU allow parallel processing of mathematical functions, which enables the system to handle various tasks simultaneously. Since GPU is used for heavy processes like analytics, engineering and other computing-intensive applications, hackers using a GPU can crack a password around 250 times faster than by using a CPU alone. Additionally, GPUs are extremely good at hashing since they include a wide range of Arithmetic Logic Units (ALUs) that conduct mathematical computations, which allows the GPU to carry out more calculations.
WHAT ARE SOME OF THE TOOLS USED IN GPU PASSWORD CRACKING?
- Password Cracking Tools Platform Supported Protocols
- AirCrack Windows, OS X, Linux, FreeBSD, NetBSD, OpenBSD, Solaris, and eComStation2 WPA and WEP passwords
- RainbowCrack Windows and Linux NTLM Tables, MD5 Tables, SHA2 Tables
MALWARE AND RANSOMWARE ATTACKS
Malware and ransomware attacks often succeed because users don’t install the security updates that patch popular cybersecurity vulnerabilities and exposures (CVEs). Since patches are often time-consuming, people delay installing them. Cybercriminals are aware of this, and they exploit that tendency in people to hunt for device vulnerabilities to use them as part of their ransomware and malware attacks.
HOW DO YOU PROTECT AGAINST HUMAN VULNERABILITIES?
Protecting against cyberattacks resulting from human vulnerabilities boils down to two main solutions: password protection and making cybersecurity easier for your employees.
Protect your passwords
There are various methods that you can use in your organisation to protect your passwords and make it harder for hackers to access your system.
High encryption rates
To lessen the likelihood of a successful brute force attack, system administrators should encrypt the passwords for their systems with the highest encryption rates possible, such as 256-bit encryption. The higher the encryption bits, the more difficult it is to crack the password.
Salt the password hash
Randomise password hashes by adding random strings of letters and numbers (known as salt) to the password. You should store the string in a separate database and retrieve it to add it to the password before it’s hashed. Salting the hash gives users with the same passwords different hashes, making them more difficult to track.
Two-factor authentication (2FA)
Set up two-factor authentication and install an intrusion detection system that discovers brute force attacks.
Lockdown accounts after excessive login attempts
Locking an account and requiring people to contact IT for an unlock prevents hackers from constantly retrying passwords to try and log in.
USE FIDO TO DO AWAY WITH PASSWORDS
Tech giants Apple, Google, and Microsoft are paving the way for a password-less future using the Fido standard, which replaces usernames and passwords with ‘passkeys’. This log-in information is stored directly on the device and can only be activated on the website when matched with biometric authentication. So what does this mean for users? It means no passwords, which makes users’ lives easier and makes them more likely to comply with cybersecurity measures.
How it works:
Users will be able to sync their Fido passkeys without having to log-in from the start on every new device. This means that Fido isn’t only a practical addition to passwords, it can actually replace them. The benefits of applying Fido are manifold. They’re easier and faster to use. Passkeys that are secured with biometric identification on another device like a mobile phone are faster to enter than manually writing passwords. Additionally, if you use a password manager, you’ll be able to log in to most websites and enter passwords by simply tapping a button that senses your fingerprints.
WHAT DOES THIS MEAN FOR STRENGTHENING THE HUMAN FACTOR?
It means less hassle for users in your organisation and more secure systems. Complexity is the main reason people don’t comply with security protocols. We’re creatures of habit that prefer shortcuts and efficiencies. Making people’s lives easier ensures compliance and fewer breaches. Password protection is one of the key solutions to combat bad practices by people. 61% of breaches are caused by leverage credentials, according to Verizon’s 2021 Data Breach Investigations Report. According to many security experts, it’s a lot more beneficial to move to a new form of authentication - no passwords - as opposed to trying to improve how we use passwords. After all, password protection methods like multi-factor authentication (MFA) still face resistance from users and decrease their efficiency. This is where the Fast Identity online FIDO Alliance comes in. With the aim of creating authentication methods that reduce the world’s reliance on passwords, FIDO is pioneering a password-less future with the support of tech giants like Amazon, Apple, Facebook and Google, who are members of the alliance. Using FIDO is one of the key innovations in combatting cyber-attacks. Complex passwords and multi-factor authentications are simply not enough anymore. “The problem is anything on a server can be manipulated, accounts stolen, resold on the dark web and stuffed – that’s the fundamental problem with knowledge-based authentication,” said FIDO’s executive director and CMO, Andrew Shikiar. FIDO makes public-key cryptography simple and usable so it can be easily implemented. “One thing we’ve seen through the decades is that for MFA to be adopted and sustained, it needs to be easy to use. With FIDO, it doesn’t really require any new security keys, it will be one thing, and you don’t need any ad hoc readers or anything like that,” Shikiar stated. “It’s a single gesture, user-friendly, public-key cryptography. That gesture could be touching a security key, it could be unlocking your phone – it’s that easy,” stated Shikiar. Fido keys are extremely practical for both organisations and consumers, especially since they’re supported by most cloud services, which means that one key can be used across different services. Ultimately, the future of security lies in simplicity, and FIDO might just be the way to get there.
P.S. - Join us at Black Hat MEA 2024 to grow your network, expand your knowledge, and build your business. Register now!