Data leaks have become an all-too-common societal problem. Still, the vast majority of breaches do not involve scary zero-day bugs. So why is security still hard? We need to accept that technology alone isn’t going to save us. Rather, thinking it can is what got us into this situation in the first place. We need a new way of teaching and implementing security across our organizations. I am introducing the AVA=RISK Security Model to help us get there.

Credential theft and abuse is the most common attack vector. A burglar has no need to break the lock if he can simply turn a copied key and walk in. So securing the door alone is not enough: how we handle our keys requires our attention as well, assuming we even locked the door in the first place. An emerging trend in large-scale leaks involves unprotected databases left open on the public internet. As we speak, organizations are unknowingly serving up billions of sensitive records to anyone curious enough to look.

What use is having strong technology if we forget about the people using it or neglect the information we entrust to it? Sure, those databases need to be better protected by technology. They require strong authentication, or shouldn’t be exposed to the public web at all. However, we already understand those solutions, and still we see that these mistakes in setup and maintenance are too easily made. That is a weakness of the technology itself, which vendors are slowly addressing. They may ship safer default configurations and add scanning abilities, but next time it will be yet another type of vulnerable technology. And how will we cope in the meantime?

Broken communication

Let’s consider phishing scams. Email authentication protocols (SPF, DKIM and DMARC) can, and should, be implemented to stop exact-domain spoofing, challenging as deployment may be. But they only prove that a message really came from the domain in its From: header. An email sent from a look-alike domain, or carrying a trusted person’s display name on an unrelated address, still passes every check. As a result, people will continue to be tricked into handing over their privileged credentials. Not to mention the extraordinary success of CEO fraud (business email compromise): in 2018 the FBI’s Internet Crime Complaint Center put cumulative exposed losses at over $12.5 billion. Technology is part of the problem rather than the solution to abuse. Email, like the phone, is fundamentally vulnerable. This will not be fixed in the foreseeable future, if ever. That means we need to fight the problem from other angles.
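The gap described above is concrete enough to check for. The following is an added example, not code from the original article: assuming a message has already passed DMARC, it looks only at the From: header and flags the three impersonation patterns that DMARC cannot see, namely a trusted display name on a foreign address, a trusted domain buried as a subdomain, and a look-alike or typo-squat of a trusted domain. The trusted names, trusted domains and sample headers are all constructed for the illustration; the two-label “registrable domain” rule is a crude stand-in for a Public Suffix List lookup.

```python
"""Flag senders that pass SPF/DKIM/DMARC but still impersonate a trusted party.

Added example for this article (not the author's code). DMARC proves that a
message really came from the domain in its From: header; it says nothing about
whether that domain is the one the reader *thinks* it is. Three patterns sail
through unchanged and are caught here:
  1. a trusted display name on an untrusted address   (Alice CEO <x@gmail.com>)
  2. a trusted domain used as a subdomain             (helpdesk@example.com.evil.net)
  3. a look-alike or typo-squat of a trusted domain   (billing@exarnple.com)
Trusted names/domains and the sample headers below are constructed.
"""
from email.utils import parseaddr
import unicodedata

TRUSTED_DOMAINS = {"example.com", "example-bank.com"}  # constructed: our own domains
TRUSTED_NAMES = {"alice ceo", "bob cfo"}                # constructed: names an attacker would borrow

# ASCII pairs that look alike in common fonts; applied after Unicode folding.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_label(label: str) -> str:
    """Fold a domain label so that visually similar spellings compare equal."""
    folded = unicodedata.normalize("NFKD", label.lower())
    folded = folded.encode("ascii", "ignore").decode()  # drops diacritics and non-Latin glyphs
    for look, real in CONFUSABLES:
        folded = folded.replace(look, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit away from a trusted label is treated as a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels: a crude stand-in for a Public Suffix List lookup."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str) -> list[str]:
    """Return findings for one From: header; an empty list means no impersonation seen."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-from"]
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:  # real headers carry internationalised domains as punycode (xn--); fold them back
        domain = domain.encode("idna").decode("idna")
    except UnicodeError:
        pass
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return []  # our own domain or a subdomain of it: authenticity is DMARC's job

    findings = []
    if " ".join(name.lower().split()) in TRUSTED_NAMES:
        findings.append("display-name-impersonation")

    labels = domain.split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted.split(".")[0] in labels[:-2]:
            findings.append(f"trusted-label-as-subdomain:{trusted}")

    sender_label = normalize_label(reg.split(".")[0])
    for trusted in sorted(TRUSTED_DOMAINS):
        trusted_label = normalize_label(trusted.split(".")[0])
        if sender_label == trusted_label:
            findings.append(f"lookalike-domain:{trusted}")
        elif levenshtein(sender_label, trusted_label) == 1:
            findings.append(f"typosquat-domain:{trusted}")
    return findings


if __name__ == "__main__":
    for hdr in (  # constructed sample From: headers
        "Alice CEO <alice@mail.example.com>",
        "Alice CEO <alice.ceo@gmail.com>",
        "IT Helpdesk <helpdesk@example.com.evil.net>",
        "Accounts <billing@exarnple.com>",
        "Alice CEO <alice@examp1e.co>",
    ):
        print(f"{hdr:45} -> {classify_sender(hdr) or ['ok']}")
```

None of these findings is a verdict on its own; they are the signal a secure email gateway or a mailbox rule would use to tag the message before a person sees it, which is exactly the judgement support the next sections argue people need.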

We can use an analogy here. A fire can be fought in three ways, and we pick whichever is most effective and practical given the circumstances. Water is often convenient for taking away heat, but in the case of a grease fire, where you want to starve the flames of oxygen, a fire blanket is safest. Lastly, isolating the fuel can sometimes be most pragmatic: just wait for the fire to burn itself out. Borrowing from this fire triangle, we can regard security risks as having three sides to attack as well. Spoiler alert: fixing vulnerabilities, let alone software bugs, plays a part in only one of those approaches.


The AVA=RISK triangle

Introducing the AVA=RISK Security Model

It’s time to widen our scope of how to teach security and treat risk. First, we should clearly separate information security risks from technology. Unfortunately, security is regarded as an IT or engineering responsibility in most organisations. The AVA=RISK Security Model exposes the illusion of total security through technology. It provides us with a lens to treat risk, by shining light on Actors, Vulnerabilities and Assets. Describe all three sides for a given risk, and the mitigation options follow. Usually, addressing only one angle will not suffice. Let’s take the phishing problem as our example. The ease with which attackers can impersonate others through email is the vulnerability. And as we have seen, we do not have adequate tools to protect ourselves against this. But water against heat isn’t our only option. Luckily, we can also fight the fire by taking away actors or assets.

Actor

There are two kinds of actors in the phishing game: attackers and victims. We can’t magically block or cure attackers from playing, so let’s work with our colleagues. Security awareness is a fast-growing practice, yet it remains largely ineffective. Gamification, repetition and simulations should improve education programs. But how can we really engage our colleagues? At the core of the problem is the perception that spam filters should do the job, so nobody else is accountable. And if it’s the security team who believes this, how can we expect the controller or sales rep to take responsibility? We need to train anyone with an email address to build security hygiene habits. Reducing mistakes through better judgement results in fewer victims. And with victims removed from the equation, there are fewer actors to participate in the phishing game. That lowers our risk of a data breach.

Vulnerability

Securing things by resolving vulnerabilities sounds easier than it is. If email is a fundamentally flawed system, what can one do? To some extent, organisations can decide on alternative means of communication. Slack and collaborative platforms like Microsoft Teams are essential to millions of businesses. Their closed and centralized nature is a strength for security: an outsider cannot simply inject a message the way anyone can send an email, which drastically lowers the chance of responding to an impersonated colleague asking for that payment or permission. The caveat is that guest accounts, shared channels and a colleague’s compromised account are still ways in. For external reach, email still has merit. When it is combined with encrypted file sharing, like the then-new Firefox Send (since discontinued), this vulnerability can be managed.

Asset

The third side requires us to consider what information assets are available and accessible. The “principle of least privilege” should be the golden rule. Its application tends to fade over time as convenience takes over, so data governance is important. The GDPR also provides great advice in this regard. Its principles of data minimisation and storage limitation guide what to process, and for how long. If any one person has access to only a few data sources, an attacker who steals that person’s credentials through a successful phishing scam is limited in exactly the same way. The famous criminal Willie Sutton was once asked why he robbed banks. He supposedly stated: “because that’s where the money is.” Data is the new gold, so providing access to it must be thought of in the same way.

Technology is a tool

I’m inspired by how technology, society and policy interact. My professional career started with a decade in web development and a fascination for application security. Later roles in product and management allowed me to reassess our dependence on technology. Now, digital transformation allows us to transform our economy. We can scale our services and optimize our workforce. But technology can also take us hostage if it is not bounded. Security is like the brakes on our car. It may slow us down, but it also enables us to go faster. We should regard technology as just one of the tools in the security toolbox. If security is subject to technology, we are blind to many risks. And worse, we would miss out on great opportunities to combat risk. With AVA=Risk in mind, we can find better solutions and further raise security awareness.