Information security has never been easy. But, in retrospect, securing the standard business IT infrastructure of the past – mainly Windows-based, located primarily on-premises – is beginning to look simple in comparison with the highly heterogeneous, mobile, employee-owned infrastructure of tomorrow.
Employee-owned mobile devices are an area of keen interest, and delegates at Information Age’s latest Enterprise Security event were keen to hear the pros and cons of ‘bring your own device’ (BYOD) policies.
Keynote speaker Quentin Taylor, head of information security at imaging company Canon, explained that since the release of the iPhone, the idea of allowing employees to use their own devices for work has shifted from a security ‘no no’ to a perceived ‘no brainer’.
“Sure, we had people bringing in shiny things before the iPhone, but never to the same extent,” Taylor said. “It suddenly appeared that no return on investment was required to implement ‘bring your own device’ (BYOD), since every employee already had one.”
But without a clear ROI for BYOD programmes, the likelihood that an organisation will implement one is a function of how ‘gadget friendly’ the CFO is, he said. “You could correlate how quickly your BYOD projects get signed off with the gadget friendliness of the executive who signs off the project.”
BYOD presents many potential headaches for the IT department, he explained. “Lost devices, data proliferation, entitlement, costs, personal data, app deployment and patching on multiple devices are just some of the things you need to think about when building a BYOD policy,” he said.
Indeed, Taylor said, BYOD is likely to challenge the IT department’s ability to exert any control over the business computing environment. “IT are the biggest losers from bring your own device,” he said.
Many organisations are turning to mobile device management software in order to retain some control over the business computing environment in the face of BYOD. “If the enterprise doesn’t own the devices, how does it patch them?” Taylor posited. “Ask users to do it? Have you seen the number of people still using Internet Explorer 6?”
But some MDM mechanisms, such as creating a secure sandbox on the employee’s phone where they can access business data, can rub up against employees’ sky-high expectations for user experience. “If you’ve just had someone jumping around on stage in a black turtleneck raving about their calendaring app, your users will be disappointed when you tell them they have to run a virtualised calendar in a sandbox,” Taylor explained.
Still, as Ian Evans, managing director at mobile device management company AirWatch, told delegates, the proliferation of employee mobile devices is unstoppable. The average number of mobile devices in the enterprise per employee is now 1.4, and that is rising fast, he said.
One way to contain the chaos is to restrict the number of models that the organisation will support in its BYOD programme. “Organisations can’t leave the list of usable devices wide open,” Evans said, “as it would take far too long to make sure they are all secure.”
Evans reported that the complexities of BYOD are particularly acute for multinational organisations, as data protection, privacy and HR law varies wildly – even within Europe. Switzerland’s data protection law prohibits any data created within the country from leaving its border.
“Swiss banks will tell their employees to leave their smartphone in the country if they leave Switzerland, and to take a Nokia 6160 instead,” Evans said.
Cloud security
There are elements of the new, distributed computing environment that promise to make the IT department’s life easier. Cloud computing, for example, offers to remove some of the undifferentiated legwork required to deploy IT systems.
But as John Walker, chair of the London chapter of security organisation ISACA, told delegates, cloud computing contracts are like any other outsourcing agreement: the customer cannot abdicate responsibility for the security of its data.
“You’ve got to communicate your security policy, and not just contractually,” he explained. “I went out to a project in India where the organisation was very careful about writing their security policy requirements. But do you know where they put them? In the contract. There’s a problem there: nobody on the shop floor sees the contract, so nobody knew what their security objectives were.”
He noted that cloud computing may well be more secure than in-house hosting, as cloud providers are specialists in their field. But this is not always the case: Walker told the conference about one client which had adopted a cloud service and was examining its data loss prevention (DLP) credentials. “I was sitting in the centre of the team, and found 22 ways to circumvent their DLP,” he said.
Another client decided to move all of its database assets into an outsourced cloud environment. “It worked very well until people went to get to the data and found that they couldn’t,” Walker said. “Their on-campus policies for firewalls were at odds with the cloud policies, so they could never talk. The company had to break their on-campus security policies in order to access their cloud, so more holes were appearing in the firewall, more adjustments and exceptions were made to allow them to integrate.”
That same company, according to Walker, also realised that none of its cloud servers were being patched with the latest updates. “They sent an angry email [to the supplier] saying ‘what are you doing with our data?’. The cloud provider just sent back the contract, and said we are hosting your applications for development. The management of the systems and patching levels are with you. The client hadn’t realised that.”
Social hacktivism and the advanced persistent threat
The source of information security threats has changed dramatically in the past decade. Once, hackers were primarily interested in demonstrating their technical prowess. Now, motives include theft, protest and even international espionage.
This latter motive lies behind what have come to be known as “advanced persistent threats” (APTs): sophisticated, state-backed attacks designed to steal commercially valuable information, explained Henry Harrison, technical director at BAE Detica. “APT is a phrase that I loathe, but I’m having to learn to use it.”
Harrison pointed out that while state and industry are generally seen as separate, government-sponsored espionage in support of business interests is nothing new. He referred to 19th Century Scottish botanist Robert Fortune, who stole the secret of making tea from China after striking a deal with the East India Company.
Today, he said, many British businesses have had their IT networks compromised in attacks that appear to have been supported by foreign governments.
Some of them have decided to address it. “I know of one organisation that decided it minded enough to set up a new security program,” he said. “This security program has a steering committee which encompasses half of the members of the executive committee. That’s the level of commitment that we’ve seen some organisations take.”
“I’ve heard anecdotally of another organisation that has funded its (APT) programme to the tune of £1 billion,” Harrison added.
But others may take the view that the cost of eliminating the risk of an APT is greater than the potential intellectual property loss.
“I think it is fine if, as a business, you learn about this stuff and you conclude that you don’t mind,” Harrison said. “Perhaps you recognise that it’s quite likely that foreign intelligence services are stealing your information and passing it to your competitors, but you don’t think it will be very useful to them. That’s a reasonable business decision. What’s not reasonable is to assume it’s not going to happen to you.”
The other information security threat to have emerged in recent years is hacktivism – data theft or online vandalism designed to make a political or social point. Hacking has been used as a tool of protest since the very early days, but what has changed in recent years is the ability for non-experts to join in.
Roy Scotford, of data security company Imperva, calls this phenomenon “industrialised, automated hacking”. The advent of controllable, distributed botnets means that anyone can launch their own cyberattack. With the barriers to entry coming down, cyberattacks cease to be the realm of disgruntled programmers, and become social.
“These are people who want to join in with a culture,” Scotford said. “They might think that Russian cartels are wrong, or dislike the Catholic church. They’re trying to break into those websites, take them offline, deface them. The mainstays of ‘social hacktivism’ are the people who want to be part of something, not those with technical skills.”
Scotford notes that one Imperva customer was targeted by social hacktivists for a period of 25 days between June and November last year. “The attack took that long because it had to ramp up. The organisers were building momentum, rallying more supporters that could use simple tools to attack our customer,” he explained.
Naturally, Scotford credits his client’s survival to the presence of Imperva’s web application firewall, but his story does demonstrate that cyberattacks can be born out of little more than dislike, fomented into malice over the Internet.
But for all the emerging technology environments and developing security threats, the last presenter of the day reminded delegates that the best way to compromise any organisation remains ‘hacking the Homo sapiens’.
Ethical hacker Graeme Batsman gave a rundown of the numerous ways in which hackers can trick employees into divulging information or clicking on links that install malware.
“The best way for a hacker to get into the enterprise?” Batsman asked the floor. “Leave a malware CD in the bathroom with STAFF REDUNDANCIES 2012 written across the front in permanent marker. That’s the easy way.”