October is Cybersecurity Awareness Month, and this year’s theme is “See Yourself in Cyber,” an attempt to highlight the people part of cybersecurity, providing information and resources to help educate the public and ensure all individuals and organizations make smart decisions when it comes to cybersecurity hygiene and best practice.
A key engineering principle says that your system is only as strong as its weakest link. As computer systems and software have become more secure, humans have increasingly become the weakest link in the security system and the critical vulnerability found in most cybersecurity incidents. Building on the “people part of cybersecurity,” this post will examine five ways humans form singular failure points in cryptography.
Improper or Insufficient Training
Cybersecurity training is often thought of as anti-phishing videos or GDPR awareness courses. Necessary as they are, they are not sufficient. Those handling cryptographic secrets or privileged access routinely are unaware of the power that they have been entrusted with. The obvious example is administrative passwords or login certificates, but even bigger issues exist.
At the DevOps level, the attention paid to these details is often lacking, and the very specific nature of the risks means they are not covered in any training. For instance, engineers have been known to check certificates with secret keys into repositories, copy such keys to private laptops, or back them up to redundant archives accessible by many. Most are trained to build efficient modular software or maintain pools of systems. Few have been trained to do so securely and to be aware of the potential consequences.
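One way to catch the first of these mistakes before it spreads is to scan a checkout or backup directory for PEM private key blocks and report whether each is passphrase-protected and who can read it. This is an added example, not code from the original post; the function names, file paths and sample contents are constructed for illustration.

```python
import os, re, stat, tempfile
from pathlib import Path

# PEM armor labels that mark private key material (PKCS#1, SEC1, PKCS#8, OpenSSH).
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----\r?\n([^\n]*)")

def scan_tree(root, max_bytes=1_000_000):
    """Walk a checkout or backup directory and report every PEM private key found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # working tree only, not history
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for m in PEM_KEY.finditer(data):
                label = m.group(1).decode()
                # PKCS#8 marks encryption in the label, legacy PEM in a Proc-Type header line.
                enc = label.startswith("ENCRYPTED") or m.group(2).startswith(b"Proc-Type: 4,ENCRYPTED")
                findings.append({"path": os.path.relpath(path, root), "label": label,
                                 # OpenSSH keeps its passphrase status inside the base64 body.
                                 "passphrase_protected": None if label.startswith("OPENSSH") else enc,
                                 "readable_by_others": bool(st.st_mode & 0o044)})
    return findings

def demo():
    """Build a constructed tree (placeholder bodies, no real keys) and scan it."""
    samples = {
        "deploy/tls.pem": (b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
                           b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n", 0o644),
        "ops/ca.key": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nCONSTRUCTED\n", 0o600),
        "README.md": (b"Public docs only.\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in samples.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
            p.chmod(mode)
        return sorted(scan_tree(root), key=lambda f: f["path"])
```

The scan covers only the files currently on disk; a key that was committed and later deleted still lives in repository history and has to be treated as exposed and rotated.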
Despite the best of training, some practices seep into organizations and simply cannot be cleaned up. Examples of this are default passwords that become part of the culture. Convenient as they are, most folks know they are just not a great idea. We hear the justification, “it is only used within the firewall perimeter.” But this type of well-known behavior creates fertile ground for significant lateral movement and creates the opportunity for a devastating ransomware attack.
Other examples include movement of sensitive data to the home computer. This is effectively a data exfiltration and those that do it know that it is against the rules, but they believe they are being responsible, more secure, and extra careful.
Selecting a Bad Strategy
The issues highlighted above are tactical – daily decisions minor in themselves. They can often be cleaned up with education and discipline. Larger, strategic errors are harder to spot. The classic example is the lopsided spend to build a secure enclave, resulting in a failure to build adequate incident response capability. This same problem manifests itself in cryptography. The VPN is selected for ease of use or other conveniences, on the assumption that all VPNs are created equal in terms of protection. Likewise, few would notice an over-reliance on a single security tool suite made by a single vendor. This applies to cryptography as well. By itself this may not be a singular failure point, but it does create a structural fracture in the armor that gives rise to a variety of weak spots.
Humans Can be Bribed or Manipulated
On the darker side of the spectrum, not all people on the inside can be fully trusted. This is a major singular failure point and can be difficult to engineer around. Most enterprises will operate an internal certificate authority (“CA”). Just like the ones at the top of the PKI food chain, these intermediary CAs function to sign certificates and validate them. This can be used to create proxy or fake certificates for any website or service you visit and allows firewalls and other devices to decrypt the traffic for inspection or performance evaluation. For this to work, the public key of the enterprise CA must be installed on the corporate devices, something done during installation. All corporate issued devices will therefore trust this CA. This means there are a few folks in every enterprise that have access to the keys that can decrypt all traffic from all endpoints. The difficulty here is, once these keys leave the organization, how would one know? The private key of an intermediary CA is just a file of a few kilobytes, and small files are easy to copy.
Failure to Recognize Singular Failure Points
This is a meta-weakness, but very real and very bad. Ask civil engineers, automotive or aeronautical engineers, any engineer in charge of life safety. Their principal mode of operation is to ask, “what are the consequences if this thing fails?” The ability to spot singular failure points is unfortunately not engrained in most cybersecurity professionals. Even though it is a skill that is actually very easy to acquire, it does require initial practice. The question to ask is: what happens if my assumptions don’t hold? Typical assumptions are that cryptography is mathematically secure; crypto libraries are well tested and bug free; keys are truly random and won’t leak; the list goes on. Learning to spot these cryptographic assumptions as single points of failure is a necessity and will play a bigger role in the overall security posture of an organization in years to come.
These five human-driven factors form a significant weakness in the security of our data and communications networks. In the not-so-distant future, nearly every organization in the world will be undertaking a major cryptographic transition, replacing their legacy encryption with quantum-safe cryptographic algorithms, and humans will be doing the migration. The issues listed in this blog post are often systemic and take work to fix. Chip away at them whenever possible and think long-term about your organization’s overall crypto management policy and the human risk factor.