This is a follow-up to my previous post on the MGM Attack.

I’ve been going through recaps of recent cyber-attacks and have seen more than one reference to people as being the weakest link. I’m tired of this excuse. All the tech we use is built by humans, or built by robots, or AI, and they were built by humans. The criminals are humans. We’re at the center of it all.

It’s time we focus on something else.

You are not the weakest link

Processes and outcomes

In the case of the MGM attack, it seems that an administrator’s access was obtained through vishing (phishing, but over the phone): the caller convinced someone to perform a password reset. So let’s blame the person at the helpdesk, right? What we don’t talk about is the well-defined script for performing that specific task:

  • Ask the person calling to identify themselves.
  • Ask specific questions that only the person calling in should know the answers to.
  • Verify the ticketing system for any notes pertaining to this person.
  • If all proceeds as expected, reset the person’s password and/or MFA.

Assuming the person at the helpdesk follows the defined process, how can they be blamed? It’s like getting a speeding ticket for driving at the speed limit; it doesn’t make sense.

If the process can’t guarantee the desired outcome, you’re introducing risk. Depending on the risk, you can implement additional safeguards and controls to reduce it further, but there’s rarely a point where you eliminate it completely.

How do you know there’s risk?

Any time you can’t ensure a process ends in only one of two results: success or failure.

Let’s apply this to the password reset process: Can this process be trusted 100% of the time to ensure that only the actual person (employee or contractor) can reset their password? We know the answer is no.

Can we improve the process?

Yes, you can add more validations, questions, callbacks, and other steps, but unless one of them depends on something a criminal cannot obtain, you can’t be 100% sure. You must also decide how many steps can be added before they cause so much friction that people complain or stop following the process, at which point you’re doing worse than before.

Are we done?

Of course not! As I said, if you can’t eliminate the risk, you need to consider additional controls and safeguards. For staff with administrative privileges, do they need elevated privileges full-time or only for specific activities? Are those activities managed by a change management process, possibly dictating when the changes can happen and how?

This helps control and monitor activities and, most importantly, detect when something doesn’t fit a process or doesn’t match an expected outcome.
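As an added illustration (not code from the original post), the following Python checks each helpdesk reset against two expectations the post describes: a reset should be backed by a ticket for that user, and a reset of a privileged account should fall inside an approved change window. The records, names and timestamps are constructed samples, and the record shapes are assumptions about what a ticketing system and identity log would provide.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ResetEvent:
    """One password/MFA reset performed by the helpdesk (assumed record shape)."""
    user: str
    performed_at: datetime
    ticket: Optional[str]      # ticket the helpdesk cited, if any
    privileged: bool           # does the account hold administrative rights?


@dataclass
class ChangeWindow:
    """Approved window in which a privileged account may be changed."""
    user: str
    start: datetime
    end: datetime


# Constructed sample records; hypothetical, not taken from the post or the incident.
TICKETS: Dict[str, str] = {"T-1001": "alice", "T-1002": "carol"}
WINDOWS: List[ChangeWindow] = [
    ChangeWindow("alice", datetime(2023, 9, 11, 9), datetime(2023, 9, 11, 12)),
]
EVENTS: List[ResetEvent] = [
    ResetEvent("alice", datetime(2023, 9, 11, 10), "T-1001", True),   # fits the process
    ResetEvent("bob", datetime(2023, 9, 11, 22), None, True),         # no ticket, admin, no window
    ResetEvent("dave", datetime(2023, 9, 11, 14), "T-1002", False),   # cites someone else's ticket
]


def reasons_for(event: ResetEvent, tickets: Dict[str, str], windows: List[ChangeWindow]) -> List[str]:
    """Return every way this reset deviates from the expected process (empty list = fits)."""
    reasons: List[str] = []
    if event.ticket is None:
        reasons.append("no ticket recorded for the reset")
    elif tickets.get(event.ticket) != event.user:
        reasons.append("cited ticket does not belong to this user")
    in_window = any(w.user == event.user and w.start <= event.performed_at <= w.end for w in windows)
    if event.privileged and not in_window:
        reasons.append("privileged account reset outside an approved change window")
    return reasons


def flag_anomalies(events: List[ResetEvent], tickets=TICKETS, windows=WINDOWS) -> Dict[str, List[str]]:
    """Map each user whose reset does not match the process to the reasons it was flagged."""
    return {ev.user: r for ev in events if (r := reasons_for(ev, tickets, windows))}


if __name__ == "__main__":
    for user, why in flag_anomalies(EVENTS).items():
        print(f"{user}: " + "; ".join(why))
```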

Easier said than done, and everyone involved should be incentivized to improve their processes and document how anomalies can be identified.

Last but not least, you need an external set of eyes to look at what you’re doing and check whether you’ve missed anything.

Because your environment changes constantly, and you don’t know what you don’t know.