November 17, 2017

In depth security... what when the tables are turned?

With all the new security initiatives at governments and organisations, I see the tables being turned... and the initiatives lagging behind. Again.


We all do our best to keep the baddies out of our systems and away from our data. But what if the baddies try to do the same, keeping us out of our systems and away from our data? There's a new threat in town: our own systems.

Lately I have been talking a lot with one of the Information Risk Managers at one of my clients. Let's call him Frank; it makes writing this post a lot simpler.
So Frank is a different kind of Information Risk Manager. He's very much involved and active in product development. Frank's not policing, he's establishing policies instead. Mind that I'm specifically not saying that he's writing policies; he's establishing them. Together with those around him who are supposed to live by these policies, he makes sure they're involved every step of the way. It's pretty cool. Then again, Frank is pretty cool.

Frank and I have been doing a couple of security awareness sessions at the client's site. These sessions revolve around Secure Software Development, and their intention is to make sure that those developing the products know that they need to build in security from the start. Yes, we are only looking at the IT peeps, even though security is obviously a business concern. Well, one step at a time.

I take it that you're well aware of the OWASP Top 10. And you've likely at least heard somebody mention the GDPR, the General Data Protection Regulation. And considering you're reading this post, you haven't lived under a rock for the past couple of years, so data breaches like the ones at Equifax or Yahoo should be known facts to you.
I love it when these things are being discussed. Stolen passwords, hacked accounts, social engineering to get into systems. Examples galore to justify all those millions of euros and dollars spent on security, implementing all kinds of programmes at enterprises and organisations. At one client I actually told the ISO (Information Security Officer) that her presentation on the topic leaned towards plain old terrorism, considering how she was scaring the CFO into approving her budget request.
Well, Frank is not like that. Instead, Frank explains why awareness is so important. He addresses it from the business benefit of doing in-depth security, privacy by design and so on. I actually had to talk firmly to Frank to get a slide into his deck conveying the number of vulnerabilities found in our systems in the past couple of months, just to show that doing nothing is not an option. Reluctantly, Frank complied.

At this client, we do threat modeling. We do Privacy Impact Analyses, Business Impact Analyses, etc. We analyse a lot. And we're moving towards a way of doing all this such that the developers can keep on becoming more and more agile: sprint based, epic by epic, one story at a time. Ensuring that nobody gets into the systems, that privacy-sensitive information is encrypted and that transaction integrity is ensured.
Nobody gets in, whoever is in can't see any data, and those who can won't be able to change it. It's awesome, it's secure. And it's lagging behind today's and, more importantly, tomorrow's threats.

We're spending so much time locking things down, in depth, on all levels, by design. Making sure that there are no backdoors and that systems are patched. But what about the threat of being locked out yourself?

Holding data hostage is the new trend. With the advent of biometrics, access to systems is increasingly tied to specific individuals. Unless it's your iris, you won't get into the server room. Unless it's your fingerprint, you won't be able to unlock the device. With face recognition built into operating systems like Windows 10, iOS and Android, you only have to look at your screen to be granted access to all that data.

Frank knows about all this stuff as well. Together with a couple of really smart developers, he's working on using this new tech to make security more convenient for employees who regularly need to access sensitive information from their devices. Multi-factor authentication with biometrics as the second factor is around the corner. It'll be all about what you know (a PIN or password) and who the system recognises.

This makes it more and more interesting for cyber criminals to no longer try to get access to your data, but instead to prevent you from getting access to your data, now that we rely so heavily on the uniqueness of our bodies. By storing precise information about a person's iris, facial geometry, fingerprints and in the (near) future a person's DNA, we can ensure that people are uniquely identified. But what is going to happen when that data is compromised? 'Access Denied'. And unlike a password, a biometric can't be reissued: re-enrolment itself needs some other way to prove who you are.
In today's systems, where identification is based on what you know and what you have, we are not focusing on the corruption of passwords, PINs or authenticator apps. We're focusing on people not getting in, but we forget about people keeping us out. And when you can't get in, your systems are held hostage. Not only your data, which is typically the target of today's ransomware.

We need to think of new architectures that also consider this aspect of security: the availability aspect. Data and systems need to be available, and consequently also accessible. Availability is typically associated with redundancy and clustering, cloning and mirroring. On a more functional level it is associated with the GDPR's view on a person's right to always access her data and the right to be forgotten. But what if access is denied? What if you're locked out?
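As an added illustration, not code from the original post or anything Frank's team built, here is a toy Python login policy that treats a corrupted biometric template as "factor unavailable" rather than as a silent denial. The integrity-tagged template store, the bit-count matcher, the one-time recovery codes and all names, keys and thresholds are assumptions of this example. Running the naive policy and the fallback policy against the same tampered template shows the lock-out described above, and one shape an architecture can take to keep the availability property.

```python
"""Toy login policy: something you know + (something you are | a one-time recovery
code), with an integrity-checked biometric template store. Added illustration, not
code from the original post; every name, key and threshold is an assumption."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

TEMPLATE_BYTES = 32       # assumed: a 256-bit toy biometric template
MAX_MISMATCH_BITS = 25    # assumed matcher threshold (~10% of bits may differ)
STORE_KEY = b"example-only-template-integrity-key"  # assumed; keep a real one in an HSM/TPM


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _template_tag(user, template):
    # Keyed tag over (user, template): a swapped or bit-flipped template becomes detectable.
    return hmac.new(STORE_KEY, user.encode() + b"\0" + template, hashlib.sha256).digest()


@dataclass
class IdentityStore:
    passwords: dict = field(default_factory=dict)       # user -> (salt, pbkdf2 hash)
    templates: dict = field(default_factory=dict)       # user -> (template, tag)
    recovery_codes: dict = field(default_factory=dict)  # user -> set of one-time codes
    audit: list = field(default_factory=list)           # lock-out signals for the SOC

    def enroll(self, user, password, template, n_codes=3):
        salt = os.urandom(16)
        self.passwords[user] = (salt, _pw_hash(password, salt))
        self.templates[user] = (template, _template_tag(user, template))
        self.recovery_codes[user] = {secrets.token_hex(8) for _ in range(n_codes)}
        return sorted(self.recovery_codes[user])  # handed to the user out of band

    def check_password(self, user, password):
        rec = self.passwords.get(user)
        return rec is not None and hmac.compare_digest(rec[1], _pw_hash(password, rec[0]))

    def template_for(self, user):
        """The enrolled template if intact; None if missing or its tag no longer verifies."""
        rec = self.templates.get(user)
        if rec is None:
            return None
        template, tag = rec
        return template if hmac.compare_digest(tag, _template_tag(user, template)) else None

    def redeem_recovery_code(self, user, code):
        for c in list(self.recovery_codes.get(user, ())):
            if hmac.compare_digest(c.encode(), code.encode()):
                self.recovery_codes[user].remove(c)  # strictly one-time
                return True
        return False


def biometric_match(sample, template):
    """Toy matcher: accept if few enough bits differ between live sample and template."""
    if len(sample) != len(template):
        return False
    return sum(bin(a ^ b).count("1") for a, b in zip(sample, template)) <= MAX_MISMATCH_BITS


def authenticate(store, user, password, bio_sample=None, recovery_code=None, fallback=True):
    """Returns a reason string; only 'granted:*' means access."""
    if not store.check_password(user, password):
        return "denied:password"
    template = store.template_for(user)
    if template is None:
        # The 'kept out' case: the reference data is gone or corrupted. Record it (the
        # reverse of a breach notification) and, if allowed, accept a recovery code instead.
        store.audit.append(f"biometric_unavailable user={user}")
        if fallback and recovery_code and store.redeem_recovery_code(user, recovery_code):
            return "granted:password+recovery_code"
        return "denied:locked_out"
    if bio_sample is not None and biometric_match(bio_sample, template):
        return "granted:password+biometric"
    return "denied:biometric"


def demo():
    """Enrol one user, corrupt her stored template, compare the naive and fallback policies."""
    store, pw = IdentityStore(), "correct horse battery staple"
    template = os.urandom(TEMPLATE_BYTES)                   # constructed enrolment template
    codes = store.enroll("alice", pw, template)
    sample = bytearray(template)                            # a live sample is never bit-identical,
    sample[0] ^= 0b00000101                                 # so flip three bits
    sample[7] ^= 0b10000000
    sample = bytes(sample)
    out = {"normal": authenticate(store, "alice", pw, sample)}
    tpl, tag = store.templates["alice"]                     # tamper with the stored template
    store.templates["alice"] = (bytes(b ^ 0xFF for b in tpl), tag)  # but leave the old tag
    out["naive"] = authenticate(store, "alice", pw, sample, fallback=False)
    out["resilient"] = authenticate(store, "alice", pw, sample, recovery_code=codes[0])
    out["code_reuse"] = authenticate(store, "alice", pw, sample, recovery_code=codes[0])
    out["audit_events"] = len(store.audit)
    return out
```

Calling demo() returns the outcome of each attempt: the intact template grants "password+biometric"; the tampered one locks the user out under the naive policy; the fallback policy grants "password+recovery_code" once and then refuses the re-used code; and every unavailable-template event lands in the audit list, so somebody can be told that access was removed rather than breached. The recovery codes are the part worth arguing about with your Frank: they have to be issued and kept out of band at enrolment, or they share the fate of the template store.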

Another interesting aspect today is that once security is breached, users need to be informed. But what about the reverse? Your security wasn't breached in the sense that people gained access; instead, people removed your access.

This is new territory for many of us, and I don't have a suitable solution for these kinds of threats. What I do know is that you'll need to address this in your architecture. And you'll need to involve your Information Risk Manager from day one, and make her tag along full time. Constantly. Just like I talk with Frank on a steady basis: sharing thoughts, discussing the philosophy of security and challenging each other on everything, but mainly on how we can make everybody involved in the process of product development aware of these at times very interesting nuggets of architecture.

Thanks once again for reading my blog. Please don't be reluctant to tweet about it, put a link on Facebook or recommend this blog to your network on LinkedIn. Heck, send the link to my blog to all your WhatsApp friends and everybody in your contact list. But if you really want to show your appreciation, drop a comment with your opinion on the topic, your experiences or anything else that is relevant.

