Human error is the weak link in cyber-security

The recent spate of activity around the hacking collective 'Anonymous' has thrown a light on the issue of cyber-security and hacking in South East Asia and across the wider APAC region. From Australia to the Philippines, and to a lesser extent here in Singapore, we've seen websites hacked, defaced and taken over.

The phrase 'hacking' however can be misleading. Anonymous may own all the latest headlines, but ‘hacking’ was originally used to describe people interested in understanding and playing with technology. It came from MIT’s Tech Model Railroad Club, where they would take apart the models in order to understand how they worked, and then 'hack' a better train.

That thinking then migrated out into hacking telephone networks. When computer ownership started to proliferate, people took the knowledge of the phone networks and expanded upon it. As networks expanded physically and into people’s lives, the ‘hackers’ exploits expanded too. With the growing amount of information that lives online, both personal and professional, what was little more than a past-time for technology enthusiasts has become a full-time industry of hobbyists, security professionals and, unfortunately, criminals.

It is important to understand that if we look at the original meaning of the term, 'hacking' in and of itself - the desire to understand, improve and have fun with technology - is not always a bad thing. The Internet itself owes its very creation to people who would have identified with the term, so too some of the digital industry's biggest players - Google, Facebook and more. In addition the growing practice of hackathons in the Singapore technology scene, most of which bring 100+ attendees.


But of course, hacking can be put to illegal purposes. And this is far from just a regional issue. In the US, it has been reported that Anonymous have been hacking into Government computers and stealing classified information, including 2,000 bank accounts, since December 2012.

Last February, the Governments of Ireland, Romania, Portugal, Belgium were just some of the many in Europe to be targeted by malware known as ‘MiniDuke’, which attempts to steal geopolitical intelligence. The malware was contained in a cleverly disguised, individually tailored email containing an Adobe PDF attachment – when clicked, ‘MiniDuke’ would install on the targets’ computers.

Returning to the APAC region, the Malaysian airline Malindo recently lost control of its Twitter account on multiple occasions, with the interlopers running riot – tweeting such things as “Dear all, in view of the recent events, Malindo Air is giving away 100,000 free seats from today till end of the week.”

Government security in Singapore has certainly been tested over the last few weeks. In the main, if you compare the outcome of the recent attacks in the Philippines, Australia and Singapore, it's clear that security here has stood up well to this test. The whole event has, however, thrown into clear perspective the importance of keeping technology up-to-date.

The hacks that did occur in Singapore almost all relied on out-of-date versions of software that still open to vulnerabilities such as SQL injections or Cross-Site Scripting. Software manufacturers periodically release updates that patch - or fix - known problems, but if organisations don't install these new updates, their software remains vulnerable.

And this is an ongoing battle. As software companies release fixes to known problems, cyber-criminals are working to discover brand new exploits. Government ministries, and their technology and agency partners need to place emphasis on the ongoing maintenance of technology platforms, not just the initial build of them. In this way we can help ensure that new technological exploits are protected against.

However, a lot of the time it is not the technological weakness in security that results in these events – it is human error. Easy-to-guess passwords, desktops left unattended, and a general lack of vigilance when it comes to junk and malicious mail, human error accounts for much of the hacking that does occur. For example, according to analysis of stolen passwords released online, the top 5 most common passwords were:

1. password

2. 123456

3. 12345678

4. abc123

5. qwerty

(source: Gizmodo

Whilst this may at first seem amusing, it also shows a startling lack of understanding of the importance of security online. Passwords are almost always the weakest link in any security chain, and even if they're not as obvious as the above, unsuspecting users can be tricked, or socially engineered, into giving out this information.

Wikipedia describes social engineering as 'the act of psychological manipulation of people into performing actions or divulging confidential information', and many online hacks rely on this type of technique for cyber criminals to gain access. Hacking is not always the actions of a technological genius, but a confidence trickster. The fact is – computer security is getting better, but people are still human.

So security is often about basic procedure, and narrowing the window for human error. Consideration must also be given to how an organisation manages the aftermath of cyber attacks, both in terms of direct response and action, but also dealing with the confusion, the fear and public concerns. This is all about crisis PR, containing and dealing with cyber assaults – which is an aspect that Singapore has managed reasonably well. Partly, this is about taking immediate action, such as resetting all passwords, boosting security of sites, and other mitigations. And partly, this is about communicating clearly and quickly and making sure everyone has the information they need.

Should a cyber attack occur, it is wise to be up front and clear about the damage done, just as Adobe did following a recent hack into their database. Adobe provided a simple search tool for users to easily see if their data was among that which was compromised, allowing users to quickly ascertain whether or not to change their passwords elsewhere.

While ever humans remain the weak link, hacking will continue to happen. The importance is in having a response that not only remedies and improves the breached systems, but also keeping control of the story and taking positive action, rather than sitting back and allowing panic and misinformation to govern.

The writer is Margaret Manning, CEO of digital consultancy Reading Room (pictured)