IT security has evolved from being a completely binary operation to taking a more nuanced approach. Back in the days when R, S, and A first got together, it was sufficient to do security on this pass/fail basis – meaning a large part of security was letting someone in or not to your network. Or, it could mean allowing them to use a particular application or not, or allowing them access to a particular network resource (e.g. printer, server) or not.
In my blog post earlier this month, I have mentioned this nonbinary approach in passing, particularly when I have talked about adaptive authentication. This is the core reason that the authentication “adapts” to particular conditions. For example, if someone is attempting a second login with “impossible travel” conditions. Or, if you are trying to authenticate not just the user but their device as well.
But the nonbinary issue is bigger than authentications. It is a product of our times: First, because of the pandemic and more remote working conditions, IT has made drastic changes to their infosec policies, procedures and products. But more importantly, a nuanced approach is needed more than ever because everyone has somewhat different security circumstances.
“It isn't just one size doesn't fit everyone; it is that one size doesn't fit many circumstances,” said Erik Jost, the Chief Technologist for NTT Data in a recent conference session. Everyone’s network infrastructure is different and has changed greatly since the beginning of the current disruption. Let me give you a few examples:
- Figuring out attribution to the source of an attack. Sometimes there are shades of grey that could indicate a variety of outcomes, or even that an attack wasn't from an adversary but just from a badly configured laptop of an employee. Or, an attacker may deliberately confuse things by planting false flags in their code so they can slip inside your network undetected, such as by disguising their malware as a normal piece of code that is part and parcel to the underlying operating system. The ability to block these clever methods requires a nuanced approach so you can link the various steps in a malware’s kill chain and make it harder for an attacker to move around your network before more damage is done.
- Password rules that are too complex. Many IT teams put in place requirements for password construction that are too onerous: 20-character passwords that must be changed every month, for example. This makes employees more motivated to come up with more predictable passwords that they can remember and manage, which defeats the whole purpose of having complex passwords.
- Over-protective endpoint security. While it is great to plug as many holes as possible across your endpoint collection, if you lock down your endpoints too much, employees will shift their work to the cloud and their personal devices. That is also self-defeating.
- Finding "missing" network segments. It is just human nature: we can be forgetful, and in some cases, as a result of misconfiguration, we can forget about an entire network segment or collection of servers. Your endpoint/intrusion detection tools tend to be more pass/fail on this and can give you false results. If these tools offered a more nuanced approach, you might recognize that the forgotten equipment is legitimate and you need to modify your system asset tables to properly account for them, rather than collect a bunch of false warning messages.
- URL shorteners. Remember how they were all the thing not too long ago? Now they are less favored, because they can hide malware or take you to places that will compromise your endpoint’s browsing session. Again, nuance please. Customers of a popular email provider gave the shortened URLs generated by the software an automatic pass. That was mistake. Turns out, it was one way attackers could compromise their customers’ accounts.
- Dealing with detecting impossible travel. The impossible travel situation once was absolute: after all, no one can travel across the globe very quickly. But as more of us work remotely and make use of VPNs, that means calculating what is possible is a lot harder to do just by computing the raw distance between the implied geolocations. If I change my VPN endpoint from one continent to another, does that mean my account has been compromised or is it because I am trying to obtain a better or faster Internet connection? Nuance once again.
- Sloppy outboarding of former staff. Did your recently fired employee access your network? We don’t always outboard former staff completely and can sometimes leave residue of access rights scattered around the network. Detecting these mistakes will require a finer, and more thorough, touch.
As one article written back in 2017 stated, “Cybersecurity requires a more nuanced approach than rushing headlong into the cybersecurity marketplace to snap up the shiniest solutions, sanctioning wholesale Internet separation, or locking out USB devices entirely. Senior management of large organizations should also be wary of blanket cybersecurity policies that conflict with local operational needs.” I couldn’t agree more.
David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including: network computing, computer hardware and security markets. Follow him @dstrom.
Check out his latest work: