If you’re like me, you’ll be aware of the obvious dangers of using the same logon name and password for different websites – but often fall into the bad habits anyway.
Mark Zuckerberg did. That’s why after logons from the 2012 LinkedIn hack eventually found their way on to the black market, the Facebook boss temporarily lost control of his Twitter and Pinterest accounts. Of course, the damage is worse when a bank account logon, work password or email password is involved (email being a treasure trove of passwords and other details; just ask hapless users of Yahoo Xtra mail).
A password manager
One solution is to use a password manager – a piece of software that automatically generates a different, random password for each site and then remembers them all. You only have to remember one password: the master password that unlocks the password manager itself.
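To make that concrete, here is a sketch of what a password manager does behind the scenes. It is an added example written for this page, not code from the article or from any of the products it names. It generates one independent password per site from the operating system's cryptographic random source, turns the master password into a key with a slow, memory-hard function (scrypt) so that a stolen vault file is expensive to attack offline, keeps only a verifier of that key rather than the password itself, and flags any password used on more than one site. The character set and the scrypt parameters are assumptions chosen for the example; entries are held in memory only, and the on-disk encryption a real vault would add (an authenticated cipher keyed from the derived key) is left out.

```python
"""Core of a password manager, as a sketch: one random password per site,
a master password that is never stored, and a reuse check across entries.
Entries are held in memory only; a real vault would encrypt them on disk
with an AEAD cipher keyed from derive_key(), which is omitted here."""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional

# Character set for generated passwords (assumption: chosen for this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"

# scrypt work factors. Assumption: kept small so the example runs quickly;
# a production vault would use a larger N (memory cost) than 2**14.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw an independent password from the OS CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Memory-hard KDF: whoever steals the vault file must pay this cost
    for every master-password guess."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class Vault:
    """Per-site passwords protected by a single master password."""

    def __init__(self, master_password: str) -> None:
        self.salt = secrets.token_bytes(16)
        key = derive_key(master_password, self.salt)
        # Store only an HMAC of a fixed label under the derived key: enough to
        # recognise the right master password, useless for recovering it.
        self.verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
        self.entries: Dict[str, str] = {}  # site -> password

    def unlock(self, master_password: str) -> bool:
        """Check a master password without ever having stored it."""
        key = derive_key(master_password, self.salt)
        candidate = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
        return hmac.compare_digest(candidate, self.verifier)  # constant time

    def add_site(self, site: str, password: Optional[str] = None) -> str:
        """Store a password for a site, generating a fresh one if none is given."""
        chosen = generate_password() if password is None else password
        self.entries[site] = chosen
        return chosen

    def reused_passwords(self) -> Dict[str, List[str]]:
        """Map each password used on more than one site to those sites."""
        sites_by_password: Dict[str, List[str]] = {}
        for site, password in self.entries.items():
            sites_by_password.setdefault(password, []).append(site)
        return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    vault = Vault("correct horse battery staple")
    print("unlock with right password:", vault.unlock("correct horse battery staple"))
    print("unlock with wrong password:", vault.unlock("hunter2"))
    linkedin = vault.add_site("linkedin.com")      # generated, 20 characters
    vault.add_site("twitter.com")                  # independent password
    vault.add_site("pinterest.com", linkedin)      # the same password twice
    print("reused:", vault.reused_passwords())
```

The reuse check is the part that would have caught the LinkedIn-to-Twitter problem described above: the vault knows every password it holds, so it can tell you which ones you have copied across sites, and it can replace them with generated ones that share nothing.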
But which password manager is best? I put this question to Microsoft worldwide security lead Chris Jackson during his visit to Auckland this week for his company’s Ignite conference. I was intrigued which solution a hardened industry veteran would plump for.
His choice of password manager was KeePass – actually a free, open source product rather than Microsoft software (LastPass and Dashlane are also worth checking out).
His broader point, however, is that humans are inherently lazy creatures – and his solution is not to fight it.
More on this shortly. First, a bigger question. Ian Apperley (see facing page) says security could be automated, and that the “shortage” of people to fill security roles is hype and scare-mongering.
True?
Mr Jackson agrees, up to a point.
“Today’s threats – in a few years I think we can automate our reaction to them,” he says.
“We’ve got machine learning we can already apply to do detective controls and to shut down threats a lot more quickly than we ever could historically. That’s happening.
Takes a human to stop a human
“But the thing is, we’re also going against a human adversary – which has an upside and a downside. The upside is: ‘the other side are humans’ – and we tend to be lazy; we’d rather not do more work than we need to. That’s why people still do credentials theft – because it still works. The downside of the fact we have a human adversary is that when they decide to start working, humans can be quite clever and think of ways that we would never dream of to get into a place,” he says.
“When they’re looking at an adversary, attackers tend to think about cracks: they only need one way in. Defenders tend to think in boundaries and lines. It’s a change in mindset to think: how do I consider all the possible ways what I’m trying to protect could be attacked. The adversary is not going to follow the rulebook.”
But while you can be clever, and lock things down tight, your staff can be lax and, well, sometimes not that bright.
Mr Jackson relates a test in which 100 users were sent a phishing email (an email that pretends to be from, say, a bank, asking you to supply logon details). Twelve happily coughed up their logon.
How do you protect against passwords being stolen?
A common way these days is to give people the option of “two-factor authentication.”
For example, your accounting software app might give you the option to enter not just a password but also a verification code that gets texted to your phone (and indeed that’s what Xero did after its customers were hit by a rash of phishing scams). That’s more secure, because a stolen password alone is no longer enough, but it is also a hassle – and over time, people have a strong tendency to choose convenience over security.
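The texted-code step has a server side that is easy to get subtly wrong. The following is an added example for this page, not Xero’s or anyone else’s code: it shows the checks a verification service needs once the password step has passed. A fresh numeric code is drawn from a cryptographic random source, only a keyed hash of it is kept (so a leaked table of pending codes cannot be used directly), and verification is constant-time, single-use, time-limited and capped at a small number of guesses, since a six-digit code with unlimited attempts is no defence at all. The secret, the five-minute window and the attempt limit are assumptions chosen for the example.

```python
"""Server side of a texted one-time code, the second factor described above:
issue a short-lived numeric code, keep only a keyed hash of it, and verify it
in constant time with single use, an expiry and a guess limit."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict

CODE_DIGITS = 6          # what fits in an SMS and in a human's patience
CODE_TTL_SECONDS = 300   # assumption: five-minute validity window
MAX_ATTEMPTS = 5         # 5 guesses out of 10**6 codes: about 0.0005% chance


class OneTimeCodes:
    """Issue and check one-time codes for a login that has passed the password step."""

    def __init__(self, server_secret: bytes,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = server_secret          # keys the stored hashes; server-side only
        self._clock = clock                   # injectable so expiry can be tested
        self._pending: Dict[str, dict] = {}   # user -> {"hash", "expires", "attempts"}

    def _hash(self, user: str, code: str) -> bytes:
        # Keyed hash: a copy of the pending table is useless without the secret.
        return hmac.new(self._secret, f"{user}:{code}".encode("utf-8"),
                        hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for the user; the caller sends it out of band (SMS, app)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "hash": self._hash(user, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # never log or store this plaintext

    def verify(self, user: str, code: str) -> bool:
        """True exactly once for the right code; False if wrong, expired, exhausted or unknown."""
        record = self._pending.get(user)
        if record is None:
            return False
        if self._clock() > record["expires"]:
            del self._pending[user]            # expired: the user must request a new code
            return False
        record["attempts"] += 1
        ok = hmac.compare_digest(self._hash(user, code), record["hash"])
        if ok or record["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]            # single use, and lock-out after too many guesses
        return ok


if __name__ == "__main__":
    service = OneTimeCodes(b"example-server-secret")
    code = service.issue("alice")
    print("wrong guess accepted:", service.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted:", service.verify("alice", code))
    print("replayed code accepted:", service.verify("alice", code))
```

The three deletions in verify are the point: a code that has been used, has expired, or has absorbed too many guesses is gone, so the attacker who phished the password still has to obtain a live code from the victim's phone within the window and on the first few tries.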
Microsoft’s solution for multi-factor security is the Windows Hello and Microsoft Passport technologies that form part of Windows 10.
The idea is to have two different security steps to log on to Windows or access a secure Microsoft service, but to make them as painless as possible. You can, for example, combine a four-digit PIN with biometric recognition such as a fingerprint scan or a camera that supports infrared facial recognition.
“You want to make it as hard as possible to do the wrong thing but as easy as possible to do the right thing,” Mr Jackson says.
Of course, the Microsoft security lead is also focussed on more complex security concerns higher up the food chain, but broadly speaking his thinking is the same: allow for human frailty, and think like an attacker looking for gaps.
He talks about a network admin who runs their personal email on a computer that’s supposed to be hardened and locked down, or a development site that lacks the full-blooded security of a company’s real website. A patient hacker could sabotage code on a development site, then wait for it to be introduced to a main site.
The world getting better, or worse?
Mainstream media often make the cloud seem a scary place, susceptible to hackers and thieves.
Is it right? Is security becoming more of an issue?
Mr Jackson notes that over the past few years, the hacker threat has graduated from “script kiddies” to organised crime and now governments.
The threats are definitely getting more serious and yet, “Well it still all works, doesn’t it?” Mr Jackson says.
For several hours last Saturday, New Zealand time, large parts of the internet became unreachable for millions of users on the east coast of the US as a distributed denial of service (DDoS) attack swamped Dyn, a domain name system (DNS) provider whose servers act as a kind of switchboard for the internet, translating site names into network addresses. Hundreds of sites, including Twitter, Netflix and SoundCloud, were not themselves attacked; because Dyn could not answer lookups for their names, browsers could not find them, and they appeared slow or outright inaccessible.
It is not clear who was behind the attack, but its signature feature was the use of a very large number of gadgets in the so-called “internet of things” – from internet-connected security cameras to baby monitors – hijacked and used as the bots that generated the flood of traffic. It was one of the first large-scale DDoS attacks of that kind.
Like other security experts, Mr Jackson is extremely wary about the sudden proliferation of everyday objects that are being given internet connectivity.
“Your Philips LED light can become a weapon used against you,” he says.
“The reality is we’re running all kinds of devices that are not secure.”