Centre for Cybercrime and Computer Security – Threats and Trust in Cyberspace Conference – 2011 – Review

Users are not the Enemy:

Although I am sure many IT Technical Support, HelpDesk, IT Security/Governance and other front line IT services would disagree, Professor Angela Sasse (University College London) then presented a topic titled ‘Users are not the Enemy – A Human Centered Perspective on Security, Privacy, Identity and Trust’, discussing how systems and processes, especially those directly related to ‘end user’ interaction, need to be designed with the likes of ‘Homer Simpson’ in mind – an individual who is –

  • Stupid
  • Lazy
  • Careless

Something which I am sure many IT Technical Support, HelpDesk, IT Security/Governance and other front line IT services would agree with!

Prof Sasse discussed how many professionals are having to carry more than one laptop, as too many organisations are issuing restrictive, security-orientated ‘standard build’ laptops which restrict their employees in doing their job. She also discussed how employees are driven by ‘goal-driven’ behaviour and prioritise their goals at that point in time; in many cases IT and data security and the associated policies are not a priority, as they prevent the end user from achieving their end goal in relation to their primary job function.

An alternative to forcing policies upon policies on to users could be to have users take a quick ICT security quiz about random aspects of the policies in place, from a common-sense perspective, enabling the employer and organisation to gauge what and where education needs to be focused and not forced.

Prof Sasse then went on to discuss how end users’ perception of a website leads them to trust it more by –

  • Seeing familiar logos on a website which they have seen elsewhere, but failing to even click on them to see if they are genuine, such as the ‘McAfee Secure’ logo, which displays whether or not a website is secure and has passed its daily vulnerability scan.
  • Seeing an advertisement which they have seen on other websites which they also perceive as trustworthy, or where they have not had a known ‘bad’ experience, such as card fraud etc.
  • Affiliate links, addresses and references to known trusted sources.
  • Links to a website’s Facebook, Twitter and other social networking sites, which apparently ensure its trustworthiness.
  • User testimonials and feedback
  • General website design and layout – If it looks ‘Professional’ or not
  • Inclusion of visual artefacts, such as Google Maps
  • Company information – VAT number, contact telephone number, address etc.

However, in Prof Sasse’s research, the majority of participants failed to check any of this; they simply carried out their task on the website. They failed to click on McAfee Secure links, failed to simply check an address on Google Maps and failed to ring the telephone number provided.

Prof Sasse also highlighted a study undertaken in 1999 discussing how end users responded to using an email encryption programme with a graphical user interface and how this affected their ability (or lack of) to use it in a logical format – Whitten and Tygar – ‘Why Johnny Can’t Encrypt’.

Electronic Footprints in the Sand:

Dr Andy Dale (Northumbria Criminal Justice Board Programme Manager) and Martin Emms (Newcastle University) provided a joint presentation on both the work of the Criminal Justice Board of Northumbria and the study and work being undertaken to assist ‘survivors’ (those who are victims of domestic violence) and to create new ways to enable more victims to survive.

The Local Criminal Justice Boards (LCJB) were created in 2003 following the ‘Auld’ review. The Local Criminal Justice Board comprises the heads and/or deputy heads of police, prisons, youth offending and (in Northumbria) the Legal Services Commission.

The aim of the Local Criminal Justice Board is to improve service and value for money across the criminal justice system in bringing offenders to justice and reducing crime and victimisation.

A lot of Dr Andy Dale’s presentation focused on ‘The BIG Society’ and what it means. With regard to the Local Criminal Justice Board, it means –

  • Giving communities more powers
  • Encouraging people to take an active role in their communities
  • Transferring power from central to local government
  • Supporting co-ops, mutuals, charities and social enterprises
  • Publishing government data

Martin Emms then went on to discuss the work being undertaken to enable domestic violence victims to access help more easily and securely. Martin discussed how they wish to assist survivors in accessing domestic violence support services without the fear that their electronic footprints will draw attention to their actions.

Leaving an Electronic Trail –

Catch-22 – Seeking Help Leaves a Trail:

  • Trails can be followed
  • Online browsing history
  • Telephone and mobile call logs and statements
  • Mobile phone texts
  • Limited technical knowledge required

Checkstick & Spysure Technology – Remote monitoring applications

  • Good technology for bad users

Manually covering your tracks –

Deleting your browsing history:

  • Browser history, cookies & temp files
  • Experience required
  • Can raise suspicion if history and data are gone

Private Browsing –

  • Only available in newer browsers (IE7 & 8 for example)
  • Some technical knowledge is required

Deleting browsing history etc. does not defeat the likes of ‘Checkstick’, which enables people to access and monitor their PCs remotely, for example from their work PC to their home PC, where the survivor may be trying to access support services.
