Security Achilles’ Heel

June 6, 2012

All the software and audit and compliance in the world is useless when a single person opens the door for the Big Bad Wolf to waltz in. Yes, code review is important. Absolutely, audit is essential. And without a question, process can save lives. None of that matters if the person entrusted with the key is readily duped by conversation. Social engineering is the granddaddy of security risks. Sadly, technology has yet to come up with the panacea for stupidity. Just look at what happened to CloudFlare.

Someone convinced an AT&T technician to re-route the subscriber’s cell phone to a fraudulent voicemail box. No code hacking, no PBX re-programming. No physical breach of wires. The heavy lifting in this breach involved conversation. The first of four dominoes fell, as seen on this timeline, when unauthorized access was granted, by an employee, to some untrusted outsider. Sure, there are clearly flaws in Google’s 2FA; they’ve admitted that. And CloudFlare’s auto-cc of administrative email containing sensitive information, that’s just bad practice all around. However, those attack vectors couldn’t have been so handily exploited without the initial ability to redirect the trusted channel of communication.

There are plenty of technical discussions elsewhere, about code and process and race conditions ad nauseam… but the bottom line is this: the weakest link is “people”, and exploiting people’s behavior has been security’s greatest foe since walls were made of stones. More technical solutions won’t fix this. In fact, increased complexity and the ensuing decrease in usefulness will only create additional opportunities for human error. Awareness, instinctive or trained comprehension, is likely the only way to counter being talked into unlocking the door.

Eddie is a technology enthusiast and a blogger, now, who loves all things Internet and mobile, as if those were two separate things. As part of feyn.com, he's looking to battle the forces of evil, fight crimes and purchase security upgrades to the Metaverse.