A few days ago a friend who has recently moved into the information security department of the corporation where he works emailed to say he is evaluating “next-generation” endpoint anti-malware software for detection, removal and blocking. He named a few products, most of them well known, and all claim to use “machine learning” to do their job. Go to Info Security Europe at Olympia and every year there is a craze; this year it was machine learning, with almost every stand claiming to offer a tool that finds and blocks advanced malware. Everyone seems to be jumping on the same bandwagon, and you have to wonder how many “next generation” or “machine learning” products actually work. I have personally tried some “cutting edge” products, and in the beta phase even a basic macro virus was let through; another claimed to block hidden downloads, which did not work.
Remember the security triangle you studied for a certification? Security, usability and cost. As security increases, cost goes up and user-friendliness goes down. The products my friend mentioned work by looking for patterns, rather than simply blocking everything that is not on an approved list (whitelisting). Take a house, for instance: by default you have a front door operated by a key. Add an alarm and it costs you money and makes it a bit harder to get into your house: increased security with small downsides. Add a second lock and forget the key, and you cannot get in at all. Add an outer fence with a swipe card; the layers add a great deal of security but cost you dearly and slow you down. Keep everything valuable in an under-floor safe and each time you want an item it takes two to three minutes, which means it takes you longer to leave the house. Get the idea?
Security in the non-physical world is no different. Roll out the crème de la crème of every technical control available and a blue-chip firm would be spending tens of millions, and it would probably slow down the workforce. Email encryption is one I like. True asymmetric (public-key) encryption is very strong but fiddly for the average user. Each party generates a key pair: the private key never leaves its owner, and the public key is given to anyone who needs to write to them. The sender encrypts with the recipient's public key (only the recipient's private key can decrypt it) and signs with their own private key (which the recipient checks against the sender's public key), so both sides have to import the other's public key into their contacts before the first message can be exchanged. Then you send an encrypted email and perhaps OWA (webmail) or your smartphone cannot decrypt it, because the private key is not installed there. Fiddly, but very strong privacy- and security-wise. An example we are all familiar with is a car key fob. When cars were invented you simply had a metal key; then remote locking was introduced. Unlocking from a distance is nice, isn't it, but the radio code can be intercepted.
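To make the key-exchange workflow above concrete, here is an added example, written for this page rather than taken from any mail product or library. Two users each generate an RSA key pair, hand out only the public half, and the sender encrypts to the recipient's public key while signing with their own private key. The message itself goes under a fresh AES-256-GCM key that is wrapped to the recipient, the same hybrid pattern PGP and S/MIME use, although this is a stripped-down illustration and not either format. The names Party, Envelope, Seal and Open are this example's own, and a third user (“eve”) who holds everybody's public keys but nobody's private key is included to show why a device without the private key cannot read the mail.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one mail user (illustrative type, not from any library). The
// private key never leaves its owner; only the public key is handed out,
// which is the "add the key to the contact" step described in the text.
type Party struct{ priv *rsa.PrivateKey }

func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Envelope is what travels over the mail system: the body under a fresh
// AES-256-GCM key, that key wrapped to the recipient's public key (RSA-OAEP),
// and the sender's RSA-PSS signature over nonce||ciphertext.
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg to the recipient's public key and signs it with the
// sender's own private key.
func (p *Party) Seal(recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, d[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open checks the signature with the claimed sender's public key, then
// unwraps the message key with the recipient's own private key. A reader
// holding only public keys (or the wrong private key) fails at that step.
func (p *Party) Open(sender *rsa.PublicKey, e *Envelope) ([]byte, error) {
	d := sha256.Sum256(append(append([]byte{}, e.Nonce...), e.Ciphertext...))
	if err := rsa.VerifyPSS(sender, crypto.SHA256, d[:], e.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: not from the claimed sender, or tampered with")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, e.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: this mail was not encrypted to me")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	eve, _ := NewParty() // holds everyone's public keys, nobody's private key
	env, _ := alice.Seal(bob.Public(), []byte("board pack attached"))
	pt, err := bob.Open(alice.Public(), env)
	fmt.Printf("bob: %q %v\n", pt, err)
	_, err = eve.Open(alice.Public(), env)
	fmt.Println("eve:", err)
}
```

Note what the “fiddly” part buys you: the phone or webmail client that has not had the private key installed is in exactly eve's position, and a message whose ciphertext is altered in transit fails the signature check before any decryption is attempted.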
Many companies use an appliance or hosted service to “encrypt” email. It simply sends the recipient a link to register for a webmail-style account. The notification (and the forgotten-password option) arrives, wait for it, over the same channel as a clear-text email, and then you log in to a web portal with a standard password. Everything that matters is gated by a password that can be reset through ordinary email, so whoever can read the recipient's mailbox can get at the “encrypted” message too; it is really not much stronger than sending a normal email. Encryption, or just password-protected webmail? Everything is covered by TLS, which is encryption in transit, not at rest on the server or once the message is downloaded. A big compromise really.
Two-factor authentication may increase security, but again it is harder to implement, costs more and means the user is delayed by 20 seconds or so at login. The stronger the control, the harder it is to use, and a hardware token for authentication or encryption demonstrates this: username and password, then software on the endpoint, then a hardware token to insert plus a PIN. Just because users occasionally need to install software does not mean you should give everyone admin rights or stop blocking USB devices. Users do not come to work to play; they come to obey the rules, not that most do.
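The second factor most people meet is a time-based one-time code (RFC 6238 TOTP), and the “20 seconds or so” the user spends reading the token and typing the code is exactly what a server-side verifier has to tolerate. Here is an added example of that server side, written for this page and not taken from any product: a TOTP computation checked against the RFC's published SHA-1 test vectors, plus a verifier that accepts a code from one 30-second step either side of “now” and refuses to accept the same step twice, so a code captured over the shoulder cannot be replayed. The Verifier and NewVerifier names and the skew parameter are this example's own; the seed “12345678901234567890” is the RFC test seed, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const totpStep = 30 // seconds per code, the usual token setting

// TOTPCode is RFC 6238 with HMAC-SHA1 and six digits: HOTP over the
// 30-second counter. secret is the seed shared between token and server.
func TOTPCode(secret []byte, counter int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(counter))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // RFC 4226 dynamic truncation
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier is the server side (illustrative type). skew is how many
// 30-second steps either side of "now" are accepted; that window absorbs
// the time the user spends typing the code and clock drift on the token.
type Verifier struct {
	secret      []byte
	skew        int64
	lastCounter int64 // highest step already used; blocks replay of a captured code
}

func NewVerifier(secret []byte, skew int64) *Verifier {
	return &Verifier{secret: secret, skew: skew, lastCounter: -1}
}

// Verify accepts code if it matches any step in the window and that step
// has not been consumed before. The comparison is constant-time.
func (v *Verifier) Verify(code string, now int64) bool {
	counter := now / totpStep
	for c := counter - v.skew; c <= counter+v.skew; c++ {
		if c < 0 || c <= v.lastCounter {
			continue // never accept a step at or before the last successful one
		}
		if subtle.ConstantTimeCompare([]byte(TOTPCode(v.secret, c)), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test seed, not a real one
	v := NewVerifier(secret, 1)
	now := time.Now().Unix()
	code := TOTPCode(secret, now/totpStep)
	fmt.Println("first use:", v.Verify(code, now))  // true
	fmt.Println("replayed: ", v.Verify(code, now+5)) // false: that step is consumed
}
```

Widening skew makes life easier for slow typists and drifting tokens, but every extra step is another six-digit value an attacker may guess, so keep it small and rate-limit failed attempts as well.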
So the next time you compromise, ask how good the control you are implementing really is. The same applies to physical security, a relationship, or buying a product that is cheaper than the next one up, which likely means it has a function or two fewer.