Another day, another breach.
We haven’t received details yet, but we’re sure to hear that poor passwords were at least partly to blame in this week’s massive Evernote breach. And Bank of America’s. And [insert company name here]’s.
It seems that we may never get passwords right.
There are many reasons for this.
First, passwords may be the most targeted of all security controls. They are, after all, the keys to the kingdom. If you hit something hard enough, long enough, it’s going to break. Even the toughest passwords can be cracked.
Second, passwords may be the most numerous of all security controls. I have 200 times as many passwords as I do firewalls, access control procedures or data classification policies. A typical organization may have 10,000 passwords for every other security control they possess.
Third, passwords may be one of, if not the most dynamic of security controls. Think about how often you create new passwords or change existing passwords. You don’t see this level of volatility in other areas of security.
Last, passwords are often designed, implemented and administered by the unwashed masses. Unlike other controls, they may not be reviewed by a committee, subject to monitoring or in the worst case – even required.
So what’s the secret to solving this problem?
Lowering our expectations.
Lowering our expectations? That’s the secret? Yes, don’t be alarmed. Because as sad as that sounds, expecting less of passwords (and the people who create and enforce them) should make us think harder about the controls that compensate for these historically weak protections.
Remember that the goal of your security program is not to create one impenetrable wall, but rather to create a system of defenses that together are strong enough to withstand the threats that you are likely to encounter. Your passwords are just one piece of the puzzle.
Spending too much time on developing the ultimate password scheme, training your workforce on developing perfect passwords and monitoring for 100% password compliance may potentially distract you from the job at hand – protecting the crown jewels.
Good generals know it’s not about winning every battle, but winning the war.
Many organizations recognize this and are moving towards requiring or recommending multi-factor or other out-of-band authentication mechanisms to support passwords. Certificates, biometrics and other controls are becoming more popular for this reason, as well.
Take a look at what you’re doing with passwords and decide how practical and effective your efforts are. Don’t make excuses – you can’t lower your expectations so far that passwords offer no protection.
But lowering your expectations may just increase your defenses.
Sounds awesome, doesn’t it?
Unfortunately, I’m not talking about getting you elected to the highest, most powerful office in the world.
No, sadly I’m talking about the likelihood that your e-mail will get hacked and pictures of you in the shower will show up on the Interwebz.
Ask yourself when was the last time you sent an e-mail that you didn’t want anyone else to see? It may have been complaints about your boss, or sweet nothings to your girlfriend. It could have been tax or financial information, or perhaps something about a medical issue.
And you probably keep e-mail around forever, right?
I’ve seen people with thousands of e-mails still in their Inbox. They didn’t think to move them to another folder or delete them after they read them.
Receipts from online purchases. New account registrations and password changes. They just sit there like little gold nuggets, waiting for a miner.
The reality is, we all do it. Just like Ashton Kutcher, Sarah Palin and Lindsay Lohan, we normal people use e-mail for just about everything. And few truly think about or understand just how sensitive, or critical e-mail has become.
Until their undergiblets show up in a Google images search.
So take a moment today to manage that risk down a little. If your e-mail is compromised it probably exposes a whole pile of other things.
Make sure you have a good password. If your e-mail service offers multi-factor authentication (SMS, token, etc.), consider it. Delete e-mail that you don’t need anymore. Think about the things that you send through e-mail before you send them – if they ended up in the wrong hands would you be OK with it?
Because it may sound awesome, but you don’t want to be the next President.
Yesterday I was waiting in the lobby of one of our larger clients as I had arrived a bit early for a meeting. I was doing something really useful on my BlackBerry to kill time when a thirty-something woman walked in and approached the receptionist. To protect the not-so-innocent, we’ll refer to her as Jane.
What I’m about to tell you is a true story.
Jane: “Hi, I’m here to see [name deleted] but I think I may be in the wrong building.”
Receptionist: “OK, where do you think you’re supposed to be?”
Jane: “Hold on let me call my office and I’ll find out.”
Jane now steps away from the receptionist desk, pulls her mobile phone from her purse and immediately begins dialing her office for information. She reaches someone who appears to be her assistant, given the following conversation. We’ll make some assumptions about the Assistant’s dialogue.
Jane: “Hi [name deleted] can you do me a favor? I need you to access my calendar to see where my meeting is this morning, I think I’m in the wrong building.”
Assistant: “No problem Jane! How do I get access to your calendar?”
Jane: “My password is ‘Password1’ with a capital ‘P’. Yeah I know it sucks.”
Assistant: “OK well I can’t get to your calendar from my PC.”
Jane: “Yeah you can use my PC, I never lock it.”
Cue Quentin Tarantino soundtrack, an ultra-closeup of highly polished men’s dress shoes as they one-by-one, shuffle towards a thirty-something woman in a black suit, the staccato click of their heels shattering the deafening silence now engulfing the steel and glass lobby, cut to a super-tight shot in slow-motion of a GreyCastle Security business card being drawn from inside suit pocket –
“Hey Reg! Sorry I’m late.”
As I’m snapped from that dreamscape carved straight from a Hollywood set, I realize that we can’t save everyone, and not everyone wants to be saved.
I hope Jane made it to her meeting on time. I hope she changed her password when she got back to the office and has started locking her PC. And her phone. I hope the title on her business card doesn’t say Comptroller. I hope Jane doesn’t have to learn the hard way that just a little bit of security can go a long way.
The Zappos hack this week made national headlines for a number of a reasons.
First, Zappos, a subsidiary of Amazon.com is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.
Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers for an estimated 24 million individuals, making it one of the largest data breaches in recent history. The value of this data on the black market, using today’s cybercrime figures, is in the tens of millions of dollars.
But in many ways the Zappos data breach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.
Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.
This is what I would do if I were Zappos:
- I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
- I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leave the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
- I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
- I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.
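The second lesson above calls for a programmatic reset: invalidate every stored credential at once, then let each customer re-establish access on their own schedule. This added example (not Zappos code, and not part of the original post) sketches that flow; the account store, the 24-hour token lifetime and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

RESET_TOKEN_TTL = 24 * 3600  # seconds a reset token stays usable (assumed policy)

@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: Optional[bytes]            # None = no usable credential
    must_reset: bool = False
    reset_token_hash: Optional[bytes] = None
    reset_expires: float = 0.0

def hash_secret(secret: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; a real deployment would more likely use argon2/bcrypt.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def invalidate_all(accounts: dict) -> int:
    # Breach response: drop every stored hash in one pass, dormant accounts included.
    for acct in accounts.values():
        acct.password_hash = None
        acct.must_reset = True
        acct.reset_token_hash = None
    return len(accounts)

def issue_reset_token(acct: Account, now: float) -> str:
    # Single-use token to deliver out of band; only its hash is stored server-side.
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_expires = now + RESET_TOKEN_TTL
    return token

def complete_reset(acct: Account, token: str, new_pw: str, now: float) -> bool:
    # Accept only an unexpired, matching token, then store the new hash.
    if acct.reset_token_hash is None or now > acct.reset_expires:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = hash_secret(new_pw, acct.salt)
    acct.must_reset = False
    acct.reset_token_hash = None              # burn the token
    return True

def can_log_in(acct: Account, password: str) -> bool:
    # Untouched accounts stay locked until the owner completes a reset.
    if acct.must_reset or acct.password_hash is None:
        return False
    return hmac.compare_digest(hash_secret(password, acct.salt), acct.password_hash)
```

Accounts nobody comes back for never get a new password, which is the "leave it disabled" option from the post.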
It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.
Maybe Zappos should start selling eyewear.
Last week’s SC Congress in New York City was short and sweet. The one-day security conference focused on emerging threats and case studies, including Barnes and Noble, Tyco and HSBC. There were several hundred in attendance. The multi-grain tuna fish box lunch was delightful.
Among my favorite presenters was Mark Clancey, the CISO for the Depository Trust and Clearing Corporation (DTCC). You’ve never heard of this organization, but you use them every day. In fact, we all do. DTCC provides clearing and settlement for equities, bonds and securities for the US and 121 other countries. In 2009, DTCC settled more than $1.48 quadrillion in securities transactions. Yes folks, that was not a misprint. The number is so big that they had to make up a name for it.
In his talk he described the information security challenges they face, which are understandably different from most. Asked what he considered to be his greatest security hurdle, he responded “information sharing”. He went on to describe DTCC’s relationship with the FBI, the FS-ISAC and other information sharing organizations, and the difficulties they face. We’ve seen this problem cited countless times before, including its roots in 9/11. He closed by saying that “hackers communicate better than we do”.
But is this why we’re losing the war on cybercrime? As I wandered off, deep in thought it occurred to me that there may be other areas where hackers are outperforming us. Perhaps it wasn’t their cunning, but rather their ability to understand business, strategy and process that was their advantage? Sitting and waiting for the coffee break I came up with the following possibilities:
- Hackers don’t burden themselves with compliance – It may sound silly, but there are entire industries causing victimized organizations to become distracted from the real goal. Compliance regulations have good intentions, but applied in the wrong context or culture they can be counter-productive. Hackers get the job done in the most efficient and cost-effective way, without cycles spent on annual reporting or scans.
- Hackers don’t rely on technology – The tools in use by today’s hackers are simple and effective and are geared towards ROI. While no doubt a successful attack may require a reliable rootkit, if the one they’re currently using doesn’t work, they’re not afraid to move to an alternative. Technology is a means to an end, not a religion. And it’s generally inexpensive to make and support.
- Hackers know their risks – Whether you’re a hacker, hacktivist or corporate spy, the priority is not getting caught and they put lots of wood behind this arrowhead. The numbers speak for themselves; today there are roughly three million people incarcerated in the US (it typically runs at 1% of the population). In 2011, the FBI caught (not convicted) but 17 US citizens for computer-related crimes (the total is a measly 35 globally). The value of banks being robbed by gun is dwarfed by the value of banks being robbed by computer. You do the math.
- Hackers don’t use default passwords – While I remember only bits and pieces of this story, the moral still rings true. The FBI, along with their foreign counterparts in Estonia, were working to extradite an alleged cybercriminal, his laptops and other computer equipment. The suspect, after being worked over for weeks by the Federales, finally handed his laptop encryption password over – it was a passphrase nearly 300 characters long.
- Hackers don’t have sensitive data – Sure it’s true that they have an asset that they’re generally trying to protect, but if they lose it or it’s stolen they know where to get more. Besides, is it really sensitive if it’s not even theirs? In addition, there are no HR databases. No credit card transactions (not on their own cards, at least). Hackers could teach us CISSPs a thing or two about reducing our attack surface.
- Hackers don’t trust – Aliases. Onion routing. Offline couriers. Money mules. There is no trust in hacking. This is essential to their survival.
Now this list shouldn’t imply that there aren’t idiot hackers out there throwing up pictures of their new Porsche (complete with Russian license plates and geotags) on torrents once in a while, but we don’t hear about those incidents all that often. The reality is, when it comes to Operational Security (OPSEC), hackers are beating us like a барабанчик (Russian for “little drum”).
We often recommend to clients that they “think like hackers” when developing their security programs. The idea comes from Sun Tzu – in knowing their attacker, they can best develop their security measures.
Perhaps we should also suggest that clients look to hackers when developing their business plan.
Earlier today I received a concerned e-mail from my girlfriend, who thought she may have been the target of an attempted cybercrime. Below is a screenshot of the e-mail:
As a security professional, my immediate reaction was to provide counsel on safe e-mail practices as I read through what appeared to be a legitimate security notification regarding a brute force attempt on her account. As I continued reading, I noticed a conspicuous lack of links, misspellings and poor grammar – again suggesting a legitimate source. My next step was to inquire about the strength of the password that she had been using on this web site, and how recently it had been changed. All evidence to this point suggested that this was indeed someone attempting a Lindsay Lohan-esque attack, albeit less successful (as far as I could tell so far).
Now it was time to dig a little deeper, as at this point we hadn’t really made any determination as to the success of the alleged attack.
As I went through the source code for the e-mail looking for suspect links or domains, I asked her to go directly to the Upromise web site and attempt to log in. Normally I would have asked her to log in from a PC that she doesn’t typically use, but she was at work and didn’t really have that luxury.
As it turned out, her account was not locked.
After requesting that she change her password and log out, I continued my research. The source code showed no signs of malice, so I called the 800 number that was provided. My call was answered by an interactive voice system claiming to be Upromise that was “experiencing a higher than usual call volume”. A dead-end number – was it real?
After digging through an e-mail, source code, a web site, changing a password and calling the company’s 800 number, I still could not confirm the legitimacy of any of this.
Was this a sophisticated phishing attack that incorporated offline voice? Was the company’s DNS compromised such that valid domains were poisoned? And did they get money from my girlfriend’s account?
Like any good cliffhanger, you’ll have to wait until next time for the conclusion to this story. But there’s a lesson here; as the headlines of data breaches, malicious insiders, corporate failures and compliance penalties pile up, we are slowly learning to distrust the systems, applications, networks and technologies upon which we base our digital lives. As technology continues to occupy more of our day, so does distrust. It’s a dangerous cycle that will be difficult to stop without a change in our collective security mindset.
If Upromise to, Ipromise to.
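The manual triage in the story (read the source, look for suspect links or domains, check whether a link really belongs to the sender) can be scripted for a first pass. This added example is not from the post; the sample message is constructed to resemble the notice described, with a deliberate mismatch between a link’s visible text and its real target, and the `registrable()` helper is a simplification that assumes two-label domains.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the notice in the post (not the real mail): the
# visible link text and the real target disagree, which the parser should flag.
SAMPLE_MAIL = """\
From: Security Team <security@upromise.example>
Subject: Unusual sign-in attempts on your account

<p>We blocked several failed sign-in attempts. Please review your account at
<a href="http://upromise.example.verify-login.test/acct">https://www.upromise.example/account</a>.</p>
"""

class LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs from every <a> tag in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host: str) -> str:
    # Last two labels; adequate here, wrong for ccTLDs such as .co.uk.
    return ".".join(host.lower().split(".")[-2:])

def triage(raw: str) -> dict:
    """Indicators to check before trusting the mail: who sent it, how many links
    it carries, and whether each link really goes where it claims."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].split("@")[-1]
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if registrable(href_host) != registrable(sender_domain):
            findings.append(f"link host {href_host} is not under {sender_domain}")
        text_host = urlparse(text).hostname
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(f"visible URL {text} actually points to {href_host}")
    return {"sender_domain": sender_domain, "link_count": len(parser.links),
            "findings": findings}
```

A message with no links at all, like the one in the story, comes back with an empty findings list, which is exactly why the author had to fall back on the web site and the phone number.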