In the course of working with our clients to improve their security posture, I have come across several common factors that often limit a business's ability to assess and mitigate cyber security risk. Last month, we looked at a few of these themes and some real-world examples of how they apply. Let's now take a look at a few more. You can't secure it if...
You Don't Know Who Has Access to It
Outsourcing has become more prevalent in today's business world. At the same time, the number of access points to our data has increased at pace. Several prominent data breaches in recent years were traced back to a third-party vendor, such as what happened to Goodwill and Jimmy Johns. In 2016, we saw numerous instances of outsourced payroll service data breaches that resulted in identity theft and fraudulent tax returns, including one which affected a Maryland-based construction company. As author James D. Burbank pointed out in "Threat’s Identity: How an Outsourced Workforce Can Harm Your Cybersecurity," the "outsourced workforce has become one of our primal threats." Hopefully, your employees have received training on handling your company's data, but have your outsourced workers received the same training? Do those work-from-home employees use access tools that meet your company's security requirements? You can't secure it if you don't know who has access to it.
You Don't Know What They're Doing With It
In 2014, SCMagazine published a piece on a report from Globalscape entitled, "Employee file sharing practices put corporate data at risk, study finds." A survey of 500 company employees found that "63 percent of employees use remote storage devices to transfer confidential work files, 45 percent of employees use consumer sites such as DropBox, and 30 percent of employees use cloud storage services." Two years later, the trend continues, as reported by Business News Daily. At the same time, a survey by Softchoice found that "one in three cloud-app users has downloaded an application without consulting IT." If your employees are using personal cloud-based storage services and perhaps portable devices to transfer data in and out of your network, you have a security problem. I often find this is a result of a failure to communicate between employees and IT staff. It's the responsibility of IT staff to make certain employees have the tools they need to do their jobs competently and comfortably, and it's the employee's responsibility to ask IT for the tools they need rather than working something out on their own. If your habit is to "Just Say No" to employee requests, you may find that your employees are making end-runs around your security measures and putting company data at risk. You can't secure it if you don't know what they're doing with it.
You Don't Control It
The ubiquity of Internet access in the past few years has caused many changes in the logistics of delivering goods and services on a regular basis. While many of these procedural changes have increased efficiency and reduced expenses for the vendor, they can wreak havoc with network security. For example, many snack and drink vending machines now require Internet access to report on the inventory on hand. Long gone are the days when a delivery truck came around every week to restock the machine. Now, daily reports of stock on hand are transmitted to the central office, and a truck rolls only when a certain number of products have reached a certain low level. "The vending industry is going through a sea of change," reports readwrite magazine. While vending machines provided directly by larger companies (like Coke) typically provide their own Internet access, many smaller companies are taking advantage of a variety of available platforms (whether wired or wireless). Additionally, it is not unheard-of for an installation technician to simply plug the new drinks machine into an open network jack nearby without asking for permission. Along those same lines, many copy products companies now provide small "black boxes" that count the copies made, the level of toner, and drum life left. They then report this information directly back to the vendor via your Internet connection. Again, it's quite common for the technician to simply plug this device into your network without the knowledge of the IT department. Oftentimes, the floor managers who supervise the installation are unaware of the security risk this poses, particularly if your company doesn't have a written policy and training programs in place that cover these scenarios. In one instance, a client had installed a new VoIP phone system that was experiencing quality issues, so the vendor installed a "quality control device" on the network. 
Months later, when we arrived for a site inspection, that unmarked computer was still sitting on the floor of the data center. Turns out that "quality control device" was basically a packet sniffer, and it had been sitting unattended on the client's primary data network for several months. The client had no login on the box and no control over it. What happens when the vendor's server is hacked and a new firmware upgrade is applied to that little black box, vending machine, or quality control device, thereby turning it into an open door to your network? You can't secure it if you don't control it.
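The practical counter to the scenarios above is the one the CIS Controls put first: keep an inventory of authorized devices and regularly compare it against what is actually on the network. The script below is an added example, not code from the original article or from The Net Effect. It parses a simplified dhcpd.leases-style file (the lease text, the approved-device inventory and every MAC address in it are constructed sample data) and lists each device holding a lease that is absent from the inventory, which is exactly where an unannounced vending machine, copier "black box" or vendor "quality control device" would surface.

```python
"""Reconcile DHCP leases against an approved-device inventory.

Added example, not the article's own code. Parses a simplified
dhcpd.leases-style text, normalises MAC addresses, and reports every
device that holds a lease but is missing from the approved inventory.
All sample data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: MAC address -> owner/description. In practice this
# comes from the asset register the CIS Controls ask you to maintain.
APPROVED_DEVICES = {
    "00:1a:2b:3c:4d:5e": "accounting-pc (Finance)",
    "00:1a:2b:3c:4d:60": "copier-2f (Facilities, IT-approved)",
}

# Constructed sample leases in the dhcpd.leases layout (fields trimmed).
# Note the mixed-case MAC on the copier and the hostname-less device.
SAMPLE_LEASES = """\
lease 10.0.5.23 {
  starts 3 2016/11/02 14:21:07;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "accounting-pc";
}
lease 10.0.5.40 {
  starts 3 2016/11/02 14:30:11;
  hardware ethernet 00:1A:2B:3C:4D:60;
  client-hostname "copier-2f";
}
lease 10.0.5.77 {
  starts 3 2016/11/02 15:03:44;
  hardware ethernet 8c:41:f2:77:aa:01;
}
lease 10.0.5.90 {
  starts 4 2016/11/03 09:12:30;
  hardware ethernet d4:3d:7e:10:20:30;
  client-hostname "qc-monitor";
}
lease 10.0.5.91 {
  starts 4 2016/11/03 09:40:02;
  hardware ethernet d4:3d:7e:10:20:30;
  client-hostname "qc-monitor";
}
"""


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 00:1A:2B... and 00-1a-2b... compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> list:
    """Walk the file line by line; a lease is complete at its closing brace."""
    leases = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("lease ") and line.endswith("{"):
            current = {"ip": line.split()[1], "mac": None, "hostname": None}
        elif current is None:
            continue  # text outside a lease block (comments, server state)
        elif line.startswith("hardware ethernet "):
            current["mac"] = normalize_mac(line.split()[2].rstrip(";"))
        elif line.startswith("client-hostname "):
            current["hostname"] = line.split('"')[1]
        elif line == "}":
            if current["mac"] is not None:  # skip blocks with no hardware address
                leases.append(Lease(**current))
            current = None
    return leases


def find_unknown_devices(leases, approved) -> dict:
    """One entry per MAC not in the inventory, with every IP it has held."""
    unknown = {}
    for lease in leases:
        if lease.mac in approved:
            continue
        entry = unknown.setdefault(lease.mac, {"hostname": lease.hostname, "ips": []})
        entry["ips"].append(lease.ip)
        if entry["hostname"] is None:
            entry["hostname"] = lease.hostname
    return unknown


def report(text=SAMPLE_LEASES, approved=APPROVED_DEVICES) -> list:
    """Human-readable lines, one per unknown device, sorted by MAC."""
    lines = []
    for mac, info in sorted(find_unknown_devices(parse_leases(text), approved).items()):
        host = info["hostname"] or "<no hostname>"
        lines.append(f"UNKNOWN {mac}  {host:<14} ips={','.join(info['ips'])}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against a real lease file the same way (`report(open("/var/lib/dhcp/dhcpd.leases").read(), inventory)`); devices with static addresses never appear in DHCP leases, so pair this with an ARP or switch MAC-table export for complete coverage. The two flagged entries in the sample are the device with no hostname at all and the "qc-monitor" that has quietly held two addresses, both of which deserve a walk to the data center.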
You Don't See It
Brian Krebs wrote an interesting piece entitled "What’s in a Boarding Pass Barcode? A Lot." It revealed the wealth of information that is often contained in barcodes on boarding passes. Because the human eye can't read a barcode, we tend not to think about what data it may contain. Since reading that piece, I've noticed dozens of photos on social media that display student IDs, employee badges, and more with visible barcodes that can easily be read with a scanner app on my phone. I've even seen boarding passes and hospital admission bracelets with barcodes discarded in public trash cans. Are you or your employees inadvertently revealing important data via discarded or photographed barcodes? What about those QR codes that are seen in advertisements, posters, real estate signs, coupons, etc.? There are now real-world examples of malware being distributed by QR codes. Remember, just because your human eye can't read it doesn't mean it can't be read. Learn to see the hidden data around you. Acquire the habit of properly disposing of (shredding) printed items, hide or remove badges before photos are taken, and don't scan QR codes if you don't need to. You can't secure it if you don't see it. Managing cyber security risk is first and foremost a matter of paying attention to details. The CIS 20 Critical Security Controls make up an excellent framework for identifying potential holes in your security and addressing all the scenarios I've described in this blog post. You can download the detailed documentation free of charge from the Center for Internet Security at https://www.cisecurity.org/critical-controls/.
About the Author: Glenda R. Snodgrass has been lead consultant and project manager at The Net Effect since the company’s inception in 1996. Ms. Snodgrass is primarily engaged in cyber security training, threat analysis and mitigation for commercial, nonprofit and governmental organizations. In addition to conducting security related workshops, corporate training and delivering cyber security defense presentations at professional conferences and conventions, she spends time drafting network security protocols and developing employee security awareness training programs for clients. Ms. Snodgrass is President of the Gulf Coast Industrial Security Awareness Council, as well as an active member of InfraGard, ASIS International, and the Gulf Coast Technology Council. Ms. Snodgrass holds a B.A. from the University of South Alabama (1986) and a maîtrise from Université de Paris I Panthéon-Sorbonne in Paris, France (1989). Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.