Technical controls are often the default security response for many organisations. When I refer to technical controls, there is obviously a people element to that, from a design and implementation perspective, but ultimately the control is focused on a piece of hardware or software. For example, cryptographic algorithms have continued to evolve over the last 40 years, to levels which allow them to be computationally secure and used at wide scale without major concern. PKI and other crypto infrastructures are often too focused on the algorithms, hardware security module usage and technical touch points, rather than, for example, the people-related processes and awareness. It is all very well having an industry standard algorithm, but that becomes less useful if a user doesn't protect the unencrypted payload when it is at rest, or allows it to be stored in temporary memory, for example.
Casually list the default security controls for many organisations and most are in fact software or hardware related: antivirus, firewalls, intrusion detection systems, encryption, data loss prevention systems or security information and event monitoring solutions. The focus is on faster, stronger or cheaper software or hardware technology.
People as an attack vector
People play a critical role in the security landscape of an organisation. From a design and implementation perspective, from those working under a chief information security officer or security ops team right through to non-IT related individuals, all can be seen as a potential attack vector and therefore a threat to an organisation's information assets.
System accounts are created for individuals. Staff have physical security badges and proximity cards. Audit trails are linked to real people (or should be).
More than one way to skin a cat
The last 24 months have seen a significant rise in the number of external or cyber related attacks. These attacks, whether advanced persistent threats using advanced evasion techniques or simple "hacktivist" style approaches, would undoubtedly have utilised an internal account to gain unauthorised access. That account is likely to have already existed, to have permissions (or enough to start a privilege escalation process) and might also be assigned to a real person, as opposed to a service or system account.
However, to gain access to an initial password, a hacker will always choose the simplest and most cost effective (from a time and money perspective) method of entry. If a user's complex password or passphrase is hashed using a salt and an algorithm that is computationally secure, resulting in, say, 400 years of brute force protection, why bother attempting to crack it if you can use more subtle methods?
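To put a number on the brute force claim above, here is an added Python example (not from the original post) that stores a password as a salted, iterated hash and estimates how long exhausting a keyspace would take against it. The iteration count, attacker hash rate and password policy in it are assumptions, not figures from the post.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Assumed work factor (not from the post): PBKDF2-HMAC-SHA256 iterations.
ITERATIONS = 600_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


def effective_guess_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """Each guess costs `iterations` hash computations, so the guess rate drops accordingly."""
    return raw_hashes_per_second / iterations


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to exhaust every password of `length` over `alphabet_size` symbols."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    # Constructed attacker capacity: 1e10 raw SHA-256 computations per second.
    rate = effective_guess_rate(1e10, ITERATIONS)
    # Assumed policy: 12 characters over the 95 printable ASCII symbols.
    print(f"years to exhaust keyspace: {brute_force_years(95, 12, rate):.0f}")
```

The estimate only bounds an exhaustive search; the post's point is that an attacker who can obtain the password from the person never has to pay that cost.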
Increase in social engineering
People are undoubtedly the biggest threat and the biggest asset to an organisation's security position. Social engineering can be seen as a more direct approach to exposing real security assets such as passwords, processes, keys and so on. Via subtle manipulation, carefully planned framing and scenario attacks, through to friending and spear phishing attacks, people are increasingly becoming the main target, as technology is seen to be becoming more secure and more expensive to crack.