How can a CISO best negate the threats that BYOD and mobile devices pose to their organization?
Ever since there have been humans, there have been human errors – and some of them have been whoppers (like the Japanese trader’s “fat finger” trading error that cost his company $600 billion). Doing tasks that they really don’t understand, or mistakenly pushing a button or pulling a lever, people are the root cause of 90% of air traffic control errors, over 50% of factory equipment failures after maintenance, 37% of downtime at pharmaceutical firms, and in one of the biggest flubs of all time, human error nearly destroyed Kansas.
Such errors can destroy a company, too – by allowing hackers access to sensitive data. Trying to detect and deflect such attacks is often fruitless; the solution security officers need to concentrate on is a prevention-based one.
It seems that there is a correlation between human error and an employee’s lack of understanding of what a job entails – a problem that is responsible for tens of billions of losses for companies every year. And it also appears that the more complex a job or system is, the greater the level of human error. So it should come as no surprise that human error, negligence, a lack of understanding of what they are supposed to do, and similar human failings are responsible for more than a third of data breaches, according to a Ponemon Institute study. Computer systems today are extremely complex, and the way organizations operate today – from focusing on detection of breaches and outage issues to encouraging employees to bring their own devices to work – only increases the chances that someone at some time will make a mistake, one that could prove fatal to the organization.
Examples of how errors by workers led to data breaches are rife – and many of them rely on social engineering, spear-phishing, and other e-mail and Internet-based exploits. In 2014, hackers ran a phishing exploit that netted them credential information from as many as 100 eBay employees, that enabled them to get access to the company’s systems – undetected – for months. In 2015, hackers got hold of personal data (including social security numbers) from employees and customers of Anthem Blue Cross and Blue Shield, apparently using social engineering techniques via an e-mail or other communication. And in one of the most infamous breaches of all time, hackers got access to Sony’s network using phishing techniques.
Phishing and social engineering are far from the only source of human error-related data breaches. BYOD – where companies invite employees to use their own personal devices or laptops in the office, either for convenience or to save money – bring a load of security issues into the office. In 2014, a hacker managed to breach a BYOD service used by UK insurance giant Aviva to invade employee devices, possibly stealing credentials. And of course there are the “run of the mill” mobile device security issues; thousands of new mobile malware strains appear every day, and in fact, according to a major security study, some Android devices are coming with the malware pre-installed, making the work of hackers easier and more convenient than ever. And since nearly half of employees who use their devices for work don’t even think about about security as an issue, BYOD-friendly organizations could easily find themselves experiencing “perfect storm” security crisis at any time.
What’s a CISO to do? Well, the natural response among most security officers – especially when they have been targeted – is to take inventory and see where the breach came from, and how to close up the “hole” that allowed the data breach to occur in the first place. And since, as we’ve seen, most of these breaches are due to human error, there are some specific responses that promise to limit the damage.:
1. Just Don’t Click
When in doubt, that is. Many organizations have educational programs that stress over and over the dangers of clicking on suspicious links, or opening attachments. Sandboxes, firewalls, and anti-virus programs check incoming data six ways ’till Sunday. And in some companies, IT managers send out fake phishing messages in order to see whether employees have learned their lessons. Between the security systems and employees’ self restraint, phishing/social engineering exploits that use links or rogue script in attachments should be a thing of the past.
But as we see, they aren’t. Hackers keep up with the times, and they are able to slip malware code into files that sandboxes won’t catch; the malware is programmed to hide itself while it’s in the sandbox – and if the attack is a zero-day exploit (as most exploits today are), there is no way a signature-based anti-virus program will prevent a hack. And many phishing exploits are cleverly hidden in e-mail messages that employees would swear look legitimate.
2. Best BYOD Practices?
By allowing -in many cases requiring – employees to use their own devices at work, IT security teams automatically increase their workload by a large amount. Now they are responsible not only for the security of their network, but for the security of the devices that connect to the network. To prevent breaches, organizations have developed acceptable use protocols: What apps can be installed on a device, what apps cannot be used, how and when to connect to social media, etc. In addition, many organizations require the use of encryption for organization communications and connections.
Which is all well and good – except for the fact that enforcing such policies is more difficult than enforcing network security. After all, the device belongs to the employee, who paid good money for it (or at least got it from the company for business and personal use). And while a really dedicated employee might be at his or her desk for 60 or more hours a week, there are still plenty of other hours in which they will be able to use their devices out of view of network personnel. Can a CISO guarantee that an employee won’t accidentally copy a file or sensitive data from an enterprise-approved app to their Facebook page?
3. Mobile Mess
Related to BYOD is the whole phenomenon of using mobile devices for work-related purposes, especially for e-mail and text messaging. While having access to the office – and managers having access to employees – at any time is certainly convenient, the risks of mobile in this context are high. Two-factor authentication to access apps could help, but it won’t prevent copying mistakes as described above. In addition, devices are vulnerable to many kinds of hacks that could allow cyber-criminals to attack devices. Text messages, for example, could include links to rogue sites that download malware on a device and implement key-logging techniques to steal credentials. The problem is so bad in fact that NIST, the National Institute of Standards and Technology, NIST, recommends dumping SMS as an authentication method, because it is too easy to hack.
Is this the best CISOs can hope for? It is, if they plan to fight hackers who have already gotten credentials, or are attempting to do so via a phishing/social engineering/malware attack. If hackers can beat sandboxes, a long-time venerable technology that organizations rely on to protect them, they can beat a company’s best educational efforts, penalty programs, or security protocols. The methods by which employees can slip up are just too many and too easy, and organizations cannot rely on such arrangements.
What has to be implemented is a system that keeps threats away from employees and the IT system altogether. Network segregation goes beyond sandboxing; not just checking files and connections for rogue activity, but actually executing code and making connections in an isolated environment. If a problematic connection or file attempts to execute, it will do so – in a virtual container that keeps the executed code or connection way from the real network until it’s purpose is clear. If the connection or code checks out – and does what it is supposed to do, based on its profile – then it is allowed to move forward. And if not, it just gets rejected, kept away from the IT system altogether. Network segregation can also be used to isolate devices, keeping them from passing malware or copying data from an IT system. Thus, the threats of mobile and BYOD are obviated as well. With a system like this, CISOs can rest a little more easily, knowing that they did their best to plug up the many “security holes” that are a feature of the human experience – and of human employees.