When I started Fractional CISO in 2017, I was a one-man band. In addition to helping my clients run their cybersecurity programs, I was also my own administrative assistant, sales department, marketing department, IT manager, janitor … you get the idea.
Now that the company is growing, my team is taking many of these roles. It won’t be long before I need a dedicated salesperson, and I need to formalize our sales process to ensure it represents what I want Fractional CISO to stand for. The process can’t just live in my head anymore! A proper Customer Relationship Management (CRM) system is in order.
Big problem though: most CRM systems have immature cybersecurity.
The core functionality of modern CRM systems includes automatic logging and workflow improvements of emailing customers. In order to automatically log that a customer has emailed me, or that I’ve emailed a customer, the company needs read/write access to my email account. That means the system can see all of my emails, or even send emails as me.
Put another way, a successful attacker could see all of my emails or send emails as me – putting at risk my company’s data, my client’s data and their confidentiality, my employee’s privacy, and more.
We are asked by apps and services for permissions every single day, and as a cybersecurity professional, it kind of freaks me out! Account permissions should never be given lightly, no matter how trivial they may seem: Facebook requesting access to your contacts and Bluetooth, Slack requesting read access to your Google Drive, a CRM system requesting access to your email provider. When you give another party access to your data, you are putting your security into their hands.
Worse yet, when you give a third party access to your client’s data, you’re putting them at risk, effectively tying your reputation to the performance of a third party you have no control over. This is why vendor security evaluation is so important. If one of your vendors is breached, you and your customers are likely affected.
Root of Trust – Hardware
There’s a term in security known as the Root of Trust. This refers to a known-trusted component upon which the rest of the system is built.
This is an unintuitive idea at first, but you can use the word “root” to help understand. Like every part of a tree is built on top of its roots, everything in the system is built on top of the root of trust. While a tree root supplies water and nutrients to the tree, the root of trust supplies security and trust to the system.
The focus of this term initially was hardware, a small root of trust component is built into computer hardware. This hardware root of trust is tasked with verifying that firmware running on the system is legitimate, making it much harder for an attacker to replace the legitimate firmware with a malicious one.
With firmware confirmed to be legitimate, other pieces of software can run on top of it. The operating system’s bootloader trusts the firmware, the kernel trusts the bootloader, and the operating system’s user interface trusts the kernel. It’s a chain built up from the hardware root of trust.
As a general rule, it’s much easier for an attacker to move up the chain than it is to move back down it.
Root of Trust – Software
The concept of a root of trust has been expanded to software and cyberspace. How can you know that amazon.com is actually run by Amazon and not an attacker? This may seem like a weird question – it feels like we just know that websites are legitimate. In fact, there is a complex system of certification baked into the modern web to make sure users can trust websites with critical things like credit cards and social security numbers.
Modern web browsers contain master certificates as their root of trust for connecting to websites.
Essentially, legitimate websites have to get approved by certificate authorities or else modern web browsers will block user’s access to them. Certificate authorities are companies that verify the owner and operator of a website are legitimate. A couple of examples are DigiCert and GlobalSign. After verifying the identity of a website operator, the certificate authorities issue a website certificate. Web browsers partner with these certificate authorities and include their master certificates and when you connect to a website, your browser looks to match the master certificate with the website’s certificate. If there isn’t a match, you will be warned and blocked.
Certificate authorities and their master certificates are the root of trust for all online activities – all other activities are built upon them. They verify that web domains and the domain name services (DNS) behind them are legitimate. Email is built upon DNS, and our web browsers interact with modern email services.
This is especially important, because these systems also make it possible to confirm the identity of people we work with online.
Human Root of Trust
We are formalizing a newish term called Human Root of Trust. (Existing Google results below. Note that existing sparse use has slightly different meaning than defined here.)
The Human Root of Trust is composed of the key pieces that allow someone to confidently identify a human on the Internet.
How do you know that the email you get from your coworker or a partner vendor is actually them? Much like the Amazon example, you just know, but again there is a complex chain of trust required to make that possible.
1. Certification Authority (CA)
The Certificate Authority (CA) issues certificates saying that a website or other entity is who it says it is. The CA issues a certificate after confirming the identity of a business. Popular certificate authorities include DigiCert, GlobalSign, and GoDaddy.
2. Domain Name System (DNS)
The Domain Name Systems direct web traffic to the right place. Most people will think of web browsing, but emails are another form of web traffic. DNS servers trust CAs have properly certified domains.
Additionally, DNS servers host Mail Exchange (MX) records to facilitate the delivery of email. These records contain information that helps email providers positively identify legitimate email addresses.
3. Email Provider
Email providers like Google and Microsoft are the ones that check the DNS servers to confirm incoming and outgoing mail is legitimate. They rely on the CA and DNS to be configured properly to do this job – they can be fooled.
Obviously, email providers also provide the actual email service, writing, sending, and receiving emails. If an email account is compromised, that account can be used to send malicious email that looks legitimate.
4. Web Browser
Finally, users interface with email providers (usually) through web browsers. Our web browsers trust the email providers are providing legitimate emails and we trust our web browsers are displaying them correctly in turn.
Web browsers themselves can also be compromised. It’s important to use an up-to-date, modern web browser with only reputable add-ons.
It’s not not just emails.
Other online services rely on the Human Root of Trust. For example, a meeting app relies on the same sort of services when routing a call.
Compromising the Human Root of Trust
It is possible to compromise this system at multiple points along the chain, which allows for serious and costly cyber attacks to occur.
If a certificate is compromised, an attacker can move a web domain elsewhere, rerouting and faking emails, infecting browsers and eventually, hardware itself. From there, an attacker could move vertically into other systems. A chain of trust is built upon the root of trust and if one element fails – especially the root of trust – attackers can move along the chain.
This has happened before. Just this week, email cybersecurity company Mimecast had one of its certificates compromised. The scope of access the attacker gained is unknown, though Mimecast claims only a small number of customers were affected.
In November 2020, domain name service and certificate authority GoDaddy, was compromised in an attack targeting cryptocurrency platforms including NiceHash. By gaining access at the DNS level, attackers were able to redirect emails and web traffic away from the legitimate domain and into a malicious one they controlled. Take special note that if an attacker can intercept emails, they can reset passwords to gain access to related accounts.
How did they gain access? GoDaddy simply said “social engineering.” KrebsOnSecurity theorizes voice phishing attacks were used, where attackers call a web service’s support line and pretend to be customers.
Our daily cyber activities are built upon the root of trust that are the certificate authorities, but who ultimately runs the certificate authorities? Humans.
The Human Root of (Mis)Trust
Most people are well-intentioned and generally try their best to not screw things up – but nobody is perfect.
Behind every single web service, from email providers to CRM systems, is at least one person. The ultimate root of trust is human, which makes it a little more like a root of mistrust. Humans are imperfect, persuadable, and prone to mistakes. We give our employees (who are usually humans) access to critical systems.
This is okay, since humans are required for every business to function. But it’s especially important to keep the human root of mistrust in mind when considering account permissions and your cybersecurity program.
All modern businesses use a website, at the very least for marketing purposes. What are the security controls surrounding your website certification and DNS? Could a marketing Intern change your domain? Could a compromised marketing laptop reroute the DNS? A new and inexperienced staff member who hasn’t received cybersecurity training may be more vulnerable to social engineering attacks.
Modern businesses also rely on an enterprise email provider, usually Google Workspace (formerly G-Suite) and Microsoft Office 365. These have lots of excellent security and permissioning options available. Are you utilizing them? Have you given people more access than they need?
It’s typically best to give out user permissions on the least privilege basis – where you grant the exact permissions they need to complete their roles and nothing else. Doling out more privilege to users than is strictly necessary puts you at greater risk. If the marketing Intern doesn’t need access to the website’s domain tools, don’t give it to them!
The least privilege basis can also be applied to third-party apps requesting access to your web browser and Google account.
Browser extensions can see almost everything you do online. Can you trust your grammar-checker extension to protect your privacy?
It might be convenient to connect Slack to your Google account to share a file, but do you need to?
Be extra vigilant with applications like CRM systems that ask for read/write access to your email. If a human employed by that service is fooled, your email and all your contacts are at risk. Plus, your email is the gateway to almost all of your online accounts. An attacker with email access can force password resets to other services you use, gaining access and locking you out.
Planning for the Human Factor
It’s impossible to entirely “solve” the issue of human error, but you can (and definitely should) take steps to reduce the probability that it could happen. Give your employees cybersecurity training, evaluate your vendors’ cybersecurity practices to ensure they do the same. Don’t provide account and data access to people or programs unless they absolutely need it.
If you aren’t currently operating on the least privilege basis, that’s okay. You can start anytime. Don’t put it off too long though, it’s easier to implement a cybersecurity program before an attack than when you’re dealing with the aftermath of one.
Gotta run, Salesforce has a 355-page security document with my name on it.