The Human Factor: IT Security's Achilles' Heel

Brian Kelly

Despite advances in information security technology and processes over the past few years, it is the human being that can still be our Achilles’ heel.

A survey released last week by the Austin-based security company SailPoint found that, of the 1,000 office workers at private organizations polled, one in five said they would sell their passwords to a third party. Nearly half of those said they would do so for less than $1,000.

This data reinforces how important it is not to lose sight of the human factor when it comes to keeping our information and systems secure. As a Chief Security Officer, I factor the human element into every decision. Maybe I have hardened over the years, having witnessed too many times how, despite our best efforts, a sloppy or malicious insider can defeat millions of dollars’ worth of investment in the best security programs and technologies. Consider the continued effectiveness of phishing attacks, and the Edward Snowden matter, as examples.

Moving to a post-password world

We will never eliminate the human element or the risks associated with individuals that make bad decisions, either by mistake or for personal gain. And this survey casts light on the relative ineffectiveness of passwords, particularly static single-factor passwords.

Static passwords are slowly dying off, as they should, while the insider threat lives on. Static passwords are just too easy to find and break, and they exist everywhere. They sit in the memory of machines, whether it be in corporate environments or social sites, and the likelihood that your password can or has been exploited is fairly high.

While some are rethinking their authentication and authorization strategies and solutions, we are just not making progress fast enough. Organizations must move to architectures and solutions that do not include static or standing permissions. At a minimum, we must employ multi-factor authentication strategies.

The simple process of sending an authentication code by mobile phone when I perform a banking transaction is comforting to me as evidence of progress. I look forward to the day when my personal mobile phone becomes the cache for biometric or complex password constructs that can intervene in the authentication process.

Trust but verify

Of course, regardless of what solutions we put in place, a well-placed insider can likely defeat or circumvent even the best of our controls. Add “malicious intent” to this and we have a recipe for disaster. The fact that employees are willing to sell their passwords is troubling, yet not surprising. Even with multiple levels of authentication, someone who is motivated to sell a password or otherwise exploit their status as an insider can do so. That is why this threat is so hard to defeat.

Here is some tried and true advice: “trust but verify.” A security operations team must monitor user activity and investigate anomalous or malicious behavior. Someone reading this might think this practice is a violation of privacy and runs counter to company culture. I weigh these objections against the existence of the company, the livelihood of all employees, and the protection of customers and shareholder value.

Fraud, malicious activity and inadvertent disclosure can be monitored and managed without violating individual privacy. Traffic, both in and out of the organization, as well as traffic traversing internally, can and should be monitored and characterized to detect departures from “normal” or “baseline” activity. This does not result in an invasion of privacy; rather, it typically involves viewing only the metadata (who talked to what, when, and how much) and not the actual message contents.
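As an added illustration of the metadata-only baseline monitoring described above (example code, not from the original post or from Rackspace; the per-user daily summaries are constructed, and the three-sigma departure threshold is an assumption):

```python
"""Baseline-deviation check over connection metadata only (no payloads).

Added example, not code from the original post or from Rackspace: the
records below are constructed, and the 3-sigma rule is an assumption."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily metadata summaries: (user, day, bytes_out, distinct_dsts).
# These are totals derived from flow logs; message contents are never read.
BASELINE = [
    ("alice", d, b, n) for d, (b, n) in enumerate(
        [(2_100_000, 14), (1_900_000, 12), (2_300_000, 15),
         (2_000_000, 13), (2_200_000, 14), (1_800_000, 12),
         (2_100_000, 13)], start=1)
]
TODAY = ("alice", 8, 41_000_000, 63)   # constructed: an unusually large egress day


def build_baseline(records):
    """Per-user mean and population stddev for each monitored metadata field."""
    per_user = defaultdict(lambda: {"bytes_out": [], "distinct_dsts": []})
    for user, _day, bytes_out, dsts in records:
        per_user[user]["bytes_out"].append(bytes_out)
        per_user[user]["distinct_dsts"].append(dsts)
    return {u: {f: (mean(v), pstdev(v)) for f, v in fields.items()}
            for u, fields in per_user.items()}


def score(record, baseline, sigma=3.0):
    """Return the fields on which this day departs from the user's own norm."""
    user, _day, bytes_out, dsts = record
    if user not in baseline:
        return ["no_baseline"]            # new user: nothing to compare against yet
    observed = {"bytes_out": bytes_out, "distinct_dsts": dsts}
    flagged = []
    for field, value in observed.items():
        mu, sd = baseline[user][field]
        sd = max(sd, 1e-9)                # avoid division by zero on a flat baseline
        if abs(value - mu) / sd > sigma:
            flagged.append(field)
    return flagged


if __name__ == "__main__":
    bl = build_baseline(BASELINE)
    print(score(TODAY, bl))               # -> ['bytes_out', 'distinct_dsts']
```

A flagged day is a lead for an analyst, not a verdict; the investigation step the post calls for still follows.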

A partner is key

The impediment for many companies, even those that understand and embrace the challenges and obligations outlined above, is that they do not have the skilled and experienced resources available to effectively counter the threats. It is no secret that there is a severe shortage of trained and experienced security professionals. I’m aware of the statistics that suggest there are 40,000 job postings for people with CISSP certifications, yet there are only 69,000 CISSPs in the world today.

Similarly, the appropriate processes and technologies do not yet exist or have not yet been widely deployed. Many companies do not have the capability needed to detect and respond to anomalous or malicious activity. Traditional managed security service providers may be financially out of reach for many companies (generally $1-3 million annually) and, even if the service is within budget, firms still do not have the skills to respond to alerts and events.

Rackspace responded to this challenge by launching Rackspace Managed Security earlier this year. Our cloud customers can opt to leverage this service to consume 24x7x365 advanced detection and response services at a price point that significantly reduces the total cost of ownership.

Throughout our enterprise, we are also leveraging the unique advantages cloud computing provides to overcome many of the challenges the security community wrestles with. Our end state is the implementation of “high-trust” and “zero-standing-permissions” architectures and solutions that move away from traditional client-server models and toward highly segmented, role-based, real-time provisioned, policy-driven, zero-trust models.

We are quickly moving to eliminate traditional password strategies and solutions and replace them with new approaches to authorize and authenticate users. We speak frequently with our cloud industry partners to share security threat and technology information, so we know the other major cloud providers are doing the same.

Will these solutions be perfect? Not if history is any indicator. No sooner will a new solution be deployed than adversaries, or malicious or careless insiders, will find a way to circumvent its security mechanisms. Significant improvements in security operations practices go a long way toward detecting and responding to these activities. Constant vigilance is paramount.