There is No Silver Bullet in Security

In folklore, the silver bullet is the only thing that can effectively kill a werewolf. Sure, you can trap a werewolf and hide until daylight or concoct some other workaround, but if you are lucky enough to have a silver bullet, that is the one-stop shop. You can kill the werewolf and not have to worry about it anymore. This concept has been adapted into a modern expression, and there are many products that claim to be the silver bullet for their segment of the market. The same applies to information security. There are countless products that claim to be a silver bullet, but the simple fact is, there are ways around everything. As information security professionals, our job is to identify all those ways to bypass certain tools and protection techniques. This continually proves that there is in fact no silver bullet and exemplifies why defense in depth is so important.

Let’s take, for example, one of the top recommendations that we give to clients: multi-factor authentication. Multi-factor authentication is as close as it gets to a silver bullet in security for password attacks. With multi-factor authentication enabled, even if I am able to guess your password (one factor), I still don’t have the second factor (a token, a cellphone with a one-time code, etc.). Because of this, a password attack alone is not going to be successful against multi-factor authentication. With that being said, there are ways around this.

First, there are some interfaces that multi-factor authentication cannot be applied to. For example, Microsoft Exchange Web Services (EWS) is an API that a lot of email clients use to interface with your Microsoft Exchange server. You likely cannot turn it off, because users will not be able to get their email on their phones or Macs. Also, this cannot be protected with multi-factor authentication by nature of how Microsoft built the protocol. Therefore, even if multi-factor authentication blocks me from logging into a traditional email login interface, I can probably still pull sensitive information and emails through other avenues. Second, there are numerous social engineering attacks out there that are meant to bypass multi-factor authentication. Most are as simple as getting a user to log in to a fake portal, replaying their credentials to the real one, and having them provide the second factor (the one-time code) as part of that logon process.

As this simple case demonstrates, there is no such thing as a silver bullet for information security. Even the most ubiquitous recommendations can be bypassed in certain scenarios. Still, with full knowledge of these limitations, we advocate for multi-factor authentication constantly. Yes, it can be bypassed, but it is still a vital part of your overall defense-in-depth strategy when it comes to securing your organization. The key is to have enough bullets lined up to stop most attacks, and then to be able to detect and respond to the ones you cannot stop.