Wednesday, September 17, 2025

Security Now

It is Tuesday evening.  I am listening to Security Now.  If you are not, I recommend that you do so.  

Security Now features Steve Gibson, the provider of the personal pen test, ShieldsUP, and the author of the storage integrity program, SpinRite.  

I find myself passing over reports of problems, vulnerabilities, attacks and breaches.  I simply wait for Steve's weekly informed analysis.  Now, I admit it, I am both old and lazy.  If I applied what remains of my intellect, I might be able to distill from the media, perhaps, as much as ninety percent of what Steve does.  After all, what I lack in intellect, I make up for in experience.  Still, it turns out to be much more efficient for me to wait for Steve's articulate analysis than to do the work myself.  

Security Now is a weekly two hour podcast on the security and privacy issues of the week.  They pride themselves on being available everywhere in every format.  While I simply rely upon my YouTube subscription, you can expect to find it in your favorite place and format.  

I hope that you find the weekly two hours to be as valuable, efficient, not to say entertaining, as I do.  

Wednesday, September 10, 2025

iPadOS 26

The geeks have been militating to make iPadOS more like Mac OS, Android, or even like Windows.  This frightened me.  I take comfort from the fact that with iOS I am more than a click away from contaminating my system.  I take comfort from the fact that one can recommend iOS for children and people born before 1980. 

As beta releases of iPadOS 26 have become available, there have been reviews saying that the iPad is "ready for laptop duty," you "can finally ditch your mac," and "the iPad is a full-on computer now."  

Thank God!  All the hype to the contrary notwithstanding, one still "cannot change the core system or application code of iPadOS 26 directly through the user interface. Apple's operating systems, including iPadOS, are designed as a "walled garden" for security and stability. This prevents users from altering the compiled code, which is what the system and apps actually run on."  That from Apple; I could have saved myself a lot of angst if I had asked Apple in the first place.

Yes, the screen in 26 is much more like that of the Mac.  The windowing and multi-tasking are more like that of the Mac.  The file system is more capable.  There is a task bar with drop-down menus.   One can copy and paste from one app to another, indeed from one device to another.  One takes comfort in the fact that Apple first figures out how to do a feature or a function safely before adding it to the system.  

But the iPad is still an application-only computer.  It still uses purpose-built apps, nearly two million of them in the store.  It is still a closed system.  Program code is still hidden.  It is a system in which one can enjoy, in safety, most but not quite all of the benefits of the general purpose computer on which it is built.  Rest easy, Steve Jobs.


Monday, September 1, 2025

Attack Surface Management

Thanks to our colleague, Ben Carr, for the idea and the title of this post.  I wrote most of what follows in response to a post of his on LinkedIn.

The attack surface of the typical enterprise includes all the users as well as all the other resources.

I think about the desktop where most of the vulnerabilities are in system code, system code that dwarfs the applications.

I think about all the applications that are on that system that are rarely if ever used.  

I think about the orphan data and servers.

I think about the excess privileges that permit entire enterprises to be compromised starting with one user who clicks on bait in an e-mail or on a web page that he visits out of curiosity.  

So, one way to manage the attack surface is to reduce it.

  • Remove unused user IDs.  Reverify and reauthorize users at least annually.  
  • Remove unused or rarely used applications or services.
  • Install only what you really need.
  • Prefer purpose-built apps to general and flexible facilities (e.g., browsers, spreadsheets, word processors).
  • Hide systems, applications, services, and sensitive data behind firewalls and end-to-end application-layer encryption.
  • Employ restrictive access control (i.e., least privilege, zero-trust, "white-list") at all layers.
  • Scan and patch only what is left (i.e., that which can be seen by potentially hostile people and processes).
  • Other.
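As an added illustration of the list above (example code written for this page, not part of the original post), the following script applies the first, sixth and seventh items to a small constructed inventory: it flags user IDs that are unused or overdue for annual reverification, flags privileged group memberships that are not being exercised, marks unused exposed services for removal, and computes the reduced scope that remains to be scanned and patched. The host names, user IDs, dates and the 90-day "rarely used" threshold are assumptions for the example.

```python
"""Attack-surface review over a constructed inventory (added example).

Applies the reduction list to accounts and network services and produces
removal candidates, re-verification reminders, and the reduced set of
services that are still visible and therefore still need scanning and
patching.  Hosts, user IDs, group names and dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

TODAY = date(2025, 9, 1)                 # fixed reference date: results are reproducible
STALE_DAYS = 90                          # assumed "rarely if ever used" threshold
REVERIFY_DAYS = 365                      # reverify and reauthorize at least annually
PRIVILEGED = {"domain-admins", "root"}   # assumed names of privileged groups


@dataclass(frozen=True)
class Account:
    user_id: str
    last_login: date | None              # None: never logged in
    last_reauthorized: date
    groups: frozenset[str]


@dataclass(frozen=True)
class Service:
    host: str
    name: str
    port: int
    exposed: bool                        # reachable from potentially hostile networks
    last_connection: date | None         # None: no connection within log retention


# Constructed inventory (hypothetical hosts and users, not real systems).
ACCOUNTS = (
    Account("alice", date(2025, 8, 30), date(2025, 1, 15), frozenset({"users"})),
    Account("bob", date(2025, 2, 1), date(2024, 6, 1), frozenset({"users", "domain-admins"})),
    Account("svc-legacy", None, date(2023, 3, 3), frozenset({"users"})),
    Account("carol", date(2025, 8, 31), date(2025, 7, 1), frozenset({"users", "domain-admins"})),
)
SERVICES = (
    Service("web01", "https", 443, True, date(2025, 8, 31)),
    Service("web01", "ftp", 21, True, date(2025, 3, 10)),
    Service("db01", "postgres", 5432, False, date(2025, 8, 31)),
    Service("old-app", "telnet", 23, True, None),
)


def idle_days(last: date | None, today: date = TODAY) -> int | None:
    """Days since last use, or None when there has been no use at all."""
    return None if last is None else (today - last).days


def is_stale(last: date | None, today: date = TODAY) -> bool:
    """Unused means never used, or not used within STALE_DAYS."""
    d = idle_days(last, today)
    return d is None or d > STALE_DAYS


def review_accounts(accounts=ACCOUNTS, today: date = TODAY) -> dict[str, list[str]]:
    """Map each user ID to the actions the reduction list calls for (empty = none)."""
    findings: dict[str, list[str]] = {}
    for a in accounts:
        actions = []
        if is_stale(a.last_login, today):
            actions.append("remove-unused-id")
        if (today - a.last_reauthorized).days > REVERIFY_DAYS:
            actions.append("reverify-overdue")
        # Excess privilege: a privileged membership that is not being exercised.
        if a.groups & PRIVILEGED and is_stale(a.last_login, today):
            actions.append("drop-unused-privilege")
        if actions:
            findings[a.user_id] = actions
    return findings


def review_services(services=SERVICES, today: date = TODAY) -> dict[tuple[str, str], str]:
    """Classify each service: remove it, leave it hidden, or keep it in patch scope."""
    verdict: dict[tuple[str, str], str] = {}
    for s in services:
        key = (s.host, s.name)
        if is_stale(s.last_connection, today):
            verdict[key] = "remove-unused-service"
        elif s.exposed:
            verdict[key] = "scan-and-patch"          # only what remains visible
        else:
            verdict[key] = "already-hidden"          # behind the firewall already
    return verdict


def patch_scope(services=SERVICES, today: date = TODAY) -> set[tuple[str, str]]:
    """What is left to scan and patch once the reduction has been applied."""
    return {k for k, v in review_services(services, today).items() if v == "scan-and-patch"}


if __name__ == "__main__":
    for user, actions in review_accounts().items():
        print(f"{user:12} {', '.join(actions)}")
    for (host, name), verdict in review_services().items():
        print(f"{host}/{name:10} {verdict}")
    print("patch scope:", sorted(patch_scope()))
```

Run against the constructed inventory it reports bob (idle, overdue, holding an unused admin membership) and svc-legacy (never used, overdue) as candidates, marks the idle FTP and Telnet listeners for removal, and leaves only web01/https in patch scope; in practice the inventory would come from the directory, the firewall and the connection logs rather than literals.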

Thursday, August 21, 2025

Employee Resistance to New Controls

One of the reasons that our security is as bad as it is, is the perceived resistance of employees to new, or even changed, controls.  Why is it that even enterprises that offer strong authentication to customers still rely upon fraudulently reusable passwords, vulnerable to social engineering, for employee authentication?  Employees continue to rely upon passwords even though they are implicated in more than half of all breaches and even though many strong authentication solutions are much more convenient than passwords.  Could it be, at least in part, that management wants to avoid the inevitable employee whining that accompanies any and every change in controls?

It's true!  Many, not to say most, employees do whine and complain over any change in controls.  Even good managers are deterred from such changes by such resistance.  The good news is that most of the resistance only lasts a day or two.  Even those who complained the earliest and loudest get over it in a day or two.  They do not continue to resist what they quickly come to see as inevitable.  

Oh, it's true, a few continue to complain.  Let's face it, they were not happy yesterday, they will not be happy tomorrow, their happiness is not within management's control.  They are grievance collectors.  Failing to do the right thing in an attempt to quiet their complaints is futile.  Get over it.  Do the right thing.  

Thursday, May 22, 2025

Increase in Identity Fraud

A recent report from TransUnion, https://tinyurl.com/TransunionFraudReport, suggests a disturbing increase in credit fraud using both synthetic and stolen identities.  Here are my thoughts.

There is no more important rule in banking than "know your customer."  Unfortunately, this works against the pressure for new accounts.  Every banker must learn to balance these.  

My credentials folder begins with my birth certificate and my Social Security Card, but also contains my high school diploma, my military discharge, my college degree, my passport, REAL ID driver's license, my Global Entry Card, my health insurance card and Medicare Card, my certificate of retirement from IBM, my Naval Postgraduate School Identity card, my professional certification, and two Club Identity cards.  There is a spreadsheet listing all the credentials with their issue date, and the name and address of the issuing authority.

Any and all of these documents are available to support any application that I might make.  While any of them might be forged, the chances that the collection is forged are vanishingly small.  While few people have all these documents, most have some of them.  

Most of the issuing authorities can be queried to test the accuracy and authenticity of the document.  While some of the documents were issued in the analog age, most of the issuers now use digital systems and records.  They could all offer an online verification capability at low cost or even at a profit like the credit bureaus.  While it is unlikely that all issuing authorities will ever offer such a service, the numbers will increase as costs go down and value increases.  

These documents speak only to my identity and existence, not to my character, capacity, and collateral.  For those one must look to the plethora of data about me held by the commercial, financial, and other institutions with which I do business and can use as references.  Many, not to say most, of these are customers of and contributors to the credit bureaus that record and sell my credit history.

In short, there is a plethora of evidence that lenders can rely upon to know their customers.  There will always be some bad lending decisions, some the result of fraud.  Tolerating a small amount will always be more efficient than eliminating it all, but striking the balance is what bankers are paid to do.

Friday, May 16, 2025

Insider Risk (not Threat)

Over the last decade the media has been full of "threat," almost to the exclusion of "risk."  It should not surprise anyone that insider risk has been written of as "insider threat."  It is true there is a small threat from insiders, but it has a very low rate of occurrence.  The real concern for insiders arises from consequences, not threat.  The high-rate threat comes from outside, not inside.  Outsiders damage the brand; insiders bring down the business.  The threat is from the outside, risk from the inside.

Most of our employees really do want to do their jobs.  In the rare cases where they fail it is more likely to be accidental rather than malicious.  "The dummies have it, hands down, now and forever."  No matter how damaging, mistakes tend to be overlooked, accepted as normal and unavoidable, and forgiven.  Even malice is more likely because of a management failure to train, supervise, and reward, rather than a failure of motive on the part of the employees.  

Conrad Hilton, the founder of Hilton Hotels, used to display in his guest rooms what he called the Eleventh Commandment, "Thou shalt not tempt."  My favorite ethical test is, "Nice people do not do that."  I learned my second favorite ethical test at Nortel in Canada.  When I asked my client to describe Nortel's ethical culture he said, "Behave as though your mother were watching."  Good managers watch like "Mother."  

Malicious insiders may be needy, greedy, or disgruntled.  The needy or greedy resort to fraud and embezzlement, while the disgruntled lean toward destruction.  Even the fraud may be rooted in part in a failure of management to properly address error.  The employee makes a mistake; no one notices.  He repeats it and again no one notices.  He begins to think that a deliberate act, one in the direction of his benefit, may similarly go unnoticed.  

Watch for good numbers.  If the numbers are too good to be true, they are not true.  

The disgruntled employee is most likely upset because he believes that his worth and his contribution to the enterprise have not been properly recognized and rewarded.  However, that feeling did not occur suddenly.  He did not go home happy on Tuesday night and come in and take the place apart on Wednesday morning.  The disaffection grew slowly over time.  It likely did not go unnoticed.  His managers likely knew that he was not happy but had delayed taking action until it was too late.  Perhaps please, thank you, and attaboys are the most efficient controls.  While not a substitute for proper compensation, they do not cost much.  

Speaking of proper compensation, the higher up the management chain, the more important it becomes.  It must take into account the economic contribution of the scope managed.  It must also take into account the economic discretion that the officer exercises.  One of the reasons that we see corruption in government is that officials are not compensated in proportion to the power and influence that they exercise.  While such compensation may be hard to justify politically, it does work to limit corruption.

While management tends to worry about IT, and IT failures get the media attention, most fraud takes place in business applications.  Workers steal where they work, e.g., accounts payable and receivable, payroll, goods, inventory, credit.  IT people are more likely to convert capacity than to manipulate business applications.  

While management tends to focus on those engaged in low-level routine, think clerks and tellers, the real damage comes from officers and professionals.  Tellers steal small and are caught early.  Officers steal big and may not be caught for years.  However, one must take into account the power and fragility of IT when managing employee satisfaction and morale.  

Few embezzlers started out to steal big.  They started small but it was not detected: temptation. It became habitual and grew in magnitude over time.  Early detection and correction is essential.  

One last thought before we go.  The most effective control over insider risk is management supervision.  Everyone deserves to be supervised by someone who knows enough to understand and appreciate what they do.  On the other hand, automated controls and procedures are often more efficient than expensive supervision.  While we use them because they are efficient, they are effective only in the presence of good management.  They are hardly ever effective in controlling managers and executives.  

In summary, think risk not threat, error before malice, business before IT, managers and executives before tellers and clerks, supervision before automation.  

Wednesday, April 30, 2025

Where to Spend your Next Security Dollar

Strong Authentication

At least two kinds of evidence, at least one of which is resistant to replay.  Mandatory for all but the most trivial systems and applications.
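The following is an added example (written for this page, not code from the post) of the two-factor rule above: a password is the first kind of evidence and a time-based one-time code (TOTP per RFC 6238, built on HOTP per RFC 4226 and implemented here with the standard library only) is the second. The replay resistance comes from the server remembering the last time step each user consumed, so a captured code is refused even while it is still inside its validity window. The user name, password, shared secret and the one-step clock-skew allowance are assumptions for the example; the shared secret is the RFC 4226 test key so the one-time codes can be checked against the published vectors.

```python
"""Two-factor verification with a replay-resistant second factor (added example).

A password check (PBKDF2) plus a TOTP code; the last time step successfully
used by each user is recorded so the same code cannot be accepted twice.
User names, passwords and the shared secret are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time

TIME_STEP = 30      # seconds per TOTP step (RFC 6238 default)
WINDOW = 1          # accept one step either side of "now" to absorb clock skew
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class Authenticator:
    """Per-user password hashes, TOTP secrets, and the last time step consumed."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def enroll(self, user: str, password: str, secret: bytes) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = {"salt": salt, "pw": pw_hash, "secret": secret, "last_step": -1}

    def verify(self, user: str, password: str, code: str, now: int | None = None) -> bool:
        """Both factors must pass, and a time step may be consumed only once."""
        rec = self._users.get(user)
        if rec is None:
            return False
        now = int(time.time()) if now is None else now
        # Factor 1: something the user knows (constant-time comparison of the hash).
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, rec["pw"]):
            return False
        # Factor 2: something the user has, with replay resistance.
        current = now // TIME_STEP
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step <= rec["last_step"]:
                continue                # already consumed: a replayed code lands here
            if hmac.compare_digest(hotp(rec["secret"], step), code):
                rec["last_step"] = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 4226 test key, constructed use only
    auth = Authenticator()
    auth.enroll("alice", "correct horse battery staple", secret)
    now = int(time.time())
    code = totp(secret, now)
    print("first use:", auth.verify("alice", "correct horse battery staple", code, now))
    print("replay   :", auth.verify("alice", "correct horse battery staple", code, now))
```

The password alone is reusable, so a phished or keylogged copy keeps working; the one-time code is bound to a 30-second step and, once a step has been consumed, even a code captured in transit during that step is rejected. A production deployment would store `last_step` durably and per device, and would rate-limit failed attempts.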

Privileged Access Management

Limited number of uniquely identified, authenticated, accountable, and supervised privileged users (no sharing of IDs or passwords).  Mandatory for all large enterprises, recommended wherever there must be more than one privileged user.

Document Management System

A system, process, or database to capture, track and store electronic documents such as PDFs, word processing objects, and digital images of paper-based content, providing accountability for all content, changes, and access or use.  Mandatory for intellectual assets (IP), personally identifiable information (PII), client, customer, and employee relations, or financial records; recommended for all confidential or sensitive information.  

Structured Network

Layering of your network such that user to application, application to application, server to server, and server to file and storage system communications are isolated from one another, such that any layer to layer communications require additional authentication and privileges or capabilities.  This can be implemented using wiring and "firewalls," or cryptography (e.g., VPNs, software-defined networks (SDNs)).  Recommended for all large enterprises.