Why is my cat’s name required to recover my password?

When opening an account online, you are sometimes asked to provide the answer to a trust question: the name of your pet, your mother's maiden name, your favourite film… It is not there to complete your profile, but because of trust. But what is trust in IT security?

[Article from The Conversation, written by Laurent Bobelin, teacher-researcher in cybersecurity, INSA Centre Val de Loire, and Sabine Frittella, lecturer in computer science, INSA Centre Val de Loire]

Trust is the central element on which security rests every day. For example, when we use encryption to communicate securely, we trust the software that does the encrypting. We assume it is free of flaws, a trust undermined in recent years by bugs such as Heartbleed or Shellshock. We also trust the robustness of the mathematics underlying this encryption, a trust called into question by quantum computers, which, if they are built, will make it possible to break current encryption schemes with ease.

What is trust?

This same trust is also central to phishing, for example: by making the message as realistic as possible, the attacker hopes that you will trust it enough to click on the malicious link it contains.

From a philosophical point of view, trust is an abandonment: we abandon ourselves to someone, letting down our guard, to entrust them with something precious. The same is true in computer security: whether as an individual or as a computer system, to trust is to put one's own security into question in order to allow an exchange. Not interacting with anyone provides a form of security. Interacting with another entity means calling this security into question, and therefore running a risk.

Isolating oneself to be safe is a classic method in the most critical environments: in military or nuclear installations, for example, computer networks are physically isolated, and file transfers are carried out when necessary via physical media (a USB key, for example). But even this very restrictive isolation is not infallible, as Stuxnet proved: this attack on Iranian uranium enrichment centrifuges was carried out by engineering a virus that only activated once inside their isolated environment. It spread, made its way through all the physical and software barriers that stood between it and its target, and eventually destroyed the centrifuges.

Isolate to better protect

There are classic security models that are applied in business. The most widely used since the end of the 1990s is network segmentation: computer resources are separated into subnetworks, and firewalls control the traffic between them. These subnetworks are organized in depth: resources exposed to the world, such as websites, sit in demilitarized zones, while the most critical resources (accounting, HR, production, etc.) sit in subnetworks hidden behind numerous firewalls, all of which an attacker must get past to reach them.

But this security model is undermined by two things: phishing, and the post-Covid explosion in the use of virtual private networks (VPNs). In a phishing attempt, a clicked malicious link can install software that gives remote control of a machine. Once installed, this software contacts a remote server over an encrypted connection to ask for instructions to execute on the machine the attacker has just taken over. Because the connection is initiated by the machine inside the network, and is encrypted, it goes unnoticed by the firewalls, which protect machines from external attacks.

When communicating via VPN, the machine outside the company finds itself inside the network: the VPN creates a secure channel (called a tunnel) through which the outside machine's communications are sent directly into the company network, as if it were physically installed there. This gives transparent access to company resources, but at the cost of having an external machine in a potentially sensitive network. With phishing, as with a VPN, the firewalls are bypassed, leaving the machines on the subnet defenceless. Inside a subnetwork, all machines trust each other implicitly, and no control is carried out within it.

A new model, called Zero Trust, attempts to overcome this implicit trust and follows a simple but misleading motto: "never trust, always verify". In this model, an entity within the network is responsible for continually assessing the trust that can be placed in each communication. It verifies that the user behind a request is correctly identified, that their account has not been compromised, and that they proved their identity by secure means, for example by giving both a password and a code sent to their phone. Trust is therefore still there, but in these systems it is evaluated and quantified: each communication has a trust score. Below a certain threshold, it is refused. But how do you quantify trust?

Estimating and quantifying trust

It depends on what you trust. For a piece of information, it will depend on its credibility in relation to our own knowledge, or on the reliability and competence of the source. Trust is therefore assessed not on one but on several dimensions. To have confidence in the identity of an entity we communicate with, we ask it for proof, which always rests on one of three notions: what it knows, what it is, or what it possesses. For a human, we ask for their credentials. We can also ask what they are, for example by asking them to show their fingerprints, or ask them to show what they possess, such as a digital certificate (the equivalent of an identity document).

But none of these measures is infallible. What I know, I can divulge; what I have can be stolen from me; and what I am can be copied. It is now possible, from a high-definition photo, to reproduce the fingerprints of someone waving at the camera! But how do you quantify this risk, or trust in someone's skills, in their loyalty, or in their ability to keep their password secret?

Generally speaking, it is complicated to give a percentage of confidence: the notion is too flexible, and the risks too variable. In addition, it is often a human who quantifies the trust to be granted, and it is difficult for us to tell the difference between a trust of 67% and a trust of 68%… To get around this, we often use a set of values ("totally confident", "not very credible", …) to express an amount of trust, and we define mathematical functions that aggregate the different dimensions of trust to obtain a score.

Reduce doubt and measure uncertainty

If doubt remains, we can nevertheless strengthen trust, for example by using several authentication methods at once: this is called multi-factor authentication. You have already used it whenever you were asked for a username and password and then for a code sent by SMS. In this case, trust is built because you have proven that you know something (your credentials) and that you possess something (your phone).

Uncertainty is a companion notion to trust, since trust can never be absolute. Two dimensions of uncertainty are classically distinguished: aleatory (random) and epistemic. Aleatory uncertainty is irreducible and refers to the intrinsic variability of an event, such as a coin toss. Epistemic uncertainty comes from a lack of knowledge and can be reduced by collecting more information: it is possible to establish whether a coin is biased, and by how much, by performing a sufficient number of tosses, and thereby to reduce this uncertainty.

Your operator will try to reduce epistemic uncertainty by building your profile. If your behaviour is usual, it will not arouse suspicion. If, on the other hand, it is unusual, the operator will try to strengthen its trust by presenting you with a challenge. You have probably already had to enter a code sent by SMS when travelling abroad or connecting from an unfamiliar network. The entity you are communicating with is trying to increase its trust by lowering its epistemic uncertainty. The same applies when you have forgotten your password: going back to the trust question mentioned above, this is when you will be asked to answer it again.
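As an added illustration of the three ideas above (linguistic trust values aggregated into a score, a refusal threshold, and a challenge that lowers epistemic uncertainty), here is a toy trust-score evaluator in Python. It is not code from the article or its authors: the scale values, the weights, the thresholds and the behavioural signals are all constructed for the example.

```python
from dataclasses import dataclass

# Linguistic trust values mapped to an ordinal numeric scale (constructed for this example).
SCALE = {"not credible": 0.0, "not very credible": 0.25, "uncertain": 0.5,
         "fairly confident": 0.75, "totally confident": 1.0}

@dataclass
class Request:
    factors: frozenset       # proofs supplied: any of "knows", "has", "is"
    known_device: bool       # machine already seen in the user's profile
    usual_network: bool      # connecting from a network seen before
    usual_hours: bool        # activity at the user's habitual time

def identity_trust(factors):
    """Trust in identity grows with the number of distinct kinds of proof given."""
    n = len(frozenset(factors) & {"knows", "has", "is"})
    return ["not credible", "uncertain", "fairly confident", "totally confident"][n]

def behaviour_trust(req):
    """Trust from the profile: how many behavioural signals look usual (0 to 3)."""
    n = sum((req.known_device, req.usual_network, req.usual_hours))
    return ["not credible", "not very credible", "fairly confident", "totally confident"][n]

def aggregate(identity, behaviour, w_identity=0.6):
    """Hypothetical aggregation function: weighted mean of the two dimensions."""
    score = w_identity * SCALE[identity] + (1 - w_identity) * SCALE[behaviour]
    return round(score, 3)

def decide(score, refuse_below=0.4, challenge_below=0.7):
    """Refuse below the lower threshold; ask for a challenge below the upper one."""
    if score < refuse_below:
        return "refuse"
    if score < challenge_below:
        return "challenge"
    return "allow"

def evaluate(req):
    score = aggregate(identity_trust(req.factors), behaviour_trust(req))
    return score, decide(score)

def answer_challenge(req, proof):
    """A passed challenge (SMS code, trust question) adds a proof; re-evaluate with it."""
    req2 = Request(req.factors | {proof}, req.known_device, req.usual_network, req.usual_hours)
    return evaluate(req2)

if __name__ == "__main__":
    abroad = Request(frozenset({"knows"}), True, False, True)  # password only, from abroad
    print(evaluate(abroad))                 # (0.6, 'challenge')
    print(answer_challenge(abroad, "has"))  # (0.75, 'allow')
```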

Towards more confidence

The information you are asked for is therefore not used to profile you, but to establish trust in your identity. In this case there is no risk of your private life being disclosed or your personal data being exploited without your consent. On the other hand, enough information to establish your profile has in fact already been collected, except that this collection was done automatically: by recording your connection habits, the machines you connect from, and the way you work.

In most computer systems, suspicious activity results in an alert. Each alert must be examined and handled, which is long and tedious, and the sheer number of alerts makes real-time IT security work difficult. Yet 80 to 90% of alerts are benign! It is therefore necessary to reduce uncertainty as much as possible. In this area, the trend is towards collecting more types of data and making massive use of artificial intelligence to improve the quality of trust-score estimation.
