Mon, 20 May 2024 22:36:49 -0700WeeblyWed, 20 Jul 2016 15:39:47 GMThttp://absolvesecurity.com/blog/trust-down-the-rabbit-hole
In security, we sometimes see trust a failure.  We especially find the idea that people trust systems they haven’t tested to be a sign of weakness or stupidity.  There is a ton of rhetoric this year in the US around why you shouldn’t trust the presidential candidates, the police, protesters, and pretty much anyone you don’t directly know well.  Perhaps this is the safest approach, but I would argue that it causes us to miss some of the most amazing parts of being human.

I would argue that our society is based on the idea that we can trust people to behave in a cooperative manner a high enough percentage of the time to take reasonable risks.  While we seem to take fewer chances today, only the most risk-averse around us avoid risk at all costs.  We send our kids away on the bus, trusting that they will get to school and be safe there.  We lock our doors, trusting that someone probably won’t pick the lock.  We post on the Internet, most of the time assuming we won’t be stalked. 

Sometimes we have the most amazing experiences when we decide to trust when we don’t have proof.   That isn’t to say that bad things, horrible things don’t happen as well, but some of the best vacations, opportunities and adventures are found when we decide to take a chance that someone isn’t an axe murderer. 

On the other hand, sometimes we find ourselves in a twilight zone of finding out that the world we’ve built around us is completely untrustworthy, and the consequences are dire.  We find ourselves physically hurt, lacking the opportunities and things we need to take care of ourselves, or feeling like we must be going crazy.  We may fall into the trap of being unable to trust anyone, and as such, being unable to move forward.  This is particularly damaging when the damage comes from people close to us, whom we let our guard down with. 

For me, this is why preventing social engineering attacks programmatically is so important.  Teaching people not to trust anyone ever leads to the kind of society I don’t want to be a part of.   No more trick-or-treating for the kids, no more walks around the neighborhood, no more transactions with any risk involved.

The problem with social engineering today is three-fold.  First, the percentage of scams or attacks verses trustworthy interactions has gone up.  Most of us have only run into a street scam a few times in our lives (depending on where you live and travel), but we see email scams daily.  This is due to factors such as scalability of attacks, increasing the ability to perform remote attacks, and the lowered cost of attacks.  Secondly, the possible benefits to an attacker are higher, especially compared to the cost of performing the attack.  While physical harm may create far more harm, the actual benefit to the attacker of IP or money may be higher.  Thirdly, there is a smaller chance that the perpetrator will face significant punishment for the attack.

How do we go about reducing the risk of social engineering without eroding people’s desire to trust?  Much like the traditional analysis of the economics of an attack, we focus on changing the factors that are driving up social engineering attacks.  We find ways to reduce the likelihood that an interaction is not trustworthy.  We reduce the benefit an attacker is able to gain from any attack.  Finally, we find ways of providing negative consequences for attackers.  Over the next few weeks I’ll explore ways of doing each of these things.

A quick thank you to my anonymous yard penpal, White Rabbit, for inspiring this post. 

]]>Sat, 16 Jul 2016 22:33:01 GMThttp://absolvesecurity.com/blog/first-do-no-harm

A friend sent me a link to Healthcare workers prioritize helping people over information security (disaster ensues) as a great example of what happens when security isn’t designed for the users of the system.  For example, “Other IT-based checks forced even-more-dangerous workarounds, like the system that wouldn't let doctors save work without ordering potentially lethal blood thinners, which they'd have to remember to log back in and cancel, or kill their patients.” 

When my girls were born very prematurely, I had a chance to spend many months experiencing how hospitals work day to day.   I can attest to how busy our doctors and nurses were, and how many details they needed to remember.  I have seen doctors rush from one wing to another to save a little girl who has turned blue (but is now a happy 8 year old).  One of my daughter’s nurses committed suicide years after we left the hospital after she had made a mistake on a medication.  It is no wonder that medical professionals work around security when it gets in their way.  In many cases they are weighing the risk of a data leak vs. a medical emergency that is in progress. 

The best thing we as security professionals can do is to find solutions that not only help protect data, but also help catch medical errors, and assist professionals in an emergency.  Auditing is one solid area for this.  Another is to find better biometrics that don’t require physical touch (to cut down on germs), and have smart overrides in an emergency (allow access anyway but call security to come verify once the crisis is under control).  The work done on Microsoft’s Kinect and Amazon’s Echo come to mind as technologies that may help move research forward in this area.

The next time you’re at the doctor, or at a hospital, ask about how the data security system is working for the people you depend on.  What do they like? What would they change?  What do they work around?  How would you make their life easier so they can concentrate on treating you or keeping you well?

Questions or comments?  ellen@absolvesecurity.com. 

]]>Fri, 08 Jul 2016 01:04:57 GMThttp://absolvesecurity.com/blog/crisis-modeSecurity policies often contain safeguards, delays, limited access, or other controls designed to reduce risk impact.  However, most companies are unwilling to allow these controls to prevent necessary action in a crisis or critical situation.  This means that many security policies have built in loopholes from the beginning, or that they are added when response to a critical non-security issue is more difficult due to the controls. 

Hospitals are a classic example of this.  If a patient drops to the floor in a faint, the medical professionals nearby need to be able to access the patient’s records to find out allergies, medical conditions and medications so they can start helping them quickly.  However, medical records are very sensitive.  Fortunately, there are few cases where a highly paid professional would risk their employment reputation in order to peek at a few records.  Due to this, auditing along with smart velocity controls can reduce the risk of data leakage without compromising patient safety. 

How do you approach planning for urgency?  First, design security policies with the need to react to issues in mind.   Consider options such as a team of trusted people who have access to override controls, requiring more than one signoff for overrides, and creating tools to handle any common urgent issues.   Create an alerting system to make sure the security team is engaged as soon as possible.  Set up auditing so the people who are able to take high impact actions cannot turn it off. Finally, educate your PR and field staff in advance, so they can provide clarity to customers when issues do take longer to solve because you are safeguarding their data. 

Do you have examples of effective steps for reducing security risk during a crisis?  If so, please send them to ellen@absolvesecurity.com.

]]>Tue, 28 Jun 2016 18:14:11 GMThttp://absolvesecurity.com/blog/dont-blame-the-victim-butYesterday, a group of friends and I were discussing differences between when we were growing up and today. I still remember some of my phone numbers from when I was a kid, but can't remember my partner's number, or even my daughter's number. Have we gotten lazy with the advent of technology? Maybe, although the fact that we don't have to dial numbers in most cases anymore may be more of it. That got me thinking about what we do spend our energy memorizing that we didn't before.
This morning I came across this: "LinkedIn data breach blamed for multiple secondary compromises" and it got me thinking. What do I spend all that energy on? Passwords.

How many different passwords do you use each day? How many do you only use occasionally? How do you save or remember them? Some people use protected files, so use paper, some use online applications. I even know someone who wrote their own password generator that they can use to recreate passwords. Many of us use some combination of memory, other methods, and hope.

Unlike many of the topics I'll discuss in this blog, I haven't yet seen a truly elegant and safe way to manage all passwords. Applications are probably the best option out there today, although there is always the risk of a data breech, someone figuring out your root password, someone social engineering the company into giving them access, or losing your own access. Two factor auth works great for a small number of highly valued systems, but no one wants to carry around an object from every company they do business with. Phone code generators are another good option, as long as you aren't likely to lose your phone and have a hard to guess passcode. Have you seen something in the area of identity management that you think truly changes the playing field? If so, I'd love to hear about it. Until then, understand what you're trying to protect in each case, who you need to protect it from and how much security you need for that system, and make a reasonable choice. And of course, if a system you are a customer of has a data breech, make sure to change that password, as well as any you've used on other sites that would be guessable from the first one.]]>Tue, 28 Jun 2016 18:14:04 GMThttp://absolvesecurity.com/blog/setup-for-successThis morning I was reading The Role of Human Error in Successful Security Attacks.  As I read it, I found myself feeling empathy for the employees who are the targets of such attacks. For example, "These tools can also prevent users from engaging in inappropriate behavior, such as sending documents home via email or placing them on file-sharing sites or removable media such as USB sticks. " I can just see an employee sitting at their desktop at work, realizing that they have to go pick up their son from daycare right now, but their project is due tomorrow. Of course they are going to take it home via personal email or USB stick if that's the only way they can work on it from home. You can't leave a small child home sleeping while you go back to work, and missing the deadline could have significant career consequences.
Being in the field for many years now, I often see us security experts espousing guidance that makes running the business difficult. Certainly some tradeoffs are necessary, but people will work around any security boundary that makes it hard or impossible to do their job. We hire amazing scientists, recruiters, engineers, marketing professionals and the like, and then suddenly expect them to be security experts and produce results in the same time frames and at the same quality levels even as we put security hurdles in their way.

Is there a way to enable our people to focus on doing what they are amazing at, without unacceptable security risks? Can we make doing the secure thing the path of least resistance? In this blog I'll be exploring common social engineering issues, and ways we might alter the system to increase protection without impeding the business.]]>