From curiosity to convenience...why security keeps getting harder, pt. 2

"Every year our job gets easier. Between Facebook, Instagram & Flickr, people are surveilling themselves." - Agent Coulson


Marissa Mayer, CEO of Yahoo, recently revealed that she doesn't use a passcode on her phone. In a nutshell, unlocking it 15 times a day is too annoying. I understand that, because I don't use one for exactly the same reason. However, I'm not the head of a multi-billion dollar corporation, and I have to imagine she has access to more important things on her phone than Words with Friends. It's simply a matter of risk management. Mine is relatively low. Hers, not so much.


Security is already getting harder for a variety of reasons. Thinking about what could happen if she lost her phone (pwned in a matter of seconds if "recovered" by the wrong person) reminded me that the most underrated element of any successful security program is, more often than not, the human one. I frequently tell audiences that it's only a matter of time before an application exploit causes physical damage in the real world. A host of exploits, ranging from overheating web-enabled coffee makers to causing pacemaker malfunctions, have already been well documented. The converse, using physical means to defeat digital security, especially via social engineering, is already here. As much as applications are the weak link in IT environments, humans are still the weak link in the security ecosystem.


Rapid7 recently found this out the hard way when a spoofed change request form, faxed to their domain registrar, allowed their domain to be hijacked. The bitter part of that lesson is that it would be a stretch to call it their fault, yet they suffered the consequences regardless. There are myriad other examples. An extreme version involves tailgating smokers back through the door to bypass badge requirements and gain access to a building. How hard would installing malicious software on the network really be at that point? In most instances, though, using physical means to further an attack carries little or no risk for the attacker. I wrote an article a couple of years back about how often thumb drives with corporate logos, dropped in parking lots, are subsequently found and plugged in (90%!), and it still remains relevant today. Even hotel card reader exploits are relatively low risk, all things considered.


The bulk of any successful hack is reconnaissance and information gathering. Hackers do their homework, in other words. With social media now providing the blueprint, we'll see more focused attempts at using physical means to install malicious software. For instance, if I tweeted that I went to a specific concert, and I just happened to receive a free promotional CD in the mail the following week, I wouldn't think twice about playing it. It would be easy to assume it came from Ticketmaster or Columbia or whomever. And therein lies the problem. From curiosity to convenience, one of the reasons the complexity and difficulty of security keeps increasing is that we keep making it harder for ourselves. The fault, dear Brutus, is not always in our security... it's often in ourselves.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation