In the wake of the recent VTech breach big questions are being raised about Big Data. It’s prompted an excellent response by many knowledgeable folks within infosec which is good, because this is a conversation we’ve needed to have for some time. The data just keeps building and I hate to say this but any sense of control we think we may have over it, especially as regards our Privacy, is illusory at best. Right now what I see is the Titanic sailing straight into a massive iceberg of insecurity.
I wrote a piece in response for LinkedIn Pulse, but I want to build off that here, because there is so much more that needs to be said. We’re battling a culture of entitlement and indifference, which casts a dark shadow across everything we think we know and understand. BYOD reigns supreme. The IoT has run amok right into our once-regulated work spaces. And when it comes to IT, now it seems everyone is doing it for themselves. Because who needs guidelines when you’ve got Google? It’s not just the stuff, it’s the attitude. Which is creating a huge problem: how do we secure what we don’t know?
So what’s going on with BYOD anyway? The view from the trenches isn’t pretty. “Cyber security policy success is having the authority to tell the userbase no and having that decision stick.” (@da_667, tweet) and “telling users no, when it matters, to protect themselves and your company network” (@lslybot, tweet, #abusepolicy). How do we regulate a society that is essentially device-driven?
It isn’t just the servers and desktops at the office… everywhere we go, anything we touch – we’re connected. Fitbits, Apple Watches, tablets, flash drives, smartphones – this ability to portably “plug in,” and then help ourselves, is one we don’t understand, and we’ve lost any control over it we had.
In our corporate realm, we have regular users and superusers. And for good reason. We need privileges in order to do certain things and we need privilege hierarchies to establish the right levels of access. With higher levels of privilege come higher levels of risk. The problem is that what we’re seeing happen in organizations and companies is a less discriminating assignment of privilege.
We have all these devices, and a pervasive BYOD culture, demanding access to the networks and the data, all that lovely “big data”. And so we comply. We keep opening doors that should just. Stay. Closed.
When it comes to access and privileged identity management, we aren’t controlling what we can and need to control. Per Ericka Chickowski, while 92 percent of organizations in the US have some user monitoring in place, only 56 percent are handling privileged identity management. Almost a third of those companies do not have someone actually analyzing or auditing how and when employees and contractors have privileged access to systems on even a weekly basis. Meanwhile, 60% of IT decision makers admit to sharing their credentials.
In her recent piece “Employee Password Habits that Could Hurt Enterprises”, Ericka shows that we’re still not learning despite recent breaches and training programs. As the line between personal and professional grows more blurry, 60% of employees do work activities from a personal device and 55% of employees do personal activities on work devices. Work data is accessed from personal devices more than once a day by over one third of employees. Passwords remain an Achilles’ heel that the most novice attacker can exploit to gain access to our networks and then find their way to, or stumble upon, our corporate crown jewels. Half of employees reuse passwords at work, and that number only increases for personal use. Remember that blurred line – it factors in here.
Cutbacks and reductions mean fewer guardians at the gate in IT. Under pressure to keep things running and meet demands, we resort to the path of least resistance so that we are “simplifying the process.”
Okay. Why not enable users to resolve some of their own problems by raising their status?
What the heck? Let Marketing have access to all the data – it’s just reports.
Why not? Let people update corporate social media accounts – there’s nothing to worry about there.
But here’s the bottom line: Privilege loses its meaning when that account status is being freely handed out.
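The preceding paragraphs describe the gap between what privilege is supposed to mean and how it is actually handed out and (not) audited. The following is an added example, not code from the original post: a small privileged-access audit run over constructed account records. It flags the three conditions the post names as going unchecked: privileged access nobody has reviewed within a week, shared credentials, and elevated rights granted without a recorded reason, and it reports what share of accounts hold any privileged role at all. The role names, field names and the seven-day review window are assumptions chosen for the illustration.

```python
"""Privileged-access audit over constructed account records (added example).

Assumptions: role names, the Account fields and the 7-day review window are
made up for this illustration; real directories expose different attributes.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed names of roles that carry elevated rights in this toy environment.
PRIVILEGED_ROLES = {"domain_admin", "db_admin", "social_media_admin"}

# The post cites a weekly cadence as the minimum for reviewing privileged access.
REVIEW_WINDOW = timedelta(days=7)


@dataclass
class Account:
    name: str
    roles: Set[str]
    last_privilege_review: Optional[date]  # None means the grant was never reviewed
    shared: bool = False                   # credential is known to be shared
    justification: str = ""                # ticket or reason recorded for the grant


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for every privileged account that
    violates one of the three checks. Unprivileged accounts are skipped:
    there is nothing elevated to review."""
    findings = []
    for acct in accounts:
        if not (acct.roles & PRIVILEGED_ROLES):
            continue
        if acct.shared:
            findings.append((acct.name, "shared_credential"))
        if not acct.justification.strip():
            findings.append((acct.name, "no_justification"))
        reviewed = acct.last_privilege_review
        if reviewed is None or today - reviewed > REVIEW_WINDOW:
            findings.append((acct.name, "stale_review"))
    return findings


def privilege_ratio(accounts: List[Account]) -> float:
    """Fraction of accounts holding at least one privileged role. A number
    creeping towards 1.0 is the 'less discriminating assignment of privilege'
    the post warns about."""
    if not accounts:
        return 0.0
    privileged = sum(1 for a in accounts if a.roles & PRIVILEGED_ROLES)
    return privileged / len(accounts)


def sample_accounts(today: date) -> List[Account]:
    """Constructed sample data: one well-managed admin, one shared marketing
    login, one ordinary user and one admin whose review has lapsed."""
    return [
        Account("alice", {"domain_admin"}, today - timedelta(days=2),
                justification="CHG-0001 (constructed ticket id)"),
        Account("marketing-shared", {"social_media_admin"}, None, shared=True),
        Account("bob", {"user"}, None),
        Account("carol", {"db_admin"}, today - timedelta(days=30),
                justification="CHG-0002 (constructed ticket id)"),
    ]


if __name__ == "__main__":
    run_date = date(2015, 12, 7)  # constructed run date
    accts = sample_accounts(run_date)
    print(f"privileged share of accounts: {privilege_ratio(accts):.2f}")
    for name, finding in audit(accts, run_date):
        print(f"{name}: {finding}")
```

Running the block lists three findings for the shared marketing login (shared credential, no justification, never reviewed), one stale review for carol, nothing for alice or bob, and a privileged share of 0.75, which is the kind of number that should prompt the question of why three out of four accounts need elevated rights at all.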
“It is scary to think that this many people consider it normal for employees to have access to data that they shouldn’t have and for companies to not know where their missing data has gone.”
– David Gibson, VP at Varonis.
One word: exposure.
It is as bad as it sounds. When an employee shares company data from a mobile device with an unauthorized app or third party, he or she is a mere click away from placing corporate data at significant risk. Data leaks can also be caused by application vulnerabilities exploited by malware. According to a March 2015 IBM-sponsored Ponemon Institute study, nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers.
This scenario is bad enough for your personal information. Now imagine an employee is accessing unauthorized sites. And don’t count on the Do Not Track setting in the browser. Press it all you like. It’s like that button at the traffic light. Nothing really happens.
There are a whole host of security issues when it comes to data. So what happens when individuals operate as individuals, and make independent decisions about data storage and transmission? What do you do when your greatest security threat comes from within?
Let’s talk legalities. While business may love that employees pay for their own devices, and BYOD is all about convenience, it comes at a cost and everyone needs to be prepared. You can’t protect what you don’t know. And with shadow IT and shadow data, you are exposed. I’ve spoken with Chris Case, the resident expert on cyber insurance at Dan Lawrie Insurance Brokers. Most businesses have no idea what they are really covered for. Here’s a sobering thought: the insurance you currently have won’t cover breaches. You need Errors and Omissions coverage, and to make sure your riders address the new cyber risks your data and reputation face. No, insurance does not replace good security fundamentals, but it is a mandatory component in your security toolkit.
Let me reiterate something Mark Nunnikhoven wrote in his recent piece “The Attack Surface of Data” on LinkedIn Pulse. He re-establishes a point we all need to remember: the more data you have, the greater its value, and the greater your risk. But people keep putting more data out there, and storing it in places it can’t be kept safe. Mark points out that, as we here know too well, security is an afterthought at best. “Typically security teams are faced with dealing with the aftermath of collection decisions. That’s unfortunate because the easiest way to secure the data is simply not to ever have it in the first place.”
The situation has evolved drastically from what we are used to protecting. This requires a different level of data breach prevention at the point of network entry. One where we need to really understand the risk profile of the device and the user.
“It’s not good enough to merely resist the rise of BYOD, if people can still access corporate e-mail when they get home…”
Because at the end of the day, what do our continued efforts to secure the corporate walls mean when this is the current reality?