Plan like a marketer, test like an attacker
Regardless of how good IT security technology becomes, attackers will continue to hold the upper hand in the cyber security war because they have a far better understanding of the psychology of human nature and how to exploit it.
This is the view of Perry Carpenter, chief evangelist and strategy officer at KnowBe4, and author of “Transformational Security Awareness”, who gave a keynote address at ITWeb Security Summit 2019 yesterday.
He emphasised that users are neither stupid nor negligent, nor do they wilfully disobey instructions; they are simply human.
“All people are very susceptible to predictable patterns of behaviour and the way we interact with technology plays into this,” Carpenter said. “The only way to defend ourselves against attacks requires us to do more than simply make people aware. At the end of the day, we have to learn to deal with patterns of behaviour and the realities of human nature.”
Quoting Sun Tzu’s “Art of Warfare”, which holds that “all warfare is based on deception” (making people believe something that is not real), Carpenter proceeded to deceive the hall of nearly 600 security experts with a popular card trick.
The audience was instructed to stand and to quickly select one of the five picture cards that had been flashed on the screen before them. After three seconds, four cards were flashed on the screen and delegates were told to sit if their card was no longer there. And everyone – bar one lone individual – sat, the stunned silence punctured by a few bewildered titters. (Scroll down to read how this was achieved.)
Confusing perception with reality
Cyber criminals, like spies, magicians, scammers and con artists, always make use of the human trait of confusing perception with reality, Carpenter explained.
They also use other tactics, including what is known as the OODA (observation-orientation-decision-action) loop: hiding the extraordinary within the ordinary in such a way that the human mind, which is designed to automatically look for important messages, filters the extraordinary out.
“All phishing crimes are built using OODA loop tactics and they exploit common human traits such as a hunger for knowledge or financial gain, curiosity or fear, and do so in a way that usually elicits a knee-jerk, automatic reaction,” he said.
A common mistake made by security experts was to confuse security awareness – knowing not to click on a suspicious attachment, or knowing to change one’s password regularly – with security behaviour (clicking the attachment or skipping the change anyway, for any number of often unconscious reasons).
“We can give people the right information, and they could sense that it is the right thing to do – and in the right context they may want to do it. But then human nature takes over. Human nature is all about getting things done, usually in the easiest and quickest way possible. Humans are also lazy, social and creatures of habit.
“So, if you have issues with your security policy, and want people to follow it, it could be because you are expecting them to act in a way that is not consistent with human nature,” he said.
When designing a security policy and programme, it is essential to keep these factors in mind:
* Just because I am aware doesn’t mean that I care.
* If you try to work against human nature, you are going to fail – every time.
* What your employees do is way more important than what they know.
“What security professionals need to do is plan like a marketer, and test like an attacker. The approach to take when building a programme that actually does something is to focus on the behaviour aspects and use social engineering tactics to modify that behaviour,” Carpenter concluded.
How the card trick worked:
* The five cards used were picture cards – they are harder to remember than number cards.
* The cards were shown for only a short time – the audience was placed under pressure to follow an instruction to choose and remember a card.
* When the five cards were replaced by four cards, none of the cards on the screen was the same, yet the perception created was that only one card was missing – the card each audience member had chosen. (The individual who failed to sit either lied or had made a mistake.)