The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we’ll publish selected posts or excerpts.
Follow us on Twitter at http://twitter.com/blogCACM
DOI:10.1145/2184319.2184322
http://cacm.acm.org/blogs/blog-cacm
Protecting Against Data Breaches; Living with Mistakes
Jason Hong writes about security breaches and offers a three-pronged approach. Greg Linden discusses the differences between computers and the human brain and their tolerance of errors.
Jason Hong: “Why Have There Been So Many Security Breaches Recently?”
http://cacm.acm.org/blogs/blog-cacm/107800 April 27, 2011 (updated April 30, 2012)
Just to recount, here are some of the more prominent breaches in the past 18 months:
• HBGary Federal, a Beltway computer security firm, had all of its email stolen and made available on BitTorrent. This incident also raised a lot of questions about the ethics of the work it was being paid to do in the first place.
• Comodo Group had its systems breached, and several fake browser certificates were created along the way.
• Databases used to maintain RSA SecurID tokens were breached using a combination of a spear-phishing attack and a zero-day Flash exploit.
• The Epsilon mailing list service, which maintains mailing lists for many corporations, had its databases hacked, quite possibly through a phishing attack.
These attackers, ranging from script kiddies to criminals to state-sponsored cyberwarriors, have been all too successful in breaking into online systems.
There are two interesting observations here. The first is that many of these attacks have shifted from just directly attacking a computer system, an attack model that computer security specialists are somewhat good at defending against, toward also exploiting the human vulnerabilities in these systems.
By human vulnerabilities, I mean all of the misunderstandings, laxness, and cognitive and social biases that arise with the people who use computer systems. The list of human vulnerabilities here is long: poor interfaces that are difficult to understand, interfaces that are easy to misconfigure, guessable passwords, reused passwords, tricking people into installing malware, tricking people into opening up documents (which might use zero-day exploits), and on, and on, and on.
These human vulnerabilities are clearly a major weakness, but are also a puzzling blind spot from both a research perspective and an industry perspective. Well, actually, it is not that puzzling. People are messy. We all have a wide range of experiences, knowledge, and motivations, and so it is natural and tempting to just buy that “magic black box” that claims to solve all your security problems and avoid having to actually deal with the messiness. Just go to any industry conference, like RSA, and you will see what I