Human/User-Centric Security
Dr Shujun Li
Deputy Director, Surrey Centre for Cyber Security (SCCS)
Senior Lecturer, Department of Computer Science
University of Surrey, Guildford
http://www.hooklee.com/
@hooklee75
User-centric security
GCHQ new (2016) password guidance
Case study: Password expiry policy
Case study: Password expiry policy @ Surrey
User-centric security
Let us look at more about passwords!
How many passwords are there?
- 4 digits (PINs): 10^4 = 10 thousand ≈ 2^13.3
- 6 digits (PINs): 10^6 = 1 million ≈ 2^20
- Lowercase letters only, 7 characters: 26^7 ≈ 8 million ≈ 2^33
- Lowercase letters + digits, 7 characters: 36^7 ≈ 78.4 million ≈ 2^36
- Lowercase & uppercase letters + digits, 7 characters: 62^7 ≈ 10 trillion ≈ 2^42
- Lowercase & uppercase letters + digits, 11 characters: 62^11 ≈ 52 quintillion ≈ 2^65.5
How fast are today’s supercomputers?
- 10 EFlops = 10^19 ≈ 2^63 operations per second
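The two slides above give the sizes of several password spaces and the speed of a 10 EFlops machine. The calculator below, an added example rather than anything from the talk, computes each row (exact size, bits, and worst-case time to try every candidate) and, going beyond the slide, the entropy of a random word-list passphrase. The assumed guess rate of one guess per floating-point operation is a deliberately crude upper bound, not a measured figure. Note that the exact values of 26^7 and 36^7 are in the billions, which is what the 2^33 and 2^36 figures express.

```python
import math

# Guess rate assumed for this worked example (an assumption, not a measured
# figure): one password guess per floating-point operation on a 10 EFlops
# machine, i.e. 10^19 guesses per second. Real cracking is slower per guess,
# especially against deliberately slow hashes (bcrypt, scrypt, Argon2).
GUESSES_PER_SECOND = 10 ** 19

# Alphabet sizes used on the slide.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "lowercase+uppercase+digits": 62,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def bits(n: int) -> float:
    """Strength of a uniformly random choice among n possibilities, in bits."""
    return math.log2(n)


def seconds_to_exhaust(n: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every one of n candidates at `rate` guesses/s."""
    return n / rate


def describe(alphabet: str, length: int) -> dict:
    """Summarise one row of the slide's table for the given alphabet/length."""
    n = keyspace(ALPHABETS[alphabet], length)
    return {
        "alphabet": alphabet,
        "length": length,
        "size": n,
        "bits": round(bits(n), 1),
        "seconds": seconds_to_exhaust(n),
    }


def passphrase_bits(words: int, list_size: int = 2048) -> float:
    """Beyond the slide: entropy of `words` words drawn uniformly at random
    from a list of `list_size` words (the xkcd / diceware approach)."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    rows = [("digits", 4), ("digits", 6), ("lowercase", 7),
            ("lowercase+digits", 7), ("lowercase+uppercase+digits", 7),
            ("lowercase+uppercase+digits", 11)]
    for alphabet, length in rows:
        d = describe(alphabet, length)
        print(f"{alphabet:>27} x{length:2d}: 2^{d['bits']:<5} "
              f"exhausted in {d['seconds']:.2e} s")
    print(f"4 random words from a 2048-word list: 2^{passphrase_bits(4)}")
```

Even the 11-character alphanumeric row falls in about five seconds under this (unrealistic) one-guess-per-flop assumption; what actually protects a stored password is a slow, salted hash and, more importantly, a password that is not in any wordlist, which is the point the later cracking slides make.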
What passwords are being used?
- Dinei Florêncio and Cormac Herley, “A Large-Scale Study of Web Password Habits,” in Proc. WWW 2007, W3C/ACM
  - Real passwords collected from 544,960 web users in three months in 2006.
What passwords are being used?
- DataGenetics, PIN analysis, 3rd September 2012
  - 3.4 million leaked passwords composed of 4 digits.
  - [Figure: frequency heat map of 4-digit PINs; highlighted patterns: xy00, 9999, 00xy, 19xy, mmdd, xyxy]
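The DataGenetics heat map above highlights a handful of PIN patterns (xy00, 9999, 00xy, 19xy, mmdd, xyxy) that account for a large share of leaked 4-digit PINs. The classifier below is an added example, not part of the talk or of DataGenetics' analysis: it tags a PIN with every slide pattern it matches, so a proactive checker can reject it, and reports the share of a sample that matches at least one. The sample PINs are constructed for the example.

```python
import re
from datetime import date

# Pattern names follow the slide: xy00, 00xy, 19xy, mmdd, xyxy, plus the
# single repeated digit (the 9999 family). Everything here is an added
# illustration written for this page.


def pin_patterns(pin: str) -> list:
    """Return the names of the weak patterns that a 4-digit PIN matches.

    A PIN can match several patterns at once (e.g. 1900 is both 19xy and xy00).
    """
    if not re.fullmatch(r"[0-9]{4}", pin):
        raise ValueError("expected exactly four ASCII digits")
    found = []
    if pin[2:] == "00":
        found.append("xy00")           # round numbers: 2500, 1900, ...
    if pin[:2] == "00":
        found.append("00xy")           # leading zeros: 0042, ...
    if pin[:2] == "19":
        found.append("19xy")           # birth years 1900-1999
    if pin[:2] == pin[2:]:
        found.append("xyxy")           # repeated pair: 1212, 9999, ...
    if len(set(pin)) == 1:
        found.append("xxxx")           # the 9999 family
    mm, dd = int(pin[:2]), int(pin[2:])
    try:
        date(2000, mm, dd)             # 2000 is a leap year, so 0229 counts
        found.append("mmdd")           # dates: 0101, birthdays, ...
    except ValueError:
        pass
    return found


def weak_fraction(pins) -> float:
    """Share of PINs in `pins` that match at least one weak pattern."""
    pins = list(pins)
    return sum(1 for p in pins if pin_patterns(p)) / len(pins)


# Constructed sample for the example, not leaked data.
SAMPLE_PINS = ["1984", "1212", "9999", "2500", "0229", "0230", "7391", "1900"]

if __name__ == "__main__":
    for p in SAMPLE_PINS:
        print(p, pin_patterns(p) or "no known pattern")
    print(f"{weak_fraction(SAMPLE_PINS):.0%} of the sample match a weak pattern")
```

Run over a real leak, the same function reproduces the heat-map finding: most PINs are not random numbers but dates, years and round or repeated digits.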
Password cracking: 1979
- R. Morris and K. Thompson, “Password security: A case history,” Communications of the ACM, vol. 22, no. 11, 1979
- In a collection of 3,289 passwords…
  - 15 were a single ASCII character
  - 72 were strings of two ASCII characters
  - 464 were strings of three ASCII characters
  - 477 were strings of four alphamerics
  - 706 were five letters, all upper-case or all lower-case
  - 605 were six letters, all lower-case
  - 492 appeared in dictionaries, name lists, and the like
  - In total 2,831 of the 3,289 passwords fell into one of these categories.
Password cracking: 1990
- Daniel V. Klein, “Foiling the Cracker: A Survey of, and Improvements to, Password Security,” in Proc. USENIX Workshop on Security, 1990
- In a set of 15,000 passwords
  - 25% were cracked within 12 CPU months
  - 21% were cracked in the first week
  - 2.7% were cracked within the first 15 minutes
Password cracking: 2005
- Arvind Narayanan and Vitaly Shmatikov, “Fast dictionary attacks on passwords using time-space tradeoff,” in Proc. CCS’2005, ACM
- In a collection of 142 real user passwords
  - 67.6% (96) were cracked with a search complexity of 2.17×10^9 ≈ 2^31
Password cracking: 2013
- Dan Goodin, “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’,” Ars Technica, 28 May 2013
- Three professional crackers were given 16,449 hashed passwords and the best of them was able to crack 90% of the passwords.
  - Remark 1: All the passwords are considered harder ones because they are what remained uncracked in a much larger database of leaked passwords.
  - Remark 2: Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, was able to crack around 50% of the passwords within a few hours.
What can we learn from reality?
- The security-usability dilemma
  - Stronger passwords are more secure but harder for humans to remember.
  - Weaker passwords are easier for humans to remember but also easier to crack.
  - Strong passwords for humans ≠ strong passwords against automated password crackers
- End users have a tendency to choose usability over security: using easy-to-remember passwords.
- End users have not changed their ways of using (weak) passwords very much since the 1970s!
Solution: xkcd method?
Solution: Password checkers?
- A password checker checks the strength of a given password and warns the user about its weakness.
  - Proactive password checkers work at the client side while the user is entering his/her password.
  - Reactive password checkers work at the server side after the user has set his/her password (by scanning all passwords of all users).
  - All password checkers are based on one or more password meters which estimate the strength of any password given, but there are also standalone password meters.
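A proactive password checker of the kind described above, and the gap between a "meter" and a real weakness check, is easier to see in code. The example below is added for this page and is not a tool from the talk: `naive_bits` is the pool-size estimate many simple meters use, while `weaknesses` applies the 1979 Morris and Thompson categories (very short strings, four alphanumerics, five or six single-case letters) plus a dictionary lookup. The word list `COMMON_WORDS` is a constructed stand-in for a real dictionary or breach list.

```python
import math
import string

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "letmein", "qwerty", "monkey", "dragon",
                "welcome", "football", "surrey", "guildford"}


def naive_bits(pw: str) -> float:
    """The pool-size estimate behind many simple password meters:
    len(pw) * log2(size of the union of character classes used).
    It rewards mixing classes and knows nothing about dictionary words."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)   # 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def dictionary_base(pw: str) -> str:
    """Lower-case the password and strip trailing digits/symbols, the way a
    cracker's mangling rules undo 'Password1!' back to 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def weaknesses(pw: str) -> list:
    """Reasons a password would fall into the 1979 categories or a wordlist."""
    reasons = []
    if len(pw) <= 3:
        reasons.append("three characters or fewer")
    elif len(pw) == 4 and pw.isalnum():
        reasons.append("four alphanumerics")
    elif 5 <= len(pw) <= 6 and pw.isalpha() and (pw.islower() or pw.isupper()):
        reasons.append("five or six single-case letters")
    if dictionary_base(pw) in COMMON_WORDS:
        reasons.append("dictionary word (possibly with digits/symbols appended)")
    return reasons


def check(pw: str) -> dict:
    """Proactive (client-side style) check: a verdict plus the reasons."""
    reasons = weaknesses(pw)
    est = round(naive_bits(pw), 1)
    if reasons:
        verdict = "weak"
    elif est >= 60:
        verdict = "strong"
    else:
        verdict = "fair"
    return {"password": pw, "naive_bits": est, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["abc", "HELLO", "Password1!", "tr0ub4dor&3",
                      "correct horse battery staple"]:
        r = check(candidate)
        print(f"{candidate!r}: {r['verdict']} ({r['naive_bits']} naive bits) {r['reasons']}")
```

"Password1!" is the instructive case: the naive meter credits it with over 65 bits because it mixes all four character classes, yet it is one mangling rule away from a dictionary word, which is exactly why the crackers in the 2013 study got through 90% of "hard" passwords.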
Solution: Password managers?
- A password manager is a software/hardware tool managing credentials of multiple accounts of the user.
  - A master password is normally required to manage all passwords.
  - Local password managers run from a local computer (could be a smart phone) and store the data locally.
  - Web-based password managers run from the Web or the cloud and store the data remotely on a remote web site.
  - Cloud-based password managers run from a local computer or the Web and store the data remotely in a cloud.
  - Data across devices could be synchronised.
More solutions?
- Passphrases
- Graphical passwords
- Strong password policies
- Frequently changed passwords
- One-time passwords (such as iTANs)
- Hardware-based solutions
  - One-time password generators (such as RSA® SecurID)
  - Physical tokens (such as smart cards)
  - Biometrics (finger/face/iris/palm/… recognition, …)
- Multi-factor authentication
- Single-sign-on (SSO)
Pass∞ (PassInfinity)
- A new technology developed by cyber security researchers (my PhD student and me) at the University of Surrey
- It allows user-centric combinations of diverse authentication actions (across different factors), while keeping backward compatibility with current passwords.
Going beyond passwords
- Access control policies
- Data protection policies
- Bring your own device (BYOD) policies
- USB usage policies
- Email policies
- Confidential documents management policies
- Computer incident reporting and investigation policies
- …
User-centric security
Why do we need cyber security policies?
Security is a process, NOT a product.
- A product being secure does not mean the process around it is secure.
- Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Inc., 2004
Social engineering does work well!
- Hackers only need to break the weakest link in a process – humans!
- Weak human users vs. strong hackers
A real hacker’s testimony
“Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.”
- Kevin D. Mitnick and William L. Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons Inc., 2003
Social engineering everywhere: Phishing, SMiShing, vishing, …
- Getting your password from you.
A recent book on social engineering
- Christopher Hadnagy, Social Engineering: The Art of Human Hacking, John Wiley & Sons, Inc., 2010
Different kinds of weak humans
- Weak designers
- Weak programmers
- Weak assemblers
- Weak distributors
- Weak deployers
- Weak maintainers
- Weak users
- Weak …
[Diagram: weak designers, programmers, assemblers and distributors → security holes in the delivered products; weak deployers, maintainers and users → security holes in the deployed system; both exploited by strong hackers]
User-centric security
Are you a weak link of your organisation(s)?
- Have you installed any encryption software (such as GPG) for your email client or your web browser (for web mail)?
- For those who said YES to the previous question: How often do you use the above encryption software to protect your personal emails?
- Have you written one or more of your passwords down (on paper, on mobile phone, …) at least once to avoid forgetting them?
- Are you sharing passwords over multiple web sites? (SSO (Single-Sign-On) passwords are not counted.)
- Do you know how digital certificates are used with secure web sites such as online banking sites?
- If YES to the last question: How often do you check a digital certificate’s contents against the claimed owner?
- Have you seen a web browser warning about a digital certificate used by a website (untrusted issuer, expired or self-signed certificate, etc.)?
- If YES to the previous question: Did you choose to ignore the web browser warning(s) because you felt you could trust the website(s) you were visiting?
User-centric security
The solution and take-home message: Human/User-centric security
Help users, not blame them!
How to help users?
- Better tools for all humans involved
  - Better user interfaces
  - More useful data
  - More user control
  - Visualisation & gamification
  - Personalisation & contextualisation
  - Human-in-the-loop
  - …
- Better guidance for all humans involved
  - Awareness campaigns, education, training, serious games, more user-friendly and consistent guidelines and policies, …
We can work together!
- Consultancy
- Technical reports
- Bespoke solutions (tools / data)
- Joint (research) projects
  - Cyber Aware (formerly known as Cyber Streetwise)
  - Cyber Security Body of Knowledge (CySec-BoK)
  - Individual research projects
- Communities
  - RISCS (Research Institute in Science of Cyber Security)
  - Living labs for cyber security
  - Meet-ups and networking events
- …
Opportunities for collaboration
- Pass∞ (PassInfinity)
  - A new user authentication framework
- H-DLP
  - Human-assisted machine learning for bootstrapping DLP (data loss/leakage prevention) systems
- ACCEPT
  - Addressing Cybersecurity and Cybercrime via a co-Evolutionary approach to reducing human-related risks
- COMMANDO-HUMANS
  - COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity
- POLARBEAR
  - Pattern Of Life ANPR Behaviour Extraction Analysis and Recognition
User-centric security
Thanks! Questions?
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Human/User-Centric Security

  • 1. Human/User-Centric Security Dr Shujun Li Deputy Director, Surrey Centre for Cyber Security (SCCS) Senior Lecturer, Department of Computer Science University of Surrey, Guildford http://www.hooklee.com/ @hooklee75
  • 2. User-centric security GCHQ new (2016) password guidance
  • 7. User-centric security Let us look at more about passwords!
  • 8. 8 How many passwords are there? - 4 digits (PINs): 10^4 = 10 thousand ≈ 2^13.3 - 6 digits (PINs): 10^6 = 1 million ≈ 2^20 - Lowercase letters only, 7 characters: 26^7 ≈ 8 million ≈ 2^33 - Lowercase letters + digits, 7 characters: 36^7 ≈ 78.4 million ≈ 2^36 - Lowercase & uppercase letters + digits, 7 characters: 62^7 ≈ 10 trillion ≈ 2^42 - Lowercase & uppercase letters + digits, 11 characters: 62^11 ≈ 52 quintillion ≈ 2^65.5
  • 9. 9 How fast are today’s supercomputers? 10 EFlops = 10^19 ≈ 2^63
  • 10. 10 What passwords are being used? - Dinei Florêncio and Cormac Herley, “A Large- Scale Study of Web Password Habits,” in Proc. WWW 2007, W3C/ACM - Real passwords collected from 544,960 web users in three months in 2006.
  • 11. 11 What passwords are being used? - DataGenetics, PIN analysis, 3rd September 2012 - 3.4 million leaked passwords composed of 4 digits. xy00 9999 00xy 19xy mmdd xyxy
  • 12. 12 Password cracking: 1979 - R. Morris and K. Thompson, “Password security: A case history,” Communications of the ACM, vol. 22, no. 11, 1979 - In a collection of 3,289 passwords… - 15 were a single ASCII character - 72 were strings of two ASCII characters - 464 were strings of three ASCII characters - 477 were strings of four alphamerics - 706 were five letters, all upper-case or all lower-case - 605 were six letters, all lower-case - 492 appeared in dictionaries, name lists, and the like 2,831 passwords
  • 13. 13 Password cracking: 1990 - Daniel V. Klein, “Foiling the Cracker: A Survey of, and Improvements to, Password Security,” in Proc. USENIX Workshop on Security, 1990 - In a set of 15,000 passwords - 25% were cracked within 12 CPU months - 21% were cracked in the first week - 2.7% were cracked within the first 15 minutes
  • 14. 14 Password cracking: 2005 - Arvind Narayanan and Vitaly Shmatikov, “Fast dictionary attacks on passwords using time-space tradeoff,” in Proc. CCS’2005, ACM - In a collection of 142 real user passwords - 67.6% (96) were cracked with a searching complexity of 2.17×10^9 ≈ 2^31
  • 15. 15 Password cracking: 2013 - Dan Goodin, “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’,” ars technica, 28 May 2013 - Three professional crackers were given 16,449 hashed passwords and the best of them was able to crack 90% of the passwords. - Remark 1: All the passwords are considered harder ones because they are what remained uncracked in a much larger database of leaked passwords. - Remark 2: Nate Anderson, Ars deputy editor and a self- admitted newbie to password cracking, was able to crack around 50% of the passwords within a few hours.
  • 16. 16 What can we learn from reality? - The security-usability dilemma - Stronger passwords are more secure but harder for humans to remember. - Weaker passwords are easier for humans to remember but also easier to crack. - Strong passwords for humans  Strong passwords for automated password crackers - End users tend to choose usability over security: they use easy-to-remember passwords. - End users have not changed the way they use (weak) passwords very much since the 1970s!
  • 18. 18 Solution: Password checkers? - A password checker checks the strength of a given password and warns the user about its weaknesses. - Proactive password checkers work at the client side while the user is entering his/her password. - Reactive password checkers work at the server side after the user has set his/her password (by scanning all passwords of all users). - All password checkers are based on one or more password meters, which estimate the strength of any given password; there are also standalone password meters.
  • 19. 19 Solution: Password managers? - A password manager is a software/hardware tool that manages the credentials of a user's multiple accounts. - A master password is normally required to manage all passwords. - Local password managers run on a local computer (which could be a smartphone) and store the data locally. - Web-based password managers run from the Web or the cloud and store the data on a remote web site. - Cloud-based password managers run on a local computer or from the Web and store the data remotely in a cloud. - Data can be synchronised across devices.
  • 20. 20 More solutions? - Passphrases - Graphical passwords - Strong password policies - Frequently changed passwords - One-time passwords (such as iTANs) - Hardware-based solutions - One-time password generators (such as RSA® SecurID) - Physical tokens (such as smart cards) - Biometrics (finger/face/iris/palm/… recognition, …) - Multi-factor authentication - Single-sign-on (SSO)
  • 21. 21 Pass∞ (PassInfinity) - A new technology developed by cyber security researchers (my PhD student and me) at the University of Surrey - It allows user-centric combinations of diverse authentication actions (across different factors), while keeping backward compatibility with current passwords.
  • 22. 22 Going beyond passwords - Access control policies - Data protection policies - Bring your own device (BYOD) policies - USB usage policies - Email policies - Confidential documents management policies - Computer incident reporting and investigation policies - …
  • 23. User-centric security Why do we need cyber security policies?
  • 24. 24 Security is a process, NOT a product. - A product is secure.  A process is secure. - Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Inc., 2004
  • 25. 25 Social engineering does work well! - Hackers only need to break the weakest link in a process – humans! - Weak human users vs. Strong hackers
  • 26. 26 A real hacker’s testimony Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it. Kevin D. Mitnick and William L. Simon The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons Inc., 2003
  • 27. 27 Social engineering everywhere: Phishing, SMiShing, vishing, … - Getting your password from you.
  • 28. 28 A recent book on social engineering - Christopher Hadnagy, Social Engineering: The Art of Human Hacking, John Wiley & Sons, Inc., 2010
  • 29. 29 Different kinds of weak humans - Weak designers - Weak programmers - Weak assemblers - Weak distributors - Weak deployers - Weak maintainers - Weak users - Weak …  Security holes in the delivered products  Security holes in the deployed system Strong Hackers
  • 30. User-centric security Are you a weak link of your organisation(s)?
  • 31. 31 Are you a weak link of your organisation(s)? - Have you installed any encryption software (such as GPG) for your email client or your web browser (for web mail)?
  • 32. 32 Are you a weak link of your organisation(s)? - For those who said YES in previous question: How often do you use the above encryption software to protect your personal emails?
  • 33. 33 Are you a weak link of your organisation(s)? - Have you written one or more of your passwords down (on paper, on mobile phone, …) at least once to avoid forgetting them?
  • 34. 34 Are you a weak link of your organisation(s)? - Are you sharing passwords over multiple web sites? - SSO (Single-Sign-On password is not counted).
  • 35. 35 Are you a weak link of your organisation(s)? - Do you know how digital certificates are used with secure web sites such as online banking sites?
  • 36. 36 Are you a weak link of your organisation(s)? - If YES to the last question: How often do you check digital certificate’s contents against the claimed owner?
  • 37. 37 Are you a weak link of your organisation(s)? - Have you seen a web browser warning about a digital certificate used by a website (untrusted issuer, expired or self-signed certificate, etc.)?
  • 38. 38 Are you a weak link of your organisation(s)? - If YES to the previous question: Did you choose to ignore the web browser warning(s) because you felt you could trust the website(s) you were visiting? ?
  • 39. User-centric security The solution and take-home message: Human/User-centric security
  • 40. 40 Help users, not blame them!
  • 41. 41 How to help users? - Better tools for all humans involved - Better user interfaces - More useful data - More user control - Visualisation & gamification - Personalisation & contextualisation - Human-in-the-loop - … - Better guidance for all humans involved - Awareness campaigns, education, training, serious games, more user-friendly and consistent guidelines and policies, …
  • 42. 42 We can work together! - Consultancy - Technical reports - Bespoke solutions (tools / data) - Joint (research) projects - Cyber Aware (formerly known as Cyber Streetwise) - Cyber Security Body of Knowledge (CySec-BoK) - Individual research projects - Communities - RISCS (Research Institute in Science of Cyber Security) - Living labs for cyber security - Meet-ups and networking events - …
  • 43. 43 Opportunities for collaboration - Pass∞ (PassInfinity) - A new user authentication framework - H-DLP - Human-assisted machine learning for bootstrapping DLP (data loss/leakage prevention) systems - ACCEPT - Addressing Cybersecurity and Cybercrime via a co-Evolutionary approach to reducing human-related risks - COMMANDO-HUMANS - COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity - POLARBEAR - Pattern Of Life ANPR Behaviour Extraction Analysis and Recognition
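Slides 8 and 9 multiply out password keyspaces and quote a supercomputer's rate. The following is an added example, not code from the slides or from Dr Li's work: it computes the same keyspace and bit figures for any alphabet and length, and turns them into worst-case exhaustive-search times under two constructed attacker models. The offline rate (the slide's 10 EFlops, taken as about 10^19 guesses per second against stolen hashes) and the online rate (a login endpoint throttled to 10 attempts per second) are assumptions chosen for illustration, not measurements.

```python
import math

# Alphabet sizes as used on slide 8.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
}

# Constructed attacker models (assumptions, not measurements): an offline
# attacker who holds the hashes and runs at the slide's ~1e19 operations/s,
# versus an online login endpoint that throttles to 10 attempts per second.
OFFLINE_GUESSES_PER_SEC = 1e19
ONLINE_GUESSES_PER_SEC = 10.0
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def strength_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the '2^n' figure quoted on the slide."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length whose full keyspace reaches `target_bits` of strength."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def policy_report(alphabet_size: int, length: int) -> dict:
    """Summarise one (alphabet, length) policy under both attacker models."""
    return {
        "keyspace": keyspace(alphabet_size, length),
        "bits": round(strength_bits(alphabet_size, length), 1),
        "offline_seconds": seconds_to_exhaust(alphabet_size, length, OFFLINE_GUESSES_PER_SEC),
        "online_years": seconds_to_exhaust(alphabet_size, length, ONLINE_GUESSES_PER_SEC)
        / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (4, 6, 7, 11):
            r = policy_report(size, length)
            print(f"{name:>18} x{length:2d}: {r['bits']:5.1f} bits, "
                  f"offline {r['offline_seconds']:.2e} s, online {r['online_years']:.2e} years")
    # How long must a lowercase-only password be to match 62^11 (~2^65.5)?
    print("lowercase length for 65 bits:", min_length_for_bits(26, 65))
```

The contrast the table makes visible is the one that drives password policy: the largest keyspace on the slide falls to the offline model in seconds, while even a 6-digit PIN survives the throttled online model for days. Rate limiting and slow hashing, not length alone, decide which model applies.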
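Slide 11 (the DataGenetics PIN patterns xy00, 00xy, 19xy, mmdd and xyxy), slide 12 (the weak classes Morris and Thompson counted in 1979) and slide 18 (proactive password checkers) all describe tests that can be run on a candidate password before it is accepted. The added example below is not code from the slides or from any project named on them: it implements those tests as a proactive checker and tallies the PIN patterns over a sample the way the DataGenetics analysis did. The wordlist and the sample PINs are constructed for the demonstration and are assumptions of this example.

```python
import re
from collections import Counter
from datetime import date

# Constructed wordlist (an assumption); a deployed checker would load a large
# dictionary plus lists of leaked passwords.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey", "surrey"}

# Constructed sample of 4-digit PINs for the tally below (not real data).
SAMPLE_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969",
               "1984", "0420", "1357", "8601", "0112", "1990", "2580", "3141", "9999", "7391"]

WEAK_LENGTH_CLASSES = {1: "single ASCII character", 2: "two ASCII characters",
                       3: "three ASCII characters"}


def pin_patterns(pin: str) -> list:
    """Return every slide-11 pattern a 4-digit PIN matches (possibly several)."""
    if not re.fullmatch(r"\d{4}", pin):
        raise ValueError("expected exactly four digits")
    hits = []
    if pin[:2] == pin[2:]:
        hits.append("xyxy")          # repeated pair, e.g. 1212, 6969, 0000
    if pin.endswith("00"):
        hits.append("xy00")          # round numbers and years such as 2000
    if pin.startswith("00"):
        hits.append("00xy")
    if pin.startswith("19"):
        hits.append("19xy")          # birth years
    try:
        date(2000, int(pin[:2]), int(pin[2:]))   # leap year, so 0229 counts as a date
        hits.append("mmdd")          # birthdays and anniversaries
    except ValueError:
        pass
    return hits


def pattern_frequency(pins) -> Counter:
    """Tally how many PINs fall into each pattern ('none' for unmatched ones)."""
    counts = Counter()
    for pin in pins:
        for pattern in pin_patterns(pin) or ["none"]:
            counts[pattern] += 1
    return counts


def weak_class_1979(pw: str):
    """Map a password onto the weak classes of slide 12, or None if it fits none."""
    n = len(pw)
    if n in WEAK_LENGTH_CLASSES:
        return WEAK_LENGTH_CLASSES[n]
    if n == 4 and pw.isascii() and pw.isalnum():
        return "four alphamerics"
    if n == 5 and pw.isalpha() and (pw.isupper() or pw.islower()):
        return "five letters, single case"
    if n == 6 and pw.isalpha() and pw.islower():
        return "six lowercase letters"
    if pw.lower() in DICTIONARY:
        return "dictionary word"
    return None


def check_password(pw: str) -> dict:
    """Proactive check at entry time: an ok flag plus human-readable reasons for rejection."""
    reasons = []
    weak = weak_class_1979(pw)
    if weak:
        reasons.append(f"falls in a 1979 weak class: {weak}")
    if re.fullmatch(r"\d{4}", pw):
        for pattern in pin_patterns(pw):
            reasons.append(f"common PIN pattern: {pattern}")
    return {"ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    print(pattern_frequency(SAMPLE_PINS))
    for candidate in ("1984", "monkey", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate))
```

Returning every matching pattern rather than the first lets the same function serve both uses on the slides: the checker shows the user all the reasons a PIN is predictable, and the tally reproduces the kind of overlapping statistics (a PIN like 1212 is both xyxy and a date) that a reactive scan of a password database would report.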

Editor's Notes

  1. Ask the audience to read the infographic quickly and ask them where digital technologies appear and which items are about cyber security policies. Then go through those bullet points one after the other (skipping the one on password expiration). Digital technologies mentioned: password cracking (can be used for good purposes such as reactive password checkers and evaluating password strength meters); proactive and reactive password checkers; password use monitoring and statistics; CAPTCHA and 4th factor for authentication; password manager; SSO and other factors of user authentication; password reset / recovery authentication; encrypt passwords at server side (strong salting); password security awareness and education (=> personalisation and contextualisation); … Digital technologies not mentioned: HTTPS, TLS/SSL, and all other network protocols, …
  2. ISAGG = Information Security & Governance Group
  3. Exactly 30 years ago…
  4. Around 20 years ago…
  5. Four years ago…
  6. Rule based approach, hybrid approach, …
  7. http://en.wikipedia.org/wiki/Xkcd xkcd, sometimes stylized as XKCD, is a webcomic created by Randall Munroe. The comic's tagline describes it as "a webcomic of romance, sarcasm, math, and language." Munroe mentions on the comic's website that the name of the comic is not an acronym but "just a word with no phonetic pronunciation".
  8. Do they solve the problem completely?
  9. Do they solve the problem completely?
  10. All of them have some usability problems. We will focus on graphical passwords to show it’s not trivial to have a better solution.
  11. Does anybody happen to know the person in the middle of the three? In the late 20th century, he was convicted of various computer and communications-related crimes. At the time of his arrest, he was the most-wanted computer criminal in the United States. At age 12, Mitnick used social engineering to bypass the punchcard system used in the Los Angeles bus system. After a friendly bus driver told him where he could buy his own ticket punch, he could ride any bus in the greater LA area using unused transfer slips he found in the trash. Social engineering became his primary method of obtaining information, including user-names and passwords and modem phone numbers. Mitnick first gained unauthorized access to a computer network in 1979, at 16, when a friend gave him the phone number for the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software. He broke into DEC's computer network and copied their software, a crime he was charged with and convicted of in 1988. He was sentenced to 12 months in prison followed by three years of supervised release. Near the end of his supervised release, Mitnick hacked into Pacific Bell voice mail computers. After a warrant was issued for his arrest, Mitnick fled, becoming a fugitive for two and a half years. Mitnick served five years in prison — four and a half years pre-trial and eight months in solitary confinement — because, according to Mitnick, law enforcement officials convinced a judge that he had the ability to "start a nuclear war by whistling into a pay phone", meaning that law enforcement told the judge that he could somehow dial into the NORAD modem via a payphone from prison and communicate with the modem by whistling to launch nuclear missiles. He was released on January 21, 2000. During his supervised release, which ended on January 21, 2003, he was initially forbidden to use any communications technology other than a landline telephone. Mitnick fought this decision in court, eventually winning a ruling in his favor, allowing him to access the Internet. Under the plea deal, Mitnick was also prohibited from profiting from films or books based on his criminal activity for seven years. Mitnick now runs Mitnick Security Consulting LLC, a computer security consultancy. According to the U.S. Department of Justice, Mitnick gained unauthorized access to dozens of computer networks while he was a fugitive. He used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail. Mitnick was apprehended on February 15, 1995 in Raleigh, North Carolina. He was found with cloned cellular phones, more than 100 clone cellular phone codes, and multiple pieces of false identification.
  12. Vishing = voice phishing (phishing over voice) The image on the right seems to be an “orphan image”. I did search on the web but cannot find its owner.
  13. Weak distributors may choose to exclude one security-oriented component to make their distributions more competitive in the market in term of price. Weak humans vs. Strong attacker as well.
  14. Cormac Herley: “It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.”
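Editor's note 1 lists encrypting passwords at the server side with strong salting among the technologies on the infographic. As an added example (not code from the slides or from the speaker), here is the defensive pattern this refers to, using only Python's standard library: a fresh random salt per user, a deliberately slow key-derivation function in place of a plain hash, constant-time comparison, and a self-describing record so that old records can be upgraded when the iteration count is raised. The iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256; the record format and the login flow are assumptions of this example.

```python
import hashlib
import hmac
import os

# Parameters for newly created records. Raise ITERATIONS over time; needs_rehash()
# then migrates old records at the user's next successful login.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)   # per-user random salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and parameters stored in the record; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True when the stored record uses weaker parameters than the current policy."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


def login(password: str, record: str):
    """Verify, and on success return the (possibly upgraded) record to store back."""
    if not verify_password(password, record):
        return False, record
    return True, (hash_password(password) if needs_rehash(record) else record)


if __name__ == "__main__":
    # Constructed demonstration values, not real credentials.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Correct horse battery staple", stored))
    legacy = hash_password("hunter2", iterations=1000)   # an old, below-policy record
    ok, upgraded = login("hunter2", legacy)
    print("legacy login ok:", ok, "upgraded:", not needs_rehash(upgraded))
```

Storing the parameters inside the record is what makes a policy change operationally painless: nothing needs to know which users were created under which settings, and the only time the plaintext password is available for re-hashing is the moment the user has just proved it.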