In the course of working with our clients to improve their security posture, I have come across several common themes that often limit a business’s ability to assess and mitigate cyber security risk. Let’s take a look at some of these themes and real-world examples of how they apply. You can’t secure it if…
You Don’t Know It’s There
As wireless technology has become more ubiquitous, manufacturers are adding wireless capabilities into devices we don’t typically think of as “computers.” As the price of consumer goods steadily decreases, employees are more likely to provide software or a device on their own, so that they won’t have to “bother” the IT staff for something small. If you haven’t already set policies for this in approved situations (like BYOD), then security is often the loser to rogue devices on the network.
While inspecting a branch office for one client, we discovered a wireless access point that was not previously known to anyone in IT. The device required no password to connect, and encryption was not turned on. We learned that this device had been installed by a sales manager who worked from this office periodically and wanted Wi-Fi for his tablet.
He had followed the instructions for configuring it without exposing the local LAN, but he did not realize that other offices on the corporate WAN would look like Internet addresses to this device. So while the local PCs weren’t visible, every PC and server at corporate headquarters was exposed, as well as every device at every other branch office.
A retail client was surprised recently when we discovered an unknown device on their wireless LAN – a thermostat. When the vendor was called to explain why this was installed without my client’s knowledge, he replied that he could no longer purchase commercial-grade thermostats without wireless capability. Our perception of “computer network” and how to secure it must adapt to these ever-changing circumstances.
There’s a reason that the very first of the Center for Internet Security (CIS) 20 Critical Security Controls is “Inventory of Authorized and Unauthorized Devices.” You can’t secure it if you don’t know it’s there. Read more about the CIS 20 (formally known as the SANS 20) here.
You Don’t Know How To Configure It
Many people know how to make things work, but few people know how to make things work securely – put simply, it’s more difficult. This means that most off-the-shelf technology comes with every option enabled in spite of best security practices. Printers, for example, can be problematic in several ways.
In 2014, security researchers hacked a Canon printer and installed DOOM – not because they wanted to play ’90s-era video games on a printer but to demonstrate the power and vulnerability of a device that many people consider a “peripheral” and not actually a computer.
According to security researcher Chris Vickery, attackers have been taking advantage of printers on the Internet to host and serve up malware. The search engine Shodan reveals that there are hundreds of thousands of printers exposed to the Internet at any point in time.
On a personal note, one of our clients brought in a new district manager earlier this year. He didn’t particularly care for the printer in his office and wanted a multi-function there for scanning documents, but he “didn’t want to bother IT,” so he picked up a device and installed it himself. On our next visit, we discovered the wireless connection to this printer. There was no wireless on the office LAN, but the printer had connected itself to an open Wi-Fi network nearby, thus opening a backdoor to the manager’s PC and the entire network from there.
You can’t overstate the risks posed by IoT devices to our networks. Recently, it was reported that a misconfigured storage device revealed the location of explosives stored by an oil company as well as employee credentials and business contracts. And in October, there were several reported incidents of massive DDoS attacks against various targets on the Internet, including Brian Krebs’ website, OVH and Dyn. We now know that much of this junk traffic came from webcams and DVRs that were hijacked.
These devices are innocently installed by small businesses and individuals with no understanding of how to properly configure them. You can’t secure it if you don’t know how to configure it.
You Don’t Understand How It Works
That Samsung “smart TV” that will change the channels for you by voice command – do you know how that works? Or that Comcast voice-activated remote control? What about Siri, Ok Google, Google Home, or Amazon Echo? Microphones listen for every word and every sound around them, sending the audio feed to servers on the Internet for transcription and to come up with appropriate responses.
Think about all the things you say and do within earshot of your home television set, for example. Do you know which servers on the Internet are getting this information? Who owns and controls those servers? Who owns your data once it has left your device? Can you log into those servers and delete that data when you no longer want to use that service?
If your employees are talking about their day at work, there could be critical business information sent out of your control. If you have “smart” devices in your office, or allow BYOD without restrictions, that risk increases exponentially. You can’t secure it if you don’t understand how it works.
Again, I recommend that you review the CIS 20 Critical Security Controls and think about how many ways these controls are being circumvented by unknown and/or misconfigured devices. You can download the detailed documentation free of charge from the Center for Internet Security at https://www.cisecurity.org/critical-controls/.
About the Author: Glenda R. Snodgrass has been lead consultant and project manager at The Net Effect since the company’s inception in 1996. Ms. Snodgrass is primarily engaged in cyber security training, threat analysis and mitigation for commercial, nonprofit and governmental organizations.
In addition to conducting security related workshops, corporate training and delivering cyber security defense presentations at professional conferences and conventions, she spends time drafting network security protocols and developing employee security awareness training programs for clients.
An active member of the Gulf Coast Industrial Security Awareness Council, InfraGard, ASIS International, and Gulf Coast Technology Council, as well as numerous civic organization, Ms. Snodgrass holds a B.A. from the University of South Alabama (1986) and a ma î trise from Universit é de Paris I Panth é onSorbonne in Paris, France (1989).
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.