Cybersecurity is meer dan alleen het nemen van technische maatregelen. En alhoewel gebruikers ten onrechte vaak alleen worden aangemerkt als ‘de zwakke schakel’ binnen die cybersecurity, moet een deel van de maatregelen zich toch echt wel richten op deze groep. Gebruikers gedragen zich immers soms bewust of onbewust onveilig: - ze klikken op hyperlinks als ze dat niet moeten doen; - reageren op een phishingmail; - gebruiken zwakke wachtwoorden; - hergebruiken wachtwoorden; - melden incidenten niet; - geven (te) veel gegevens prijs van zichzelf op social media; - maken niet consequent back-ups van hun data. Sinds jaar en dag lijken organisaties ‘awareness’ te zien als de sleutel om van gebruikers iets minder de zwakke schakel te maken. De gedachte daarachter is kortgezegd dat gebruikers zich ‘beter’ gaan gedragen als we ze voeden met informatie over dreigingen, goed en fout gedrag en het cybersecurity-beleid. Het is inmiddels echter wel duidelijk dat een beleid dat alleen gericht is op ‘awareness’ niet gaatzorgen voor het gewenste effect. Onderzoek toont bijvoorbeeld aan dat anti-phishingcampagnes, waar nepphishingmails worden verstuurd, niet heel lang beklijven. Cybersecuritybedrijven geven dan ook steeds vaker aan dat het niet alleen gaat om het verhogen van kennis en bewustwording, maar ook om andere aspecten die gedrag lijken te beïnvloeden. Recent wetenschappelijk experimenteel onderzoek laat zelfs zien dat het hebben van meer kennis kan leiden tot onveiliger gedrag: gebruikers die (een beetje) meer weten, gedragen zich nog onveiliger. Mogelijk komt dat doordat die groep zichzelf overschat en daardoor ten onrechte grotere risico’s durft te nemen. We moeten dus verder komen dan alleen awareness. Het lab observeert dat er twee grote vraagstukken spelen. 1. Wat moeten we dan verder nog doen? Het is duidelijk dat er geen simpele oplossing is voor het bevorderen van veilig cybergedrag. Toch is het goed om nieuwe oplossingsrichtingen te onderzoeken die richting geven aan het verbeteren van cyberveilig gedrag. 2. Hoe zorgen we ervoor dat organisaties daadwerkelijk verder gaan dan alleen het creëren van meer awareness? Individuele organisaties hebben lang niet altijd de kennis en kunde om dit zelf te doen. Moet de overheid dit stimuleren? Zo ja, hoe dan? Kan het aan de markt zelf (lees: cybersecurity bedrijven) overgelaten worden? Wat kunnen we leren over het stimuleren van effectieve gedragsinterventies binnen andere vakgebieden? https://nl.linkedin.com/in/rutgerleukfeldt
MULTIFILE
From the article: This paper describes the external IT security analysis of an international corporate organization, containing a technical and a social perspective, resulting in a proposed repeatable approach and lessons learned for applying this approach. Part of the security analysis was the utilization of a social engineering experiment, as this could be used to discover employee related risks. This approach was based on multiple signals that indicated a low IT security awareness level among employees as well as the results of a preliminary technical analysis. To carry out the social engineering experiment, two techniques were used. The first technique was to send phishing emails to both the system administrators and other employees of the company. The second technique comprised the infiltration of the office itself to test the physical security, after which two probes were left behind. The social engineering experiment proved that general IT security awareness among employees was very low. The results allowed the research team to infiltrate the network and have the possibility to disable or hamper crucial processes. Social engineering experiments can play an important role in conducting security analyses, by showing security vulnerabilities and raising awareness within a company. Therefore, further research should focus on the standardization of social engineering experiments to be used in security analyses and further development of the approach itself. This paper provides a detailed description of the used methods and the reasoning behind them as a stepping stone for future research on this subject. van Liempd, D., Sjouw, A., Smakman, M., & Smit, K. (2019). Social Engineering As An Approach For Probing Organizations To Improve It Security: A Case Study At A Large International Firm In The Transport Industry. 119-126. https://doi.org/10.33965/es2019_201904l015
MULTIFILE
This essay explores the notion of resilience by providing a theoretical context and subsequently linking it to the management of safety and security. The distinct worlds of international security, industrial safety and public security have distinct risks as well as distinct ‘core purposes and integrities’ as understood by resilience scholars. In dealing with risks one could argue there are three broad approaches: cost-benefit analysis, precaution and resilience. In order to distinguish the more recent approach of resilience, the idea of adaptation will be contrasted to mitigation. First, a general outline is provided of what resilience implies as a way to survive and thrive in the face of adversity. After that, a translation of resilience for the management of safety and security is described. LinkedIn: https://www.linkedin.com/in/juul-gooren-phd-cpp-a1180622/
The CARTS (Collaborative Aerial Robotic Team for Safety and Security) project aims to improve autonomous firefighting operations through an collaborative drone system. The system combines a sensing drone optimized for patrolling and fire detection with an action drone equipped for fire suppression. While current urban safety operations rely on manually operated drones that face significant limitations in speed, accessibility, and coordination, CARTS addresses these challenges by creating a system that enhances operational efficiency through minimal human intervention, while building on previous research with the IFFS drone project. This feasibility study focuses on developing effective coordination between the sensing and action drones, implementing fire detection and localization algorithms, and establishing parameters for autonomous flight planning. Through this innovative collaborative drone approach, we aim to significantly improve both fire detection and suppression capabilities. A critical aspect of the project involves ensuring reliable and safe operation under various environmental conditions. This feasibility study aims to explore the potential of a sensing drone with detection capabilities while investigating coordination mechanisms between the sensing and action drones. We will examine autonomous flight planning approaches and test initial prototypes in controlled environments to assess technical feasibility and safety considerations. If successful, this exploratory work will provide valuable insights for future research into autonomous collaborative drone systems, currently focused on firefighting. This could lead to larger follow-up projects expanding the concept to other safety and security applications.
Today, embedded devices such as banking/transportation cards, car keys, and mobile phones use cryptographic techniques to protect personal information and communication. Such devices are increasingly becoming the targets of attacks trying to capture the underlying secret information, e.g., cryptographic keys. Attacks not targeting the cryptographic algorithm but its implementation are especially devastating and the best-known examples are so-called side-channel and fault injection attacks. Such attacks, often jointly coined as physical (implementation) attacks, are difficult to preclude and if the key (or other data) is recovered the device is useless. To mitigate such attacks, security evaluators use the same techniques as attackers and look for possible weaknesses in order to “fix” them before deployment. Unfortunately, the attackers’ resourcefulness on the one hand and usually a short amount of time the security evaluators have (and human errors factor) on the other hand, makes this not a fair race. Consequently, researchers are looking into possible ways of making security evaluations more reliable and faster. To that end, machine learning techniques showed to be a viable candidate although the challenge is far from solved. Our project aims at the development of automatic frameworks able to assess various potential side-channel and fault injection threats coming from diverse sources. Such systems will enable security evaluators, and above all companies producing chips for security applications, an option to find the potential weaknesses early and to assess the trade-off between making the product more secure versus making the product more implementation-friendly. To this end, we plan to use machine learning techniques coupled with novel techniques not explored before for side-channel and fault analysis. In addition, we will design new techniques specially tailored to improve the performance of this evaluation process. Our research fills the gap between what is known in academia on physical attacks and what is needed in the industry to prevent such attacks. In the end, once our frameworks become operational, they could be also a useful tool for mitigating other types of threats like ransomware or rootkits.
Despite their various appealing features, drones also have some undesirable side-effects. One of them is the psychoacoustic effect that originates from their buzzing noise that causes significant noise pollutions. This has an effect on nature (animals run away) and on humans (noise nuisance and thus stress and health problems). In addition, these buzzing noises contribute to alerting criminals when low-flying drones are deployed for safety and security applications. Therefore, there is an urgent demand from SMEs for practical knowledge and technologies that make existing drones silent, which is the main focus of this project. This project contributes directly to the KET Digital Innovations\Robotics and multiple themes of the top sectors: Agriculture, Water and Food, Health & Care and Safety. The main objective of this project is: Investigate the desirability and possibilities of extremely silent drone technologies for agriculture, public space and safety This is an innovative project and there exist no such drone technology that attempts to reduce the noises coming from drones. The knowledge within this project will be converted into the first proof-of-concepts that makes the technology the first Minimum Viable Product suitable for market evaluations. The partners of this project include WhisperUAV, which has designed the first concept of a silent drone. As a fiber-reinforced 3D composite component printer, Fiberneering plays a crucial role in the (further) development of silent drone technologies into testable prototypes. Sorama is involved as an expert company in the context of mapping the sound fields in and around drones. The University of Twente is involved as a consultant and co-developer, and Research group of mechatronics at Saxion is involved as concept developer, system and user requirement verifier and validator. As an unmanned systems innovation cluster, Space53 will be involved as innovation and networking consultant.
