Invest in your User

Last week I was one of the speakers at an ISACA Chapter event on mobile computing security. I was thrilled to be invited, not only because Malta, even in April, was always going to be warmer than Scotland, but because this is such an important area for discussion.  To have the chance to present my more psychologically based perspective alongside well respected professionals in the field was a privilege.

I find it hard, after so many years of trying to sell my services as a ‘User focused Info Sec Specialist’, not to be excited that the growth of the use of mobile devices  means that business and other organisations must finally confront the fact that not all Information Security can be solved by a combination of:

IT Security + Blame the User

When data leaks because the user fails to follow policy or procedures regarding their device we should no longer just cast eyes to heaven and say “What else can we expect from users? After all they are the weakest link”

Weakness in any system should draw the challenge to add effort, and even specialist expertise.  Just because we are all human, it doesn’t mean we are all experts in dealing with people.  If we were there would be far fewer family arguments for a start!

Mobile computing means that most of the time the organisation cannot be sure how securely their staff are in their device use.  There is also the tricky possibility that the policies and controls, which are designed to ensure secure working on the move, are actually incompatible with the work staff are employed to do.  Do you have a way to gather that sort of feedback and the means to find a solution?  Is it ever used? If it isn’t, given staff will always moan, that indicates that for some reason this may not be perceived as a useful communication channel.  In that case then the reason for that needs to be understood and a solution found.  If staff are struggling to work securely you need to understand why.

Also, and this is a fundamental point that was echoed through a number of the presentations last week, do you fully understand the nature of the risks that mobile working brings to your organisation?Is it the issue of data interception when staff use open WiFi? Is it the content, or access to content, that the loss of a device can mean? Is it the potential corruption of data by malware downloaded when a device is shared; for example with a child on a long journey? There are a whole range of risks, but we can only target education, guidance and controls when those risks which are appropriate to the specific organisation are identified.

For a long time I have stood in front of a variety of audiences and discussed how managing the user can be sufficiently tricky that getting the insight of a specialist is a sensible investment.  Ensuing discussions generally brought enthusiastic agreement, but then explanations that, while they, as Info sec professionals appreciated my skill-set their budget holders couldn’t.  Sorry, they would have to use their own common sense.

I wonder how organisations deal with a blockage in the toilets?  After all many people can fix minor plumbing problems in their own home.  Surely the company could save a fortune using the skill of their staff to deal with such minor repairs.  Am I being flippant?  I don’t think so. Organisations, and sadly especially information security budget holders, are being flippant.  They continue to resist calling in specialists in the user interface because we don’t come in nice shiny boxes (although I could if required of course) and we do something that they believe they really ought to be able to do without.

Most of all I want to stress that mobile information security management is about understand risks and devising workable solutions.  Neither of these elements are totally technical.  Business has to accept that they need to be able to gain the co-operation of staff to make mobile information security effective and even occasionally be brave enough to get help to do so efficiently and effectively.

 

“Security by design still not a reality, says security veteran.”

Just pinged into the endless “stream of consciousness” that, mixed with the various spam, money-off, and administrivia that constitutes my email in-box, comes a Computer Weekly article.

Security by design will have to happen eventually, but will come little by little unless there is some catastrophic event that will move things along a bit quicker.

Hmm. Interesting. I was at the HMG IA Practitioners event mid-week and one of the very interesting comments there was from one of the speakers, I’m fairly sure it was from McAfee, and he was quite keen that “security by design”, whether we are there or not, is insufficient, in that it brings security in too late in the project process – often at the detailed design phase. What is needed is actually “security by default” where security is designed in not just to the supporting technology but to the underlying business processes that technology is designed to support.

This closely mirrors work I did in the financial sector where we made new projects not just get sign-off from Information Security, but from the business area’s own counter-fraud specialists. This was in response to a number of “interesting” marketing exercises undertaken by one business area which were uniformly reported as phishing attacks by the by-then-fairly-experienced customer base.

Admittedly, the speaker then highlighted McAfee’s “DeepSAFE™”* technology as an example of “security by default” whereas I think that is clearly an example of “security by design” – in that your architecture still has to implement the relevant controlling software and that it still won’t protect a flawed business process.

A return to a theme on Identity Theft

Back in 2008, Identity Theft was the gossip topic of the year for information security and a right lot of muck was being spread around the fields of industry. Trying to help make some sense of things and introduce a bit of reality into the “30% of people suffer from ID theft” statistics, I proposed a “Taxonomy of ID Theft” in an article1.

Today, a colleague queried a dodgy looking statistical statement in a piece of security advice:

In 2013, 36% of UK internet users reported that they had been the victim of online identity theft.

Looking at the original piece of research, an Experian paper from 2013, that says:

36% of UK internet users in the survey state that the had been the victim of ID or device theft in the past.

So, the original statement is both incorrect (in that it both excludes device theft and expressly limits Identity Theft to the online realm) and misleading, in that there is a significant implication that the identity theft occurred in 2013 rather than the reporting. Of course, the survey was based on a limited methodology (2,249 interviews) and the report itself didn’t not claim any significant status for that finding (“It appears that …”)

But one of the key issues that this statistic (even the correct one) does not address is what actually is “identity theft”. In the demonic rhetoric of the media, this is evil people taking over your life – running up debts, drawing benefits and committing crimes, under your name. However, in the basic statistics, I expect that much lower impact crime is included – having your credit card cloned or your bank account phished. These do cause both loss and, often worse, considerable inconvenience but they are usually relatively quickly dealt with. And technical controls have been and are continuing to be introduced, not always obvious to the customer, which will assist in preventing or mitigating this level of crime.

I originally proposed a taxonomy that climbed from misuse, to abuse, to account takeover, and then fraudulent account opening, before you get to the heights of actual “identity theft”. Things, since then have got more complicated, not least with the general improvements in online transaction security and the more advanced methods the fraudsters now need to use to gain sufficient access to complete fraudulent transactions.

Consider this. You conduct transactions, using credentials, against various accounts. You open those accounts using certain approved identifiers. Therefore there are 4 things that can be attacked and, apart from transactions2, attacks can either be transient or extended3 in duration. So you then have a punctuated continuum of attacks.

  • Transaction hijacking (normally diversion).
  • Credential abuse.
  • Credential theft.
  • Account access.
  • Account diversion.
  • False account opening.
  • Identity theft.

Aside from the more explicit differentiation between immediate and extended impacts, this does not vary significantly from my previous taxonomy, although I have dropped the distinction between misuse and abuse, which used to concentrate on the unfortunately common situation where an account holder has given permission to somebody else to do certain things with their account (i.e. a carer being given an ATM card and PIN to get money for a less-mobile person) and they then misuse those permissions. These are, it has to be said, very difficult for the banks or similar organisations to detect, never mind prevent.

Comments?

  1. Pemble, Matthew. “Don’t panic: taxonomy for identity theft.” Computer Fraud & Security 2008.7 (2008): 7-9.
  2. I can’t think of a time-extended attack against a transaction, particularly a consumer one. But that might just be a lack of imagination.
  3. I didn’t want to use the more obvious “permanent” here, simply because attacks can eventually be reversed, although it may take legal involvement.

New Spam Trick

Okay, so probably only new to me but:

  ENERGY STATEMENT
 PG&E
Account Number: 0906927506-8
Bill date: 01/10/14
Amount due: $503.80

Please pay off the debt until January 15th, 2014. If you delay the payment we will have to call on enforcement powers.

The full latest bill of yours can be found here. Log-in to your account on our website or pass registration and get a new account to view your recent statements.

Not particularly clever. Not well targeted. We’re nowhere near the Pacific (and have the energy prices to prove it!)

  • Note that the bill date is in American rather than being 9 months ahead of itself.
  • Email sourced from a wholly unrelated but apparently legitimate dot-com address and the link goes off to an apparently legitimate Indian company who provide “coco peat” products.
  • Poor English.
  • Just 5 days between bill and law enforcement? Not nice …

An easy one for the Bayesian filters, even though it is moderately interesting from a social engineering perspective.