As engineers and technologists, it’s easy to become bogged down in the technical solutions that maintain high levels of computer security, but the first port of call in designing any secure system should be to consider the user and their interaction.
To truly understand the vulnerabilities encapsulating computer security, we must consider the motivations of one very specific group: users. Users are often considered insecure by IT security departments, and consequently they are subjected to some rather draconian measures to “make them secure”. However, cybercriminals do understand how users think and no matter how secure a system, they use their knowledge of human psychology to gain the upper hand.
Phishing emails are well documented and understood by IT professionals. Attackers send very convincing emails to unsuspecting users asking them to click on a seemingly inconspicuous link. From there details such as passwords and user IDs are easily within the grasp of the cybercriminals, and the rest is history. If the user procrastinates then the attackers use time pressure techniques to cajole them into making impromptu decisions to further the attackers’ cause.
Draconian Password Policies
Another example of vulnerability is a direct consequence of the password policy of the company. This may include forcing the user to provide complex passwords containing obscure characters, a mix of capitals and numbers, or just generally difficult to remember strings of characters.
Forcing reset policies on users certainly achieves the goal of keeping passwords new, but this usually causes users a great deal of stress, especially if they’re working in a highly pressured broadcast environment with only minutes before a live program is broadcast.
Although active password management looks like an ideal technical solution, it’s far from a practical operation for users. Given a complex password that changes frequently, what does the user do? They write down their password! A password that is technically complex and mathematically un-hackable, suddenly becomes a vulnerability. And the more passwords and IDs a user requires, the more they write down and the more vulnerable the system becomes, especially if they’re not used very often.
Ease Of Use Paradox
It’s clear that a contradiction occurs with computer security. A system that is easy to use is invariably insecure, and a system that is very secure is difficult to use. Unfortunately, users demand easy-to-use systems, especially in times when stress levels are high.
Another complication is the user’s own perception of their threat to the company based on their understanding of the value of the data they have access to. A user who has access only to email will probably not understand the dangers they could place the company in if they clicked on a phishing email or were to inadvertently share their login credentials. An attacker may even access their emails to find other admin-type users to help them form another part of the puzzle, and the user wouldn’t even know they had been looking at their emails.
Adhering to company policies may seem straightforward in itself. The bullet points are quite clear, and the board has signed-off the hundred-page document IT has spent weeks, if not months designing. The directive makes perfect logical sense and provides the highest theoretical security standards possible. However, for users to embrace the security directive they must understand the threats that are posed and the part they play in negating them. Just providing a list of instructions, without context, is unlikely to encourage full user engagement.
User Context And Responsibility
In part, one solution is to promote understanding through training. Telling somebody not to click on a link in an email or telling them not to write their password on a post-it-note and leave it under their computer keyboard may make perfect logical sense, but from the view of the user, the instruction may seem relatively trivial and irrelevant.
The fundamental challenge we have is that most people cannot think like cybercriminals, mainly, because they are not criminals and do not have a criminal mindset. Why, for example, would you cover the credit card pay machine when entering your pin number in a restaurant? Not necessarily because somebody sat behind you could be craning their neck to see your pin number, but instead, what about the HD security camera in the ceiling? How do you know there isn’t an unscrupulous employee watching in the back room and writing down your pin number? Or how do you know somebody hasn’t hacked the WiFi and is viewing the camera from the comfort of their car outside?
Social media is playing an increasingly important role in the lives of many people. We share all kinds of information about our families and friends that we would probably never do in any other surrounding. Also, the lines between home and work life are being blurred, at least in a social media sense, leading to the opportunity for a cybercriminal to profile users and gain information that wouldn’t otherwise be available. Not only can this be used to hack into home accounts, but more importantly for the cybercriminal, it is a potential portal into the domain of the user’s company leading to the potential of much greater pickings to further the attackers’ financial or political aims.
Cybercriminals have one fundamental advantage over the rest of us to further their cause, they’re willing to do things we won’t, and their actions are sometimes so abhorrent that we wouldn’t have thought about them in the first place.
Giving users context and understanding of the capabilities of a cybercriminal is critical to building secure systems.
Complacency provides massive potential for security breaches, even for IT professionals and broadcast engineers. Computer servers are gaining more traction in broadcast workflows and with that comes the potential for security breaches.
Although firewalls and virus scanners may make us feel confident about security, seemingly inconspicuous broadcast processing systems can be a source of vulnerability unless adequately protected, especially those running on old or out-of-date operating systems. Keeping a username and password to “admin” and “admin” may be convenient, as everybody in the engineering department can easily access the server, but it’s like leaving an open door for a cybercriminal with a big signpost on it. The firewall should stop them gaining access to the network, but if there’s a fault or unknown vulnerability, then they can scan servers in seconds to find any obvious holes.
Emotional Thinking First
Cybercriminals are often happy to play a waiting game. If they find a vulnerability they can exploit, they don’t necessarily do anything other than wait. Maybe create a password and username or install a process with a time activation in it, but they have time on their hands and just lie in wait.
Providing users with a list of instructions telling them what they need to do isn’t a long-term solution against cybercrime. To maintain full engagement requires IT system designers to think more about psychology and human emotion. They must put themselves in the shoes of the user and understand why having to change passwords, including WiFi access, is such a big deal for users, especially if they are working in high-pressured environments such as a live broadcast facility.
You might also like...
Time base correction is an enabling technology that crops up everywhere; not just in broadcasting.
As streaming platforms and viewership continues to grow, so too does the drive towards harvesting maximum ad dollars. With so many OTT services available, a growing number of consumers are willing to accept ad-supported programming in return for lower subscription…
Media streaming over the internet is unique. Packet switched networks were never designed to deliver continuous and long streams of media but instead were built to efficiently process transactional and short bursts of data. The long streams of video and…
As users return to the studio and office the need to work remotely is more powerful now than ever. Hybrid is the new way of working and computing innovation is rising to the challenge to provide broadcast users with easy…
By assuming that IP must be made secure, we run the risk of missing a more fundamental question that is often overlooked: why is IP so insecure?