Making Humans the Strong Link in the IS Defence Chain (by Cyril Bras, CISO, Grenoble-Alpes Métropole)

The panorama of cyberthreats put together by the European Union Agency for Cybersecurity (ENISA) in January 2019 (ENISA, 2019) firmly situates the end user as the primary target of cyber attackers. These attackers understand that humans are the weak link in the cybersecurity chain at the level of the individual, business and government. However, this weakness can conceivably be transformed into a strength. The first step consists of acculturation to cybersecurity in order to raise awareness of challenges and individual roles in defending information systems. It is important for the CISO to be personally involved in this process. The subject lacks inherent appeal and requires a human approach to make it « sexy, » as Guillaume Poupard called for during the Hexatrust 2018 summer school[1]. The second step is to then capitalise on users’ capacity to pick up on abnormal situations. This is accomplished by inviting users to report such situations to IT support staff and/or the CISO. This article will examine the second step in depth based on feedback from experience in Grenoble, France.

When the CISO took office in March 2018, it was difficult to obtain information on security incidents affecting users. This was not acceptable as good defence requires, first and foremost, knowing one’s « territory » and its goings-on. (Tzu, 1st century). Hence, cybersecurity awareness-raising campaigns were launched. The return on investment was immediate, with alerts from users becoming more frequent. This enabled the CIO to limit exposure to threats and the CISO to report fraudulent email campaigns to the French National Cybersecurity Agency (ANSSI) (Filippone, 2019). When a phishing campaign occurred after an internal user account was compromised, users’ reactions were encouraging. The CISO received 400 emails in less than 10 minutes in an ultimately unbridled success. Thus it became necessary to find a solution that allowed users to remain involved in cybersecurity yet prevented the CISO from drowning in emails and telephone calls. The method pursued was an intranet webpage.

The way in which it works is quite simple. When a user receives a suspicious email, he or she copies and pastes the entire message into a form on a webpage. The content is then analysed using regular expressions to detect, for example, any URLs. If this is the first time that this message has been sent, the user is invited to send a copy of the message to an internal address; this allows additional information such as headers to be retrieved. The CISO is notified of the presence of a new message to be assessed. The message is determined to be of a malicious or non-malicious nature through a back office. If the message poses no risk, the CISO marks it accordingly. If this same email is submitted for assessment a second time, the web interface will display a message indicating that there is no risk. If, on the other hand, an email is categorised as fraudulent, the on-screen message will tell users what to do if they clicked on the link, or worse, provided their log-in information.

The advantages to the CISO and the security of the IS are many. First of all, few false positives arise. The CISO is notified only once of any one fraudulent email campaign. From the information obtained, it is possible to, for example, block the addresses in the emails at the proxy server level and thus limit risks of compromising log-in information (Le Dez, 2019). If multiple addresses are used in a single campaign (with identical content), they will be detected.

To conclude, here are some figures and areas for improvement. This system was tested and put in place among 6,000 agents in the community. Since May 2019, 286 mostly malicious websites have been detected and blocked by the CIO. The tool developed has opened up prospects for more in-depth research. Indeed, it would be interesting to combine it with a tool for analysing logs. This would enable faster determination of potentially compromised users and implementation of account protection measures, among other possibilities. Such an approach transforms the weak link in cybersecurity, i.e. the human factor, into a wilful and effective player.

References

ENISA. (2019). ENISA Threat Landscape Report 2018. Athens: ENISA.
Filippone, D. (2019, April 05). Cybermatinée Sécurité Lyon : La France en retard sur le hacking éthique [Lyon Cybersecurity Morning: France Lags Behind in Ethical Hacking]. Retrieved from Le Monde Informatique: https://www.lemondeinformatique.fr/actualites/lire-cybermatinee-securite-lyon-la-france-en-retard-sur-le-hacking-ethique-74886.html
Le Dez, A. (2019). Tactique Cyber. Le combat numérique [Cyber Tactics: Digital Combat.]. Paris: Economica.
Tzu, S. (1st century). The Art of War.