
Verification in the World of Work From Home

One concern that often goes unaddressed in the move to work from home is how you verify that the person you’re speaking to really is who they say they are. It’s easy to make a deepfake voice, and it’s getting easier to use that for fraud. We live in a post-security world where you don’t only focus on preventing a breach; you accept it as an eventual inevitability and focus on limiting the impact. Credentials will be breached, but access doesn’t necessarily have to be.

A password used to be enough, but with shared passwords, simple passwords, weak encryption, or even just system breaches, getting a password compromised is easier than ever. I take many precautions and I’ve had it happen to me due to exploits with the provider. Passwords aren’t the only things you need to be worried about either.

You have the technical requirements to work from home, and you need to make sure you can keep it secure. If your encryption is broken, it doesn’t matter how complex the password is. Likewise, if your password is cracked, there’s no need to break the encryption. Each layer of complexity leads to a new potential attack surface. Security was 2D in the early ’90s, and now we’re at string theory. Social engineering isn’t just wearing a vest into a building anymore; it’s a mix of technology and human fallibility.

Why Should You Verify?

With changes in technology, and the number of ways security can be breached, if you can’t see the person, how do you know they are who they say they are? I might have talked to a client many times, but what identifying information do I really know about them? If you’re in a help desk or a large office, what do you actually know about Kenneth in accounting or Jane in marketing?

Except at the smallest companies, most people know very little about their coworkers beyond their immediate team and beyond what those coworkers reveal at work. What does John in the next cube do in his free time? How many kids does he have, if any? Where did he grow up? You might know some of these, but not all of them, and that’s normal. While working from home, what happens if “John” calls you and needs a financial transfer? How can you tell if it’s him or someone who just sounds like him?

When you become a company’s IT provider, what do you do when you need to verify that Sam in accounting needs to get access to John’s computer? How do you know it’s Sam working remotely and not a potential threat? You can’t reasonably learn every employee at every site or even a large subset, so what do you do?

Verifying Clients and Multi-Factor Authentication

You have to draw a line somewhere in order to trust someone. A password can be compromised, but 2 different passwords are less likely to be. This is the general principle behind 2FA and standard MFA solutions. 3 simple passwords can be substantially harder than 1 extremely difficult password. 3 challenges in sequence are harder to crack than 1 challenge.

When I write a login to something that’s going to be public facing, I like to add in a nice half-second delay between all attempts. That includes going from the login to 2FA with legit credentials. It doesn’t matter if they’re using a supercomputer to brute force the login, they get at best 2 attempts a second.
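The delay only caps an attacker at 2 attempts a second if it is enforced on the server per account, not per connection. The sketch below is an added example, not code from the original post; `AttemptGate`, `handle_step`, the `max_wait` cut-off and the sample account name are assumptions made for illustration.

```python
import threading
import time


class AttemptGate:
    """Spaces authentication attempts for one key at least `interval` apart.

    Slots are reserved server-side, so parallel connections queue behind each
    other instead of each getting its own half-second clock.
    """

    def __init__(self, interval=0.5, max_wait=5.0, clock=time.monotonic):
        self.interval = interval
        self.max_wait = max_wait      # assumed cut-off: deepest backlog accepted
        self.clock = clock
        self._next_slot = {}          # key -> earliest time the next attempt may run
        self._lock = threading.Lock()

    def reserve(self, key):
        """Return seconds to wait before processing, or None to refuse outright."""
        with self._lock:
            now = self.clock()
            slot = max(now, self._next_slot.get(key, now))
            if slot - now > self.max_wait:
                return None           # backlog too deep: reject, do not queue
            self._next_slot[key] = slot + self.interval
            return slot - now


def handle_step(gate, account, verify):
    """Run one password or 2FA check after the enforced delay."""
    wait = gate.reserve(account)
    if wait is None:
        return False
    time.sleep(wait)
    return verify()


def demo():
    """Constructed scenario: 4 simultaneous guesses, then a normal two-step login."""
    fake_now = [100.0]
    gate = AttemptGate(clock=lambda: fake_now[0])
    burst = [gate.reserve("alice") for _ in range(4)]
    fake_now[0] += 10.0                       # quiet period
    password_step = gate.reserve("alice")     # first attempt runs immediately
    second_factor = gate.reserve("alice")     # legitimate user still waits 0.5 s
    return burst, password_step, second_factor
```

Keying only on the account leaves guesses spread across many accounts unthrottled, so a real deployment would also reserve a slot under a source key and wait for the longer of the two.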

2FA and MFA are great for logins, but what do you do when a person needs to speak to you to describe their problem or login issue? You need to figure out a way to do the equivalent without crossing ethical boundaries and without creating an imposition. You need to rely on a secret and make it scalable.

While this sounds like a daunting task, the trick is to be secure enough to buy time for a breach to be verified, rather than aiming for perfect security. Sending a code to a specific email address or cell phone, combined with making the user provide that information, can be more than enough. How likely is your hacker to get physical access to your client’s employee’s phone, their password to gain access, and their IT information?

Your hacker might have memorized every fact about John, but if he can’t pass the authentication, you don’t provide service. The real John at worst has to go home and get their phone or reach out through a controlled channel internally for further service.
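The flow described above (send a code to the contact already on file, have the caller read it back) can be sketched as follows. This is an added example, not the ID 20/20 tool's code or anything from the original post; `CallerVerifier`, the `send` transport, the five-minute lifetime, the three-try limit and the sample contact are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 300    # seconds a code stays valid (assumed value)
MAX_TRIES = 3     # wrong answers allowed per code (assumed value)


class CallerVerifier:
    def __init__(self, contacts_on_file, send, clock=time.time):
        self.contacts = contacts_on_file   # user id -> contact set at onboarding
        self.send = send                   # hypothetical transport: send(contact, text)
        self.clock = clock
        self._pending = {}                 # user id -> [code, expires_at, tries_left]

    def start(self, user_id):
        """Send a fresh code to the contact on file, never to one the caller gives."""
        contact = self.contacts.get(user_id)
        if contact is None:
            return False                   # nothing on file: escalate internally
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = [code, self.clock() + CODE_TTL, MAX_TRIES]
        self.send(contact, f"Help desk verification code: {code}")
        return True

    def check(self, user_id, spoken_code):
        """True only for the current, unexpired code, and only once."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self.clock() > expires_at:
            del self._pending[user_id]
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(code.encode(), str(spoken_code).strip().encode())
        if ok or entry[2] == 0:
            del self._pending[user_id]     # single use, or locked out
        return ok
```

The technician never sees a destination supplied during the call, so knowing every fact about John does not help a caller who cannot read the code from John's own device.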

Verification Solutions

Most verification solutions require you to install something or use some kind of 2FA application. The problem is, a lot of users don’t want to be inconvenienced. You can ask a company what they want, and they’ll tell you security until you ask what they’re willing to sacrifice.

Using a verified method of contact is what every major company does, but most private verification solutions still want you to use an application. Your client is all for security until it becomes hard. If the CEO or owner refuses, what’s the point of verifying anyone else at all at that point? Your site is compromised at the highest level more easily than anywhere else.

A good verification solution needs to approach the technical challenges while making them as transparent as possible. Our ID 20/20 tool aims to do this. We operate on the basis that if an attacker can get access to every communication method an employee has and can act as that employee, the situation is past the point of sanely being contained. There is, of course, special handling for user setups and similar cases.

What Makes A Good Verification Strategy?

You don’t plan your company around information being leaked to moles at every level if you want to stay in business. A verification solution needs to take into account the human element for both security and usability. People hate to be inconvenienced even if it is for their own good. Those extra few minutes going through obscure information, that extra application they need, etc. can all be points of dissension. The door that’s a huge pain to unlock usually gets left open or held during working hours.

You are only as strong as your weakest link. Raising the bar on social engineering to 2 times or 10 times the physical security or technical security doesn’t mean you’ve made it 2 to 10 times harder. You’ve just made it the less likely target. You are only as secure as the weakest link in your security stack. Against dedicated attacks, having everything roughly equal gives you better security than having many strengths and many weaknesses.

Don’t neglect security, but don’t waste resources striving for a goal which makes no sense. Security almost always comes at a cost, and if you aren’t willing to pay it to shore up weaknesses, you’re vying for an impossible dream. Just because your company firewall is near bulletproof doesn’t mean that Jim’s admin account password of “Firebird1” isn’t going to get cracked in 10 minutes. If you neglected the 2FA, anything else you did is statistically a complete wash.

Conclusion

Focus on your clients, focus on your users, and focus on security. Don’t throw the baby out with the bathwater while completely missing the point of what your security is supposed to accomplish. A help desk security measure is supposed to make it easy for a user to prove they are who they are, not leave them wondering how you know about their second aunt on their mother’s side’s blood type and the date it was tested.

The more security you throw at users, the harder they tend to fight back. You need to make security easy and trivial while keeping it secure. Can you contact them from a predetermined contact source? If so, you have the right person or a way, way bigger issue on your client’s hands. It’s good enough for your bank, your utilities, and pretty much any major service, so why isn’t it good enough for you?