Protect Your Assets

From curiosity to convenience...why security keeps getting harder, pt. 2

markpainter ‎10-16-2013 11:22 AM - edited ‎07-07-2015 09:33 AM

Every year our job gets easier. Between Facebook, Instagram & Flickr, people are surveilling themselves - Agent Coulson


Marissa Mayer, CEO of Yahoo, recently revealed that she doesn't use a passcode on her phone. In a nutshell, it's too annoying for her to log in 15 times a day. I understand that, because I don't use one for exactly the same reason. However, I'm not the head of a multi-billion dollar corporation who, I have to imagine, has access to more important things on her phone than Words with Friends. It's simply a matter of risk management. Mine is relatively low. Hers, not so much.


Security is already getting harder for a variety of reasons. Thinking of what could happen if she lost her phone (pwned in a matter of seconds if 'recovered' by the wrong person) reminded me that the most underrated element of any successful security program is more often than not the human one. I frequently tell audiences that it's only a matter of time before an application exploit causes physical damage in the real world. A host of exploits, ranging from overheating web-enabled coffee makers to causing pacemaker malfunctions, have already been well documented. However, the converse, using physical means to defeat digital security, especially via social engineering, is already here. Because as much as applications are the weak link in IT environments, humans are still the weak link in the security ecosystem.


Rapid7 recently found this out the hard way when a spoofed change request form faxed to their domain registrar allowed their domain to be hijacked. The bitter part of that lesson was that it would be a stretch to say it was their fault, yet they suffered the consequences regardless. There are myriad other examples. An extreme version involves tailgating smokers and bypassing badge requirements to gain access to buildings. How hard would installing malicious software on a network really be in that situation? But in most instances, using physical means to further their agenda still requires no or extremely limited risk on the part of the attacker. I wrote an article a couple of years back about how often thumb drives with corporate logos, dropped in parking lots, are found and subsequently plugged in (90%!), and it still remains relevant today. Even hotel card reader exploits are relatively low risk, all things considered.


The vast majority of any successful hack is reconnaissance and information gathering. Hackers do their homework, in other words. With social media now providing a blueprint, we'll see more focused attempts at using physical means to install malicious software. For instance, if I tweeted that I went to a specific concert, and I just happened to receive a free promotional CD in the mail the following week, I wouldn't think twice about playing it. It would be easy to assume it came from Ticketmaster or Columbia or whomever. And therein lies the problem. From curiosity to convenience, one of the reasons the complexity and difficulty of security keeps increasing is that we keep making it harder. The fault, dear Brutus, is not always in our security…it's often in ourselves.
