What happens when users or employees take it upon themselves to decide what technology they want to use and how they want to implement it? From my vantage point, InfoSec faces a constant struggle just to keep up with threats, let alone stay a step ahead of them. As the Internet of Things proliferates and human nature takes its course, we cannot out-engineer human failings and susceptibility: the device in the user's hand, and the freedom to use it as the user sees fit, overrides anything we currently put in place.

Welcome to the Mordor of security, where the eye of BYOD reigns supreme and the proliferation of easy-to-use devices is creating an unprecedented level of end-user entitlement. A little knowledge has become a very dangerous thing, because it lets people "help themselves" to data and network access. This is the world of Shadow Data and Shadow IT, where the rules are known but not observed, where risks are taken regardless of the known consequences, and where "keep it secret" definitely does not keep IT safe.

How do we regulate a society that is essentially device-driven? It isn't just the servers and desktops at the office. Everywhere we go, everything we touch, we are connected. Fitbits, Apple Watches, tablets, flash drives, smartphones: the ability to "plug in" from anywhere and help ourselves is one we neither fully understand nor any longer control. As we usher in the era of "Big Data," where more information than we could ever have imagined is literally at our fingertips, we do not have the policies and processes in place to secure the very data we set out to manage. Guarding data from the wolves outside our perceived fortress of security won't make much difference if the risk from the workers within is just as great. Confidential reports, files containing sensitive information, financial transactions: all of these are regularly accessed and stored on any device capable of connecting and downloading. Devices that have never been identified or registered in the corporate inventory; devices with questionable anti-virus or security built in, if any.

Side-stepping existing company policy in favour of expediency happens everywhere, every day, simply because it is that much easier to download the desired program online than to go through the approval process. Tech-savvy staff who know how to do it for themselves and operate under their own autonomy become the rogue IT department that colleagues seek out. Who needs guidelines when you have Google?

My presentation at BSides Las Vegas shines a light on what is being kept in the dark, done outside the approved parameters of Information Security. How do we rein in all the devices and better secure all that data? What is the one "ring" to help us rule them all? Those who attend my BSides presentation this August will gain a deeper understanding of how human fallibility overrides any intrusion detection system we engineer, and of where our next big threat has been hiding.
About the Author: Cheryl Biswas is an InfoSec analyst, researcher and writer with JIG Technologies in Toronto, Canada. She loves working with her team to bridge the gap between those in tech and those who aren't. In her role she handles communications; researches and delivers weekly InfoSec briefings; and advises on Disaster Recovery and security processes for clients.

Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.