Security isn't Natural
Humans are social beings; we need the collaboration and connection of our communities. These communities can be local, or, in many cases such as my own, online; our online communities are vital to maintaining mental health and wellbeing. To feel a sense of value, I need to have mutually beneficial relationships*. Be it talking to a friend, a colleague, or my partner, I need to know that the value I receive is mirrored back. Because of this need for collaboration, we seek out others in the hope that they too have positive and constructive motivations.
Looking at a few examples of solutions we use daily, you can see the clear disconnect between security and the system’s design:
When IP addressing was created, it wasn’t expected to evolve into the vast connectivity solution it is today; it was used for** connections within the U.S. government***. Only later did it develop into the system we recognise today. Now the internet is everywhere, and our lives, at least from a social perspective, are almost always connected.
Simply put, the IPv4 address space is limited to fewer devices than we have connected today, and it came with almost no form of security. Currently, most homes have public and private addresses, meaning that when you connect externally, you appear as a single address. This adds a small layer of privacy, though not really and not that well. It wasn’t designed for how we use it today.
Why is the internet such a massive, disorganised and, for some, scary place? Because it was never designed for untrusted connections; the original design was for trusted organisations. No one seemed to have thought that the other side might have malicious intentions and therefore might need to be subject to restrictions and controls.
As you can imagine, adding security and privacy later on has come at a cost to the individuals trying to access, and navigate the complexity of, that connectivity. In more cases than we’d like to admit, it has also reduced adoption of those security and privacy controls.
I was once told that email was never intended to be used for continuous daily communication; if you’ve worked in a corporate environment, you would likely agree. I have found email not only cumbersome but also frequently treated as legitimate communication with more integrity than it deserves.
The way email works, in a highly simplified way, is this: you send an email from, let’s say, Server A. Server A says to Server B, ‘hey, I want to send you something, can we send using a recognised encryption standard?’ If Server B has this enabled, it will say ‘sweet’ and accept the email. But in some cases Server B might not have this, and the email is then sent in clear text. (Read how a malicious actor can exploit this in a TLS downgrade attack****)
Yes, by default, email servers will do this, so by default email isn’t a secure communication channel. However, as you read the email, the assumption is that it is secure.
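The exchange described above, written out as an added example that is not part of the original post: a constructed ‘Server B’ either advertises STARTTLS or does not, and ‘Server A’ either falls back to clear text, as the opportunistic default does, or refuses to send under an enforce-TLS policy. The hostnames, addresses and EHLO lines are constructed; `enforce_tls` stands in for what MTA-STS enforce mode or DANE give a real mail server.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class SmtpServer:
    """Stand-in for 'Server B', the receiving mail server (constructed, not a real host)."""
    hostname: str
    offers_starttls: bool

    def ehlo_reply(self, client: str) -> list[str]:
        # Constructed EHLO reply in the RFC 5321 multi-line form ("250-" lines, final "250 ").
        lines = [f"250-{self.hostname} Hello {client}", "250-SIZE 35882577"]
        if self.offers_starttls:
            lines.append("250-STARTTLS")  # RFC 3207: 'yes, we can encrypt'
        lines.append("250 8BITMIME")
        return lines


def starttls_offered(ehlo_reply: list[str]) -> bool:
    """True if the reply advertises the STARTTLS extension (RFC 3207)."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_reply)


def deliver(server: SmtpServer, enforce_tls: bool) -> tuple[str, list[str]]:
    """Play 'Server A'. Returns the channel used and the message transcript.

    enforce_tls=False is the opportunistic default the post describes: fall back to
    clear text when encryption is not offered. enforce_tls=True never falls back.
    From Server A's view, a server that truly lacks STARTTLS and a reply from which
    the STARTTLS line was removed in transit look identical; only enforcing protects.
    """
    transcript = ["C: EHLO mail.example.org"]  # constructed sending host
    reply = server.ehlo_reply("mail.example.org")
    transcript += [f"S: {line}" for line in reply]
    if starttls_offered(reply):
        transcript += ["C: STARTTLS", "S: 220 Ready to start TLS", "C: <TLS handshake, mail sent over TLS>"]
        return "tls", transcript
    if enforce_tls:
        transcript.append("C: QUIT  (policy: no STARTTLS offered, refusing to send in clear text)")
        return "refused", transcript
    transcript.append("C: MAIL FROM:<alice@example.org>  (sent in clear text)")
    return "cleartext", transcript


if __name__ == "__main__":
    for server in (SmtpServer("mx.example.net", True), SmtpServer("mx.example.net", False)):
        for enforce in (False, True):
            channel, lines = deliver(server, enforce)
            print(f"--- STARTTLS offered={server.offers_starttls}, enforce_tls={enforce} -> {channel}")
            print("\n".join(lines))
```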
A few years ago, I received a phishing email at the organisation I worked for, from a travel agency we were a client of. Being a security person, I immediately notified the organisation and then went through the proper channels to notify the sending agency. Their response was (A) they were already aware and ‘investigating’, and (B) it wasn’t a compromise in their environment.
Two parts of this story are of value here:
1. I was able to confirm the email did, indeed, come from the travel agency’s email server, which they later notified us they had “turned off just in case” but had “confirmed it did not mean they had a breach.” That is a ridiculous way of saying “we turned off our email server, which was sending out malicious emails, but we don’t want to take responsibility for it.” I might be a bit grumpy on this point, given the lack of accountability.
2. Like most travel agencies, this one asks for travellers’ passport details to book all trips. In fact, when I was travelling with this company previously, they had tried to receive my passport details via email, and I had declined; they got upset, and we went through a longer process than they would have liked for me to provide the details. The reason this is upsetting is that this company likely had hundreds or even thousands of customers’ confidential details stored on their email servers, which they now claimed weren’t compromised, even though there was evidence they were sending out phishing emails.
Email attachments and links
As you have read above, I’m not a fan of continuous communication via email. I do understand the value of having a consistent location for stored information, but at the speed at which I receive email, it becomes disastrous to try to keep up. Add to this the fear of falling behind, the terror of being punished, and the confusion of not knowing how to protect yourself against this, and it can be a demoralising experience for many.
Now, with those anxieties compounded by the ultimate terror of the media reporting almost daily on data breaches, ransomware infections, confusing information and blame, let’s look at email attachments.
My role is to recognise and respond to malicious content; an accountant’s is to pay invoices and handle other financial aspects of companies (I don’t actually know how to describe it, so hopefully that simplified version is enough). They were not trained to recognise and respond to a phishing attack. The natural side of their role is to open the attachment, click the link and deal with what’s needed. It is unnatural for accountants and staff to recognise when a link or attachment is malicious without opening or clicking it.
It’s a completely different career, and we should realise this when requiring users to act with security in mind. Instead of fear, we should motivate with positives (I’ll write more on how to do this later) and empower staff to know the ‘why’ and ‘how’ before requiring them to take those additional security steps. To keep this blog post readable, I will stop here with everyday connectivity and the tasks we regularly do, but if you are interested in more, reach out; I always welcome blog post ideas to help!
Hackers are simply people looking at something, not for what it’s meant to do, but for what they can make it do, to benefit themselves.
With the above definition in mind, you may already see how a malicious, or black hat, hacker could tailor their responses online, or in an email, to play on the target’s fundamental need to connect, which in turn can prove useful to their malicious intentions.
Because of this, my role is simply to be a translator and a motivator, enhancing someone’s security posture so they can continue using the connectivity of the internet in a positive way, whilst minimising the impact of a malicious actor who targets them.
The reality is, security isn’t natural - at least with the solutions we have now.
In the future, when privacy and security by design are the default features of solutions, perhaps then security will be natural; maybe then it will be at the front of everyone’s minds because we have done our job in proper awareness, training and positive motivation. Unfortunately, malicious actors will likely always exist, and our role as solution architects is to make the unnatural easier, one small change and design at a time.
References and further reading:
* Interested in reading/listening to more about the connection between loneliness and depression and anxiety? Check out a book I’ve been listening to on Audible: Lost Connections by Johann Hari (http://a.co/a7TIcU7)
** TCP/IP protocol suite; read the wiki entry: https://en.wikipedia.org/wiki/Internet_protocol_suite
*** IPv4 was originally implemented within ARPANET; read more here: https://en.wikipedia.org/wiki/ARPANET
**** Read about TLS downgrade attacks here: https://elie.net/blog/understanding-how-tls-downgrade-attacks-prevent-email-encryption/