Rapid 7 summit: Attacks are personal so risk analytics need to get personal too

Delegates at Rapid 7’s United 2013 security summit heard how security needs to be personal as cyber attacks become personal

Security attacks are now more personal so security and data analytics need to become more personal too, Hugh Thompson, co-author of The Plateau Effect told delegates at Rapid 7’s United 2013 security summit.

During his presentation – Attackers, Plateaus and the Future of IS – Hugh Thompson observed that, previously, an attack was easy to identify through something as simple as too many spelling mistakes: “But now the bad guys can spell. Now it’s more personal – they go into LinkedIn and cross-reference with Twitter to find out the security guy is on holiday, and then you can build an email that is so unique and personal that the individual will be inclined to click it.”

Thompson noted that the technology in our personal lives is now much better than in the business world, so users will find a way to use it.

He said: “That’s happening and it doesn’t matter what policies you set internally. People will always optimise their own stuff. You’re fighting against a user’s desire for convenience and to be more productive. You can’t ignore that; you have to lean into it. Everything is becoming an adapt-to-me service.

“Understand the risk and know when it’s coming so you can prevent it. Analytics are becoming more personal,” said Thompson.

Personalising security risk

Thompson gave the example of a gymnast during a double bar routine who is putting herself at risk: “The spotter makes the routine possible because he knows her so well. He knows when she’s in her comfort zone and knows when to catch her. Spotters are usually in the background. They have a lot of data and analytics on the gymnast and can protect her in a very intimate way. This means she can go out and do great things, as he is there to catch her.

“In technology users are taking great risks too. Some services are not sanctioned internally, they are just happening and sometimes these are happening in groups. So you need security that knows the individual.”

According to Thompson, security should also recognise that people react differently to different situations.

He explained that he was recently on a flight from San Francisco to London, when the passengers realised a bird had managed to get trapped on the flight. The bird was eventually secured in one of the bathrooms, where it stayed until the plane landed.

“I called my wife when I landed and the first thing she said was, ‘Did the bird make it ok?’ But when I met with a security professional and told the same story he thought about how he could build a mechanical bird with an explosive and have it enter the plane whilst the crew was loading. He realised there was a weakness exposed there, as the plane couldn’t even detect a wild animal, let alone a mechanical one,” he said.

He added: “When a security certificate warning flashes up on the screen, my wife is the kind of person who just wants to click out of it as soon as possible; whereas a security professional is thinking about why that appeared, what domain they clicked on, for example.

“Security information is starting to realise that people are different and that controls need to be uniquely different for them.

“Controls are something that shouldn’t affect what we do, but instead give us confidence. Ground truths don’t exist in security, so you have to adapt and change constantly to fit the environment.”

Sustaining awareness of personal security

Thompson questioned how you can take security to the next level after it starts to plateau.

“People become immune to the same techniques and they become useless as an alert, like a car alarm. It is a signal for something bad happening, but nobody seems to care anymore,” he said.

He described the concept of the pesticide paradox, where pesticides are used in a field but some bugs are immune to that particular pesticide: “The answer to this is solvent diversity. Using different solvents in the same field means that the bugs that are immune to the first pesticide can’t remain and grow. This should be the same for testing. Changing up can shake you out of an immunity plateau.

“People test software in the way that they think users will use it and they look to the past to achieve that. You need to incorporate diversity into testing too.”

Distorted data and risk

Another factor he cited in security plateaus was distorted data: we often react on the basis of distorted data, and sometimes measure inaccurately or assess risk inappropriately.

He gave the example of headlines about shark attacks on humans increasing 25% in 2010, when in fact the absolute number only rose from 63 to 79. The actual risk for humans who entered the ocean in 2010 barely increased: “You would have more chance of being hit by a bus painted like a shark on the way to the beach than you would getting bitten by a shark. You come up against figures like this in security and risk all the time.”

According to Thompson, we are also vulnerable to recent data: “This means we may over-weight things and think they are more important. The solvent here is to ignore the noise and recognise the signal. The key is to boil out the impurities of data.”
