I’ve read a lot of analysis on the iCloud celebrity photo leak and what we can learn from it. I have to say, amidst all the sensationalist hoopla, I think we’re missing the point. This is about targeted attacks and how to defend against them. It’s a very, very hard problem. The majority of the advice I’ve read so far falls short. Most of what I’ve read comes down to two areas:
1) We shouldn’t upload private data to the cloud.
Really? If that works for you then great; however, in my case, the data I’m trying to protect isn’t photos of me in my birthday suit. I’d be flattered and more than a little concerned if that was what people were after, but I’m more worried about things like bank account data, intellectual property, sales and customer data. It’s just not practical to say we shouldn’t use Salesforce.com, Amazon Web Services and online banking. For most, the economic advantages of working in the cloud are too great to ignore.
2) Use two-factor authentication.
I agree 100 percent, but let’s not get too excited. Two-factor authentication is great, but it’s very hard to apply on a grand scale. When someone loses their token – and this happens all the time – you need some kind of override or reset. This is usually accomplished in one of two ways: 1) a complex password is issued that can override the two-factor check – Dropbox, Apple and Google all do this; 2) customer support can reset it or turn it off – Amazon does it this way.
Both have their flaws. Reset codes get saved to the hard drive or typed into Evernote where they can be stolen by a determined hacker. Likewise, when resetting the two-factor, customer support representatives need a way to validate that the person is who they say they are. This is either done by validating the person’s email (usually protected by another password) or asking personal questions. Again, both can be acquired or socially engineered by a persistent targeted attacker.
Also, two-factor authentication is often impractical. How do I secure a photo stream with it? I can think of ways, but it’s not easy. I don’t want to grab my token every time my daughter wants to download a new game on the iPhone – which happens only 500 times a week and often from the backseat while I’m driving. Also, because mobile-based two-factor is often the most practical implementation, it can pose a challenge when the device you’re trying to protect is also your security token.
So, what are we to do? We need to change how we’re approaching the problem. We need to use an “active, threat-based defense.”
First, we need to be “threat-based”, not vulnerability-based. Two-factor authentication addresses a known vulnerability (passwords that can be guessed or stolen); however, there are places it works and places it doesn’t, either because it is too much security or not enough. We need to deploy the appropriate control for the appropriate target given the threats they face. JLaw and I face very different threats when it comes to our photo archives. Similarly, your company’s CEO, its CIO, servers and developers are all unique targets that require different kinds of protection based on the threats they face.
The adversary and the methods they employ to attack you will vary, based on who you are. Whether you know it or not, you are most likely on someone’s radar. We see sophisticated attacks against everyone from 20-person companies on up. But who attacks you varies a lot based on your vertical market and what you do. Cybercrime, hacktivism and espionage are all different threats that require different protections.
Second, and here is where we often fall down, we need to mount an “active” defense. If you don’t actively monitor your systems, they will be compromised. Set and forget doesn’t work. Given enough time and resources, any system can be compromised.
This doesn’t always mean faces on glass. Facebook and Google do some neat automated tricks that look for things like international logins and failed login attempts and then notify the account owner, but we can do more here. Cloud vendors need to provide more visibility. Consumerization of IT means we need visibility into consumer-grade offerings, not just corporate products. An active defense requires that we learn from what we see, react and improve.
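The kind of automated check mentioned above (spotting logins from a new country and runs of failed logins, then alerting the account owner), as an added example that is not from the original post or from any vendor's implementation. The event format, the threshold of five failures and the ten-minute window are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # assumed: failures that make a burst
FAIL_WINDOW = timedelta(minutes=10)  # assumed: sliding window for the burst

# Constructed sample events: (ISO timestamp, account, country, outcome)
SAMPLE_EVENTS = [
    ("2014-09-01T07:00:00", "bob", "US", "success"),
    ("2014-09-01T08:00:00", "alice", "US", "success"),
    ("2014-09-02T09:00:00", "alice", "US", "success"),
    *[(f"2014-09-03T02:0{m}:00", "bob", "FR", "failure") for m in range(5)],
    ("2014-09-03T02:05:00", "bob", "FR", "success"),
    ("2014-09-04T10:00:00", "alice", "DE", "success"),
    ("2014-09-05T12:00:00", "carol", "JP", "failure"),
    ("2014-09-05T12:01:00", "carol", "JP", "failure"),
    ("2014-09-05T12:02:00", "carol", "JP", "success"),
]

def detect(events, fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return (timestamp, account, reason) alerts to send to the account owner."""
    known = defaultdict(set)    # account -> countries seen on earlier successful logins
    fails = defaultdict(deque)  # account -> timestamps of recent failed logins
    alerts = []
    for ts, account, country, outcome in sorted(events):
        t = datetime.fromisoformat(ts)
        recent = fails[account]
        while recent and t - recent[0] > fail_window:  # drop failures outside the window
            recent.popleft()
        if outcome == "failure":
            recent.append(t)
            if len(recent) == fail_threshold:          # alert once, when the burst forms
                alerts.append((ts, account, "failed-login burst"))
            continue
        if len(recent) >= fail_threshold:              # a guess may have just succeeded
            alerts.append((ts, account, "success after failed-login burst"))
        # The first successful login only sets the baseline; later new countries alert.
        if known[account] and country not in known[account]:
            alerts.append((ts, account, f"login from new country {country}"))
        known[account].add(country)
        recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The new-country alert on alice may simply be travel, which is why the output is a notification for the owner to confirm rather than an automatic lockout.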
We don’t have all the facts about the photo leak, but we do know this: many of these photos are months or years old and were apparently getting shared below the radar for a long time. We’re all for better prevention, but let’s not lose sight of the fact that we need to get much better at how we detect attacks and how we respond. Corporations are no different. You will get compromised – you’ll be judged by how quickly you identify it and how you react. An active, threat-based defense isn’t a cure-all, but it’s my best argument for how to improve.