So as the title says, I was recently notified, well about a week ago now, that one of my online accounts (I’m not going to say which one, mainly because I don’t want this to be a bashing forum and don’t think that it is pertinent to the post) “may” have been compromised. For the non-security folks out there, that is hacked. I stressed the “may” because in security we don’t always know for sure if something has been broken into, but we might have high suspicions based on anomalies, such as a broken window might mean your house was broken into or it just might mean that you forgot your key and couldn’t get into your house. So of course when I got this information I was concerned, and I followed the notification’s instructions to change my password, verified that my computers and networks were secure (i.e. virus scan enabled, system patched, both network and system firewalls enabled, etc.), and checked for telltale signs of security compromises such as random password reset requests in email (inbox, junk, spam, and deleted folders). As a security professional I felt fairly confident in at least my basic security measures, but nothing is impossible, so I followed the requested procedures. Not finding anything out of the ordinary and very much concerned that something might have slipped through the cracks, I followed the final option I had in the notification, which was to open up a support ticket for additional information. Well, here is where my beef is, and it isn’t just with them, because their security practices aren’t that different from everyone else’s. I requested information pertaining to what events set off the alerts so that I could compare them to my own activity to see if the system was sending out false positives (again a security term, geez, what am I, a security geek — false positive: an alert that is false, i.e. if I said your house was broken into when in fact it wasn’t). Who knows better about what I am doing than myself, right? Well, poppycock!
They could not or would not divulge that information. So I say, why bother telling me at all? If you simply want me to do a password change then require one, but not providing the necessary information to identify the root cause of the problem is just setting things up to continue down an already dark path.
OK, the GOOD, the BAD and the UGLY.
GOOD: I am glad they involved the user. This is the right thing to do, because you can guess all day long as to what is going on, but until you involve the person supposedly doing it you will never know. I wish all security teams did this and did it RIGHT. Too often a security incident happens and we just assume the worst or even ignore it. This is probably due to staffing limitations or whatever, but we as professionals need to fully respond to all events of interest. This will allow the security specialist to identify if the user needs additional training, if additional security measures need to be put into place, if the account has truly been compromised, or if maybe, just maybe, the security measures are too strict.
BAD: They found a user who is concerned and willing to help them identify what is going on; provide the user with data, or at least questions, which can affirmatively prove or disprove the security event. Really, most users would have no idea of how to make certain their computers and network are secure, and many don’t want to bother researching the event; they just want to get back to what they were doing. Don’t make like this is top secret information; it is my activity in your logs. One of the comments made to me in the ticket was “Please note that while we consider security of the greatest importance, we must not disclose specific details of the security protocol we use to protect accounts.” Since when has security by obscurity worked? Now bear with me, I am going to get a little geeky now. I can tell you what their security protocols are: it is called a SIEM or SEIM or SEM or SIM or whatever the industry wants to call it today. Geez… OK, coming down to earth now. For you normal people, security by obscurity does not work. Employees leave and tell others; heck, they stay and they tell others. Information in this world leaks like Niagara Falls, so don’t think you can have a secret and tell anyone, much less an entire company. The only safe place is in your head, and I hear that the government is working on a way to get that out too. If you are so interested, SIEMs are security event correlation systems. If you would like to know more you can read about them on Wikipedia. OK, I ranted a little. My point is security specialists need to work with the proposed victims and… phooey, just refer to my end point in the GOOD paragraph.
If security professionals keep blowing off events as false positives, eventually one is going to slip through the cracks. Blips happen for a reason, maybe ever so small, but there is a reason, and due to our lack of knowledge we ignore them. For instance, that slight pain in your arm might just be a blood clot which could cause you to have an aneurysm if ignored. Here’s your sign. Well, that is what an attacker is hoping. That is why they attack at 3am in the morning, hoping you don’t want to get out of bed or won’t even see the event. What I am seeing today is that the serious attacks happen during office hours. Not sure if that is because all the infected laptops are in the office at that time or if it is because the attackers’ traffic blends in with the rest of the corporate traffic, but nonetheless it is happening. But I think my point has been made here.
UGLY: Just to keep with my theme, I still don’t know if an attacker has slipped through the cracks in my security. I have been given a sign that I would like to follow up on, but I can’t get any details pertaining to whether that sign is providing real information that is accurate. As a user I am frustrated with the support I am receiving and feel that this company’s security practices are pointless. And as a professional I wonder where the security industry is headed if this is the type of reaction we are going to give to a security incident.
In conclusion, I just want to say that although we depend heavily on computers to do all the work, there is no replacement for human judgement. We can’t just depend on a computer to analyze and make judgement calls, because although it has some of the data it doesn’t have all the data and most likely never will, especially when dealing with us slow, stupid humans. 😉 I want to challenge the security field to better involve users and research security events. Don’t just brush them under the rug because you’re overworked or understaffed. I know what it is like being bombarded by 1000s of events a day, but we have got to find a way to fix the problem and not just put a band-aid on it for another day. But with that in mind I also want to put a challenge out to all the security product designers to reduce the number of false positives your products are putting out. Anybody can be a naysayer, but few can make a positive impact.
Signing off until next time.
P.S. Just to update everyone on this ticket I had open and have since given up on. They did come back and give me a little more information. It seems they use location, or more specifically IP tracking, to trend your activity against. So if all of a sudden you change ISPs, start using your account from another ISP, etc., it locks the account. This was told to me in a roundabout way, but all the same I got the point. But they stood by their guns, stating that the release of how they are identifying this would be compromising their security efforts. I still say security through obscurity does not equate to a secure system, and that identifying real threats with real clients that you should have some base level of trust with should be more important than obscuring some basic security protocols.
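To show what the IP-trending described in the update boils down to, and what a user-facing notice built from the same event could say, here is an added example written for this post (not the service’s own code). It assumes sign-in records as (user, timestamp, client IP) tuples, treats a /24 block as “the same network” so an ISP handing out a different address in the same range is not flagged, and uses constructed sample data with documentation-range addresses.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample sign-in records: (user, ISO timestamp, client IP).
# Documentation-range addresses only; these are not real events.
SAMPLE_LOGINS = [
    ("alice", "2013-05-01T08:12:00", "203.0.113.17"),
    ("alice", "2013-05-02T19:40:00", "203.0.113.42"),   # same ISP block as before
    ("alice", "2013-05-03T03:05:00", "198.51.100.9"),   # first sign-in from a new network
    ("alice", "2013-05-03T09:00:00", "203.0.113.17"),
    ("bob",   "2013-05-03T10:00:00", "192.0.2.77"),     # bob's first ever sign-in
]

@dataclass
class Alert:
    user: str
    when: str
    network: str          # coarsened client network, e.g. "198.51.100.0/24"
    known_networks: int   # how many networks the account had been seen on before

def coarsen(ip: str, prefix: int = 24) -> str:
    """Reduce a client IP to its /prefix block so that an ISP handing out a
    different address in the same range does not look like a new location."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def detect_new_networks(logins, prefix: int = 24) -> list[Alert]:
    """Flag sign-ins from a network the account has never used before.
    The first sign-in of an account seeds its baseline and is not flagged,
    which is why bob's single record above produces no alert."""
    baseline: dict[str, set[str]] = {}
    alerts: list[Alert] = []
    for user, when, ip in logins:
        net = coarsen(ip, prefix)
        seen = baseline.setdefault(user, set())
        if seen and net not in seen:
            alerts.append(Alert(user, when, net, len(seen)))
        seen.add(net)
    return alerts

def user_notice(alert: Alert) -> str:
    """The detail a user needs to judge the alert against their own activity:
    the time and the network block of the sign-in, and nothing about the
    detection internals the service wanted to keep quiet."""
    return (f"Sign-in to '{alert.user}' at {alert.when} came from network "
            f"{alert.network}, which this account had not used before "
            f"(previously seen on {alert.known_networks} network(s)). "
            "If this was not you, change your password now.")
```

Run on the sample, only alice’s 3am sign-in from 198.51.100.0/24 is flagged, and the notice for it gives her exactly the two facts (time and network) she would need to confirm or refute it herself.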