As our dependence on being connected to the internet grows, so does our need to protect our data and improve our resilience to cyber-attacks.
The online world is an environment dense with sensitive information, which inevitably attracts those who want to steal it for their own gain. Cybercriminals. Cyber-attack. Data breach. We see these words across headlines all too often and knowledge in the wrong hands can have disastrous consequences.
Two of our computer scientists are working on different research projects but are connected by a common thread, cyber-attacks.
Dr Rizwan Asghar’s research has investigated which websites are vulnerable to cyber-attacks so that these areas of weakness can be addressed with better protection methods. Whereas Dr Danielle Lottridge’s expertise lies in understanding how people interact with technology. Her research explores the human-system interaction of a type of cyber-attack, phishing, so people can be more resilient to such attacks with the support of better design.
Phishing: reeling in human error
Phishing attacks can be deployed in the form of an email scam. “A single successful phishing attack can completely ruin a company and can completely ruin an individual’s life if they’re being blamed for that,” says Danielle. “It’s tragic what can happen, and it can cost hundreds of thousands, if not millions of dollars.”
Her research project looks at phishing susceptibility and how the problem of phishing can be approached in a way that’s constructive, productive and is understanding of how situations can make people susceptible.
“I bring to it a systems perspective,” she explains. “So as people, we tend to be very individual focused. If a problem happened, we usually point to a person and say, ‘that’s your fault’. Whereas we might be in a system that makes some people more prone to commit these errors than other parts of the system.”
Funded by IBM, Danielle collaborated with an interdisciplinary team for the project which included Associate Professors’ Giovanni Russello, Yun Sing Koh, and Paul Corballis, Professor Robert Biddle, Dr Jude Buckley, and PhD candidates Jacinda Murphy and Sijie Zhuo.
Jacinda, Paul, Jude and Danielle worked together with a financial institution to create a phishing simulation, which was emailed to over 4,000 employees. Then they observed two behaviours: the employees who clicked on the phishing links and those who recognised and reported the scam.
“This particular line of research really does benefit organisations and it’s fantastic to be able to collaborate with organisations to do it,” says Danielle.
The human element
So far, Danielle’s team has found certain predictors for phishing, related to age, job type and the amount of training employees have done.
“One of the most mysterious ones is job type,” she says, as one particular job type was more susceptible to phishing, and they are yet to understand the reason. “Is that job type receiving more email? Is it something inherent in the types of tasks that are related to that job?” says Danielle.
“So instead of being focused on an individual and their susceptibility we now understand we’re looking at groups of people.” As a result, the company can consider customizing settings such as firewalling around those groups to shield them from phishing attacks more effectively. In the future, she envisions more dynamic design interventions, which are deployed in moments of greater susceptibility.
She says digital wellbeing also plays a factor. “If you haven’t gotten enough sleep and you’re stressed out, you may be more likely to fall for a phishing attack. So, we need to take care of our employees and there’s yet another reason to care about their health because when people are doing well, that ultimately keeps the organisation safe.”
How secure is online data?
As a cybersecurity expert, a broad theme of Rizwan’s research is combating cyberattacks. “One key focus of my research is to investigate potential weaknesses in providing a secure communication channel over the internet,” he says.
For the past five years, he has been collaborating with Computer Science colleague Dr Qinwen Hu on a research project focused on the security protocol HTTPS or Hypertext Transfer Protocol Secure – the familiar lettering you see at the start of your website URLs.
Rizwan and Qinwen investigated the HTTPS security level of the top one million domains listed by Amazon’s web analytics provider, Alexa. Among the domains were banking, e-commerce, government, and education websites.
“We evaluated the domains by launching three large-scale measurements to assess the security risk of the current HTTPS configuration and track the historical changes in mitigating HTTPS vulnerabilities discovered since 1993,” explains Rizwan.
“The main driver for this research project was to analyse whether domain administrators ignored the well-known security issues or patched them. This would suggest whether hackers can use those vulnerabilities or require more sophistications in mounting cyber-attacks.”
Their research found that of these one million domains, five percent of the 720,000 HTTPS-enabled servers were still vulnerable to one or more known forms of cyberattack in 2018, although in 2020 they saw an improvement when it dropped to 0.01 percent.
“However, it is worth mentioning that 72 HTTPS-enabled servers are still vulnerable to one or more known forms of cyberattacks discovered in the last three decades,” says Rizwan, pointing out that it took multiple years for these domains to fix many of those vulnerabilities.
“The lesson we can learn is attackers can get enough time to exploit such vulnerabilities.”
Rizwan says these domains unfortunately still use out-dated security protocols, weak key exchange methods and even expired certificates.
“These are straightforward loopholes that can easily be addressed and there are already some patches and updates.”
But now the nature of the attack is becoming more sophisticated. “So even if we ignore this aspect of whether the system is updated or not, the attackers are creating more sophisticated attacks,” he says, such as using ransomware, as seen in the Waikato DHB case earlier this year.
Protecting our data
The findings from this research project will help to provide a safer cyber environment. It will also enable organisations to protect their IT infrastructure from cyber-attacks which “can save businesses from catastrophic financial or even human loss”, says Rizwan.
“In my opinion, New Zealand is seriously lacking a crisis management plan for dealing with cyber-attacks as we can see in the case of Waikato District Health Board. Also last year, we had attacks on the New Zealand Stock Exchange. I think this is where New Zealand should be having a proactive approach instead of a reactive approach to deal with cybersecurity or cyber-attacks.”
Eyes on Tāmaki
It’s one thing to protect yourself from cyber-attackers looking to steal data, but what about the data that we give access to freely? Danielle and University colleague’s Dr Ethan Plaut from Arts and Dr Fabio Morreale from Creative Arts and Industries, collaborated with Auckland Museum to create Eyes on Tāmaki, an exhibition within the Tāmaki Herenga Waka: Stories of Auckland galleries.
Visitors can interact with a touchscreen that looks like a larger-than-life smartphone, putting themselves into the story with face filters and giving their opinion about regulation of facial recognition. The experience raises awareness around data privacy, facial recognition technologies and who is collecting and using personal information. The survey findings will be part of a paper the academics are working on around data privacy, which Danielle says could potentially inform municipal policy.
Consumers aren’t offered much choice when it comes to data collection options, says Danielle. “You either agree to the terms of service or you don’t use the tool. This needs to change.”
As technology evolves and cybercrime no doubt along with it, research that strengthens our cybersecurity, uncovers vulnerabilities, and explores how we humans behave and interact with our computers and smartphones is vital in ensuring we are prepared to combat cyber-attacks and keep our online information and our communities safe.
This article appears in the December 2021 edition of inSCight, the print magazine for Faculty of Science alumni. View more articles from inSCight.
Disclaimer: The ideas expressed in this article reflect the researcher’s views and not necessarily the views of The Big Q.
You might also like:
Is cyber security a people problem?