A Framework for Evaluating and Patching the Human Factor in Cybersecurity

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 11 a.m. (40 minutes).

Social engineering (SE) attacks have changed dramatically in recent years: they are no longer limited to PCs, and they go well beyond phishing. Despite these changes, current methods for evaluating users' resilience to SE attacks still focus mainly on phishing attacks and do not distinguish between different platforms.

Furthermore, current methods depend to a large extent on the subjects' responses to surveys, which tend to be subjective and biased and require the subjects' active involvement and collaboration; they are therefore less accurate and consume significant human resources. Other solutions are based on measuring the momentary behaviour of subjects while facing a simulated phishing attack. These methods, however, tend to be sensitive to environmental factors and cannot be used to evaluate users' behaviour continuously.

We present a methodology and an automated, scalable and objective framework for continuously evaluating the resilience of users to specific types of social engineering attacks. The methodology includes a set of measurable criteria for a security-aware user, and an expert-based procedure for deriving security awareness models for different attack classes (each class is an aggregation of SE attacks that exploit a similar set of human vulnerabilities). The framework utilizes data collected and analyzed from different data sources to measure the set of criteria:

  • Android agent, which measures the users' actual behaviour while operating their smartphones.
  • Chrome extension, which measures the users' actual behaviour while operating their PCs.
  • Network traffic monitor, which analyzes the network traffic transmitted to and received from the devices.
  • Attack simulator, which implements multiple types of SE attacks on the users.

In order to evaluate the proposed framework, we conducted an empirical experiment involving 162 users for a duration of seven to eight weeks. The results show that (1) the skills required from a user to mitigate an attack differ between attack classes; (2) the self-reported behaviour of users differs significantly from their actual behaviour; and (3) the security awareness level derived from the actual behaviour of users is highly correlated with their ability to mitigate SE attacks.
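The abstract describes measuring criteria from behaviour data, aggregating them into a per-class awareness score, and comparing that score against both self-reported answers and simulated-attack outcomes. The following is an added example written for this page and not the presenters' framework or code: the criteria, the attack classes, the weights, the behaviour events, the self-report values and the simulation results are all constructed, and Spearman rank correlation is a choice made here (the abstract says "highly correlated" without naming a statistic).

```python
"""Added illustration (not the presenters' code): derive per-user, per-class
awareness scores from measured behaviour events, then compare actual-behaviour
scores and self-reported scores against simulated-attack outcomes.
All criteria, weights and data below are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Hypothetical criteria per attack class. Sign marks whether an observed action
# is safe (+1) or risky (-1); a real model would be expert-derived, as the
# abstract states, and is not on the page.
CRITERIA: Dict[str, Dict[str, float]] = {
    "phishing": {
        "checked_url_before_click": +1.0,
        "opened_unknown_link": -1.0,
        "entered_credentials_on_http": -1.0,
    },
    "app_install": {
        "reviewed_app_permissions": +1.0,
        "installed_from_unknown_source": -1.0,
    },
}

# Constructed behaviour events: (user, data source, criterion, count observed)
EVENTS: List[Tuple[str, str, str, int]] = [
    ("u1", "chrome_extension", "checked_url_before_click", 8),
    ("u1", "chrome_extension", "opened_unknown_link", 1),
    ("u1", "android_agent", "reviewed_app_permissions", 3),
    ("u2", "chrome_extension", "opened_unknown_link", 6),
    ("u2", "network_monitor", "entered_credentials_on_http", 2),
    ("u2", "android_agent", "installed_from_unknown_source", 2),
    ("u3", "chrome_extension", "checked_url_before_click", 2),
    ("u3", "chrome_extension", "opened_unknown_link", 3),
    ("u3", "android_agent", "reviewed_app_permissions", 1),
    ("u3", "android_agent", "installed_from_unknown_source", 1),
]

# Constructed survey answers (1 = very unsafe, 5 = very safe) and simulator
# results (share of simulated attacks of that class the user mitigated).
SELF_REPORT = {"u1": {"phishing": 3}, "u2": {"phishing": 5}, "u3": {"phishing": 4}}
SIMULATION = {"u1": {"phishing": 0.9}, "u2": {"phishing": 0.1}, "u3": {"phishing": 0.5}}


def awareness_scores(events=EVENTS, criteria=CRITERIA) -> Dict[str, Dict[str, float]]:
    """Per user and attack class: fraction of observed actions that were safe, in [0, 1]."""
    safe: Dict[Tuple[str, str], float] = defaultdict(float)
    total: Dict[Tuple[str, str], float] = defaultdict(float)
    for user, _source, criterion, count in events:
        for cls, weights in criteria.items():
            if criterion in weights:
                total[(user, cls)] += count
                if weights[criterion] > 0:
                    safe[(user, cls)] += count
    scores: Dict[str, Dict[str, float]] = defaultdict(dict)
    for (user, cls), n in total.items():
        scores[user][cls] = safe[(user, cls)] / n
    return dict(scores)


def _ranks(values: List[float]) -> List[float]:
    """Average ranks (1-based), with ties sharing the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(xs: List[float], ys: List[float]) -> float:
    """Spearman rank correlation, implemented inline to stay dependency-free."""
    rx, ry = _ranks(xs), _ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / (vx * vy) ** 0.5


def compare(cls: str) -> Tuple[float, float]:
    """Return (rho of actual-behaviour score vs simulation, rho of self-report vs simulation)."""
    actual = awareness_scores()
    users = sorted(SIMULATION)
    sim = [SIMULATION[u][cls] for u in users]
    measured = [actual[u][cls] for u in users]
    reported = [float(SELF_REPORT[u][cls]) for u in users]
    return spearman(measured, sim), spearman(reported, sim)


if __name__ == "__main__":
    print(awareness_scores())
    print("phishing: actual vs sim, self-report vs sim =", compare("phishing"))
```

With the constructed data the measured scores rank the three users exactly as the simulator does (rho = 1.0) while the survey answers rank them in reverse (rho = -1.0), which is the kind of gap between self-reported and actual behaviour the abstract reports; real data would of course give less extreme values.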

Presenters:

  • Ron Bitton - Principal Research Manager, Cyber Security Research Centre at Ben Gurion University, Israel
    Ron Bitton is a Principal Research Manager at the Cyber Security Research Centre at Ben-Gurion University. His main areas of interest are cybersecurity and artificial intelligence, especially the applicability of artificial intelligence algorithms in cybersecurity solutions. On these topics, Ron possesses a proven track record of successfully leading large-scale research projects from concept through to design, testing and handover. Ron holds a B.Sc. in software engineering, an M.Sc. in cybersecurity and a PhD in Information Systems and Software Engineering, all from Ben-Gurion University of the Negev. In recent years, Ron has been the co-inventor of several patents; has published multiple academic papers in journals (TDSC 2019, Pervasive and Mobile Computing 2019 and Computers & Security 2018) and highly ranked conferences (IJCNN 2020, CHI 2020, RAID 2019, AsiaCCS 2019, ESORICS 2018); and participates in the scientific community as a reviewer for academic journals.
