Data leaks have become an all-too-common societal problem. Still, 99% of the problems do not involve scary zero-day bugs. So why is security still hard? We need to accept that technology isn’t going to save us. Rather, thinking it could is what got us into this situation in the first place. A new way of teaching and implementing security is needed across organisations. In this blog I am introducing the AVA=RISK Security Model to help us achieve this.
Credential theft and abuse is the most common attack vector. Burglars have no need to break the lock if they can simply turn the key they copied and walk in. Thus, securing the door alone is not enough: we should also pay attention to how we handle our keys, assuming we locked the door in the first place. An emerging trend of explosive cyber leaks involves unprotected databases left out in the open. As we speak, organisations are unwittingly exposing billions of sensitive records to anyone curious enough to look.
How useful is strong technology if we forget about the people using it, or neglect the information we entrust to it? Sure, those databases need to be better protected by technology: they require strong authentication, or shouldn’t be exposed to the public web at all. However, we already understand those solutions, and still, mistakes in setup and maintenance are too easily made. The vulnerability in the technology itself is addressed only slowly by vendors. They may improve default configurations and add scanning abilities, but next time it will be yet another type of vulnerable technology. And how will we cope in the meantime?
Let’s consider phishing scams. While challenging, email security protocols can (and should) be implemented to protect against domain spoofing. However, an email mimicking a trusted domain or person will still pass that test. As a result, people will continue to be tricked and have their privileged credentials stolen. Not to mention the extraordinary success of CEO scams, with damages over $12.5B in 2018 according to the FBI's Internet Complaint Center. Technology is part of the problem rather than the solution to abuse. Email, like the phone, is a fundamentally vulnerable channel. This will not be fixed in the foreseeable future, if ever. That means the problem needs to be fought from other angles.
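To make the point above concrete, here is an added Python illustration (not part of the original post) of why a domain-alignment check stops an exact spoof of the organisation's domain but lets a lookalike domain or an impersonated display name through, and what additional checks a mail filter can layer on top. The alignment logic is a deliberate simplification of DMARC, and all domains, names and addresses are constructed for the example.

```python
# Added example: simplified DMARC-style alignment plus lookalike and
# display-name checks. Domains and people below are constructed placeholders.
from difflib import SequenceMatcher

TRUSTED_DOMAINS = {"example-corp.test"}                   # constructed
KNOWN_PEOPLE = {"Alice Example": "alice@example-corp.test"}  # constructed

def dmarc_aligned(from_domain, authenticated_domain):
    """Simplified relaxed alignment: the From: domain must equal, or be a
    subdomain of, the domain that passed SPF/DKIM. An exact spoof of a
    protected domain fails here because the sender cannot authenticate it."""
    return (from_domain == authenticated_domain
            or from_domain.endswith("." + authenticated_domain))

def lookalike_of_trusted(from_domain, threshold=0.8):
    """Return the trusted domain this one resembles (typo-squat, added words),
    or None. The sender authenticates fine for its own lookalike domain, so
    alignment alone never catches this case."""
    if from_domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        ratio = SequenceMatcher(None, from_domain, trusted).ratio()
        if ratio >= threshold or trusted.split(".")[0] in from_domain:
            return trusted
    return None

def display_name_mismatch(display_name, address):
    """A known colleague's name on an unknown address is impersonation."""
    expected = KNOWN_PEOPLE.get(display_name)
    return expected is not None and expected.lower() != address.lower()

def triage(display_name, address, authenticated_domain):
    """Return the reasons a message is suspicious (empty list = none found)."""
    from_domain = address.split("@", 1)[1].lower()
    reasons = []
    if not dmarc_aligned(from_domain, authenticated_domain):
        reasons.append("dmarc-unaligned")
    trusted = lookalike_of_trusted(from_domain)
    if trusted:
        reasons.append("lookalike-of:" + trusted)
    if display_name_mismatch(display_name, address):
        reasons.append("display-name-impersonation")
    return reasons
```

The exact spoof is caught by alignment alone, while the lookalike domain and the free-mail address carrying a colleague's name pass alignment and are only flagged by the extra checks, which is why training people remains necessary.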
The fire triangle analogy
We can use an analogy here: a fire can be fought in three ways, and we pick the one that is most effective and practical given the circumstances. First, water is often the convenient way to take away heat. In a grease fire, however, removing oxygen with a fire blanket is the safer solution. Lastly, isolating the fuel is sometimes most pragmatic: just wait for the fire to burn itself out. Borrowing from this fire triangle, we can regard security risks as having three angles of attack as well. Spoiler alert: fixing vulnerabilities, let alone software bugs, plays only a partial role in one of those approaches.
Introducing the AVA=RISK Security Model
It’s time to expand our scope of how to educate on security and treat risk. First, we should clearly separate information security risks from technology. Unfortunately, security is regarded as an IT or engineering responsibility in most organisations. The AVA=RISK Security Model sheds light on the illusion of total security through technology. It provides us with a lens to treat risk, by focusing on Actors, Vulnerabilities and Assets. Explore each aspect for any risk, and mitigation measures can be selected. Usually, addressing only one aspect will not suffice. Let’s take the phishing problem as our example. The ease with which hackers can impersonate others through email is the vulnerability. And as we have seen, we do not have enough tools to adequately protect ourselves. But water isn’t the only way to stop a fire. Luckily, we can also fight the fire by taking away actors or assets.
The first element: Actor
There are two active actors in the phishing game: hackers and victims. We can’t magically block or cure hackers, so let’s collaborate with our colleagues. Security awareness is a fast-growing practice, yet it remains largely ineffective. Gamification, repetition and simulations should improve education programs. But how can we really engage our colleagues? At the core of the problem is the perception that spam filters should do the job, which shifts accountability away from people. And if the security team believes it, how can we expect the controller or sales representatives to take responsibility? We need to train anyone with an email address to build security hygiene habits. Reducing mistakes through better judgement skills results in fewer victims. And if victims are removed from the equation, there are fewer actors engaged in the phishing game, lowering the risk of a data breach.
The second element: Vulnerability
Improving security by resolving vulnerabilities sounds easier than it is. If email is a fundamentally flawed system, what can one do? To some extent, organisations can decide on alternative means of communication. Slack is essential to millions of businesses, as are collaborative platforms like Microsoft Teams. Their closed and centralised nature is a strength for security, and it drastically lowers the chances of responding to an impersonated colleague asking for that payment or permission. For external reach, though, email still has merit. When it is combined with encrypted file sharing, such as the brand new Firefox Send, the vulnerability can be managed.
The third element: Asset
The third side of the triangle, the asset aspect, requires us to consider what information assets are available and accessible. The “principle of least privilege” should be the golden rule. Its application tends to fade over time as convenience takes over, therefore data governance is important. The GDPR also provides advice in this regard. Both data minimisation and data retention are guiding principles to decide on what data to process, and for how long. If any person has access to only a few data sources, a hacker will be limited in the same way, even if a phishing scam succeeds in stealing credentials. The famous criminal Willie Sutton was once asked why he robbed banks. He supposedly stated: “Because that’s where the money is.” Data is the new gold, and providing access to it must be thought of accordingly.
Technology is a tool
I’m inspired by how technology, society and policy interact. My professional career started with a decade in web development and a fascination for application security. Later roles in product and management allowed me to reassess our dependence on technology. Now, digital transformation allows us to transform our economy. We can scale our services and optimise our workforce. But technology can also take us hostage if it is not kept within bounds. Security is like the brakes on our car. It may slow us down, but it also enables us to move faster. We should regard technology as just one of the tools in the security toolbox. If security is subject to technology, we are blind to the risks. And worse, we would miss out on great opportunities to combat risk. With AVA=Risk in mind, we can find better solutions and further raise security awareness.
Watch the video for some background information and to see how the AVA=Risk concept is spread within iWelcome:
Rens van Dongen
CISO at iWelcome
With a deep passion for SaaS technology and information security, Rens brings to the table vast experience and deep knowledge in these fields. Within iWelcome, Rens is responsible for maturing and monitoring the strategic risk management program to ensure the integrity, confidentiality, and availability of information in our platform and organisation.
Feel free to repost this blog on your website or social channels! But when you do so, please be so kind as to mention the source and give us a notice via firstname.lastname@example.org.