User-Centric Security Countermeasures
We provide an overview of existing countermeasures that focus on one or more threats, and address gaps and challenges in Appendix A.6 of document D4.3. This section aims to present the status of cybersecurity solutions, connecting them to the identified threats and gaps. We discuss classes of countermeasures, each describing the most relevant solutions to date.
- C6.1 – Security training. Solid security training may prevent many incidents, significantly reducing the risks associated with user-centric threats. Most attacks focus on gaps that are easily avoidable by providing basic security training to users, allowing them to understand the implications of their actions within an organization. Examples of fields of training include password handling, identification of frauds (e.g., phishing emails), network security (e.g., encryption, VPNs, trusted sources), and social engineering techniques. More focused training should be introduced for software engineering-related roles.
Threats: T6.1.1 – Mishandling of physical assets, T6.1.2 – Misconfiguration of systems, T6.1.3 – Loss of CIA on data assets, T6.2.2 – Illegal acquisition of information, T6.3.1 – Organized criminal groups’ activity, T6.4.1 – Misinformation/disinformation campaigns, T6.5.1 – Skill shortage/undefined cybersecurity curricula, T6.5.3 – Pivoting
Gaps: G6.1 – Gaps on modelling user behavior, G6.2 – Gaps on the relation between user behavior and adverse security-related effects, G6.3 – Gaps on security information, G6.4 – Gaps on security training and education, G6.6 – Gaps on protection from online scammers
- C6.2 – Assessment of security standards implementation. Security standards identify sets of rules and processes that grant quality and safety to the organizations that adopt them. Correct implementation of standards is a prerequisite for their benefits to materialize; therefore it is advisable to include an assessment of their implementation in the organization's processes.
Threats: T6.1.2 – Misconfiguration of systems, T6.4.2 – Smear campaigns/market manipulation, T6.5.1 – Skill shortage/undefined cybersecurity curricula, T6.5.2 – Business misalignment/shift of priorities
Gaps: G6.2 – Gaps on the relation between user behavior and adverse security-related effects, G6.4 – Gaps on security training and education
- C6.3 – Data encryption. Encryption is a fundamental technique to preserve the confidentiality of information. The usage of a solid cryptographic system allows its users to exchange or store data in a privacy-preserving manner, even in adverse situations. Common methods for private network communications include VPNs, HTTPS, SOCKS5, PGP. Cryptographic techniques are effective only as long as the encryption keys are not disclosed; therefore safe key and password management are prerequisites.
Threats: T6.1.1 – Mishandling of physical assets, T6.1.3 – Loss of CIA on data assets, T6.2.1 – Profiling and discriminatory practices, T6.2.2 – Illegal acquisition of information, T6.3.1 – Organized criminal groups’ activity
Gaps: G6.2 – Gaps on the relation between user behavior and adverse security-related effects
- C6.4 – Access control policies. Access control policies are sets of rules that allow identifying the subset of assets to which a certain user should be granted access. This kind of policy can be used to restrict the capabilities of users to the smallest number of systems or resources necessary for their tasks to be completed, reducing the risk of their misuse. Access control systems can automate this selection based on the assigned tasks or the role inside the organization.
Threats: T6.1.3 – Loss of CIA on data assets, T6.2.2 – Illegal acquisition of information, T6.3.3 – Malicious employees or partners’ activity, T6.5.3 – Pivoting
Gaps: G6.2 – Gaps on the relation between user behavior and adverse security-related effects, G6.4 – Gaps on security training and education, G6.5 – Gaps in collaborative protocols for disclosure
- C6.5 – Increase awareness on security and technology use. Deep fakes, propaganda, misinformation, and disinformation campaigns are everywhere, designed to lead users into making mistakes. These social engineering campaigns have a direct impact on users’ daily life and on society. The only remedy against falling for these trivial scams, and against being influenced by bogus information, is to inquire and research thoroughly across different sources, especially institutional ones. Recognizing how this information is used for social engineering is vital for security awareness training. Awareness of what is happening around us, and knowledge of the threat itself, are the only remedies to avoid information fraudsters.
Threats: T6.4.1 – Misinformation/disinformation campaigns, T6.4.2 – Smear campaigns/market manipulation, T6.4.3 – Social responsibility/ethics-related incidents, T6.5.1 – Skill shortage/undefined cybersecurity curricula
Gaps: G6.1 – Gaps on modelling user behavior, G6.2 – Gaps on the relation between user behavior and adverse security-related effects, G6.4 – Gaps on security training and education, G6.6 – Gaps on protection from online scammers
- C6.6 – Multi-factor authentication. Multi-factor authentication is an access control technique that validates a user's identity using two or more authentication factors. These may include passwords, physical tokens (e.g., USB keys), software tokens (e.g., code generators), and biometric features (e.g., fingerprints, retina, behavior). Multi-factor authentication requires multiple proofs of the user's identity, drastically reducing the likelihood of identity fraud.
Threats: T6.1.1 – Mishandling of physical assets, T6.3.1 – Organized criminal groups’ activity
Gaps: G6.2 – Gaps on the relation between user behavior and adverse security-related effects
- C6.7 – Firewall. Firewalls are the first line of defense for an organization’s activity in a network and can be used to monitor and filter possibly malicious traffic. On the user level, a correctly configured firewall may detect and mitigate a large set of security risks, including phishing attacks, information leaks, incorrect network configurations, malicious code execution, and propagation.
Threats: T6.3.1 – Organized criminal groups’ activity, T6.3.2 – State-sponsored organizations’ activity
Gaps: G6.1 – Gaps on modelling user behavior
- C6.8 – Traffic analysis. Traffic analysis consists of the monitoring of network traffic and the extraction of structured information. The acquired data can be used for further analysis, e.g., identifying patterns, inferring the communicating actors and the software used, etc. This kind of technique can be combined with firewalls and other tools to effectively identify abnormal or malicious traffic in an organization’s network.
Threats: T6.3.1 – Organized criminal groups’ activity, T6.3.2 – State-sponsored organizations’ activity
Gaps: G6.1 – Gaps on modelling user behavior
- C6.9 – Token leak prevention and mitigation. Authentication tokens and secret keys often follow standardized text or binary formats. By analyzing network traffic, source code repositories, and logs it is possible to identify accidentally leaked tokens, thus preventing their leak, or automating their deactivation and alerting the relevant users. Examples of leaked tokens that can be detected are cloud platform authentication tokens, SSH or VPN private keys, and cleartext passwords.
Threats: T6.1.3 – Loss of CIA on data assets, T6.2.2 – Illegal acquisition of information
Gaps: G6.1 – Gaps on modelling user behavior, G6.2 – Gaps on the relation between user behavior and adverse security-related effects
- C6.10 – Log analysis. The automated collection and analysis of system logs is an effective technique to identify possible anomalies in an organization’s systems. A log analysis process may detect malicious or erroneous behaviors of users and services, providing an effective source of information for automated decision and defense systems.
Threats: T6.3.1 – Organized criminal groups’ activity, T6.3.3 – Malicious employees or partners’ activity
Gaps: G6.1 – Gaps on modelling user behavior, G6.4 – Gaps on security training and education
- C6.11 – Code analysis. Various analysis techniques can be applied to code and configurations to prevent or mitigate human error. Static analysis uses abstraction over structured languages to infer and validate bounds and can identify logical errors. Dynamic analysis techniques are applied to running code and allow its correctness to be verified. Fuzzing methods may be used to test execution paths against potentially malicious input.
Threats: T6.1.2 – Misconfiguration of systems
Gaps: G6.1 – Gaps on modelling user behavior, G6.4 – Gaps on security training and education
- C6.12 – Legal audit. Legal threats are specific to the local legislation and the organization’s internal rules. Users may not have a complete understanding of the legal aspects of their actions and may thereby increase legal risks. A legal audit may analyze the internal processes, evaluate risks, and identify specific countermeasures or mitigations.
Threats: T6.1.4 – Legal, reputational, and financial cost, T6.2.1 – Profiling and discriminatory practices, T6.3.3 – Malicious employees or partners’ activity, T6.4.2 – Smear campaigns/market manipulation, T6.4.3 – Social responsibility/ethics-related incidents
Gaps: G6.3 – Gaps on security information, G6.5 – Gaps in collaborative protocols for disclosure
- C6.13 – Honeypots. Honeypots are systems designed as bait for possible attackers. These machines are intentionally vulnerable systems, isolated from the production environment. They are heavily monitored, to observe and classify attacks against the organization's network as a means to develop countermeasures against attacks on the main network. This kind of system can also be applied as an expedient against malicious insiders and pivoting, possibly simplifying the process of identifying the attacker.
Threats: T6.3.1 – Organized criminal groups’ activity, T6.5.3 – Pivoting
Gaps: G6.1 – Gaps on modelling user behavior, G6.4 – Gaps on security training and education
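As an added example (not code from the D4.3 deliverable), the following Python script shows the two monitoring countermeasures above working on one log stream: it scans each line for secret formats that are accidentally written to logs and redacts them (C6.9), and it flags a burst of failed logins followed by a success for the same account and address (C6.10). All hosts, accounts, addresses and values in SAMPLE_LOG are constructed for the example; the AKIA... value is the placeholder AWS uses in its own documentation, not a live key, and the regular expressions cover only the three formats shown.

```python
"""Log-analysis pass for C6.9 (leaked-secret detection) and C6.10 (anomaly
detection) on constructed sample data. Added example, not deliverable code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like sample (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:03 host1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:04 host1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:06 host1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:07 host1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:09 host1 sshd: Accepted password for alice from 198.51.100.7
2024-03-01T09:15:00 host2 app: deploy started AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
2024-03-01T09:16:00 host2 app: config loaded password=hunter2-not-a-real-secret
2024-03-01T09:17:00 host2 app: debug dump -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAA
2024-03-01T10:30:00 host1 sshd: Failed password for bob from 203.0.113.5
2024-03-01T11:30:00 host1 sshd: Accepted password for bob from 203.0.113.5
"""

# Secret formats to scan for (C6.9); keys are the finding names reported.
SECRET_PATTERNS = {
    # AWS access key IDs: 'AKIA' followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of a private key; the rest of the line is dropped with it.
    "private_key_block": re.compile(r"-----BEGIN (?:OPENSSH |RSA |EC )?PRIVATE KEY-----.*"),
    # key=value or key: value password assignments written to logs or configs.
    "cleartext_password": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*(\S+)"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")


def scan_secrets(line):
    """Return (finding names, redacted line) for one log line."""
    findings, redacted = [], line
    for name, pattern in SECRET_PATTERNS.items():
        if not pattern.search(redacted):
            continue
        findings.append(name)
        if name == "cleartext_password":
            # keep the key so the line stays readable, drop only the value
            redacted = pattern.sub(lambda m, n=name: f"{m.group(1)}=<REDACTED:{n}>", redacted)
        else:
            redacted = pattern.sub(f"<REDACTED:{name}>", redacted)
    return findings, redacted


def parse_line(line):
    """Split a line into timestamp, host, process and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=1)):
    """Alert when one (user, ip) pair fails `threshold` times within `window`,
    and again, with higher severity, if that pair then logs in successfully."""
    failures = defaultdict(list)
    alerts, burst_seen = [], set()
    for rec in records:
        m = AUTH_RE.match(rec["msg"])
        if not m:
            continue
        key = (m["user"], m["ip"])
        if m["result"] == "Failed":
            times = failures[key]
            times.append(rec["ts"])
            while times and rec["ts"] - times[0] > window:  # slide the window
                times.pop(0)
            if len(times) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append(("bruteforce", m["user"], m["ip"], len(times)))
        elif key in burst_seen:
            alerts.append(("success_after_bruteforce", m["user"], m["ip"]))
    return alerts


def analyze_log(text):
    """Run both checks; return alerts, per-line secret findings and sanitized lines."""
    secrets, sanitized, records = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        kinds, clean = scan_secrets(line)
        if kinds:
            secrets.append((lineno, kinds))
        sanitized.append(clean)
        rec = parse_line(line)
        if rec:
            records.append(rec)
    return {"alerts": detect_bruteforce(records), "secrets": secrets, "sanitized": sanitized}


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("ALERT", alert)
    for lineno, kinds in result["secrets"]:
        print(f"SECRET line {lineno}: {', '.join(kinds)}")
```

The sanitized lines are what should be stored or forwarded; the raw line with the secret is the trigger for the deactivation and alerting step the countermeasure describes, and the "success after burst" alert is the one worth paging on, since a burst alone is often just a mistyped password.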
Highlights on Identified Countermeasures
Dealing with user-level security requires considering both external and internal threats. Automated tools, like firewalls and traffic analysis, can be adopted to prevent external attacks. Internal attacks can be identified by monitoring network and execution logs, while their mitigation can be achieved using access control policies, role separation, multi-factor authentication, and encryption. Depending on the organization’s internal processes, more specific techniques can be integrated. Although the countermeasures indicated may reduce the risks, humans are still the weak link in the chain; therefore security training should be considered a basic prerequisite.
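As an added example (not code from the deliverable), the following Python module implements the access control policy of C6.4 and the role separation this summary mentions: a deny-by-default role-based check, a separation-of-duties rule that rejects conflicting role assignments, a least-privilege review that lists what a user holds beyond the task's needs, and a greedy selection of the smallest roles that cover a task. The roles, resources, actions and user names are constructed for the example.

```python
"""Deny-by-default RBAC with separation of duties and least-privilege review.
Added example, not deliverable code; all roles and resources are constructed."""

# What each role may do, as (resource, action) pairs; anything absent is denied.
ROLE_PERMISSIONS = {
    "developer": {("repo:payments", "read"), ("repo:payments", "write"),
                  ("ci:payments", "run")},
    "reviewer": {("repo:payments", "read"), ("repo:payments", "approve")},
    "release_manager": {("repo:payments", "read"), ("prod:payments", "deploy")},
    "auditor": {("repo:payments", "read"), ("prod:payments", "read_logs")},
}

# Role pairs one person must never hold together (separation of duties):
# whoever writes code should neither approve it nor ship it to production.
SEPARATION_OF_DUTIES = [("developer", "reviewer"), ("developer", "release_manager")]


def assign_roles(user_roles, user, roles):
    """Add `roles` to `user` in the `user_roles` dict, rejecting any assignment
    that would leave the user holding two roles that must be separated."""
    unknown = [r for r in roles if r not in ROLE_PERMISSIONS]
    if unknown:
        raise ValueError(f"unknown roles: {unknown}")
    proposed = user_roles.get(user, set()) | set(roles)
    for a, b in SEPARATION_OF_DUTIES:
        if a in proposed and b in proposed:
            raise ValueError(f"{user}: roles {a!r} and {b!r} must be separated")
    user_roles[user] = proposed  # committed only after every check passed
    return proposed


def permissions_of(user_roles, user):
    """Union of the permissions granted by all of the user's roles."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_allowed(user_roles, user, resource, action):
    """Deny by default: true only if some role of the user grants the pair."""
    return (resource, action) in permissions_of(user_roles, user)


def excess_permissions(user_roles, user, needed):
    """Least-privilege review: permissions the user holds that the task does
    not need. A non-empty result means the assignment should be trimmed."""
    return permissions_of(user_roles, user) - set(needed)


def roles_for_task(needed):
    """Pick roles covering the needed permissions by greedy set cover, preferring
    the role that covers most and, on ties, the one that grants least overall."""
    remaining, chosen = set(needed), []
    while remaining:
        best = max(ROLE_PERMISSIONS,
                   key=lambda r: (len(ROLE_PERMISSIONS[r] & remaining), -len(ROLE_PERMISSIONS[r])))
        covered = ROLE_PERMISSIONS[best] & remaining
        if not covered:
            raise ValueError(f"no role grants {sorted(remaining)}")
        chosen.append(best)
        remaining -= covered
    return chosen


if __name__ == "__main__":
    users = {}
    assign_roles(users, "alice", roles_for_task({("repo:payments", "write")}))
    print("alice roles:", users["alice"])
    print("alice may deploy:", is_allowed(users, "alice", "prod:payments", "deploy"))
    try:
        assign_roles(users, "alice", ["reviewer"])
    except ValueError as err:
        print("rejected:", err)
```

Note that roles_for_task only minimizes what is granted; a task that genuinely needs both "write" and "deploy" yields two roles that assign_roles then refuses to give to one person, which is the point of the separation rule: such a task has to be split between two people rather than silently over-privileging one.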