Monday, April 18, 2011

Advanced Persistent Threat: New title, same old book

One of the things that I wish Information Security didn't have to deal with is catchy marketing terms. Remember "Web 2.0"? Fancy JavaScript with a little sprinkle of XML on top... We already had it, it just didn't have a good name that could be sold to the people with the money. What about the current term, "The Cloud"? The cloud has been around for a while; it used to be called SaaS (Software as a Service) or PaaS (Platform as a Service), but those names were too technical and didn't catch on. It's basically hosting your data and/or applications on someone else's servers in someone else's data center. It's been around for a while. It's risky, but so is trying to run your own data center.

Same thing with the new term that is making the rounds in the media: the "Advanced Persistent Threat (APT)". The funny thing is that it, too, has been around for quite some time. It just didn't have a good marketable term yet. We have come up with good terms for most/all of the single-avenue threats that we have uncovered so far, but what should we call it when someone decides to put a bunch of them together and make a new puzzle from the same pieces? Today, we apparently have decided on APT; tomorrow, your guess is as good as mine. It is one of the hardest attacks to defend against because there is no signature for it. No single thing can defend against it. It typically starts with the weakest link in the InfoSec armor: humans. It doesn't seem to matter how much we train and try to make people aware of what is out there; all it takes is a single moment of weakness and clicking before thinking... Trying to defend an Enterprise, we in InfoSec have to get it right every time. The guys/gals trying to get in only have to get it right once. That honestly sucks from the defender's position.

You probably haven't seen a product or signature that promises to solve your APT problem; that's because one doesn't exist and, in my opinion, would be near impossible to build. To me, APT is very similar to Application Security in that it is more about the People and Process and less about the tools. Not that tools aren't needed, but they cannot fix/block the problem by themselves, and check-boxing will not work. Whitelisting would be nice, but the users we are trying to protect seem to like access to things to get their job done. More to come later...

Wednesday, March 30, 2011

The weakest link with user passwords may not be the password...

We see a lot of coverage about how you need to have a "strong" password for all of your accounts, and you do what you can to create one that you remember. It's not easy, and different people settle on different patterns: combinations of birthdates and/or names, acronyms that should only make sense to you, or the ever popular favorite 6-8 letter word with the first letter capitalized and a number between 1 and 99 added on the end so we can increment it easily and still meet the minimum requirements of a "strong" password... (You know you have done that before...) Humans are built to be pattern based, and we will each find our own pattern to follow. That's why, many times, once one password to one site is compromised for a user, it isn't too difficult to start breaking/figuring out the others, and it snowballs from there.

What we don't see a lot of is how to protect the backside of your account, the "Forgot Password" functionality. I see way too often that the forgot password option asks the user to set up questions whose legitimate answers are public knowledge. This really defeats the whole purpose of trying to identify the user with a high level of assurance that they are who they say they are. It is supposed to be "something you know...", but what is left off is the rest of the saying: "... that others don't." Standard questions in the forgot password section don't really help: "Where did you go to high school?", "What is your dog's name?", "What is your favorite color?", and other similar questions. For many people, the answers to these questions are in the public record for others to see. Forum posts, Facebook status updates, the never-ending cute surveys of "25 things about you", and many other places contain the answers to your forgot password questions... On top of that, many times the forgot password option allows someone to type in the email address they would like the password (or reset link) to be sent to. I understand that sometimes the user might have changed email addresses, but this makes it oh so easy for someone with less than honorable intentions as well.
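The reset flow the post criticizes next to a hardened one, as an added example that is not from the original post: the hardened version ignores any requester-supplied address and delivers only to the email on record, stores only a hash of a short-lived, single-use token, and answers unknown usernames with the same response shape. The user store, the 15-minute TTL and the function names are constructed for illustration.

```python
import hmac
import secrets
import time
from hashlib import sha256

# Constructed sample user store: the only email a reset may ever go to.
USERS = {"alice": {"email": "alice@example.com"}}
# Pending resets keyed by the SHA-256 of the token, so a leaked copy of
# this table cannot be replayed as a token.
PENDING = {}
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (constructed value)


def start_reset_weak(username, requested_email):
    """The pattern the post warns about: the requester picks the destination."""
    return {"to": requested_email, "token": secrets.token_urlsafe(32)}


def start_reset(username, requested_email, now=None):
    """Hardened: requested_email is accepted for API compatibility but never used."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Same response shape for unknown users, so the endpoint does not
    # confirm which usernames exist.
    if user is None:
        return {"to": None, "token": None}
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING[sha256(token.encode()).hexdigest()] = {
        "user": username,
        "expires": now + TOKEN_TTL,
    }
    return {"to": user["email"], "token": token}


def redeem(token, now=None):
    """Return the username for a valid token, consuming it; None otherwise."""
    now = time.time() if now is None else now
    digest = sha256(token.encode()).hexdigest()
    # Compare against every stored digest in constant time rather than a
    # plain dict lookup, so timing does not reveal partial matches.
    match = None
    for stored in PENDING:
        if hmac.compare_digest(stored, digest):
            match = stored
    if match is None:
        return None
    record = PENDING.pop(match)  # single use: valid or not, it is gone now
    if now > record["expires"]:
        return None
    return record["user"]
```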

Sometimes I try to answer the questions with answers that don't really seem to make sense so that they can't be easily guessed, but sometimes my answer is hard to remember. I like the sites that let me type in my own question and answer, which allows me to pick questions/answers that should (hopefully) only make sense to me. Now, I know that for some people this may not work that well, as they may enter really simple questions so that it is easy for them to remember, but I like having the option.

As we get further and further into the information age, and more and more information about us is publicly available, it is getting harder to implement the "what you know" authentication factor with a high level of assurance.

Tuesday, November 30, 2010

Introductions

I kind of had security dropped in my lap one day about 6 years ago. I signed up to be a developer for an Identity Management system, and a couple of months later had Application Security responsibilities handed to me. After three years as the technical lead, I moved up to manager of the team. After a couple of years as a manager (I started writing applications for the iPhone to satisfy my need to write code), it was time to move on from consulting with teams on how to secure their applications to getting my hands dirty and doing it myself. So I moved into an Enterprise Architecture team and took over responsibilities for the Security API and an Enterprise Application Authorization system. And that is where I am at the moment: helping teams properly implement authorization in their applications. More to come on that at some point...