OTPs as Second Factor
At no point in history have we observed more news coverage about online security. Cyberspace, the so-called fifth domain, has become so crucial to our everyday lives that major breaches affect a large percentage of the population. The recently uncovered Yahoo Hack featured millions and millions of compromised accounts. Mindboggling numbers, considering that information security used to be a niche field.
When asking security practitioners about their motivation of working in infosec, a lot of them quote curiosity and the thrill of the hunt for vulnerabilities. Ultimately, though, security is not about attacking. The defensive side is just as relevant. We need to build solutions, to educate the general population about the risks every citizen is facing and to teach them about the tools at their disposal to tackle these risks.
When Hillary Clinton’s campaign chairman, John Podesta, was recently the victim of a phishing campaign, commenters were quick to put the blame on Podesta. But the truth is: Everybody, even seasoned IT professionals, could have fallen for a well-done campaign like the one sent to Podesta. It is crucial that we understand and acknowledge that security can and should not be a user’s responsibility. Technology needs to be safe by default. To use the old, but oddly fitting car metaphor: When buying a car, you don’t get to choose if you want to get a seatbelt or how it’s constructed. It’s just there, and it’s designed in a way that will serve the intended purpose. This level of implicit safety is something we need to achieve for common technology if we truly want to treat security with the importance it deserves.
But yet, parts of the information security community maintain a technocratic, elitist and sometimes straight out abusive attitude towards everyone outside of their inner circle – and inside, for that matter. I have repeatedly stated how fed up I am with the occasional smug sense of superiority that we, as a community, sometimes tend to show. We call users stupid for clicking on things they are not supposed to click on, not realizing that the way to stop this from happening would not be awareness training but better security controls to detect and mitigate malicious content, potentially even before a questionable link can be clicked. And it does not stop there: I could fill this article with examples of destructive and demeaning behavior that does not bring us any further, but I am making the conscious decision not to, as it would potentially bring me into the same position of berating others for their stances.
We, the information security community, are facing tough and challenging times. This includes, that we need to get accustomed to the military concept of acceptable losses, as we cannot keep following the paradigm of (in)security as a black and white concept. As our field of expertise becomes more relevant by the day, we need to rise to this challenge and grow out of the adolescence our industry is still partially in. We cannot allow cybercrime syndicates to professionalize at a staggering pace while our side, the defenders and security experts, are busy with infighting and free drinks at BlackHat.
In the past months, we have been tirelessly advocating simple tools to increase security for everyone. Two factor authentication and password managers are only two of them. I am also spearheading efforts to create effective secure development models and processes to build security into products from the get-go, and it has been a tough, but satisfying task: Because if securely designed technology is something we really want to make a reality, there is no way around buckling down and creating solutions instead of blaming others for their problems.
Let our Red Team conduct a professional social engineering test!
Our experts will get in contact with you!
Further articles available here