Imagine a circumstance in which a significant investment has been made in a data loss prevention (DLP) solution, yet that investment paves the way for a lip-service approach to cyber security, with the very real-world consequence of unknown exposures. As amazing as it may seem, here is such a case in history, one that may leave you with two reactions: in the first instance amazement, followed quickly by the realisation that you may start to understand just why cyber criminals are so very, very successful.

Here we have an organization which had gone to great lengths to mitigate any opportunity for data leakage. Notwithstanding the significant investments made in tools, personnel and capabilities, these had proven to be completely ineffective, leaving the organization fully exposed to the prospect of real-time data leakage from its production environment. At the same time the security team existed in a sublime state of ignorance, being of the opinion that the enterprise was fully protected against data leakage, when it was not.

One of the first major flaws in the security posture was that a BYOD policy had evolved in practice, driven by users who had decided that, no matter what the written policies might say (see below), they would bring their own devices and connect them to company assets. In this area of exposure it soon became obvious that an increasing number of employees were copying sensitive information onto personal, unauthorized external devices, an action which was of course in breach of the Acceptable Use Policy (AUP). However, first-responder support was very slow to deal with such events and to engage the user in question; in the majority of cases the desktop visit and investigation occurred only days after the event, once the data horse had bolted. When it came to the policies that encompassed BYOD, the organization entered yet another dead-end street.
Whilst they had developed the necessary guidance to cover the company position on all things BYOD, it had only been made available to technical/user areas and managers. It did not communicate the company position to ordinary mortal users, so as far as they were concerned they were not contravening any promulgated security policy or AUP.

Agreed, the deployed DLP strategy had been somewhat successful in identifying casual use of media, or well-intentioned, unthinking transfers of data to other forms of unauthorized media; it was by no means comprehensive enough to deliver a security posture that secured the organization against a determined attempt to circumvent its DLP. In fact, they suffered one event which hit the press with considerable impact on their reputation, following a user's exfiltration of some very sensitive data to an external location, and which saw heads roll in real time.

However, the problems didn't stop there, and percolated down to a desktop build which badly provisioned users with approximately 10 potential methods and security workarounds by which data could be invisibly migrated under the watch of the in-house DLP team and its lacklustre DLP capabilities. In a number of cases it also supported exfiltration through the firewall with synchronized replication to external devices: an internal system replicated to a waiting external asset, which auto-replicated to ensure the latest copy of the data was resident on the recipient machine. This was a proven capability with a simple drag-and-drop exercise employing a running instance of Groove (then called SharePoint Desktop).

When it came to the O/S build itself, it made power tools available to ordinary users: command-line access, utilities such as wmic.exe, and options to access other power utilities. This would allow a knowing user to:
- Deploy tools and utilities to a remote system to attack the environment or, in some cases, take a remote image of the drive for later interrogation
- Build an application to mask content in a specialist file format, or to enable the user to deliver a payload to attack a target user or local system, to compromise either that user or the end-point system
- Enable the ordinary user to interrogate a local or remote system to identify any potentially intrusive applications (listening or monitoring [audit]) or to see whether any other interesting services were running, an opportunity used a lot by savvy insider attackers, and by remote attackers who have compromised systems and applications
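One practical check a defender can run against a desktop gold image is to ask the endpoint's effective AppLocker policy which of these power tools a standard user is still allowed to launch. The PowerShell below is an added example, not code from the original article or from Tripwire; it uses the standard AppLocker cmdlets (Get-AppLockerPolicy, Test-AppLockerPolicy). wmic.exe is the only tool named on the page; cmd.exe and powershell.exe are added here as an assumed stand-in for the "command line opportunities" the article mentions, and the "Everyone" principal is an assumed choice to model an ordinary user.

```powershell
# Added example (not part of the original article): report which power tools
# the effective AppLocker policy still lets an ordinary user run.
# Requires the AppLocker module (Windows 8 / Server 2012 and later) and should be
# run on a machine built from the gold image under review.

# wmic.exe is named in the article; the other two are assumptions standing in
# for "command line opportunities".
$toolsToCheck = @(
    "$env:SystemRoot\System32\wbem\wmic.exe",
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
)

# Effective policy = local AppLocker policy merged with any domain policy applied here.
$policy = Get-AppLockerPolicy -Effective

# Evaluate every path as the "Everyone" principal (assumed model of a standard user).
# PolicyDecision is "AllowedByDefault" when no rule collection covers the file at all,
# which is exactly the gold-image condition the article describes.
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $toolsToCheck -User 'Everyone'

foreach ($r in $results) {
    $exposed = $r.PolicyDecision -like 'Allowed*'
    $status  = if ($exposed) { 'EXPOSED' } else { 'blocked' }
    "{0,-8} {1,-18} {2}  (rule: {3})" -f $status, $r.PolicyDecision, $r.FilePath, $r.MatchingRule
}

# Non-zero exit if anything is exposed, so the check can gate an image build pipeline.
if ($results | Where-Object { $_.PolicyDecision -like 'Allowed*' }) { exit 1 }
```

A line reading `EXPOSED  AllowedByDefault` means no AppLocker rule addresses that binary at all, which is the usual state of a default build; the remediation is a deny rule (or a whitelist with no matching allow) for standard users, with an exception for the administrative accounts that genuinely need the tool.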
But when such tools and applications are provisioned to all ordinary users as part of the default desktop gold image build, the potential of the internal attacker, or of any external infiltrator who has managed to gain access to the inner sanctum, is further maximized, enhancing and underpinning very easy levels of compromise and successful attack conditions.

The last, but by no means the least, observation of insecurity focuses on the guest WiFi environment. Let us not ponder the promiscuous capabilities being provisioned with no AUP and no expectations as to how a visiting user would employ or abuse its routing to the internet. Let us not consider the fact that once a user was (is) provisioned with access to its external routing facilities to who knows where, they retain that access indefinitely, as the password is never changed.

It is the conjoined aspects of mismanaged, misunderstood security postures aggregated into one place which indicate to me why those nasty cyber criminals are not necessarily that smart; they are merely leveraging the inabilities of others who fail to recognise the holes enabling the eCrime mission in this era of adversity. As one hacker commented to me, "Long may it continue?"

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock