Friday, 14 December 2012

Do Better Technical Controls Increase People Focused Attacks?

Technical controls are often the default security response for many organisations.  When I refer to technical controls, there is obviously a people element to that, from a design and implementation perspective, but ultimately the control is focused on a piece of hardware or software.  For example, cryptographic algorithms have continued to evolve over the last 40 years, to levels which allow them to be computational secure and can be used on a wide scale without major concern.  PKI and other crypto infrastructures are often too focused on the algorithms; hardware security module usage and technical touch points, than for example, the people related process and awareness.  It is all very well having an industry standard algorithm, but that becomes less useful if a user doesn't protect the un-encrypted payload when it’s at rest, or allows it to be stored in temporary memory for example.

Casually thinking of the default security controls for many organisations and many are in fact software or hardware related: antivirus, firewall, intrusion detection systems, encryption, data loss prevention systems or security information and event monitoring solutions.  The focus is on faster, stronger or cheaper software or hardware technology.

People as an attack vector

People play a critical role in the security landscape of an organisation.  From a design and implementation perspective from those working under a chief information security office or security ops team, right through to non-IT related individuals, all can be seen as a potential attack vector and therefor, a threat to an organisations information assets.
System accounts are created for individuals.  Staff, have physical security badges and proximity cards.  Audit trails are linked in real people (or should be). 

More than one way to skin a cat

The last 24 months has seen a significant rise in the number of external or cyber related attacks.  These attacks have either been advanced persistent threats using advanced evasion techniques, or simple “hacktivist” style approaches, would undoubtedly have utilised, an internal account to gain unauthorised access.  That account is likely to have already existed, have permissions (or enough to start a privilege escalation process) and might also be assigned to a real person, as opposed to a service or system account.
However, to gain access to an initial password, a hacker would always choose the simplest and most cost effective (from a time and money perspective) method of entry.  If a user’s complex password or passphrase is hashed using a salt, and algorithm that is computational secure – resulting in say 400 years of brute force protection, why bother attempting to crack it, if you can use more subtle methods?

Increase in social engineering

People are undoubtedly the biggest threat and biggest asset to an organisations security position.  Social engineering can be seen as a more direct approach to exposing real security assets such as passwords, processes, keys and so on.  Via subtle manipulation, carefully planned framing and scenario attacks, through to friending and spear phishing attacks, people are increasingly becoming the main target, as technologically is seen to becoming more secure and more expensive to crack.