The insider threat is grossly underestimated.
While focusing on technical security issues remains vital, Snowden and the CIA leak illustrate how easy it is for insiders to steal large quantities of information. The vast majority of government and private-sector organizations ignore the principle of least privilege. Many employees and contractors are granted carte blanche access to far too much information.
To make matters worse, insider access to corporate data, especially file shares, is often not logged. An insider copying thousands of files to their local PC should result in alarm bells, but in practice most organizations are unable to even audit access after the fact.
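As an added illustration of the alarm bells the paragraph above calls for (example code written for this column, not part of the original text): a small sliding-window detector run over constructed file-share audit lines that flags any user who touches more than a threshold of distinct files within ten minutes. The audit line format, the share paths, the window and the threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window per user (assumed)
THRESHOLD = 50                   # distinct files in one window before alerting (assumed)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_event(line):
    """Parse one 'timestamp user path operation' audit line (hypothetical format)."""
    ts, user, path, op = line.split(maxsplit=3)
    return datetime.strptime(ts, TS_FMT), user, path, op

def detect_bulk_access(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one (user, timestamp, distinct_files) alert per burst in which a
    user accessed more than `threshold` distinct files inside `window`.
    `lines` must be in chronological order."""
    recent = defaultdict(deque)   # user -> (timestamp, path) events still inside the window
    alerted = set()               # users currently in an alerted burst
    alerts = []
    for line in lines:
        ts, user, path, _ = parse_event(line)
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > threshold and user not in alerted:
            alerts.append((user, ts, distinct))
            alerted.add(user)
        elif distinct <= threshold:
            alerted.discard(user)            # burst is over; a later burst may alert again
    return alerts

def constructed_sample():
    """Constructed audit lines (not real logs): alice reads a file every 7 minutes,
    bob pulls 120 distinct files from an HR share in about 6 minutes."""
    base = datetime(2017, 5, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=7 * i)).strftime(TS_FMT)} alice "
             f"\\\\fs01\\finance\\report{i}.xlsx READ" for i in range(8)]
    lines += [f"{(base + timedelta(seconds=3 * i)).strftime(TS_FMT)} bob "
              f"\\\\fs01\\hr\\personnel{i:03d}.docx READ" for i in range(120)]
    return sorted(lines)   # ISO timestamps sort chronologically

if __name__ == "__main__":
    for user, ts, n in detect_bulk_access(constructed_sample()):
        print(f"ALERT {ts.isoformat()} {user} accessed {n} distinct files within {WINDOW}")
```

The same logic applies unchanged to real share-access audit events once they are parsed into the same four fields; the point is that without the log in the first place there is nothing to run it on.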
The belief that insiders are inherently trustworthy, and the assumption that employees are somehow less likely to leak information than contractors, defies logic. Organizations of all sizes must start taking the insider threat seriously.
PGP was first released in 1991. More than a quarter century later, provided that keys are of a sufficient length and properly protected by users, PGP continues to effectively protect message contents. Signal Messenger by Open Whisper Systems provides highly secure text, voice, and most recently video calling. The only practical way for an adversary to access the content of these communications is to compromise the endpoint or surveil the physical environment in which the communications occur.
TLS, despite flaws in its certificate trust model, has made intercepting Internet traffic significantly more difficult. Google currently reports that during the past year, 84 per cent of inbound messages from other providers and 86 per cent of outbound messages to other providers were protected in transit using TLS.
According to Let’s Encrypt, in December 2015, 39.5 per cent of page loads on the Web used HTTPS as measured by Firefox telemetry. By June 2016, that number was up to 45 per cent. Google continues to prod site owners to migrate to HTTPS by using it as a ranking signal, and announcing that their Chrome browser will eventually flag all HTTP sites as “insecure.” While state-sponsored actors may be able to spoof targeted sites, increased TLS adoption drives up the cost and difficulty of intercepting communications.
The primary target is the endpoint.
Strong cryptography, improvements in operating system security, and the direct monetization associated with ransomware are making users and applications the primary targets. Mobile devices and porous perimeters provide unprecedented opportunities for attack. The most effective way to gain access to encrypted communications is to steal the keys, or monitor data before encryption or after decryption. Compromising a system administrator’s PC and leveraging it for lateral movement may be significantly easier than directly attacking servers. It is also much more difficult to detect.
Traditional anti-malware software is not up to the challenge, execution control products are too expensive to implement, and weak administration procedures make it too easy for intruders. Until better solutions are developed, businesses should reflect on why employees read email, surf the web, and process sensitive corporate information on the same computers given how frequently those computers are compromised.
Software vulnerabilities are critical.
Zero-day exploits are the holy grail for spies and criminals, who appear to be quietly stockpiling them. It is naive for governments to believe that they alone are capable of discovering any given vulnerability. Governments are in a position to do tremendous good by reporting security issues to vendors, and more debate is required on why keeping them as weapons is more important than protecting citizens.
While zero-day exploits receive a lot of attention, the reality is that most organizations, in both public and private sectors, regularly fail to address known vulnerabilities for which patches and upgrades already exist. Mature products make it easy to obtain technical details and enterprise-wide vulnerability metrics. All organizations need to stop making excuses and start managing vulnerabilities.
Protecting metadata is the next challenge.
Canadian law has traditionally provided protection against the unauthorized interception of communications, but it has become increasingly clear that governments believe metadata deserves little protection. Many encryption systems, including PGP and HTTPS, focus on protecting content, but leave metadata exposed. While content protection is important, metadata can reveal sensitive information and patterns, and it is generally easier to automatically collect and analyze. Canadians need to start paying much more attention to protecting metadata.
Have a security question you’d like answered in a future column? Please send me an email.