It seems that things have changed in recent times and suddenly everybody is under attack. First Sony with its reported 70 million compromised accounts, then Epsilon, then RSA – one of the most trusted brands online – now the world's largest defence contractor Lockheed Martin, and even PBS got targeted simply because they screened a critical documentary about Wikileaks. It doesn't take much to get the attention of the wrong people. (we noticed that too!)
The resonating message from the media and people on the street is that if they can penetrate these companies, they can penetrate everybody, right?
Is the world turning upside down?
Well, for us security researchers this kind of news is not really new, as it is well known that with the right tools, the right knowledge and some clever social engineering, the sky is the limit. A very nice example of how a security company penetrated a bank is here (very good reading) http://bit.ly/c4DhaZ. From the blog post: “We were recently hired to perform an interesting Advanced Stealth Penetration test for a mid-sized bank. The goal of the penetration test was to penetrate into the bank’s IT Infrastructure and see how far we could get without detection”. I deliberately picked an example that is more than one year old.
I think we are in this situation at the moment not because of a lack of solutions out there, but because we tried to solve the problem with the wrong approach and with the wrong tools.
- Example: Wrong tool: Two-factor authentication (e.g. RSA) is great for authentication (well, not so great anymore, but that’s a different story), but shouldn’t we start authorizing as well? How can it be that a user can do everything once (s)he is authenticated? Shouldn’t we ask whether a particular user is authorized to do a particular thing? And naturally we should only give the user an authorization code for that particular action, not one that lets them do anything and everything.
- Example: Wrong approach: As more and more companies and services move to the “cloud” we operate with a different risk exposure, and we can’t simply apply the same security controls as if this were an internal application. Take email for example. Email that was typically only accessible from the internal network (with all the security advantages that brings) needs very different protection once it is exposed to the outside. All these OWAs (Outlook Web Access) and employee remote access tools need additional security. But why only apply stronger authentication and hope that it will solve the security problem as well? We know that Man-In-The-Browser (MITB) trojans can circumvent most authentication solutions deployed today. Hope is not a strategy.
What we really need to do here is take a threat-based approach and use the right tools for the threats. Example: If the threat is a man-in-the-browser (MITB) trojan that alters a banking transaction, it doesn’t make sense to strengthen authentication. What we need here is a fraud detection solution together with authorization.
And what’s missing in all these discussions is real-time detection and prevention capabilities based on suspicious behaviour. We need a much more intelligence-based approach where suspicious activity can be detected very early on, preferably before any authentication process is completed. This suspicious activity can be as simple as the time needed to log in to an account or the time needed to complete the various steps of a wire transfer page.
In most cases we look at from a forensic point of view, we can detect suspicious activity based on the information that is present… But the trouble is that we can only forensically analyse this information AFTER it has occurred. Let’s put in some systems that will proactively detect these things in real time.
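To make the two ideas above concrete (an authorization code bound to one particular action, and a real-time behavioural check on step timing), here is an added example that is not from the original post or any product mentioned in it. The shared secret, account numbers and the 2-second “faster than a human” threshold are constructed sample values; the code is a plain HMAC over the transaction details plus a counter, which is one way to implement “what you see is what you sign”.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample secret shared between the bank and the user's token/app (not a real key)
USER_TOKEN_SECRET = b"demo-token-secret-not-a-real-key"

@dataclass(frozen=True)
class WireTransfer:
    source_account: str
    beneficiary: str
    amount_cents: int

def canonical(tx: WireTransfer) -> bytes:
    # Fixed field order so the code is bound to exactly these details and nothing else
    return f"{tx.source_account}|{tx.beneficiary}|{tx.amount_cents}".encode()

def authorization_code(secret: bytes, tx: WireTransfer, counter: int) -> str:
    # An 8-digit code the user's token computes over the transaction it displays,
    # plus a per-transaction counter so one code cannot be replayed for a later transfer.
    msg = canonical(tx) + b"|" + str(counter).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def verify_authorization(secret: bytes, tx_received: WireTransfer, code: str, counter: int) -> bool:
    # The bank recomputes the code over the transaction it actually received.
    # If a man-in-the-browser changed beneficiary or amount in transit, the codes differ.
    expected = authorization_code(secret, tx_received, counter)
    return hmac.compare_digest(expected, code)

def timing_is_suspicious(step_durations_s, min_human_s: float = 2.0) -> bool:
    # Real-time behavioural check: form steps completed faster than a person plausibly
    # fills them in are flagged for review before the transfer is executed.
    return any(d < min_human_s for d in step_durations_s)

def process_transfer(secret: bytes, tx_received: WireTransfer, code: str, counter: int, step_durations_s) -> str:
    # The per-action authorization check runs first, then the behavioural check.
    if not verify_authorization(secret, tx_received, code, counter):
        return "rejected: authorization code does not match transaction"
    if timing_is_suspicious(step_durations_s):
        return "held for review: implausible step timing"
    return "approved"

if __name__ == "__main__":
    seen = WireTransfer("NL00DEMO0000000001", "NL00DEMO0000000002", 25000)
    code = authorization_code(USER_TOKEN_SECRET, seen, counter=7)
    # A MITB rewrites the beneficiary after the user approved what they saw on screen
    altered = WireTransfer("NL00DEMO0000000001", "NL00MULE0000000099", 25000)
    print(process_transfer(USER_TOKEN_SECRET, seen, code, 7, [9.1, 14.0, 6.2]))
    print(process_transfer(USER_TOKEN_SECRET, altered, code, 7, [9.1, 14.0, 6.2]))
```

The point of the example is that stronger login authentication would not have helped in the altered case; only binding the code to the action, and watching behaviour in real time, catches it.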
More on these topics in some upcoming posts…
Lessons learned here:
- just one incident can have disastrous consequences.
- authentication is something different from authorization.
- don’t try to solve a security problem with an authentication solution.
- if you know that your system can be circumvented, the bad guys either already know this as well or they’ll figure it out very quickly.
- implement proactive, real-time solutions rather than reactive, blacklist- or heuristic-based solutions.
- deploy an intelligence-based approach. Take advantage of the information you have and make sure you know all the things you need to know.
UPDATE: it seems that the concepts of authentication and authorization are not made clear enough, so below is my attempt to clear this up.
- Authentication: Proof that someone or something is who he, she, or it claims to be. (who you are)
- Authorization: Once the system knows who the user is through authentication, authorization is how the system decides what the user can do. (what am I allowed to do)