Employees today are desiring access to company resources from all their computing devices rather than being limited to accessing company resources from only those devices owned and managed by the company. Social media and social media applications are also entrenching themselves in the everyday lives of consumers, and to reach many demographics today marketing plans are increasingly focused around social media. To many companies who have seen their revenues and profits drop during the global economic downturn, having employees use their own computing devices (“Bring Your Own Device” or “BYOD”) might now be seen as essential strategy when a few years ago it was unimaginable. If you as a security professional are wondering what steps you need to take in order to protect your organization during this wave of social media use and BYOD, you are not alone.
First, let’s examine the individual currents of this wave. The BYOD employee is the administrator of their own machine, installing programs as they like and often in charge of patch management of the operating system, anti-virus program, and other third-party programs such as Adobe Reader, Adobe Flash, Microsoft Office, and the Java Run-time Environment. These programs have been targets for intruders for years, but these third-party programs are widely installed on various computing platforms and are becoming primary targets of hackers in today’s security climate.
Rather than having a standardized list of allowed applications on employee devices known to company security managers, with BYOD the list of allowed applications on computing devices is often non-standardized. Further complicating the issue, company IT staff might not even know which device(s) employees use, and might not now be allowed to connect remotely to employee devices for patch management, virus scans, and other security concerns. It is also much more likely that the BYOD employee will be sharing their devices with others that are even less skillfully trained on computer security than your employees are, such as their children or other family members.
Social media relies extensively on blind links, user comments, third-party websites, and browser add-ons which have the potential for a slew of security issues. Further, social media encourages users to share what was formerly very private information about themselves. Thus it has never been so easy to find out heaps of information about company employees that might be used in security challenge questions because many are willingly posting this information on social media.
Just when the average user is becoming familiar with the dangers of viruses, worms, and spyware lurking in spam emails promising enhanced anatomy and revealing photos of celebrities, a new breed of criminal has been created who doesn’t mind spending several hours, days, or weeks surfing the pages of your company executives’ LinkedIn and Facebook pages during reconnaissance, or even hijack accounts for focused attacks akin to social engineering. This more determined criminal knows that users and company security personnel are more educated these days and much more likely to be updating operating systems with security patches as well as having up-to-date anti-virus and anti-malware protection. Because of that, this determined criminal knows attacks against the operating system directly are not going to be as successful as attacking Flash, Reader, Word, Excel, or Java vulnerabilities because these programs are often not patched as regularly as the operating system and anti-virus are. This more determined criminal also knows that some degree of human error is inevitable no matter how well trained the user, yet the users with the highest levels of access to company resources (such as owners and senior managers) might be among the most inexperienced users of computing devices in your company and thus the most likely to choose simple passwords, reuse passwords them across numerous accounts on numerous websites, and generally make more errors while responding to security threats.
Simultaneously, criminals and other nefarious persons operating online have powerful tools available at their disposal to use in penetrating your company network and extracting valuable information. What are the attack vectors they will take? First of all, either the attackers will be focused on your organization specifically, or they will have stumbled across your organization in a wide scan for the “low hanging fruit” of easy targets. If they are focused on your company specifically, they will likely have a wealth of information available online about your company’s technical infrastructure and personnel to start with including “secret” information used in security challenge questions and weak passwords such as company executives’ mother’s maiden name, first job, kids’ names, pets’ names, birthdays, and hobbies.
Recent high-profile attacks against security companies such as RSA, defense contractors such as Lockhead Martin, and websites such as Google during the “Aurora” attacks have all spawned initially from unpatched vulnerabilities in Adobe Reader and Flash. Also recently, online and offline research coupled with brute force password and security challenge question guessing by an individual with limited technical skill led to the compromise of cell phone accounts of celebrities such as Scarlett Johansson, Vanessa Hudgens, and Jessica Alba. If someone with limited technical skill could compromise the cell phones of numerous Hollywood starlets, what could an attacker with lots of technical skill do to the senior executives of your company? And not just them, but those close to them, too?
Accounts on social media websites (as well as instant messaging and email accounts) can also be compromised and used to attack unsuspecting users who believe they are communicating with friends, family, and other known acquaintances rather than criminals who have hijacked an account. By taking over accounts of those individuals known to the target, the attackers can achieve a much higher level of implicit trust by the target and thus can achieve much more disastrous results. If your “boss” emails you and asks for the login to your company DNS registration, would you send it back without seeking any offline confirmation? What if your “mother” asks you to read a PDF file? Attacks using hijacked accounts have been some of the most successful I have seen recently, and I expect that to continue and be adapted for many different purposes such as social engineering attacks including tricking an unsuspecting user into opening some type of compromised file.
What Can Be Done?
“Defense in depth” means layers of security defenses protecting valuable assets and is a well-respected methodology for protecting your network. Attackers are going to try and parlay any breach of defenses into a wider breach of defenses until they have complete control of your network and its valuable information. Assuming certain corporate defenses can’t be totally breached simply by knowing one of your company executive’s mother’s maiden names or first jobs (these are common security challenge questions for your company’s corporate website registration or hosting), attackers will have to probe to find the easiest route to penetrating your network and often the easiest route into a corporate network in today’s security climate will be through popular third-party applications such as Adobe Reader and Flash. Due to the amount of personal information available online about company employees, it is easier than ever to craft emails written to specific individuals (aka “spearfishing”) that can trick them into visiting compromised websites or opening infected third party application files that can breach lines of security defenses. If you’re the “low hanging fruit” in the crosshairs of an attacker, it might be because they already tricked a user to open an infected Flash or Reader file that successfully penetrated at least one line of defense, or because the attackers have already brute forced at least one of your user accounts.
Training for End Users
Without a doubt, one of the biggest factors in network defense is the security knowledge of network users. Attackers will find your least-skilled user(s) with access to critical information (often company owners and senior managers) and exploit them. With more administrative tasks being shifted to the end users and more information available online that can be used as ammunition against your network defenses, user training is more important than ever. End users likely are being tasked with doing more with less resources, so their time is also more valuable than ever, and a security training program that fits their demanding schedules while being well-received by the employees and business management is ever more of a challenge.
Instead of trying to set up large, lengthy security training seminars, focus on extending the employee communications already used within your company to provide short, easy to understand security tips. Five to fifteen minutes should be enough time to convey several important security tips without overwhelming non-technical users, and in this current economic climate, it will be seen as a cost advantage to add an extra few minutes to existing employee meetings for security training rather than schedule new meetings specifically for security training. Regular training across diverse media is also important for end user retention, so try to include security tips frequently in company emails; record audio and video training about security topics and post in a company wiki; manage an internal blog of important security tips and information; have employees role play scenarios with IT staff so that they are familiar with the situations where they make crucial decisions regarding security; and/or require employees answer short questionnaires on security awareness.
Focus on the education of your users, rather than blaming them for past or potential security lapses, and your security training will be much better received. Security awareness training will also be much more effective if you only have a few points to emphasize at a time rather than trying to educate the user on 20 or more security topics in a 15 minute time span. Give the user more frequent, easier-to-digest bits of information without being monotonous, and you will experience much less user pushback the next time a security awareness meeting comes around. Also, try to highlight any attacks that were successfully thwarted during your next security awareness meeting so that your end users receive positive feedback for a job well done. Praise publicly while keeping any criticism limited to private meetings.
Training for Network Administrators and IT Staff
The continued need for training of IT staff, even in a difficult economy, is critically important to corporate safety. I encourage both vendor-neutral and vendor-specific training and certification for your IT staff. At a minimum, your staff should be familiar with the SANS Institute list of the Top 20 Critical Security Controls (Version 3.1, http://www.SANS.org/critical-security-controls/).
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations of Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Security Software
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
Take note that inventories of hardware and software are at the top of the SANS list of critical security controls, while properly configuring equipment is only ranked #3. In an organization of any size at all, managing an inventory list of hardware and software can be a challenge, especially if your staff are using their own computing devices. If your organization goes BYOD, managing the list of acceptable devices and software may be seen as too much administrative overhead for your company. If your company makes this policy decision, it is imperative to counter this with additional security controls elsewhere. It is especially important to have secure configurations of your laptops, phones, and workstations as well as the best available anti-virus and anti-malware protection if your organization is not keeping a comprehensive list of approved devices and software. Using remote management apps that are cross-platform such as TeamViewer (TeamViewer.com), your IT staff can help your end users keep their devices secure, even if your end user is responsible for most or all of the patch management and anti-virus scans on their own devices.
Honestly, most organizations struggle to keep up-to-date lists of approved devices and software even when their employees are only using company-owned phones and computers, so this a broad area that most companies can improve on considerably. The amount of devices needing to be inventoried may double or triple when your users start using their own devices for work, but the additional security provided by the effort is worthwhile. If you suspect a security compromise, having an accurate list of allowed devices and software can dramatically increase your effective response time.
Written Security Policies
Security awareness training relies heavily on written security policies to underpin the foundations of security knowledge you are seeking to establish in your end users. They add another layer to your security defenses by giving your users something concrete to refer to if they are ever in doubt of your company’s security policies. Additionally, written security policy serves to coordinate management agreement on aspects of how to secure the organization.
At a minimum, I recommend having all users read and agree to in writing an Acceptable Use Policy, a Password Policy, and a Non-Disclosure Agreement at their time of hiring. These policies should be reviewed frequently with end users, and your company may wish to have your users renew these contracts annually. Not all your company’s security policies need to be written in contract form, with consequences stated for non-compliance, but they should all be written in easy-to-understand language, dated, and released with version numbers. The more professionally written your company security policies are, and the more committed to the security policies your senior managers are, the more likely your employees are to follow them. Consider having posters created of your information security policies to post in common areas such as the employee break room much like OSHA workplace safety posters are in the United States.
An Acceptable Usage Policy traditionally lists items such as applications to be used or not used by the end user, how the user is to connect to company resources locally and remotely, and acceptable use of things like social media and instant messaging. In this era of BYOD, the Acceptable Usage Policy should be expanded to prescribe patch management policies for all installed programs, not just the operating system and security software, as well as anti-virus / anti-malware scanning and removal policies for those users that administer their own computers. Password Policies for those users that administer their own devices will be harder to enforce than on company-owned and managed devices, but still should be used.
As the tech landscape continues to change, the way your company handles technology will have to change with it. Security administrators don’t usually like change, because with change comes unknown security risks that could be exploited and reflect poorly on us, however two things security administrators have resisted strongly for years are now here to stay for many: social media use in the workplace and employees using their own computing devices (BYOD) for mission critical tasks on a day-to-day basis. Additionally, third-party programs are increasingly becoming the attack vector criminals are using in very targeted attacks to breach security defenses. However, time-tested techniques such as training for end users and administrators; aggressive patch management; comprehensive device / software inventories; and written security policies can keep the criminals attacking your enterprise at bay.
This article first appeared in HAKIN9 Extra, May 2012 on Adobe Security.