In the world of cyber-crime, it is a certainty that whatever you do to protect access and lock down your systems, a breach will nonetheless occur if a cyber-criminal is determined to achieve it.
Using this assumption, those in the IT security profession are left with the basic principle that has always been the fundamental of their trade and has never changed - focus on the data and make sure it is protected so that when a breach occurs, the cyber-criminal is left empty-handed.
These were the views expressed by Jason Hart, the VP Cloud at SafeNet, a former ethical hacker and a renowned expert in the tools and techniques of hacking and password vulnerabilities. Intrigued by his approach, ProSecurityZone met Jason recently in London to discuss data protection and find out why passwords are so vulnerable.
Passwords are a pain and it would be better to assign them the same status as floppy disks as curious artefacts of the bygone age of obsolete technology. Unfortunately, we're not there yet and continue to have to put up with an escalating number of passwords that have to be used. Each one needs to be unique, conform to a set of rules (which may be different for each one), memorised and then changed regularly.
Such a process across multiple systems and web sites is clearly unsustainable so people write them down, re-use and re-cycle them, use their browser facility to remember passwords, list them on a spreadsheet on their computer or on their smart-phones. Some of the more tech-savvy keep them in a secure password vault, the security of which is determined by a single password needed in order to enter the vault. Whatever system you use in order to manage your unmanageable list of passwords is vulnerable.
This is one of the reasons behind Jason's opening statement when we met that we have to accept that breaches will happen and therefore need to focus on protecting the data. Passwords aren't the only means of breaching a system of course, there are many others including network vulnerabilities and capturing data in transit.
Data in transit vulnerability
Data in transit is particularly easy to hack in Wi-Fi environments which Jason was able to demonstrate in the small cafe with free Wi-Fi access where we'd chosen to meet. Using a piece of hardware cobbled together from easily available components and some similarly accessible software, Jason was able to create his own unsecured hotspot.
Using my computer to search for hotspots, I found his and logged on with ease. Once connected to Jason's hotspot, everything I did on my computer was his to analyse so I logged onto one of my password protected cloud services. To demonstrate the simplicity of harvesting login credentials using unsecured hotspots, Jason invited me to watch it as it happened using a Linux console that looked suitably geeky with its green-screen display scrolling dozens of lines of characters and no graphics. Despite the unfriendly looking interface, it took him all of 5 seconds to locate both the userid and the password in plain text that I'd passed to my cloud provider.
This isn't unusual, he told me. Cloud servers are everywhere, we all use them in one form or another but most of them don't even offer two-factor authentication (2FA) for more secure access control to that all-important data. Even banks only use 2FA for transactions outside of the managed accounts. Accessing online bank accounts is more difficult because only random sequences of bits of PINs and passwords are used but to set up a new payee and transfer money to it requires a Hardware Security Module (HSM) which provides another authentication factor.
As far as Jason's demonstration was concerned, it was clear that providing a free hotspot introduces a temptation that makes users extremely vulnerable. I argued that although this may be the case for people with very low awareness of security, most people understand the vulnerability of free Wi-Fi access and are unlikely to fall into such a trap, particularly when dealing with sensitive data.
Trusted connections shouldn't be trusted
However, the reality is that free Wi-Fi comes as such a relief to people travelling on business that security is often the last thing on their minds. Nonetheless, to capture even the most security conscious browser, Jason had something much more sinister in his bag of tricks.
Using his self-assembled hardware and a downloadable piece of hacking software, Jason was able to scan my computer for all the wireless networks listed that are trusted and that I automatically connect to. The software then spoofed one of those connections and my computer automatically connected to it. I didn't have to do anything, the computer simply connected itself to a hostile hotspot thinking it was one of my trusted networks.
This would have looked a bit fishy if I'd hovered over the connection icon in the toolbar and seen the name of a network that I only use when I'm abroad but, as Jason pointed out, I was taking part in a hacking demonstration so I knew what I was looking for. Most people would have no awareness of what was going on, they would just work on their computer as normal while the hacker sifted through all the information being transmitted, searching for something useful .... or something targetted.
Focusing on the data
Hackers have always wanted your data and although this hasn't changed, their armoury for accessing it becomes more sophisticated every day. Since it's the data that's important to them, it is on this data that information security should be focused, Jason asserts.
The only effective way of doing this is by making the data unusable through encryption and effective key management. Encrypting data at rest protects it from being read if accessed and protecting data in transit protects it when it's being transmitted such as in a cafe with Wi-Fi. If my userid and password for the cloud service I'd been accessing had been encrypted for transmission, it wouldn't have been readable on Jason's Linux console.
Access control is of course also important but simple password control just isn't enough. Two-factor authentication should be deployed as a minimum and shouldn't be seen as an alternative for protecting the data through well managed encryption.
Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan