The last two weeks have been among the busiest weeks I've had in years. Most of the security work I've done in the last eight years or so has been largely confined to the realm of embedded systems, IoT, SCADA & friends, but these trying times have brought enough trouble that there's something to be done for everyone.
This has given me renewed insight into the social dimension of security. It's something that everyone talks about in the background but it's never quite as vivid as in these days, when the entire social landscape is shifting.
It's Not Business as Usual
Within a very short period of time, lots of organizations had to quickly transition from "you can work from home once in a while if you're sick" to "you can't come to the office unless there's no way around it". This has exposed -- and sometimes created -- acres of previously unexposed attack surface, in ways that we're sometimes too busy with tech to notice.
Lots of the trouble we're facing comes, I believe, from three sources:
- Rapid adoption of technology that people aren't familiar with (VPN access for everyone, collaboration tools, video conferencing...)
- Massive exposure of previously under-exposed technology (Zoom -- not that it wasn't popular before -- got used on a far wider scale, in a lot of places where it wasn't used before, and for way more sensitive things)
- Significant change in the physical landscape (fewer people working in offices, delivery workers handling even more orders than usual, a mixture of empty corridors and new faces on campuses)
"I've Never Seen Half of these Icons, Hang On!"
Newly-adopted technology comes with an often unarticulated problem: no usage habits. You have fifty people who are seeing these three new apps for the first time in their life and now they have to make sense of them together, with no counseling from anyone and no "official" guidelines. The first VPN meant to be used by people, not a fleet of gizmos, that I've set up in more than a decade, took a good five minutes to test over the phone, three of which were spent looking for the application icon.
Here there be dragons:
Phishing. Setting up new accounts, resurrecting old accounts, and dealing with sign-up trouble is now all in a day's work -- it seems that you need a new app for every single thing you do. It's easier than ever to miss a phishing email. When you get an email from Paypal once in a blue moon, even cleverly-disguised phishing emails can't make it past even the most distracted user. When you get a dozen emails about half a dozen accounts every day, it's a lot easier to miss the cues, especially when you're seeing emails from those providers for the second or third time in your life.
What do we do about it? The first line of response is to use single sign-on solutions wherever feasible and to 2FA everything that can be 2FA-ed (which is less than you'd want in fields where a good chunk of the equipment still in use dates from back when Beyonce didn't have a solo career). A surprisingly useful second line of response is a blanket "call if you have doubts" policy. No one sleeps much these days anyway.
Lack of experience with newly-adopted technology. Lots of companies find themselves on entirely new ground. For example, they quickly have to implement VPN access for everyone -- set up by staff with little experience managing wide-scale VPN access. Cloud storage is now used for things it had never been used before, by more people than even before, under the supervision of people without much experience managing external assets on this scale. This is probably the biggest challenge, because there are a lot of things to which you simply don't have the luxury of saying "not today" or "I'll look into it".
Some of these problems can be alleviated by not solving them yourself, and I have found myself recommending some cloud service or another more often than I generally do. But that's not an option for everything, and sometimes all you can do is make sure you can put the fires out in time.
(What do you mean "what fires?")
Even tools or protocols that are designed primarily for security (say, Matrix) take a while to mature to the point where they can safely be used on a large scale, and for sensitive purposes. But these days, lots of tools that were designed for security only insofar as it did not conflict with ease of onboarding, service monetizations, or the interests of early adopters with lots of cash to spend, have been co-opted for sensitive use.
Zoom is probably a good example. It wasn't an unpopular tool -- it had 10M users back in December -- and it certainly wasn't poor-quality software. But its userbase grew twenty times within a few months, and it was used on an unprecedented scale for things it had rarely been used before.
The wider user base, and wider use base, made Zoom a lot more interesting, for a lot more people, in a very short period of time. And lots of things that were previously obscured have come to light, not because they were particularly well-hidden, but because those who knew they were there didn't realize it was a problem, and lots of other people didn't bother to look, since they didn't think they'd find anything interesting in the first place.
I expect a lot of other up-and-coming services will run into this sort of trouble in the coming months. Trouble is, now that nearly everyone is doing nearly everything remotely, lots of choices aren't completely yours to make. You can decide to use this or that application that you consider trustworthy, but if your customer uses some shady conferencing app, you can't always say no.
"But everyone wears masks"
The official line everywhere is that office presence has been reduced to "essential personnel" only. This isn't exactly true everywhere. In many places it's more of a mixture of essential personnel and people who fly so low under the radar -- junior staff, interns, tech and maintenance staff -- that working from home (in a well-lit room with fresh air, plenty of elbow space, no noise...) is for some reason considered absolutely preposterous.
In short, the physical landscape of offices everywhere has been massively altered. People who sat in the opposite corner from the reception suddenly find themselves the de-facto receptionist. Since everything has to be cleaned and disinfected twice as often as before, two new janitors who no one has ever seen before now drop by every two hours. More people enter office buildings carrying pizza boxes than suitcases.
Social engineering, in a word, is easier to do than ever before. A colleague of mine used to joke that things would be a lot easier if the bad guys just wore masks, the way they do in movies. But now everyone wears masks.
It's not just that empty hallways and food deliverers everywhere make it easier to slip by. Thing is, nearly everyone's anxiety levels are through the roof. Everyone is tired. No one's had a decent night's sleep in days. Everyone is currently wired up to make ten times as many bad decisions as before. It's a swindler's paradise.
Incident response, regardless of cause, is the other victim of the altered physical landscape.
First of all, with all the new things that are being rolled out comes a whole new class of incidents that you have to respond to. That's inherent to adopting any technology -- it's just aggravated by the fact that adoption rate is up.
But, more importantly, lots of standard incident response steps inherently require physical access. For example -- the most common example, really -- physically disconnecting a box from the network, as the name implies, requires physical presence. Lots of incident response procedures have baked-in assumptions about a certain proportion of the IT staff being present, and those assumptions aren't really correct anymore.
No Time Like the Present
For me, the silver lining in all this is that, at the end of the day, the social aspects of security requires a kind of expertise that's been with us since the dawn of time. Computers have been with us for just a few decades, whereas social engineering is at least as old as the Trojan War.
That doesn't mean it's easy to handle it -- just that it's not a mysterious, arcane topic that only few can master. The math, the cryptography, all the "hard" aspects of security are things that we generally learn late in life, and only with great personal effort, in a specific study setting. The social part? By the time you turn eighteen, you already know almost everything you need to know. It just takes a little practice.