Investigating System Operators' Perspective on Security Misconfigurations

Dietrich, Constanze and Krombholz, Katharina and Borgolte, Kevin and Fiebig, Tobias

(2018) Investigating System Operators' Perspective on Security Misconfigurations.

In: 25th ACM Conference on Computer and Communications Security.

Conference: CCS ACM Conference on Computer and Communications Security

This is the latest version of this item.

Preview

Text
authorversion-CR-v2.pdf
Download (1MB) | Preview

Abstract

Nowadays, security incidents have become a familiar “nuisance,” and they regularly lead to the exposure of private and sensitive data. The root causes for such incidents are rarely complex attacks. Instead, the attacks are straight-forward, and they are enabled by simple misconfigurations, such as authentication not being required, or security updates not being installed. For example, the leak of over 140 million Americans’ private data from Equifax’s systems ranks among most severe misconfigurations in recent history: The underlying vulnerability was long known, and a security patch had been readily available for months, but it was never applied. Ultimately, Equifax blamed an employee for forgetting to update the affected system, highlighting the personal responsibility of that operator. In this paper, we investigate the operators’ perspective on security misconfigurations to approach the human component of this class of security issues. We focus our analysis on system operators, as although they are the relevant actors managing the affected systems, they have not yet received significant attention by prior research. We follow an inductive approach and apply a multi-step empirical methodology: (i) a qualitative study to understand how to approach the target group and measure the misconfiguration phenomenon, and (ii) a quantitative survey rooted in the qualitative data. We then provide the first analysis of system operators’ perspective on security misconfigurations, and we determine the factors that operators perceive as the root causes. Based on our findings, we provide practical recommendations on how to reduce security misconfigurations’ frequency and impact.

Item Type:	Conference or Workshop Item (A Paper) (Paper)
Divisions:	Katharina Krombholz (Human-Oriented Security, HOS)
Conference:	CCS ACM Conference on Computer and Communications Security
Depositing User:	Katharina Krombholz
Date Deposited:	23 Oct 2018 09:21
Last Modified:	18 Jul 2019 12:12
Primary Research Area:	NRA5: Empirical & Behavioral Security
URI:	https://publications.cispa.saarland/id/eprint/2729

Available Versions of this Item

Investigating System Operators' Perspective on Security Misconfigurations. (deposited 25 Aug 2018 19:58)
- Investigating System Operators' Perspective on Security Misconfigurations. (deposited 23 Oct 2018 09:21) [Currently Displayed]

Actions

Actions (login required)

View Item