Attack Complexity and Assurance Levels

-

 One of the challenging aspects of defining a security strategy is to define how complex an attack you need to defend against. Over the years, I've seen far too many organizations that are trying to build complex reverse engineering capabilities to dissect potential malware, while leaving 85% or more of their environment unpatched, not implementing strong 2-factor authentication, or failing to perform basic hardening. Security is very often mostly about doing the basics well. If you cannot tell the board that you know who all the global root users are - including the ones that could become global root easily - implementing a complex data loss prevention solution is probably not the item that should be at the top of your list.

One of the challenges in security is thinking through the threat environment we are facing. Typically, we can never measure anything with absolute certainty in security, and there is opinion in everything, but one thing that seems to work is bucketing things into relatively coarse buckets. It's much easier to say that the risk of something is high, medium, or low, rather than 73% probability. This same scale works well for numerous types of things we need to measure. 


As part of the foregoing multi-factor solution, there was an undercurrent, and sometimes an overt current, of attack complexity in compromising a factor. I decided it may be worth making my thinking on this a little more clear. As part of the analysis, I've been thinking about the ease with which an attacker could compromise a factor, given certain conditions. Here is an example of the analysis, relating to three different factors.



This table measures the complexity of attacking a multi-factor authentication system to establish an independent session (as opposed to hijacking an existing user session) given certain pre-conditions and when certain factors are used. These kinds of tables can be really useful and the simple scale used here of simple, moderate, high, and not possible, is easy enough to use and still provides value even though it does not measure anything with 100% accuracy.Personally, I like four point scales. Others use 5, or 3. More than that generally is too much though. 


To illustrate the use of this, let's say that the attacker has compromised the computer or device used to establish the session, or even the device used to generate the token code or the approval notification. In this case, it is relatively easy for the attacker to capture the entire session, or to obtain the TOTP codes, or to approve the push notification. If I control your phone, I can click the "Do you want to approve this login" button just as easily as you can. 


However, with WebAuthn, doing this is harder because WebAuthn, typically, would require some form of action from the user. Even with root access on the computer, the attacker could not perform the user verification in WebAuthn because that requires physically interacting with the device. Consequently, push approvals and TOTP provides a low level of assurance against a compromised platform, while WebAuthn provides a very high level of assurance. The reason it is possible still for WebAuthn to be fooled in this case is because it is possible for the user to accidentally activate the system, and for the malware to lie in wait for this to happen. 


On the other end of the spectrum, phishing WebAuthn tokens, without a compromised platform or application, is not possible unless the client application is flawed. On the other hand, phishing push approvals is very simple. If you are an attacker and you want a user to do something, all you really need to do is ask. It doesn't really matter how much anti-phishing training we give people, the pressures we put them under to do their job, and the erratic nature of the technology we give them, makes it nearly impossible for the average end user to successfully tell the trustworthy thing from the malicious thing, especially in the absence of the trustworthy thing to compare with at the time. 

Comments

Post a Comment

Popular posts from this blog

U2F, FIDO2, and Hardware Security Keys

-
  In our journey through possession proofs we have encountered hardware factors of various kinds. HOTP and TOTP is often implemented as hardware devices, and of course, so are Smart Cards. In this post we will look at authenticators that implement the FIDO standards -  U2F, WebAuthn, and CTAP2. WebAuthn and CTAP2 are collectively part of the FIDO Alliance ’s FIDO2 protocol suite. U2F and UAF are older FIDO protocols that are supported under FIDO2. They can all be thought of as being part of the FIDO2 suite of protocols.  To understand these protocols, and their advantages and disadvantages, we need to be familiar with the three fundamental actors: Relying party (RP) - Also known as the server. This is the service that a user wishes to log into. Client - This is the application that brokers the authentication from the relying party to the authenticator and eventually the user. Much of the time, this is a web browser, but it could be any application. Authenticator - This is a thing tha
Read more

The Busy Executive’s Guide to Personal Information Security

-
Congratulations. As an executive you are the favorite target of ne’er-do-wells across the world. They will spoof email messages to staff and business partners in your name. They will try to hack your corporate account, your bank account, your email account, and your phone. In addition to hundreds of messages per week from semi-legitimate vendors who want to sell you their most recent search engine optimization snake-oil you will also get a variety of Word documents, PDF files, and PowerPoint presentations, most of which are laden with malware. If this sounds depressing, it is. It is the world of Information Security. There are ways to protect yourself, however. This document will tell you the most important things you can do. 1. Patch Your Stuff! The first thing you need to do is to patch. Software and hardware vendors provide regular security updates to fix security bugs. Or, rather, the reputable ones do. The first step is to use devices and software that provide timely and reliable
Read more

Single Sign-On

-
There are two kinds of organizations. Those that manage their single sign-on (SSO) system, and those that let their users manage their SSO. The other day I was in a discussion with a number of security leaders about how important identity management is to your security strategy. Obviously, everyone agreed that identity is very important. After all, if you don’t have a strong identity strategy pretty much no other component of your strategy will be strong. There is a reason that the first function of the NIST CSF is Identity.  However, the discussion then turned to SSO and whether it didn’t constitute putting all your eggs in one basket, and whether doing so is a good idea. Yes. SSO does constitute putting all your eggs in one basket. But, that is a good  thing. Why? Because you, as a security leader control  that basket. You know where it is. You know how it is configured. You have already required strong multi-factor authentication (MFA) on it. (You have right? If not, stop reading th
Read more