Monday, July 13, 2015

A New Security Capability is Needed

Over the past several years, the security industry has watched the threat vectors that attack information security systems change and adapt to overcome the increasing security controls that individuals and organizations have established in their environments. In response to improved technologies for identifying and addressing vulnerabilities such as malware, web-application code weaknesses, and direct system exploits (Dey, Lahiri, & Guoying, 2014), attackers have turned to back channels to gain access to systems. Instead of frontal attacks on systems, attackers use authorized individuals, and their approved credentials and roles within systems, to reach targeted systems (Dey et al., 2014). This generally takes the form of a social engineering attack that, when successful, contaminates a user’s endpoint and then rides on the access the user creates through his/her credentials to gain a stronger foothold in backend systems and data (Purkait, 2012).

Industry’s Historical Response
The industry has focused on three approaches to mitigate this attack vector: technological improvement in the detection and prevention of phishing-type attacks; technological improvement in the detection and prevention of malware infection from such attacks; and improved training and awareness of end-users so that they recognize such attacks and avoid becoming victims of them (Purkait, 2012). Absent from the approach is a strong effort to improve application security so that it detects anomalous behavior from an authorized user (or his/her credentials) and alerts on or mitigates the anomaly.
Take, for instance, a user with an infected system who is accessing (with appropriate credentials) an organization’s customer information systems. Role-based access controls, which are increasingly offered in systems and applied by organizations, are intended to limit the type of data the user has access to. However, application security controls typically are not developed to identify when the user is accessing records that are not associated with an authorized work task, accessing records at a higher-than-usual rate, or performing other actions that are authorized by the credentials but anomalous for that user.
 
Limitations of Industry’s Response
This is a significant weakness in software security, considering that 40% of the breaches organizations have experienced in the past two years have their root in a compromised endpoint using a compromised user’s valid credentials to extract valuable data from the system (The eight most common causes, 2013). In essence, information security technologies and practices have become increasingly effective at preventing a breach of a door to the organization’s data. Security has not, however, been effective in ensuring that the activities carried out through a properly opened door are not breach-related.
 
The Challenge of Addressing the Limitations
This gap exists in software security for two reasons. First and foremost, developing security capability to “block the door” has been the mainstream focus of security efforts for the past two decades (Drinkwater, 2014). A shift in momentum and approach will undoubtedly take notable time to manifest. Secondly, identifying malicious activity within connections, transactions, and sessions that are otherwise authorized poses notable technical challenges. Embedding that kind of analytical capability in a software system is feasible, but it comes with additional cost. Generally, budget and business considerations push to drive down the cost of software and to bring it to market more quickly (Pass & Ronen, 2014). In addition, the implementation approach for the software would need to account for further considerations. In current technologies that attempt to identify anomalous behavior, there is a period during which the software must “learn” the normal behavior patterns of users in order to identify such anomalies in the future (Purkait, 2012).
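The two anomaly signals described under the industry’s response (records outside the user’s usual work, and a higher-than-usual access rate) and the learning period described just above can be sketched as a small per-user baseline. The following is an added illustration written for this post, not code from any product or from the cited sources; the log format, the user names, the record types and the thresholds are all constructed assumptions.

```python
"""Per-user behavioural baseline over an application's record-access log.

Learning phase: for each user, record the types of records touched and the
distribution of reads per hour. Detection phase: flag reads of a record type
the user never touched during learning, and hours whose read count exceeds
the user's learned rate threshold. Users absent from the learning period
cannot be judged and are reported once so an analyst can decide.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real data), one read per line:
# "<ISO timestamp> <user> <record_type> <record_id>"
BASELINE_LOG = """
2015-07-06T09:05:00 alice customer_profile 1001
2015-07-06T09:20:00 alice customer_profile 1002
2015-07-06T10:10:00 alice customer_profile 1003
2015-07-06T10:45:00 alice customer_profile 1004
2015-07-06T11:30:00 alice customer_profile 1005
2015-07-07T09:15:00 alice customer_profile 1006
2015-07-07T09:50:00 alice customer_profile 1007
2015-07-07T10:05:00 alice customer_profile 1008
2015-07-07T10:35:00 alice customer_profile 1009
2015-07-07T11:20:00 alice customer_profile 1010
2015-07-07T11:55:00 alice customer_profile 1011
""".strip().splitlines()

# Constructed evaluation window: a burst of reads in one hour, one read of a
# record type alice never touched in training, and a user with no baseline.
EVAL_LOG = """
2015-07-13T09:01:00 alice customer_profile 1012
2015-07-13T09:03:00 alice customer_profile 1013
2015-07-13T09:04:00 alice customer_profile 1014
2015-07-13T09:06:00 alice customer_profile 1015
2015-07-13T09:07:00 alice customer_profile 1016
2015-07-13T09:09:00 alice customer_profile 1017
2015-07-13T09:10:00 alice customer_profile 1018
2015-07-13T09:12:00 alice customer_profile 1019
2015-07-13T10:10:00 alice payroll 9001
2015-07-13T11:00:00 alice customer_profile 1020
2015-07-13T11:05:00 bob customer_profile 1021
""".strip().splitlines()


def parse(lines):
    """Split each log line into (timestamp, user, record_type, record_id)."""
    return [tuple(line.split()) for line in lines if line.strip()]


def hour_bucket(ts):
    """Truncate an ISO timestamp to its hour, e.g. '2015-07-13T09'."""
    return ts[:13]


def learn_baseline(events):
    """Learning period: per-user hourly read counts and record types touched."""
    counts = defaultdict(lambda: defaultdict(int))  # user -> hour -> reads
    types = defaultdict(set)                        # user -> record types
    for ts, user, rtype, _ in events:
        counts[user][hour_bucket(ts)] += 1
        types[user].add(rtype)
    baseline = {}
    for user, hours in counts.items():
        per_hour = list(hours.values())
        mu, sd = mean(per_hour), pstdev(per_hour)
        # Threshold: three standard deviations above the mean, with a floor of
        # twice the mean so a very regular user does not alert on tiny changes.
        baseline[user] = {"rate_threshold": max(mu + 3 * sd, 2 * mu),
                          "record_types": types[user]}
    return baseline


def detect(events, baseline):
    """Return (user, hour, reason, detail) alerts for an evaluation window."""
    alerts = []
    counts = defaultdict(lambda: defaultdict(int))
    unknown_users = set()
    for ts, user, rtype, _ in events:
        profile = baseline.get(user)
        if profile is None:
            if user not in unknown_users:  # report each unlearned user once
                unknown_users.add(user)
                alerts.append((user, hour_bucket(ts), "no_baseline", rtype))
            continue
        if rtype not in profile["record_types"]:
            alerts.append((user, hour_bucket(ts), "record_type", rtype))
        counts[user][hour_bucket(ts)] += 1
    for user, hours in counts.items():
        for hour, n in hours.items():
            if n > baseline[user]["rate_threshold"]:
                alerts.append((user, hour, "rate", n))
    return alerts


BASELINE = learn_baseline(parse(BASELINE_LOG))
ALERTS = detect(parse(EVAL_LOG), BASELINE)

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

On the constructed data this produces three alerts: a rate alert for alice’s 09:00 hour (eight reads against a learned threshold of about 3.7 per hour), a record-type alert for the payroll read, and a single no-baseline notice for bob. The point of the floor and the deduplication is the cost the post mentions: without them a quiet user or a newly provisioned account generates noise that an operations team will soon learn to ignore.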
 
Summary
A current challenge in the area of software security is to move past door blocking and role-based access controls, which were relevant controls in the past, and to increase the capability to detect and prevent anomalous behavior initiated by an authorized user through the open door. Attackers are effectively using social engineering to plant malware on endpoints, and that malware rides on the authorized sessions of end users to extract data from systems. Often this data extraction activity is atypical in one or more characteristics of how the end-user engages with the system. A shift in focus in the industry, and improvements in technology, are needed to be effective against this breach type. Data shows that the traditional preventive controls implemented in organizations are ineffective against this attack type.

References
 
Dey, D., Lahiri, A., & Guoying, Z. (2014). Quality competition and market segmentation in the security software market. MIS Quarterly, 38(2), 589-A7. Retrieved from http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=iih&AN=95754036&site=ehost-live&scope=site
 
Drinkwater, D. (2014). Data breach discovery takes ‘weeks or months’. SC Magazine. Retrieved from http://www.scmagazineuk.com/data-breach-discovery-takes-weeks-or-months/article/343638/
 
Pass, S., & Ronen, B. (2014). Reducing the Software Value Gap. Communications Of The ACM, 57(5), 80-87. doi:10.1145/2594413.2594422
 
Purkait, S. (2012). Phishing counter measures and their effectiveness - literature review. Information Management & Computer Security, 20(5), 382-420. doi:http://dx.doi.org/10.1108/09685221211286548
 
The eight most common causes of data breaches (2013). Information Week. May 22, 2013. Retrieved from http://www.darkreading.com/attacks-breaches/the-eight-most-common-causes-of-data-breaches/d/d-id/1139795?
