Research News

comic illustration of gun shooting a target.

IT security is a people problem, UB cybersecurity expert tells House members


Published May 4, 2016 This content is archived.

Arun Vishwanath.
“The attacks can’t be stopped unless users are involved in the solution. ”
Arun Vishwanath, associate professor
Department of Communication

Developing new approaches to curb spear phishing must involve a broad innovative vision that looks beyond technical solutions and instead focuses on individual computer users, who represent the weakest link in most cybersecurity systems, UB faculty member Arun Vishwanath told congressional members and staffers at the 22nd annual Coalition for National Science Funding (CNSF) exhibition and reception on April 26.

Vishwanath, associate professor in the Department of Communication and an expert in cybersecurity and online deception, was one of 30 scientists from across the nation each representing a specific discipline at this year’s CNSF event, titled “Investments in STEM Research and Education: Fueling American Innovation.”

“These spear phishing attacks are taking advantage of vulnerabilities posed by computer users,” Vishwanath says. “The attacks can’t be stopped unless users are involved in the solution.”

Held at the Rayburn House Office Building, located just south of the U.S. Capitol, Vishwanath found himself discussing online security while standing a couple of doors away from the United States Office of Personnel Management’s (OPM) liaison office.

In June 2015, the OPM announced it had fallen victim to one of the largest breaches of government data in the country’s history. The personal information of 21.5 million current and former federal employees, including 5.6 million fingerprints, were compromised as part of a stealth attack the agency said began the previous May.

That it took so long to discover the breach is not unusual, according to Vishwanath.

He says the average time between infection and detection is 230 or more days, down less than 20 days from estimates made four years ago.

“That tells you how little progress has been made with this particular issue,” he says.

Spear phishing is a form of email spoofing that carries malicious hyperlinks or attachments. The messages often look harmless. Many of them appear genuine, but these authentic-looking messages have become the primary attack vector of hackers, including those who broke into OPM’s system.

“Computer science and computer engineering have not come up with a technical answer to the problem,” says Vishwanath. “If we’re going to build defenses against spear phishing we have to look at the people and their habits.”

Hackers already have realized that computer users are the best way to slip past cyber defenses. One click on a malicious link or attachment can open a tunnel that provides hackers with remote access to computer networks. Some attacks hold data hostage, a malware known as Ransomware. Other attacks are designed to identify greater system weakness, while others steal data, slowly.

Vishwanath’s research involves understanding why each user is vulnerable by studying their beliefs, patterns, attitudes and heuristics.

The resulting individual risk profiles from these studies would form the basis of behavioral-based system administration privileges.

If someone is cavalier about security or has risky email habits, their access to sensitive parts of a network would be limited relative to a co-worker who understands the security risks.

“This would allow us to get away from one-size-fits-all training. That kind of training is not effective. Many people at OPM were trained or likely aware of spear phishing, yet it had limited impact in stopping the breach,” says Vishwanath. “The training can be improved by using the risk profiles of each user, which show why that person is a risk and how that person can be better trained.”

Building defenses around people by identifying what makes them vulnerable allows for the development of better training and can identify under what circumstances information access should be sequestered.

“This approach can turn human vulnerabilities in cyber security into strengths,” says Vishwanath.