Cybersecurity: The human flaw is not inherent to the user
When it comes to cyber-malware, the human flaw, by which is meant the user, is very often pointed out. Sometimes with good reason. But this is forgetting that human error can also come from the design of the infrastructure itself. Working on its robustness upstream is therefore at least as important as evangelizing users about cybersecurity.
Tribune of Sylvain Guilley, CTO of Secure-IC and Senior Editor at ISO
Cyberspace, an amplifier to danger?
In real life (“IRL”, i.e. “In Real Life”), the relationship to risk-taking and adrenaline is specific to each individual: some like to live dangerously, while others prefer not to venture into unknown territory. These complex psychological mechanisms obviously depend on the innate and acquired nature of each individual.
In cyberspace, the principle is finally quite similar. Some places visited are riskier than others, and bad encounters (or even attacks) can unfortunately happen to anyone: scams, false e-mails, targeted attacks (social engineering; manipulation practices aiming at extracting information from people without them realizing it), etc. In many cases, it is these types of behaviors that are the root of the dangers, and educating everyone about these risks would make it possible to avoid a number of pitfalls.
However, even though technology is supposed to be at the service of humans, it is technology itself, that can sometimes be trapped by bugs, flaws or too much permissiveness. In this case, the user, in spite of an exemplary behavior, could also be a victim of a malicious act that would rely on and exploit one or several pre-existing vulnerabilities.
The human flaw at conception
If among these vulnerabilities, some can be thwarted by the user himself (or by his browser for example), as is the case of the insecure web protocol (the “s” of https and the associated padlock), others are much less obvious. For example, cross-site scripting (or XSS vulnerabilities) is a flaw in a perfectly legitimate site, capable of executing any action on the browser that is viewing the page.
In this case, the human fault is not to be blamed on the user, but on the designer. It is the infrastructure, software and/or hardware, that has not been designed with a sufficient level of quality – and security – in mind. However, the blame should not be systematically put on the designers themselves.
Indeed, with increasingly complex infrastructures, it is becoming more and more difficult to ensure maximum security. On the other hand, the relentless and permanent work of ill-intentioned people allows them, to discover and exploit unknown flaws at the time of design.
Towards security by design
Is system security therefore destined to remain an eternal flight forward, coupled with the hope of never suffering (or not suffering too badly) from assaults of cybercriminals? Fortunately, no, and it is in fact the technology itself that accompanies the designers in their virtuous approach, with the help of tools for checking properties, non-regression, formal equivalence at the compilation level, etc. It is of course necessary that they are correctly configured, while not preventing bugs in the specifications or source code.
Careful not to make any shortcuts however: although the human being may be the security flaw in the design phase, he is above all its major asset, as recognized by most certification schemes, which imply documented procedures (thus intended for humans). In the automotive industry, for example, standardization (ISO/SAE 214341) goes even further by involving top management, which must know how to measure the stakes, appoint a security manager, etc.
In other words, it is the understanding of standards and their strict application, or even reinforcement, during the design phase that will ensure the quality and security of infrastructures and other systems, from the semiconductor to the cloud. Combined with the gradual learning of cybersecurity issues among the greatest number of people, this approach, which is always centered on the human being, makes it possible to limit the risks, and therefore the proven exploitation of vulnerabilities to a minimum.
Do you have questions on this topic and on our protection solutions? We are here to help.