Data Security’s Tower of Jenga

Over the holiday break, I had a chance to see “The Big Short”, the movie based on Michael Lewis’s book about the housing bubble. Or, more accurately, about how a group of Wall Street outcasts saw clear signs that the mortgage market was heading for a fall. Interestingly, none of the financial clues were a secret.

That led me to think, is it possible there are also incredibly obvious signs that corporate data security is just a hack or two away from a system meltdown?

For Exhibit A, please take a look at Krebs’ post on new authentication methods being implemented by Google and Yahoo. Google is trying out password-less logins for Gmail that involve sending an approval email to the smartphone registered with your email address. Once you accept the request, you can enter Gmail. No password required!

In October, Yahoo began to offer a similar service, called on-demand passwords. In its system, Yahoo sends a random four-letter code to a separate device when a subscriber tries to log in. Yahoo then requires users to take these codes and reenter them into its web site to gain access.

Phishing Expedition

What does Krebs make of these changes?

Improving authentication is a good idea, but Krebs thinks that these approaches will lead to more sophisticated phishing attacks. Yikes!

In general, these kinds of schemes can be susceptible to man-in-the-middle attacks.

Krebs, though, seemed to be suggesting that phishers, piggy-backing off of these services, will send fake emails asking for more information from subscribers. Since Yahoo and Google users will likely have become accustomed to accepting and responding to the real verification emails, they might accidentally give away a password or other bits of information in response to a forged communication.
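To make the on-demand password flow described above concrete, here is an added illustration of the server-side half (my own constructed code, not Yahoo’s or Google’s implementation): a random four-letter code is issued per login attempt and then accepted only once, inside a short lifetime, and within a capped number of tries. The lifetime and attempt cap are assumed policy values; the post gives only the code length. The verifier also shows the limit Krebs raises: a code that the real user types into a lookalike page during the window still verifies for whoever relays it.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

CODE_ALPHABET = string.ascii_lowercase   # 26 letters -> 26**4 = 456,976 codes
CODE_LEN = 4                             # the four-letter code from the post
CODE_TTL_SEC = 120                       # assumed: short lifetime, relayed codes die quickly
MAX_ATTEMPTS = 3                         # assumed: cap online guessing of a small code space


@dataclass
class PendingLogin:
    user: str
    code: str
    issued_at: float
    attempts: int = 0


class OnDemandPasswordService:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # attempt_id -> PendingLogin

    def request_code(self, user: str):
        """Start a login attempt and return (attempt_id, code). A real service
        sends the code to the registered device, never back to the browser."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
        attempt_id = secrets.token_urlsafe(16)
        self._pending[attempt_id] = PendingLogin(user, code, self._now())
        return attempt_id, code

    def verify(self, attempt_id: str, submitted: str) -> bool:
        """Accept a code once, inside its lifetime, within a few tries. A code
        relayed through a lookalike page inside that window still passes."""
        p = self._pending.get(attempt_id)
        if p is None:
            return False
        if self._now() - p.issued_at > CODE_TTL_SEC:
            del self._pending[attempt_id]            # expired
            return False
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self._pending[attempt_id]            # too many wrong guesses
            return False
        ok = hmac.compare_digest(p.code.encode(), submitted.strip().lower().encode())
        if ok:
            del self._pending[attempt_id]            # single use
        return ok
```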

As other major online services start trying out their own methods and organizations begin to incorporate multi-factor techniques, there’s certainly room for security holes to start creeping in.

The Dark Web

My Exhibit B is all the data that’s been hacked over the last year or two. As PII and other sensitive information make their way to hackers through the dark web, cyber gangs have much more information to work with in their future phishing and other social engineering exploits.

As I write this, the tech media is reporting a giant exposure of over 190 million voting records that include date of birth, email address, and political affiliation. Of course, this is on top of the giant OPM breach, the IRS breach, and those humongous insurance company breaches.

I just wrote about the huge amounts of protected health information (PHI) that’s found within corporate IT systems — not necessarily healthcare companies. Often poorly secured, PHI has been scooped up by hackers over the last few years. This is another great source of information for future attacks.

The Jenga Tower of Data Security

Let’s go back to “The Big Short”.

I don’t think this is too much of a spoiler to reveal this one scene from the movie since it has been widely distributed. I’m referring to Ryan Gosling showing his fellow Wall Streeters how the base of the mortgage security market was very weak.

Using Jenga blocks, he slowly removed the foundational blocks from his wooden tower. To no one’s surprise, the whole structure, including the higher quality mortgage blocks at the top, eventually came tumbling down.

I’m waiting for a Jenga block moment for some CIO!

That is, an employee — perhaps someone who’s steeped in red-team thinking — explains to the C-level suite how IT security is like a Jenga tower.

At the top, there’s strong perimeter defense and data encryption. But under this first layer, there’s poorly secured data. Below those layers, there are minimally effective authentication techniques, bad password policies, lagging patch management, and substandard data monitoring.

The employee’s hand is the hacker doing his probing and attacking. Guided by stolen data and other vulnerability information he bought on the dark market (malware, PII, stolen credentials), he knows which foundation blocks to remove, making it easier for him to reach the next layer of poorly secured data.

The whole IT structure then collapses with Jenga blocks scattered on the CIO’s desk.

I don’t think we’ll have the IT equivalent of a world-wide financial meltdown in 2016, in which e-commerce and the Interboobz suddenly freeze up.

On the other hand, there have been red lights flashing for the last few years pointing to some serious rot at the foundation of IT data security.

Where are your weakest supporting security blocks? DatAdvantage can tell you! Find out more.

Image credit: Philip Serracino Inglott