Steve Schlarman

Next Generation Security Operations: Flesh and Blood

Blog post created by Steve Schlarman on Mar 6, 2013

Years ago, companies had to worry about the “brick and mortar” threats – physical theft, property destruction, natural disasters.   Next, it was the “bits and bytes” threats – intellectual property theft, website defacement, denial of service attacks.   Now, there is a new element to our threat landscape – the “flesh and blood” threats.  I don’t mean personal physical attacks but rather attackers exploiting an individual for nefarious purposes.


Phishing is a well-worn arrow in the quiver of a would-be attacker.  Whether it is used to target a broad range of people or a single person, a phishing attack can have a devastating effect if executed properly.  Phishing attacks typically contain some tidbit of personal information that makes the attack even more persuasive.  With the advent of LinkedIn, Facebook, Twitter and the entire spectrum of social media, attackers have a comprehensive research library at their fingertips.  It doesn’t take long to construct business relationships via LinkedIn nor much effort to compile personal information from Facebook.


There is little companies can do about this threat except establish policies and increase awareness and training for employees.  An active education program for employees highlighting the daily risks they face as end users is core to a security program.  In addition to awareness campaigns, employees should have a clear escalation path for possible phishing attempts.  The garden-variety spam phishing emails should be stopped at the perimeter via email filtering or content analysis technologies.  However, once a message gets past that perimeter defense, users should know how to handle a possible email-borne threat.  If the communication contains some request for sensitive data or an action that is out of the ordinary (or maybe even in the ordinary but involving some escalated privilege or confidential information), employees should be trained to escalate or, at a minimum, verify the request through other mechanisms.  Too often, picking up the phone and making a call is a forgotten communication method in today’s E-society.


One thing to think about is validation processes around resetting passwords.  This process is exploited often to bypass security controls.   A common mechanism is the “question/answer” dance that hinges on the user and verifier having a common piece of confidential information to verify identity.   However, with today’s social sites, some of those validating pieces of information are no longer confidential.   High school mascot?  Easy to find.  Family names? Easy to find.   I once was part of a penetration test where we validated ourselves via an “ID” number that was deemed confidential.  The bad part about the ID number was it was used on the public website to identify associates in the company.  (Granted, the ID number was buried in the URL when doing an employee lookup and we guessed it was the employee ID number but it was a pretty solid guess.)


When thinking about the next generation of security operations, these tangential processes such as security awareness, end user escalation procedures and password reset processes need to be incorporated into the attack vectors of any threat assessment.  Processes such as these are important frontline defenses that need to be evaluated regularly.   When was the last time the procedures for password verification were reviewed?   How often does communication go out to employees reminding them of their security roles?   What data is used to verify employee requests?  Sometimes we can get mired down in protecting against the “bits and bytes” threats so much that the “flesh and blood” threats saunter right around the defenses.


One mechanism that can get these tangential processes identified and up to date is threat scenario modeling.  Engaging business contacts in a brainstorming session where different threat scenarios are modeled out can give great insight into vulnerable business processes.  It gives the business representatives a chance to play the adversary and gives the security team much to think about in terms of attack vectors.  This can build a strong dialogue between security and the business, not only to identify possible scenarios but also to bring more business context to the security controls.


I would be interested to hear if your security teams engage with the business or how these ‘social’ attack vectors are addressed in your company.  Feel free to give out ideas on how threat assessments, social media or the ‘flesh and blood’ in your company is impacting your security operations.