Graeme Batsman | 6 February 2019
When you are researching new technical security controls you need to think about ways that it can potentially be broken look for a plug or new vendor till you have solved all possible eventualities. This, of course, is next to impossible. We have all heard the term 'next generation security' (often firewalls or UTMs) or military/banking grade security (encryption usually). In many cases these products are not amazing. Just look at InfoSec Europe in London and every year there is a 'craze'; machine learning, artificial intelligence or threat intelligence crop up most years. How can 100+ products all doing the same thing work?
The problem is many people do not think about these loopholes and even if they did would they spend the extra cash trying to close them? In the past I have spent weeks researching a particular problem and during that time I read up and test out tens of products per category. E.g. email security gateways. I have found that sometimes, even the good ones, do not always do everything they're meant to.
FIPS 140-2 level 1 certified encryption suite or OpenPGP
You can encrypt a file, folder, email, USB stick, archive, CD/DVD using symmetric 128-256-bit AES encryption or asymmetric PGP 2048-4096-bit encryption. Let's assume the key generation is secure. If someone stole the encrypted file somehow it should be 'technically' unbreakable without the key.
The problem is that a keylogger, shoulder surfer, malware or hidden camera could either see the password (not key based of course) used to encrypt the file or malware could be used to extract the key from the computer. This is how governments often defeat encryption.
The solution is to store the key on a specialist USB stick or to buy a solution which uses the USB token as a key. Thus the key never leaves the USB token and cannot be extracted. This offers the crème-de-le-crème of encryption though it is expensive of course to implement.
FIPS 140-2 level 2-4 certified hardware encrypted USB stick
Integral, IronKey, Kingston and many other vendors offer high security USBs which auto erase the data after 6-10 wrong attempts with all data being encrypted 100% of the time while on the stick. These are highly secure and if lost no one can brute force them.
This can be problematic. The unlocking is started on the computer and as above many methods could be used to capture the password which is entered on the computer. An attacker could bug the victim's computer, grab the password and then stage a mugging to get the USB stick.
To mitigate this, you could use USB sticks which have a physical PIN pad on them. This isn't 100% perfect but at least malware or a keylogger would not work since the authentication is done on the USB stick. These are not vastly more expensive than ones which take the password on the computer and these work with photocopiers & CCTV units to, since they are pre-boot authenticated.
Many authentication services, SaaS or on-premise (using SaaS to some extent of course) offer SMS/text message authentication where it sends you a six-digit number code after you enter your username & password. It is easy to use and everyone caries their phone around with them.
What is the problem then? If you are in a hostile country the government could be monitoring your texts over the waves. Someone could trick your network provider to switch the number to another SIM. Malware could grab the code or someone could oversee the code, or just steal the phone.
Solution? Though fiddlier to roll out and expensive, use a hardware token like RSA or Gemalto, then someone needs to physically steal it. Users could be tricked into giving out the code, so a challenge-response option is far stronger and ideally protect the USB token with a PIN number.
Google or Microsoft Authenticator
Both apps for Windows Phone, iOS and Android do the same thing and are very easy to use once setup. You scan a QR code and every 30 secs a new number is shown synchronised to the server's clock. After entering your username & password just enter the six-digit code and you are logged in.
This has a similar issue to SMS authentication but interception or transferring of numbers is far less a problem. Malware could screenshot the app, someone could steal the device, someone could oversee the phone and read the code - note the codes only last for 30 or 60 secs.
The solution is exactly the same as above since time-based codes can be phished if the end user is stupid enough to fall for it - this does happen! Biometric, ideally not just fingerprints is another strong option but then rolling it out is tough. Network access control by device fingering is a new trick.
Website security gateway
This is either down to poor knowledge, poor configuration or due to the device's functions. A website security gateway scans and filters website traffic, i.e. blocks gambling websites, anti-malware scans everything and blocks executables. They mainly scan port 80 (HTTP) which is clear-text but what about the more controversial port to scan 443 (HTTPs). Other ports should be blocked.
A few years ago, more traffic was HTTP which is unencrypted and now most is HTTPs which means the website security gateway or IPS cannot understand it. Both devices can scan HTTPs which comes with its own problems. Privacy, security, bandwidth and device RAM/CPU. If you do not scan HTTPs a large threat vector is not being blocked before it hits.
Installing the private key or turning on man in the middling is one option then you need to install a certificate in the end user's browser, so it does not complain. If not, a half decent option is general DNS filtering and better still proper endpoint defence not just bog-standard antimalware. Patching, anti-exploit, application whitelisting and whitelisting of known good website helps greatly.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.