
Do Better Technical Controls Increase People Focused Attacks?


Technical controls are often the default security response for many organisations.  When I refer to technical controls there is obviously a people element, from a design and implementation perspective, but ultimately the control is focused on a piece of hardware or software.  For example, cryptographic algorithms have continued to evolve over the last 40 years to the point where they are computationally secure and can be used at wide scale without major concern.  PKI and other crypto infrastructures are often too focused on the algorithms, hardware security module usage and other technical touch points, and not enough on the people-related processes and awareness.  It is all very well having an industry standard algorithm, but it becomes far less useful if a user does not protect the unencrypted payload when it is at rest, or allows it to be written to temporary storage, for example.

Casually list the default security controls for many organisations and most are in fact software or hardware related: antivirus, firewall, intrusion detection systems, encryption, data loss prevention systems or security information and event management (SIEM) solutions.  The focus is on faster, stronger or cheaper software or hardware technology.

People as an attack vector

People play a critical role in the security landscape of an organisation.  From the designers and implementers working under a chief information security officer or in a security operations team, right through to non-IT individuals, everyone can be seen as a potential attack vector and therefore a threat to an organisation's information assets.
System accounts are created for individuals.  Staff have physical security badges and proximity cards.  Audit trails are linked to real people (or should be).

More than one way to skin a cat

The last 24 months have seen a significant rise in the number of external or cyber related attacks.  Whether these attacks were advanced persistent threats using advanced evasion techniques or simple "hacktivist" style approaches, they will almost certainly have made use of an internal account to gain unauthorised access.  That account is likely to have already existed, to have had permissions (or enough to start a privilege escalation process) and may well be assigned to a real person rather than to a service or system account.
However, to obtain an initial password, an attacker will choose the simplest and most cost effective (in time and money) method of entry.  If a user's complex password or passphrase is salted and hashed with a computationally secure algorithm, giving, say, 400 years of brute force protection, why bother attempting to crack it when more subtle methods are available?

Increase in social engineering

People are undoubtedly the biggest threat to, and the biggest asset for, an organisation's security position.  Social engineering can be seen as a more direct approach to exposing real security assets such as passwords, processes and keys.  From subtle manipulation, carefully planned framing and scenario attacks, through to friending and spear phishing, people are increasingly becoming the main target, as technology is seen as becoming more secure and more expensive to crack.
