The Often-Overlooked Soft Skills of Information Security
As a branch of computer science, Information Security has traditionally focused on technology: software, a deep understanding of what computing hardware can do, and the networks and other interfaces between the two. Securing digital information does require an understanding of technology, but attackers are increasingly looking for more creative ways to gain access to information (or simply to cause disruption).
No system can ever be made completely immune to threats, and this is especially true of any system that includes the most unpredictable and erratic of components: its users.
Social Engineering is the #1 Threat to Information Security
It’s a grave error to ignore the human aspect of information security. Several recent high-profile breaches that caused enormous damage were human or social in origin. This fits a growing trend: attackers exploit an industry focus on technology that has historically overlooked the possibility of people simply tricking their way into the data.
The 2011 attack on RSA’s SecurID is a textbook example of a targeted phishing attack. The emails carried an Excel attachment with an embedded Flash object exploiting a zero-day vulnerability, and appeared to come from internal addresses, so technological protections provided no defence. The company’s defence rested on the savviness of its users: should the recipient open an email that (seemingly) came from HR?
It may have been one click on an email, but it resulted in a $66 million loss for the company as a result of the data theft. In this instance, the solitary clue for the user that something was wrong was a mismatch between the name in the email address and the name in the email signature, something that targeted user training might have caught.
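The clue described above, a sender whose mailbox, display name and signature do not agree, is also something a mail gateway can surface for the user before they click. The Python below is an added example written for this article, not code from the original page or from the company involved. The two messages are constructed samples with invented people and addresses, and the name-matching rules are a deliberately simple heuristic of the kind a training programme would teach people to apply by eye.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import List, Optional

# Sign-off lines that usually precede the sender's name in a signature.
CLOSINGS = re.compile(
    r"^(regards|kind regards|best regards|best|thanks|thank you|cheers|sincerely)[,.]?$",
    re.IGNORECASE,
)

# Constructed sample messages (not real mail from the incident described above).
# PHISH: display name says HR, the mailbox belongs to someone else, and the
# signature names a third person.  LEGIT: all three agree.
PHISH = """\
From: "HR Department" <jsmith@example.com>
To: employee@example.com
Subject: Updated recruitment plan
Content-Type: text/plain; charset=utf-8

Hi,

Please review the attached recruitment plan and confirm by Friday.

Regards,
Alice Johnson
Human Resources
"""

LEGIT = """\
From: "Alice Johnson" <alice.johnson@example.com>
To: employee@example.com
Subject: Updated recruitment plan
Content-Type: text/plain; charset=utf-8

Hi,

Please review the attached recruitment plan and confirm by Friday.

Regards,
Alice Johnson
Human Resources
"""


def name_tokens(text: str) -> List[str]:
    """Lower-case alphabetic words of a name or of a mailbox local part."""
    return [t for t in re.split(r"[^a-z]+", text.lower()) if t]


def signature_name(body: str) -> Optional[str]:
    """Return the first non-empty line after a sign-off, usually the sender's name."""
    lines = [line.strip() for line in body.splitlines()]
    for i, line in enumerate(lines):
        if CLOSINGS.match(line):
            for following in lines[i + 1:]:
                if following:
                    return following
    return None


def name_matches_mailbox(name: str, local_part: str) -> bool:
    """True if the mailbox could plausibly belong to `name`.

    'Alice Johnson' is accepted for alice.johnson, alicejohnson, ajohnson,
    johnsona, johnson or alice; anything else counts as a mismatch.
    """
    parts = name_tokens(name)
    mailbox = "".join(name_tokens(local_part))
    if not parts or not mailbox:
        return False
    first, last = parts[0], parts[-1]
    candidates = {first + last, last + first, first[0] + last, last + first[0], first, last}
    # Exact match, or a long enough candidate embedded in the mailbox (e.g. ajohnson2).
    return any(mailbox == c or (len(c) > 3 and c in mailbox) for c in candidates)


def sender_checks(raw_message: str) -> List[str]:
    """Flag the kind of name mismatch a trained user is taught to spot."""
    msg = message_from_string(raw_message, policy=default)
    display, address = parseaddr(str(msg["From"]))
    local_part = address.split("@")[0]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    signature = signature_name(body)

    findings = []
    if display and not name_matches_mailbox(display, local_part):
        findings.append(f"display name {display!r} does not match mailbox {address!r}")
    if signature and not name_matches_mailbox(signature, local_part):
        findings.append(f"signature {signature!r} does not match mailbox {address!r}")
    if display and signature and not set(name_tokens(display)) & set(name_tokens(signature)):
        findings.append(f"display name {display!r} and signature {signature!r} disagree")
    return findings


if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, sender_checks(sample) or ["no findings"])
```

The output is a warning banner for the recipient, not a verdict: genuine shared mailboxes such as a team HR address will trip the display-name check, so this is a prompt that makes the user look twice, which is exactly what the training described here is meant to achieve.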
With this in mind, here are some vital soft skills that are of increasing importance within the cyber security industry in light of current threats.
Education: patience and an ability to explain
Criminals who can get to your users can often get to everything. Social engineers may start by infecting the computer of a mutual friend of an employee and gradually worm their way in from there. “Watering hole” attacks involve learning which sites specific users visit and exploiting the weaker security of those third-party sites; for example, tricking a user into downloading custom malware, built for their company’s network, from a “safe” site they use every day for work.
In every case of social engineering, the main line of defence is the users themselves, so it’s important to be able to communicate the intricacies and interconnectedness of information security to staff, beyond writing IT handbooks or staff policies. They need to know the routes attackers can take and be vigilant against them. Teaching others requires buckets of patience: if your security policies are to be implemented correctly, everyone needs to be aware and persuaded.
Whilst there is an infinity of ways a user can bring problems into an IT system, it remains vital to do everything possible to predict, identify and mitigate this myriad of interactions before they become threats that cripple an organisation. Knowing everything about the server environment and the exploitable loopholes in software isn’t enough without the ability to improvise solutions on the fly. Strong, general problem-solving skills are often as important as technical nous when it comes to spotting the loopholes in human interactions.
Such socially led cyber-attacks are effective partly because they are not predictable. Thinking ‘outside the box’ and pre-empting unusual ways of bypassing your company’s security requires a lot of creativity. There is little in the way of a methodical or systematic approach, other than flexing your creative muscles and putting yourself in an attacker’s shoes. That creative process is vital if you are to probe for weaknesses in the human element of the network, so whilst you might not think that creative types would find a place in deep internet security, you’d be surprised.
Presentation and persuasiveness
You will need not only to find ways to make non-tech-savvy people understand why they must take part and use caution, but also to underscore the importance of security measures, over and over, to stakeholders from the very bottom to the very top of the corporate hierarchy. This is a vital skill: there’s every chance that people won’t follow your policies if they don’t understand why they matter.
So, in short: whilst technological nous is undoubtedly important, in an era where your company can be compromised through targeted human interaction, technical know-how works best when wielded by creative, patient, problem-solving teachers who have more strings to their bow than technical expertise alone.