We do a lot of technical security testing at Asterisk, and this often brings up healthy discourse on the root cause of the issues we find. After thinking about this for a while, I came up with a few themes which I think capture the majority of security issues. In fact, I think the following issues are possibly the root-cause problems that most information security professionals are trying to manage when protecting their organisation’s information. This focus on managing issues is important, as most people can’t manage threat agents. Unless you’re a government or other high-level entity, it’s unlikely you will be able to take action against attackers sitting somewhere on the other side of the world. These issues are not mutually exclusive, but I do like that they feel like a fairly manageable set of problems to solve.
Most of the issues we deal with as information security professionals come down to:
- Insecure software
- Misconfigured software
- People-related issues*
- Physical security issues
Surprised? Not really.
*nb: It’s important to note that these root causes are often interrelated. Insecure or misconfigured software certainly relates to people issues as well as to other underlying issues. This interrelationship is important, but the distinction can be useful in breaking down how to address these problems.
Let us try and analyse these causes. Most of the layers of defence that organisations apply to protect their assets are there to reduce attack surface area. In the case of web-based technology, we have firewalls, IDS / IPS, WAF and other related technical controls attempting to manage and reduce the likelihood that insecure or misconfigured software is exploited. If the layers of defence, and the system itself, have addressed insecure software issues and misconfiguration issues, and the system is physically secure, it’s likely that any further exploitation is related to weak passwords, or to passwords being disclosed through breaches of other systems (take the LinkedIn breach, for example).
Weak passwords are an example of a security issue that relates to both insecure software and people-related issues. More secure software may force users to use long, difficult-to-remember passwords. Unfortunately, if the credential is written down, or shared with someone else, then it doesn’t matter how strong the password is. In these particular instances, educating the user in better password practices may help.
Of the above issues, the people-related ones are often the most difficult to manage. Social engineering has proven itself an effective tool in an attacker’s arsenal over and over again, and even if you train your people, it’s difficult to reduce the exposure to the same degree as you can with other issues. Whether this is due to the difficulty of educating the masses about social engineering, or because many information security professionals aren’t as good at addressing people issues as they are at addressing technical issues, we can’t really say.
This list is not all that different from MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC) ‘Domains of Attack’. Below are our root causes, mapped to the corresponding CAPEC domains:
| Root cause | CAPEC domain of attack |
|---|---|
| People-related issues | Social Engineering |
| Physical security issues | Communication (partially) |
*nb: The Supply Chain domain relates to insecure or misconfigured software, people-related issues or physical security weaknesses further up the supply chain.
Okay, so if we have these root causes, what can we do about them? Our subsequent blog posts will look at each of these root causes in further detail.