Cyber security needs a ‘human-centric’ approach

We describe what makes Vertical Structure unique - our 'human-centric' approach.

Written by: Marc Dowie on Jan 23, 2020


In our service descriptions, we talk a lot about having a human-centric approach. Why is that?

Too often, cyber security testing is done by machines looking for anomalies, in the way that machines do.

The market is awash with automated cyber security testing solutions.

Sometimes, after this machine-led testing, applications still contain vulnerabilities that went undetected. On the opposite side is the problem of too many false positives. A penetration test is virtually useless if it flags everything.

When used on its own, machine testing is missing a crucial element.

What’s missing is the individuals who know how to break into your systems.

Hackers, rogue actors – there are many names for them, but it’s a human being who initiates each and every cyber threat. Machines may carry out the execution, but the planning and strategy are very much human acts.

Preventing human-driven threats requires human-like thinking.

What sorts of common human behaviour can result in cyber threats?

  • Developers cutting corners to save time and budget
  • Granting higher (admin) privileges to people who don’t need them, or to people who need them for testing, and then the privileges aren’t revoked
  • Users feeling restricted by security measures and trying to circumvent processes to get their jobs done

To illustrate one example, we were approached by a client that had already put their systems through automated testing multiple times.

But Vertical Structure’s team identified a dangerous loophole in the function for creating a new user on their system. When creating a user, a simple dropdown box allowed you to select whether the user was ‘regular’ or ‘admin’.

Granting the wrong level of user privilege is one of the most common and best-known classes of vulnerability.

However, this isn’t the sort of thing an automated system would pick up – to a machine, it may look normal. To a human, it stands out as oddly placed, and it is clearly dangerous for admin privileges to be granted so easily.
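To make the flaw concrete, here is an added example (not Vertical Structure’s code or the client’s application) that sketches a user-creation handler which stores whatever role the form’s dropdown sends, next to a version that decides the role server-side from who the caller is. The role names, the in-memory store and the audit trail are assumptions for illustration.

```python
# Added example, not Vertical Structure's code or the client's application:
# the user-creation flaw described above (the form's dropdown decides the
# role) next to a server-side check. Names and the in-memory store are
# assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_ROLES = {"regular", "admin"}


@dataclass
class Actor:
    """The authenticated caller making the request."""
    username: str
    role: str


@dataclass
class UserStore:
    """In-memory stand-in for the application's user table plus an audit trail."""
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


def create_user_vulnerable(store: UserStore, form: dict) -> str:
    """The flaw: whatever the dropdown sends is stored as the new user's role.

    Nothing checks who is submitting the form, so any caller who can reach
    the page (or craft the request by hand) can create an admin.
    """
    role = form.get("role", "regular")
    store.users[form["username"]] = role
    return role


def authorize_role(actor: Actor, requested: str) -> Optional[str]:
    """Decide server-side whether `actor` may assign `requested`.

    Returns None when allowed, otherwise a short reason for the refusal.
    """
    if requested not in ALLOWED_ROLES:
        return f"unknown role {requested!r}"
    if requested == "admin" and actor.role != "admin":
        return "only admins may create admins"
    return None


def create_user_hardened(store: UserStore, actor: Actor, form: dict) -> str:
    """Same operation, but the role is validated against the caller, not the form."""
    requested = form.get("role", "regular")
    reason = authorize_role(actor, requested)
    if reason is not None:
        # Refused attempts are logged: a regular user asking for 'admin' is
        # exactly the kind of event a reviewer wants to see.
        store.audit.append(("denied", actor.username, form.get("username"), requested, reason))
        raise PermissionError(reason)
    store.users[form["username"]] = requested
    store.audit.append(("created", actor.username, form["username"], requested, None))
    return requested


if __name__ == "__main__":
    store = UserStore()
    print(create_user_vulnerable(store, {"username": "mallory", "role": "admin"}))
    print(create_user_hardened(UserStore(), Actor("root", "admin"), {"username": "carol", "role": "admin"}))
```

The point is that hiding the dropdown from non-admins in the UI is not enough; the server has to make the decision from the caller’s own authorisation, and refused attempts should leave a trace.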

The team members at Vertical Structure bring a range of different skill sets, including former application developers. These team members know “where the bodies are buried.” Because they’ve developed applications before, they know where corners tend to be cut. They’re attuned to sifting through details of an application that a machine may not prioritise.

In short, they know where to look.

Rob Docherty, Cyber Security Specialist for Vertical Structure, said:

“Being a developer before, I understand how things are built – where a dev team might leave things sitting where they shouldn’t. For example, when you’re building apps to a certain budget, things like authentication might not get enough attention. If an app has an API, there are a lot of corners that can be cut in setting it up.”

Rob also describes how they get to know an application, as a first line of business.

“We act like customers, not testers, at first. We become a regular user, just like anyone using the application. Only when we’ve gained that understanding, do we begin the testing.”

“This is another area that differentiates us from automated testing – a machine isn’t going to use your application and understand how it works first.”

Rob explains how automation is one piece of the puzzle.

“Yes, we do use automated testing in addition to our manual processes, however what we don’t do is throw a piece of software at it and expect it to find all the issues.”

Rob described another vulnerability that a bot wouldn’t have picked up.

Online collaboration applications are becoming commonplace in modern businesses. If someone is granted access to a document on Google Drive, that access doesn’t expire even if the person no longer works for the organisation or has left that team. It remains in their personal Google Drive account.

Rob said, “These types of loopholes might not seem strange to a bot, but we can understand how that could cause security vulnerabilities. Depending on what type of data is held in the Google Drive document, it could be quite a large security failure.”
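The stale-share problem above is something a defender can check for routinely. The following is an added example (not Vertical Structure’s or Google’s code) that audits a list of document shares against the current staff list offline; the share records, the staff directory and the 90-day threshold are constructed sample values, and a real run would read the records from the platform’s sharing export.

```python
# Added example, not Vertical Structure's or Google's code: an offline audit of
# document shares against the current staff list, modelling the problem that a
# share outlives the grantee's membership of the organisation or team.
# The records, the staff directory and the threshold are constructed sample data.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Share:
    document: str
    grantee: str      # account the document was shared with
    granted_on: date


# Constructed sample data.
TODAY = date(2020, 1, 23)
ACTIVE_STAFF = {"alice@example.org", "bob@example.org"}
SHARES = [
    Share("Q4 board pack", "alice@example.org", date(2019, 11, 2)),
    Share("Q4 board pack", "carol@example.org", date(2019, 6, 14)),   # Carol has left
    Share("Customer export", "bob@example.org", date(2019, 3, 1)),    # Bob's grant is old
    Share("Customer export", "dave@gmail.com", date(2019, 10, 5)),    # personal account
]


def find_stale_shares(shares, active_staff, today, max_age_days=90):
    """Return (share, reason) pairs that a human should review.

    Two conditions are checked: the grantee is no longer an active member of
    staff (external and personal accounts are never in the directory, so they
    are caught here too), or the grant is older than `max_age_days` and has
    not been re-confirmed.
    """
    findings = []
    for share in shares:
        if share.grantee not in active_staff:
            findings.append((share, "grantee is not an active member of staff"))
        elif (today - share.granted_on).days > max_age_days:
            findings.append((share, f"access granted more than {max_age_days} days ago"))
    return findings


if __name__ == "__main__":
    for share, reason in find_stale_shares(SHARES, ACTIVE_STAFF, TODAY):
        print(f"{share.document!r} shared with {share.grantee}: {reason}")
```

The age check matters as much as the leaver check: a share to someone who merely moved teams still shows up as a current employee, so the only signal is that nobody has re-confirmed the grant.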

Following the testing with a human touch, the Vertical Structure team summarises their findings with human-centric reports.

“An automated cyber security test might return a 480-page report, full of numbers. It’s almost impossible to understand. Instead of giving clients that, we try to be realistic about the issues we have found, so when we are writing them up, they make a lot more sense,” said Rob.

Vertical Structure is committed to producing human-written and human-readable reporting.

Simon Whittaker, CEO of Vertical Structure, pointed out that it’s not just about finding faults with applications – it’s about giving reasonable advice on how to tighten up security controls.

“When faults or errors are detected, we apply a human sense of proportion to issues as well. We individually decide what level of issue it is. There is always a judgement call to make, and we do that based on our experience rather than just black and white numbers.” - Simon Whittaker
