Monday, August 15, 2011

We fix Stupid!


Recently, I had a chance to meet with two very different and promising companies. One is a classic enterprise information security company going after the holy grail of risk management. The other is a small startup attempting to be the good cop of consumer privacy. Both are very successful.

Supposedly there is no connection between the two, right? While some tend to bundle privacy and security together (along with compliance), there is a clear distinction between them, not to mention the very different target markets (enterprise vs. consumer).

So why do I bundle the two?

Let’s take the enterprise risk management perspective first:

When observing some of the recent data breaches (e.g. the RSA incident), there is an interesting pattern. As we know, hackers target the weakest links in their quest for the prize. Occasionally these links are infrastructure vulnerabilities, but in many cases it is the ultimate weak link – the human factor.

It should not surprise anyone that it is much easier to enter a building through its main door (especially when you have the keys) than through a small, half-closed side window on the 5th floor. Since organizations will always give employees access to enterprise resources (so they can perform their work), all that is left for the hackers is to get the keys and use the main door. So why bother trying to hack enterprise-protected resources directly?

Without getting into lengthy explanations, what the bad guys do is create a “hit” list of employees with the right profile. Then they collect information about the selected targets, mostly using publicly available resources (such as the Wild Wild Web). Once enough information is collected, a targeted campaign is launched. In many ways this campaign is very similar to consumer phishing. During this process (a.k.a. spear phishing) users end up enabling the attacker to collect more information (which is not publicly available) and eventually to get the access they need.

Bottom line – an employee’s vulnerable consumer profile enables an attack on enterprise resources.

Now for the consumer privacy point of view:

Simply put, the objective of privacy tools is to control the amount of private information that is publicly available and, by doing so, to reduce the consumer’s attack surface.

Do I need to explain the linkage between these two companies/domains?

By protecting consumer-employees’ privacy, enterprises reduce their risk of being attacked.

A few things to keep in mind:
1. “All or nothing” solutions are never a good idea – they are simply not practical. Security solutions that attempt to solve “everything” traditionally fail (DLP is a good example). Instead of applying protective controls to all employees, we should apply the right controls only to the employees identified as “high risk” (relative to a defined threshold).
2. How do we define “high risk”? The risk is the enterprise’s risk, not the employee’s. It should be defined based on a combination of the employee’s enterprise profile (e.g. the systems he can access and his access level) and his consumer online profile vulnerability score (i.e. how exposed he is).
3. By no means am I promoting a “big brother” type of solution. Enterprises should not collect, manage or care about employees’ private information, only their online vulnerability score (the likelihood of being attacked).
4. Coming up with an online profile vulnerability score should be done by leveraging techniques similar to those of consumer privacy tools, or by emulating the hackers’ information collection process.
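The scoring idea in points 2 and 3 above, written out as an added illustration (this is my own example, not code from either company): the enterprise keeps only yes/no visibility flags and the score derived from them, never the private data itself, and combines that score with the value of what the account unlocks before applying a threshold. All weights, system names and employees are constructed sample values.

```python
from dataclasses import dataclass

# Constructed weights: how much each publicly visible attribute helps an
# attacker craft a convincing lure. Only the flags are used, never the data.
EXPOSURE_WEIGHTS = {
    "employer_listed": 2,
    "role_listed": 2,
    "work_email_public": 3,
    "colleagues_linked": 1,
    "personal_interests_public": 1,
}
MAX_EXPOSURE = sum(EXPOSURE_WEIGHTS.values())          # 9
ACCESS_LEVEL_WEIGHT = {"read": 1, "write": 2, "admin": 3}
MAX_SENSITIVITY = 5

@dataclass
class Employee:
    name: str
    systems: dict            # system -> (sensitivity 1..5, access level)
    exposure_score: float    # 0..1, the only "consumer" value retained

def exposure_score(indicators: dict) -> float:
    """Collapse boolean 'is this publicly visible' flags into a 0..1 score."""
    total = sum(w for k, w in EXPOSURE_WEIGHTS.items() if indicators.get(k))
    return round(total / MAX_EXPOSURE, 3)

def enterprise_value(systems: dict) -> float:
    """0..1: the most damaging system/access pair this account unlocks."""
    if not systems:
        return 0.0
    worst = max(sens * ACCESS_LEVEL_WEIGHT[lvl] for sens, lvl in systems.values())
    return round(worst / (MAX_SENSITIVITY * max(ACCESS_LEVEL_WEIGHT.values())), 3)

def risk(emp: Employee) -> float:
    """Enterprise risk: what the attacker would gain x how reachable the person is."""
    return round(enterprise_value(emp.systems) * emp.exposure_score, 3)

def high_risk(employees, threshold: float = 0.3) -> list:
    """Names of employees above the threshold; only they get extra controls."""
    return sorted(e.name for e in employees if risk(e) >= threshold)

# Constructed sample: alice is valuable and exposed, bob is exposed but holds
# nothing sensitive, carol is valuable but keeps a low public profile.
SAMPLE_EMPLOYEES = [
    Employee("alice", {"hr_db": (5, "admin")},
             exposure_score({"employer_listed": True, "role_listed": True,
                             "work_email_public": True})),
    Employee("bob", {"wiki": (2, "read")},
             exposure_score({k: True for k in EXPOSURE_WEIGHTS})),
    Employee("carol", {"finance": (4, "write")},
             exposure_score({"employer_listed": True})),
]
```

Running `high_risk(SAMPLE_EMPLOYEES)` flags only alice: bob's full exposure is harmless without access, and carol's access is hard to reach.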

And maybe someday some company will address this aspect of the human factor and be able to use the great tagline: “we fix stupid!”
