I was recently briefed on yet another painful breach: an employee, thinking they were responding to a request from the CEO, handed confidential employee records to an attacker who apparently intended to use them for identity theft. A new report from Proofpoint concludes that CEO impersonation is declining for this kind of attack. That sounds like good news until you read further and realize it is because attackers can now identify an employee's direct supervisor and tailor the phishing email to use that more immediate superior's name instead. You can no longer assume that an email is from the person named on it, regardless of who that person is or where it appears to have come from.
Protective services such as SecureWorks can be layered on top of an email system, but ideally anti-phishing needs to be built into email itself, because too many people are being compromised. You need to be able to trust your communications.
But I think we need to go farther still.
Thinking About Security Strategically
We tend to think about security tactically: we see an attack, we build and deploy a defense, the attacker modifies the attack, we modify the defense, and so on. This works well for convincing executives that something is being done, while enriching the attackers, who always find a way around the latest defense.
At the heart of an overarching defense is the ability not only to reliably identify people entering our firms, physically and digitally, but also to identify where they are and where they are coming from, so we can determine whether they are compromised. Stealing someone's identity is a thing. If we can attach metadata to every attempt to gain any type of access, that raises the probability of determining whether people are who they say they are and whether their intent is benign or hostile, and of then taking action. In that scenario we could likely eliminate entire classes of attack, some before they were even conceived.
We already have tools that can tell where an employee is and where they are supposed to be. That information could be used to flag a phishing attempt or an attempted physical breach as it happens and to immediately notify the affected employee.
Tailgating, which has again become a problem, could be exposed if every employee's badge were tracked inside the company, people without badges were flagged, and employees who appear to be in two places at once (on vacation and entering the data center, for example) were apprehended. This happens often and everywhere. I've heard a doctor argue that it was rude not to hold a secure door open for someone, right after an operating room was compromised by an unauthorized guest. Putting the burden on employees just doesn't work. You need a definitive way to make sure that people are who they say they are and are authorized to be where they want to go.
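The correlation described in the two paragraphs above (badge location versus where HR says the employee should be, plus the physical-versus-digital cross-check) can be reduced to a handful of rules over event logs. The following is an added example written for this page, not code from the author or from any product named here. The badge and VPN events, the HR status table, the door topology and the 30-minute window are all constructed assumptions; a real deployment would read these from the badge system, the HR system and the VPN concentrator.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    employee: str   # badge holder or VPN account name
    kind: str       # "badge" (door reader) or "vpn" (remote login)
    place: str      # door name for badge events, city for VPN logins

# Constructed HR status table (assumption): where each employee should be today.
HR_STATUS = {
    "alice": {"status": "on_site", "site": "HQ"},
    "bob":   {"status": "vacation", "site": "HQ"},
    "carol": {"status": "remote", "site": "HQ"},
}

# Constructed door topology (assumption): a restricted door can only be reached
# legitimately after badging through its perimeter door. A restricted-door badge
# with no earlier perimeter badge is the classic tailgating signature.
PERIMETER = {"HQ-datacenter": "HQ-lobby"}
SITE_CITY = {"HQ": "Austin"}

# Constructed sample log lines (not from the article): ts,employee,kind,place
SAMPLE_LOG = [
    "2024-03-04T08:55:00,alice,badge,HQ-lobby",
    "2024-03-04T09:02:00,alice,badge,HQ-datacenter",
    "2024-03-04T09:10:00,bob,badge,HQ-datacenter",
    "2024-03-04T09:15:00,carol,badge,HQ-lobby",
    "2024-03-04T09:20:00,carol,vpn,Berlin",
    "2024-03-04T09:30:00,unknown-7731,badge,HQ-lobby",
]

def parse(lines):
    """Parse 'ts,employee,kind,place' lines into time-ordered Events."""
    events = []
    for line in lines:
        ts, emp, kind, place = line.strip().split(",")
        events.append(Event(datetime.fromisoformat(ts), emp, kind, place))
    return sorted(events, key=lambda e: e.ts)

def find_discrepancies(events, window=timedelta(minutes=30)):
    """Return (rule, employee, detail) tuples for every contradiction found."""
    findings = []
    by_emp = {}
    for e in events:
        by_emp.setdefault(e.employee, []).append(e)

    for e in events:
        rec = HR_STATUS.get(e.employee)
        if rec is None:
            # Badge or account that HR has no record of: flag, cannot validate further.
            findings.append(("unknown_identity", e.employee, f"{e.kind} at {e.place}"))
            continue
        if e.kind != "badge":
            continue
        # Rule 1: physically present while HR says the person is on leave.
        if rec["status"] == "vacation":
            findings.append(("badge_while_on_leave", e.employee, e.place))
        # Rule 2: restricted door reached without the required perimeter badge-in
        # during the preceding window (someone held the door open).
        needed = PERIMETER.get(e.place)
        if needed and not any(
            p.kind == "badge" and p.place == needed and e.ts - window <= p.ts < e.ts
            for p in by_emp[e.employee]
        ):
            findings.append(("no_perimeter_entry", e.employee, e.place))
        # Rule 3: digital presence elsewhere at the same time as a physical swipe.
        # A VPN login from a city other than the badge's site within the window
        # means either the badge or the credential is in someone else's hands.
        site_city = SITE_CITY.get(rec["site"])
        for v in by_emp[e.employee]:
            if v.kind == "vpn" and v.place != site_city and abs(v.ts - e.ts) <= window:
                findings.append(("two_places_at_once", e.employee,
                                 f"badge {e.place} vs vpn {v.place}"))
    return findings

def run_sample():
    """Run the rules over the constructed log and return the findings."""
    return find_discrepancies(parse(SAMPLE_LOG))

if __name__ == "__main__":
    for rule, who, detail in run_sample():
        print(f"{rule:22} {who:14} {detail}")
```

On the constructed log, alice's lobby-then-data-center sequence passes cleanly, bob is flagged twice (badging while on leave, and entering the data center without a lobby swipe), carol is flagged for an on-site badge and a Berlin VPN login five minutes apart, and the unknown badge is flagged because HR has no record to validate it against. The point of the design is the one the article makes: each data source on its own is explainable away, and only the correlation turns it into an alert that can be pushed to the employee and the security desk immediately.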
It all starts with identifying and tracking employees both physically and digitally, because doing only one will simply push attackers toward the other.
Wrapping Up: People Are Our Greatest Security Exposure
We're seeing too much successful penetration of our firms, electronically and physically. Until and unless we can reliably and consistently identify employees, to our security systems and to each other, any chance of being acceptably secure will grow increasingly remote. Not only should this capability be built into communications systems to prevent phishing, it should be integrated with the other employee-validation systems so that discrepancies are flagged wherever they occur and the exposures are immediately mitigated. But at the very least, it is time to rethink email so that our employees, executives, and even our vulnerable family members can't be so easily tricked and taken advantage of.
If we can't fix this, it won't be long before distrust and damage force us to consider replacing email with something far more secure and reliable. Maybe something like Symphony, a communications product designed from the ground up to be secure. Symphony was created as a joint project by financial institutions fed up with the fact that they couldn't trust email. Maybe it is time for the rest of us to step up.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+