Leveraging InfoSec

High school physics is a lot of fun for many different reasons: experiments, math (or is that just me?), and falling things in the name of science. It’s good that I liked physics, because I’m reminded of it on a consistent basis. Though not immediately obvious, basic physics terms are used constantly in real life. One of these overused terms is leverage.

Leverage is defined as the usage of a fulcrum to amplify input force – essentially, that using a lever amplifies a person’s ability to do something. In classical physics, that something is movement of an object. In business, the term describes the “leverage” of a primary quantity of money to be used to make more. For example, the debt-to-equity ratio identifies just how leveraged a company is, generally by how much they have invested relative to their primary capital.

But physics and business aside, leverage is incredibly important to security. Most threats are really just the extended usage of one or two leveraged assets. Targeted threats are almost always based in calculated leverage – using smaller players in the quest to attack some larger target. In the case of the actual Target, that “in” was a small HVAC company. By leveraging a compromised computer, the attackers were able to access the backend of the Target system and infect the Point of Sale systems.

Another classic examples of leverage in Information Security is the malware “leverage” seen in ‘bots. With one compromised computer, a single attacker can create an army.

Pwnie Express has been pointing out the importance of the remote site for a long time, as they can be extremely dangerous to the security of an overall organization by providing an “in” for the attacker. An attacker can use the credentials stolen from a remote site as leverage to access databases, headquarters, or other mission-critical sites. Rogue devices are another perfect example, though not nearly as well-known. An employee with a compromised smartphone gives attackers the perfect doorway into the enterprise.

So maybe the next time you realize that yet another security hole needs to be plugged, take a moment to thank Archimedes.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *