Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 5: moving towards proactive controls 3

Posted in business and convergent technologies by Timothy Platt on March 4, 2013

This is my fifth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4.)

I concluded Part 4 by stating that I would focus on phishing and its more specifically targeted variation: spear phishing in this posting, and on related personalized cyber-attacks. With these threats, I move away from malware and predatory software per se, to add in an approach to cyber-crime that more directly targets the legitimate computer and systems user, that is often referred to as cybercrime’s version of behavioral engineering.

To put behavioral engineering in perspective for this, consider a password protected secure access system where all legitimate system users have login names and passwords assigned to them. A cybercriminal using behavioral engineering approaches might approach a legitimate user in ways and in a context that would instill trust, or at least allay concerns, and then talk them into sharing their login and password. Stated as such, that sounds unlikely. Now consider the following admittedly simplified scenario:

• Bob enters a business’ home office, ostensibly to deliver a package, and once inside walks out of the area where deliveries would normally go. If he is caught he simply says he was looking for a rest room, and then proceeds on in the general direction pointed out to him.
• He has done his homework on this business and its information security and management systems and knows that logins are almost always developed in a lastname.firstinitial format. And he has reason to believe that people in Marketing and Communications would all have access to a database that he is interested in and that they would all have logins to the system he needs to breach to get into it.
• If he is not sure where Marketing and Communications is, he asks, acting like a new hire. Then once in the right area he looks for a cubicle with a name plate showing, and with its occupant there and busy. He may very well have already done some homework via social network site research on who works there, so he would have starter information as he looks for a specific employee to target here.
• He walks over to a selected employee and cubicle and identifies himself by name as having come from Information Technology, and he says that he is there to do some follow-up work regarding a security vulnerability patch that at least should have been uploaded to the user’s computer.
• He asks for the user’s login and password, repeating their name when doing so, and if his request is answered, he gets what he was looking for.
• If not, he says that this employee is being careful and that this is good, and asks if he can just sit at the computer and check to see if the security patch went in correctly from the day before “because there were some glitches reported and we want to make sure this is all working.” He asks his mark – this employee whose computer he is trying to compromise – to log into his desktop “and I won’t look so your password will stay your secret,” and if he can get in this way he sits down, looks briefly through the command line screen – at essentially anything – and gets out, after he has briefly plugged in a flash drive and downloaded a keystroke logger.
• Now he can get anything and everything he wants. And he smiles and thanks his victim and leaves.

Behavioral engineering in this sense is all about convincing people with legitimate access to share information that they know as a matter of basic principle they should keep confidential. And this brings me to phishing and spear phishing and related attacks. Think of them as following the same basic path of deception and misdirection that the above example outlined – but via email. Phishing attacks are generic and follow a more “to whom this may concern” approach. Spear phishing attacks are personalized and even exquisitely personalized, and add in particular individualized information as a hook that has been developed from social media and other sources. So a spear phishing attack will spoof its source so that it appears to have come from a trusted friend or colleague; it will be individually addressed to the target recipient by name; it might even convey a highly individually appropriate message as a call to action to click on a link or otherwise activate an attack.

I said “phishing and spear phishing and related attacks” above, and note here that what works face to face and via email can also be developed, refined, used, and used successfully via essentially any other online or other cyber-channel available.
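The spoofed-source pattern described above can be caught at the mail gateway before anyone has to exercise judgment. The following is an added example, not code from the original post: it checks whether a message's From display name matches a known colleague while the actual address domain does not, and whether Reply-To has been redirected elsewhere. The contact directory and the two sample messages are constructed for this illustration.

```python
"""Header-level spoofed-sender indicators for the spear-phishing pattern
described above. Added example; directory and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of known colleagues: display name -> expected domain.
KNOWN_CONTACTS = {
    "alice chen": "example-corp.com",
    "bob rivera": "example-corp.com",
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like it spoofs a trusted sender.

    An empty list means no header-level indicator fired; it is not proof
    that the message is safe, only that this particular check passed."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []

    # Display name of a known colleague paired with a foreign domain.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and _domain(addr) != expected:
        reasons.append(
            f"display name '{name}' is a known contact but address domain "
            f"is '{_domain(addr)}', expected '{expected}'"
        )

    # Replies silently routed to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        reasons.append(
            f"Reply-To domain '{_domain(reply_addr)}' differs from "
            f"From domain '{_domain(addr)}'"
        )
    return reasons


# Constructed sample messages: one genuine, one imitating a colleague.
LEGIT = ("From: Alice Chen <alice.chen@example-corp.com>\n"
         "To: dana@example-corp.com\nSubject: Q3 numbers\n\n"
         "Hi Dana, numbers attached.\n")
SPOOFED = ("From: Alice Chen <alice.chen@example-corp-mail.net>\n"
           "Reply-To: helpdesk@mailbox-verify.example\n"
           "To: dana@example-corp.com\nSubject: Dana, quick favour\n\n"
           "Dana, can you click the link and confirm your login?\n")
```

Run in a gateway filter, a non-empty result is a reason to quarantine or tag the message rather than rely on the recipient noticing the domain.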

At this point I reiterate my second principle for developing a more proactive information security system, as repeated from Part 4:

2. These systems need to be automated and to be able to function without active involvement or oversight from computer or system users. And any modification of automated ongoing functioning and performance in systems security – any overrides of security measures taken, would have to be intentionally and actively triggered on the part of the user and on a case by case basis. The default setting should be security-focused.

But I add that behavioral engineering is designed very specifically to create exposure paths that bypass anything like simple systems automation or process and procedure standardization. It is all geared towards convincing a user to in fact make an exception: to turn off, or turn away from, the automated, standardized, and taught secure practice.

I am going to follow this with a discussion of information systems and of the need to develop approaches that integrate security across all organizational levels and subsystems in an overall information system, and with safeguards in one part of the system designed to help monitor for risk and attack in connected levels and subsystems. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and at its continuation page, Ubiquitous Computing and Communications – everywhere all the time 2.
