SecurityLah - the Asian Cyber Security Show

S2E09: CWE-655

SecurityLah Season 2 Episode 9

CWE or the Common Weakness Enumeration by MITRE is a catalog of identified weaknesses that should be looked at and addressed. In this episode, Doc goes into this particular weakness and shares how most organizations miss this and how it affects security for the organization. 

Hello and how's everyone today? I hope you're doing well. Unfortunately for me, I'm going to be flying solo for this episode because my fellow crews have unfortunately abandoned me for this couple of episodes. So today we are going to talk about a weakness or a vulnerability. All these weaknesses or vulnerabilities are coded into a document called the CWE which is the Common Weakness Enumeration by the MITRE Foundation.[Music] Ladies and gentlemen, welcome to SecurityLah podcast, season two. Now most of you would have known MITRE from the MITRE Attack Framework and the MITRE Defend Framework. They also document these vulnerabilities. So today we are going to talk about CWE-655. Now what's CWE-655? It refers to insufficient psychological acceptance. So what has psychological acceptance got to do with security? Actually a fair bit because when we talk about cyber security, we talk about users and most often than not we tend to blame users to say you know users the weakest link in the defense, they should have done better or they shouldn't have done something that they shouldn't do. Reality of the situation is that users are often forced to make decisions that they may not want to or simply because it makes their work easier. Now nobody likes to take 10 steps if you could do it within two steps. That makes more sense rather than having to do the same thing and achieving the same result without going through a lengthy process. So what does this mean? So MITRE has defined it as a software protection mechanism that's either too difficult or inconvenient to use which indirectly encourages users whether malicious or non-malicious to disable it or bypass the mechanism. Well this can happen whether it's by accident or on purpose. So in this context we assume all users are quote unquote innocent and they just happen to want to get their work done as soon as possible. This reminds me a time when I was one of the first users of Hotmail before Hotmail was acquired by Microsoft and those days you don't have post parameters in HTTP, you only have GET. I still remember looking at the address bar on the browser when I logged into my Hotmail account and to my horror I could actually see my username and password. So the running joke those days was that oh you know why don't you use my laptop and and log into your Hotmail account? So we could actually figure out what the other person's password was just looking at the address bar right? But of course this runs slightly away from psychological acceptance but to give you a view of how security has moved from a GET variables into POST and all other means of sending communication back and forth. So some of the examples given on how these mechanisms can fail and the most common one is if you go into any organization if you're a user if you're an internal user guess what happens? You'll be given with this 20-30 page of security policy and and one of it is password policy. Thou shall use uppercase, lowercase, symbols, numbers and a combination of all this together with a few emojis before you decide how your password is going to be right? So guess what the average Malaysian or Singaporean user is going to have his password? Chicken rice 66 at I don't know where's a good chicken rice place um no not coming to my head okay so I think you can guess what the password is going to be chicken rice 66 at some makan or eatery shop. Yeah it's long, it's complex, it has a symbol in it and it works right? So guess what happens now that I have this chicken rice at 66 makan place now I have to sit down and remember this password. I may forget it if I go on a holiday or if I take my downtime the next thing I'm going to do is hey what's the password and I don't want to change the password because once I change the next 90 days I'm going to change it again so I have to figure out how to have complex passwords and yet at the same time preserve that level of complexity so guess what I do I got all these nice colored sticky notes so I'm just going to write it and so that no one knows where this sticky notes is I'm just going to put it below the keyboard and innocently pretend as if nothing happens so in one of my roles in in a large multinational organization we did a walk-by check during lunch so the only thing we did was we lifted keyboards up that's it nothing else so we lift the keyboards up and from about 200 desks that we visited we got about 50 one out of four that's a really good odds for me to penetrate into the organization and and some people are very friendly in their nature so what they do is they even have a sticky note on their monitor that says this is my username because well unfortunately usernames are not that intuitive so to say so when I was working for a manufacturer it was the first character which is whether you're a full-time employee or not two characters which is acronym of your name and a running number so if I go back to that organization anytime in the future that's my user id for life that's not going to change right so in these kind of instances user ids are fairly predictable if I want to know someone's user id the easiest way is I just go and look at their email address and chances are the first bit of their email address not going to be their full name but it's just going to be the user id so I got one piece of the puzzle the only thing I need is the password right in one of the organizations where I remember implementing a longer password because one of the audit finding was that passwords are too small easily cracked you need to make it longer so of course that's that presented with a two-pronged issue the first one was the fact that whether systems allowed us to make changes to increase the password size because some systems are very old they don't go beyond eight characters and in fact you are lucky if you can hit eight characters some systems are stuck with even six characters so then how do you how do you change those systems that's another problem right and of course then you have systems that allow you to accept longer passwords great now I'm an average user right forget about what my IQ level is but I'm your normal average user and I'm presented with this problem I now have to have a password that is long enough hmm somehow I managed to crack whatever little gray matter cells I have and I got this eight character password so now I have to change it to 16 or 20 or whatever number of characters what do I do let me think okay why don't I do this let me take the same password I type it twice lo and behold the system accepts it so awesome I've now met the corporate security requirements by ensuring that I use long enough password and I can remember hmm right some users are a little bit more tech savvy I have this nice awesome tool called Microsoft Excel or Microsoft Word so what do I do I create a file passwords.xlsx or passwords.docx and I put them in and then I categorize them very nicely application a this is the username this is the password application b username password and guess what I have a list of all the passwords and if I need to change them within 90 days or whatever I know what the old password was all I probably need to do is add a character or add a number or add a running number two digits just to make it a bit longer and put in two digits and guess what awesome it works the whole objective of having long passwords is so that you can't brute force it you can't run a dictionary attack you you can't do something that is easily guessable but unfortunately for the average lay person they will not understand this they would say you know what this is just a password that I got to put in I'm just going to put in the password I don't care what it is I just need to know I am able to remember it so that the next time I got to change it I know how many digits to add or what digit to change right so depending on different kind of users you have different kind of password hygiene type of forethought right and this what about this word document or this excel document I don't need a password for it it kept it keeps my password so why do I bother having a password for password right and guess what someone gains access to that file and they now have all of that particular user's access credentials well in some of the apt attacks we've seen that's one of the low hanging fruits now low hanging fruit means that something that I can easily grab and start using and you'd be surprised to see that high credentials or high privileged accounts such as domain admin accounts or forest admin accounts have been found on these kind of excel passwords right now that's just one example of how this feels now if you use websites you will traditionally see this set of images you know that's going to say that okay please click on a school bus and I can bet you 100% of the time the image of a school bus is not the image of the school bus that you are accustomed to if you are out of the United States of America you will always see a United States of America bus you'll always see a United States of America traffic light or pedestrian or something so guess what I'm not from the USA I wasn't born in the USA I wasn't raised in USA well thankfully I had a couple of years of education in the USA but you know that kind of helped me know ah this is a school bus right and click this click this click this reality of the situation is a person who's not gone out of the US or gone to US would have any idea how a school bus in the US looks like and I can tell you if you start googling how school buses look like say in Asia for example in Singapore or in Indonesia or in India you're gonna see that they look totally different and sometimes the images are so complex you end up scratching your head and say which one am I gonna select and I've gone to a point where you know being a security professional I end up selecting some images and it says error you still haven't selected the right images so it gives me a whole load of friction into how I can use that site more effectively and enjoying the show so far subscribe now so that you don't miss out on the latest episode we are available on Spotify Apple podcast Google podcast and many other platforms visit podcast.securitylah.asia to get the links to subscribe the other thing we we notice is that security is often something additional up and above what an average user uses right so if you're part of the elite group or you're part of the guys who are technologically savvy you will use these options and these options are made available for you and guess what the average user who's going to have his social media account hacked chances are they're not even going to have their two-factor authentication enabled because you know why every time I gotta do this I gotta open my app I gotta check the app and I gotta say okay and it's kind of like counterproductive right I just want to post this picture why do I have to do this right and becomes very difficult and at the end of the day if you give users the option to disable them chances are it will be disabled and I can challenge you on this create a website get decent enough people and have the option for them to disable password login and I can bet you at least more than 50% of them will disable password logins because I have to remember the password I've got to do something to log into the system there's always that one step that I have to take for me to get into the system so what happens as a result you now have to best way to do enable security by default and get it as part of the enrollment process so to make for example two-factor authentication mandatory so that users will have this two-factor authentication and to be honest to me two-factor authentication is great but there's still a lot of friction between the two-factor authentication and me as a user right so now I have for example in my phone I have about more than what about 25 30 two-factor authentication codes so guess what I'll be doing going to the site oh yeah oops it needs my two-factor okay hold on let me find my phone so I scoot I get my phone I come back so which one is this again uh Amazon oh okay I have a problem here I got an admin login to Amazon to my cloud instance I have one account with Amazon I have another one with Amazon India hmm so let me try all three by the time I get to the third one's like I think we think you have a problem with your two-factor authentication right and I can't get in right so that stems from an issue of how security is always seen in in solutions or how organizations roll out security in most organizations that I've seen security is always an afterthought it's something that you bolt after once you you've gotten your system so think of it this way you buy this nice brand new sports car awesome top of the line gives you about thousand horsepower running on a 2.9 liter Ferrari engine v6 gives you about yeah about 500 to a thousand horsepower everything is nice but guess what there are no locks on the door so what do we do hmm I gotta put a lock in this door so what's the easiest way to for me to to put a lock in this door I get a latch I drill some holes put the latch put a padlock I'm done secure and if you look at it a lot of organizations take this approach it's not seamless it's not something that you want but you just gotta do it because you just gotta do it right and this creates a problem so now I have this nice car and I have this ugly little latch outside of the car locking the door and I have this big whatever brand of padlock that you want put it there and I jiggle jiggle around my pocket and then I do something and I unlock the car all right interesting thing when you talk about car security a researcher has found a way to replay the security code that's sent from the remote to the car using a sniffer a fairly cheap sniffer and they've shown proof that they are able to replay the codes and unlock the cars primarily from Honda manufacturers and that's out that's out on the internet so you can google it so how do we solve this problem the first thing is that security should never be an afterthought it shouldn't be something that you think okay you know what I need to get the project up and running let me get it up and running and then I'll worry about it right so when you bolt it on after that the users are going to say oh yeah this is so ma-fan sorry my Cantonese this is so tedious I shouldn't be doing this is there a way for me to enable this can I bypass this and the users are always going to find the way to bypass that right so how do you get this as part of the solution and and most likely when you're doing solutioning for an application the developers will usually take the easy way out oh I gotta have this applet for me to do authentication right yeah yeah yeah yeah okay so I'll do this I'll just have this my my usual login screen where you know the users do whatever they do currently and then I take them to another screen where I put in this foreign looking applet for me to use those whatever security functionality either USB, UbiKo key or two-factor authentication and then I return it back into the application so if you notice the whole friction is there for the users oh if I can disable this how do I disable this and the user goes into settings and say I'll disable multi-factor authentication and I just go ahead and disable multi-factor authentication right now taking cue from what has done in the industry one good example is Facebook they've engineered security so well for their internal users that doing things securely is much faster than doing things in the traditional way so they've made multi-factor authentication they've made all this very nice sexy but secure technology secure and they've made it easy for the users to adopt it and as a result the users now are able to log in securely because that's much faster that's something that I can just pick up start using and gain benefit from it right now there's something that I that I'd like to to to say or to quote remember given a choice users will take the path of least resistance so if they want to get something done they'll try to take a shortcut get it done fast and you know thinking about security compliance governance risk and all that is definitely going to be an afterthought if you're an industry that is not heavily regulated this is something that you will never ever ever think about until and unless you've had a huge breach you had a huge data leakage the market is crying blood and you have to do something about it right so if you want to get to that path it's going to be much more painful than enduring that little pain that you have to do before your solution goes out into the market so another story I have is that I was in an organization where they've implemented web proxy they said that oh from a user perspective we want to make sure we improve their web experience and you know so that we can save bandwidth so they went down from 100 meg of internet bandwidth to about 65 70 odd meg because the proxy was actually caching the pages but they now realize hmm I have a proxy what else can I do with it they realized that they could block sites so they found out that 80 you know proxies give you very nice visibility of how user trends are what they do and all that they found out two things number one users were going to pornographic sites they also found out that users were spending a lot of time on youtube they didn't really find out why of course the first one is a big no-no right especially in corporate environment the second one was that they had no idea why users were spending time at facebook so they went zapped youtube and and this pornographic side and the bandwidth went down further to about 45 megs awesome so then a couple of weeks later they found out that their bandwidth was back up to about 89 to 95 percent they checked the proxy the proxy utilization was 45 so they were dumbfounded as to what happened eventually they found out that when they implemented the proxy they did not block internet access directly at their firewall so as a result they implemented proxy they rolled out the configuration down to everyone they missed out that tiny little thing where they need to block all other traffic outgoing from the firewall so the firewall was actually processing outgoing traffic from the proxy as well as the internal user so as a result guess what happens everybody's going to say hey why don't i just remove this proxy setting and boom the traffic is now out so everybody started using the path of least resistance and they're out so if you can give that value out to the customers whether be it internal or external they're bound going they are bound to use your internal methods right so security is not just a single prong approach there's also this huge stakeholder called the users be it internal or external and you need to engage both of them to get into the right level of what you want of course there are other other types of psychological acceptance for example shadow it is a huge problem in today's organizations because organizations rely heavily on the cloud you have product development sales marketing now coming up say why don't i spin off this instance in aws digital ocean vulture azure insert whatever your favorite cloud provider in this list and i can get my job done and the best part is charge it to my card and then i can claim expense so emergence of shadow it is now a big problem because security admin gets this problem and says hmm i don't know how to solve this problem you know why because i can block these cloud providers i'm going to end up blocking 90 or 85 of all these websites that users can't access i can't be blocking ports because there's just too many ports and users are going to end up changing port numbers so i have to block ip ranges and if i block ip ranges i'm going to end up blocking my own app my own instance that users can't access so you're now faced with another conundrum i can't enable security because security needs to be disabled for these purposes and because i disabled security for these purposes i now have to accept this huge risk and of course there are other solutions that's going to help you identify what shadow it is and if you're interested to know more about shadow it what you can do about it drop us a note send us an email info@securitylah.asia or drop us a message on our linkedin security la and we get enough responses then we might do an episode on this so with that i just like to leave today's episode by saying that engage your stake stakeholders identify what you're doing what you're trying to do and if you plan it up ahead and make it seamless so that an average user could actually use it without very much friction it means my motto is frictionless security as much as possible make it less friction so that the users will enjoy using it they love the feature they understand the security importance of why you're doing it not because you have to do it but because it's the right choice to do and it helps to give you that benefit in the long run so having this in place makes you more secure thank you thanks for joining us this week on security lab make sure to visit our website at security lah Asia where you can subscribe to the show in itunes spotify or rss so you'll never miss a show