What is Authentication?

When speaking or consulting on security, I often point out that if we were to build comprehensive and truly bullet-proof security, we would still be at the mercy of social engineering. Social engineering can be defined as “the act of duping you into giving away your credentials in order to gain access to a system”. There have been many creative attempts to pull this off, including the sly approach of ringing you up, pretending to be the help desk, and casually asking you for your password as part of a “random check on company PCs”.

It is worth noting that social engineering works best when the only credential required is of the “user name/password” variety: a password is something you can be talked into reading out. If the credentials used to gain access are more sophisticated (a physical token, a one-time code, a biometric), they form a far more formidable barrier, although they do not remove the problem entirely; an attacker can still try to talk you into reading out a one-time code or approving a login prompt, so the code should be short-lived and the prompt should tell you what you are approving.

User Authentication

User authentication is about “proving you are who you say you are”. You can think of there being different authentication techniques. Going from the weakest to the strongest they are:

  1. User name/password. The weakness of this approach is that it rests on a secret the user can be talked or tricked into revealing, so talented social engineers can usually break it in some way. It is also breakable using keylogger trojans, which record keystrokes and report them to the attacker who infected your machine, and by password crackers that simply try every possibility. Against a stolen password database stored with a fast hash, short or common passwords fall within minutes; this is why the server should store only a salted, deliberately slow hash of the password and should rate-limit online guessing.
  2. Two-factor authentication. Technically there are different versions of this (hardware tokens, smart cards, one-time codes generated by a phone app), but they share one characteristic: in addition to something you know, you must present something you have, a unique digital key that you carry with you. The key on its own does not grant access, so if you lose it, it is of little use to anyone else, and as soon as you report it missing it can be revoked.
  3. Biometrics. This means measuring something unique about you (fingerprint, palm print, face recognition, iris of the eye, etc.). Such traits are very hard to forget or hand over, which is why they are usually counted as the strongest factor, but they are not bullet proof: every reader has a false-accept rate, a captured fingerprint or face image can be replayed or spoofed unless the reader checks for liveness, and, unlike a password or token, a biometric cannot be changed once it leaks. They work best alongside another factor rather than on their own.

Software Authentication

A second and equally important aspect of authentication is software authentication. While you might not be able to gain access to a computer if user authentication is strong enough, another way in is to force some rogue software onto the target machine and have it do your work for you, whether that involves stealing identities, or other data, or making a false transaction occur.

Aside from viruses, worms and other forms of malware, there are a variety of techniques for breaking into a computer that can be classified under the heading of “code injection”, all of which involve fooling the computer into running some code that you pass to it. Such code can then attempt to carry out nefarious acts of one sort or another.

However, if all software that is exposed to code injection (i.e. it accepts external input in one way or another) runs with tightly constrained permissions (in other words, it is only allowed to do what it was designed to do and cannot launch new processes, write outside its own directories, or open network ports), then injected code inherits the same constraints and can do far less damage.

If you now couple that with application allowlisting (a whitelist), so that only recognized and authenticated executables can be run, then you have closed off a whole set of vulnerabilities. The caveat is that allowlisting governs what can be launched from disk; code injected into the memory of an already-running, allowlisted process is not stopped by it, which is why the permission constraints above still matter.
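As an added example (my own code, not the post’s), the following Python shows the core of an executable allowlist: a program is recognized by the SHA-256 of its bytes, recorded in a manifest by the administrator, and anything whose hash is not in the manifest is refused before it is launched. The script contents, the manifest label and the function names are constructed for the demonstration; a script run through the interpreter stands in for a native binary.

```python
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not be read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_allowlisted(path: str, allowlist: dict) -> bool:
    """An executable is recognized by the hash of its bytes, not by its name or
    location: renaming malware to 'report.py' does not get it onto the list."""
    actual = sha256_file(path)
    return any(hmac.compare_digest(actual, known) for known in allowlist)


def run_allowlisted(script: str, args: list, allowlist: dict) -> str:
    """Refuse to launch anything whose hash is not in the manifest; otherwise run
    it in an isolated interpreter with a minimal environment and return stdout."""
    if not is_allowlisted(script, allowlist):
        raise PermissionError(f"{script}: not on the executable allowlist")
    result = subprocess.run(
        [sys.executable, "-I", script, *args],   # -I: ignore env vars and user site
        capture_output=True, text=True, check=True,
        # Pass through only what the interpreter needs to start; nothing else
        # from the parent's environment reaches the child.
        env={k: os.environ[k] for k in ("PATH", "SYSTEMROOT") if k in os.environ},
    )
    return result.stdout.strip()


def demo() -> tuple:
    """Constructed sample: build a trusted script, record its hash, run it, then
    append one line and show that the modified file is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "report.py")
        with open(script, "w") as f:
            f.write("print('report generated')\n")
        # Manifest entry: hash -> label. In practice the manifest itself is
        # signed and distributed by the administrator (assumption).
        allowlist = {sha256_file(script): "report.py v1 (approved by admin)"}
        before = run_allowlisted(script, [], allowlist)

        with open(script, "a") as f:           # an attacker plants one extra line
            f.write("import os; os.system('id')\n")
        try:
            run_allowlisted(script, [], allowlist)
            blocked = False
        except PermissionError:
            blocked = True
    return before, blocked


if __name__ == "__main__":
    print(demo())   # ('report generated', True)
```

Note what the check does and does not cover: the tampered file is refused because its bytes changed, but if the attacker had instead injected code into the running, approved `report.py` process, the hash check would never have been consulted. That gap is what the permission constraints in the previous paragraph close.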

Data Authentication

Technically, the problem of data authentication was solved a long time ago by public-key cryptography. You sign the data with your private key (in the original RSA formulation this was described as encrypting a hash of the data with the private key) and send the signature along with the data; the recipient verifies the signature with your public key and knows both that the data came from the holder of the private key and that it has not been altered since. What a PKI adds is a way for the recipient to be sure that the public key really is yours, typically through a certificate issued by a trusted authority. Where both sides already share a secret key, a message authentication code (MAC) such as HMAC gives the same integrity guarantee without public keys. Note that encryption on its own does not authenticate anything: a recipient who can decrypt a message still cannot tell whether it was altered in transit.
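As an added example (not code from the original post), the following Python demonstrates the last point above with a shared-key MAC, since the standard library has HMAC but no public-key signing; a digital signature gives the same tamper-detection property with a private/public key pair. The stream cipher is a deliberately simple SHA-256 counter-mode construction for illustration, the message and keys are constructed sample data, and the function names are my own.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode.  Illustration only; use a
    real AEAD (AES-GCM or ChaCha20-Poly1305) in production."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any change to
    either is detected before decryption is attempted."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time check
        raise ValueError("authentication failed: data modified or forged")
    return decrypt(enc_key, nonce, ct)


def flip(ciphertext: bytes, index: int, old: str, new: str) -> bytes:
    """Bit-flip attack on a stream cipher: knowing the plaintext byte at
    `index`, XOR in (old ^ new) so it decrypts to `new` instead of `old`."""
    out = bytearray(ciphertext)
    out[index] ^= ord(old) ^ ord(new)
    return bytes(out)


def demo() -> tuple:
    """Constructed sample message.  Returns (what a receiver with encryption
    only decrypts after tampering, whether the MAC receiver detected it)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    msg = b"PAY 0100 TO ALICE"          # attacker knows the format, not the key

    ct = encrypt(enc_key, nonce, msg)                       # encryption only
    tampered = decrypt(enc_key, nonce, flip(ct, 4, "0", "9"))

    blob = seal(enc_key, mac_key, nonce, msg)               # encrypt-then-MAC
    ct_part = blob[NONCE_LEN:-TAG_LEN]
    forged = blob[:NONCE_LEN] + flip(ct_part, 4, "0", "9") + blob[-TAG_LEN:]
    try:
        open_sealed(enc_key, mac_key, forged)
        detected = False
    except ValueError:
        detected = True
    return tampered, detected


if __name__ == "__main__":
    print(demo())   # (b'PAY 9100 TO ALICE', True)
```

The receiver of the unauthenticated ciphertext happily decrypts an order for 9100 instead of 100 without any way of noticing; the receiver that checks the tag refuses the message before decrypting it. Swapping `seal`/`open_sealed` for a signature scheme changes who can create the tag (only the private-key holder) but not what the check tells you.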

DRM (Digital Rights Management) uses the same toolkit for a different purpose: access control rather than authentication. You provide data in encrypted form, and only those who have your permission (e.g. they have paid for a key) can read it (or play it).

This is the first in a series of postings intended to cover the wide topic of IT security. I’ll be adding more in time.
