The “One Thing” in Cyber
Cyber security professionals often borrow terms from public health. A “disease vector” is the path an infectious disease takes through a population. Parents will intuitively grasp the two main disease vectors — their kids’ schools and their own workplaces. In cyber, we talk about “threat vectors” or “attack vectors” in much the same way.
These are the paths along which an attacker pursues his efforts to compromise a system and steal its data. Even non-technical professionals will not be surprised to discover that no less than 91% of all “hacks” use email as the principal “vector” by which information is obtained and then used to compromise a system.
The single most effective — and affordable — step industry can take to guard against this is to adopt “digital signatures” for all email communications.
Means and Methods
While the strategies used by hackers can seem technically and psychologically sophisticated, at the end of the day they are attempting to use email to impersonate someone you know and trust. Often they will follow up on an email with a phone call to further this effort. Once they succeed at making you believe they are someone they aren’t, it is very easy to defeat even the most advanced technologies deployed to secure a network.
It is important not to over-complicate what is happening here. Just like a real-world disease virus like the flu can be easily disrupted by simply washing one’s hands frequently, when we understand both the “means” of a cyber attack (email) and the “method” — impersonation — we can devise a relatively simple and affordable way to disrupt the vector.
“Digital Certificate” Identification
Without getting too technical about it, the Internet features what is called the Public Key Infrastructure (PKI). Understanding the ins and outs of PKI is not necessary. What matters is that it offers the ability to “assure” you of the true identity of the person from whom you receive an email. (Cyber security is also called “Information Assurance” (IA).)
This is accomplished by obtaining a “digital certificate” from a recognized “Certificate Authority” (CA). Google, for example, publishes a list of CAs they consider trustworthy. Examples from this list of CAs which offer email certificates online are Comodo, IdenTrust, and GlobalSign. These “Trusted Certificate Authorities” also work with vendors like Microsoft and Apple to ensure their current “root” certificates are included in the regular security updates to your computer’s operating system.
These CAs will use various methods to verify your identity. Depending on the kind of certificate you are buying (e.g. those accepted by the U.S. Department of Defense) you might be required to send a notarized application as part of the process.
The CA will provide directions on downloading their current “root” certificates and importing them into your computer. Once you receive your certificate (a specially formatted file) you can import it into most email clients, and then configure your email client to “sign” each email with your certificate.
To strengthen this even further, companies can adopt a “smart card” approach for company badges/ID cards. These “smart cards” are almost identical to recently adopted “EMV chip” credit cards which are placed in a card reader at the point of sale. These “smart cards” can be configured with a PIN, and then have the digital certificate written to the chip. Now, in order to “sign” an email, the user places the smart card / ID into a USB card reader and is prompted for the card’s PIN when sending. (Most email clients will cache this PIN after its first entry and keep it in cache until you close the program so you are not constantly prompted for the PIN.) A smart card approach is an example of “two-factor authentication” (2FA) — it requires the user to possess the badge itself, and to know the PIN.
By implementing digital certificates (and optionally the smart card employee badge), now all employees can send signed emails internally and externally. Depending on the email client used by the recipient, they will see some form of icon in their email list showing that the message has been signed. Opening the email and clicking the icon then shows the name of the person to whom the certificate belongs. If an employee receives an email representing itself as coming from a trusted fellow employee / company executive — but the email is not signed — the employee should immediately treat it as suspect.
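As an added example (not from the article), here is the sign-and-verify cycle just described carried out with OpenSSL's S/MIME tooling: a constructed self-signed "Demo Root CA" and a certificate it issues to "Alice" stand in for a CA-issued email certificate, and the file names and addresses are assumptions. The recipient's verification step is what a mail client does before it shows the signed icon, and a tampered body fails it.

```shell
#!/bin/sh
# Added example: S/MIME signing and verification with OpenSSL. A constructed
# self-signed "Demo Root CA" and a certificate it issues to Alice stand in for
# a real CA-issued e-mail certificate (throwaway test material, no real keys).
set -eu
WORK=$(mktemp -d)

make_demo_certs() {
  # Root CA: plays the trusted "root" certificate the recipient has installed.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  # Alice's key, request, and CA-issued signing certificate bound to her address.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Alice Example" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=emailProtection\n' > "$WORK/alice.ext"
  printf 'subjectAltName=email:alice@example.com\n' >> "$WORK/alice.ext"
  openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3 -extfile "$WORK/alice.ext" -out "$WORK/alice.crt" 2>/dev/null
}

sign_message() { # $1 = plain-text body, $2 = output multipart/signed .eml
  openssl smime -sign -in "$1" -text -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" \
    -from alice@example.com -to bob@example.com -subject "Payment request" -out "$2"
}

verify_message() { # $1 = received .eml; prints the signer's e-mail address or REJECTED
  if openssl smime -verify -in "$1" -CAfile "$WORK/ca.crt" \
       -signer "$WORK/signer.crt" -out /dev/null 2>/dev/null; then
    # This address is what the recipient compares against the From: header.
    openssl x509 -in "$WORK/signer.crt" -noout -email | head -n 1
  else
    echo REJECTED
  fi
}

make_demo_certs
printf 'Bob, please pay invoice 1042 to the account below.\n' > "$WORK/body.txt"
sign_message "$WORK/body.txt" "$WORK/signed.eml"
echo "genuine message: signed by $(verify_message "$WORK/signed.eml")"
# Altering the signed body breaks the signature; the recipient treats the
# message as suspect, exactly as the article says to treat an unsigned one.
sed 's/invoice 1042/invoice 9999/' "$WORK/signed.eml" > "$WORK/tampered.eml"
echo "tampered message: $(verify_message "$WORK/tampered.eml")"
```

Note that OpenSSL only checks the chain to the root and the signature itself; matching the address in the signer's certificate to the From: header is the recipient's (or mail client's) job, which is why the script prints it.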
As companies increasingly adopt this technology internally, it will become practical for companies to expect their external business partners, vendors, etc. to also be signing their emails with digital certificates. When we understand that email impersonation is the predominant “attack vector” in cyber security, the relatively inexpensive costs offer tremendous return on investment when considering the “assurance” provided that the person sending you that email is, in fact, who they claim to be.
Generally speaking, a digital certificate valid for three years should not cost much more than $300. Smart cards are relatively inexpensive when bought in bulk, and many vendors offer ID card printing services. USB smart card readers run between $10 and $20, and are now often built into keyboards and laptops.