Photo Credit: Darwin Bell via Compfight cc
Here’s the first contribution to the project that comes with a soundtrack, because this analogy is inspired by, and based on a song. Play the song below while you read..
If not challenged to behave otherwise, we all are predisposed to believe in what we see as being real. We are predisposed to believe the best in people, and if those people reinforce our perceptions with positive behaviour then we are more likely to overlook pieces of the puzzle that don’t quite fit…
Think of the “telecoms engineer” that shows up at the office to do maintenance, even though you hadn’t expected them. He’s friendly, wearing a high-viz jacket and carrying a toolbox, so must be legit. – right? If they fool reception, what’s then to stop them from wandering around the office unchallenged, opening up wallplates and tampering with equipment? At what point will he ever be challenged again?
Now think about how authentication schemes have evolved over the years. In the past we authenticated at entry only, perhaps with a single factor, perhaps with dual or multiple factors, but once authenticated we were “in”. In a world where we must assume this initial, often fixed format, authentication scheme can be breached, we are increasingly turning to various forms of behavioural analysis to continually monitor the actions of users, assuming nothing absolute about their legitimacy, assessing every action and, combined with other actions assessing the level of risk associated with it, and the chance therefore that this user may not be all that they seem to be. Such methods may well stop a “Lola” in our own organisations, before they are able to get too far…