Target, Home Depot, JPMorgan Chase, Salesforce – every week brings a new report of a security breach. Despite increasing investments in security software, it seems our data has never been less secure.
As the way we work has shifted, the risks to our data have been spread far and wide, making it even more challenging to protect.
The first shift is away from locally housed data and applications to web apps that can be accessed via the browser.
The second – to some degree enabled by the first – is an increasingly decentralized workforce, including a dependency on outsourced relationships.
Our teams consist of a mix of employees and contractors, many of whom work remotely or are on the move.
The result: users anywhere on any device can access business apps and information using any network with credentials that they manage. This bypasses many, if not all, traditional security measures that focused on establishing a strong, secure perimeter around defined systems.
In our excitement to embrace the cloud, we have lost the points of control that used to exist between a user and sensitive data. The perimeter that IT needs to secure has literally grown to encompass the entire world and grows daily as users introduce new devices and networks to the mix.
So let’s get specific on some of these risks:
Uncontrollable exploits against devices
There are various methods for effecting control, but the recent Dyre exploit, targeting a range of sites including Salesforce.com, illustrates this type of attack.
The attack targeted users through a phishing scam. The user opened the email and it downloaded malicious code onto their machine. When they navigated to the Salesforce website, Dyre took them to a lookalike page and captured the credentials by logging the keystrokes.
Significantly, the attack circumvented two-factor authentication by logging in simultaneously with the user and intercepting their one-time password. Over the past year alone, we have seen a dramatic increase in the incidence and sophistication of this type of attack.
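One server-side check for the pattern described above, where the attacker logs in alongside the victim with the intercepted one-time password, is to flag accounts with two successful OTP logins from different source IPs within a short window. This is an added example, not part of the original article; the log format, field names, and 60-second window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real data).
# Assumed format: ISO timestamp, user, source IP, OTP result.
SAMPLE_LOG = """\
2014-10-01T09:00:02Z alice 198.51.100.7 otp=ok
2014-10-01T09:00:09Z alice 203.0.113.45 otp=ok
2014-10-01T09:05:00Z bob 198.51.100.8 otp=ok
2014-10-01T13:30:00Z bob 198.51.100.8 otp=ok
2014-10-01T17:00:00Z carol 198.51.100.9 otp=ok
2014-10-01T17:20:00Z carol 192.0.2.77 otp=ok
"""

WINDOW = timedelta(seconds=60)  # assumed threshold; tune to the OTP validity period


def parse(line):
    """Split one log line into (timestamp, user, ip, otp_accepted)."""
    ts, user, ip, otp = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, user, ip, otp == "otp=ok"


def find_parallel_logins(log_text, window=WINDOW):
    """Return (user, first_ip, second_ip, gap_seconds) for each pair of
    successful OTP logins by one user from different IPs within `window`."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, ip, ok = parse(line)
        if ok:
            by_user[user].append((when, ip))
    alerts = []
    for user, events in sorted(by_user.items()):
        events.sort()
        # Comparing neighbours in time order is enough: any two logins from
        # different IPs inside the window have such a neighbouring pair between them.
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                alerts.append((user, ip1, ip2, int((t2 - t1).total_seconds())))
    return alerts


if __name__ == "__main__":
    for alert in find_parallel_logins(SAMPLE_LOG):
        print("parallel login:", alert)
```

A legitimate user moving between networks can also trip this check, so an alert is a prompt to review or step up authentication rather than proof of compromise.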
The low-cost WiFi Pineapple can be configured in about an hour and used to automate the creation of evil twin access points that attackers could use to steal data.
A recently released set of tools called Mana represents an evolution of this type of attack that is even harder to stop. We did a quick test with the WiFi Pineapple to see how susceptible people in the offices around us were.
Within minutes, we had several users connected to our rogue access point and were intercepting any data they sent over the connection. We could view any images users browsed as well as any API calls.
All in less than half an hour and the “victims” had no idea we were listening.
In most cases this activity is happening innocently. But as the adage goes, users will be users.
So how can we protect our sensitive data in this rapidly evolving, always-connected world? There are the usual measures that get regurgitated in every security article, like running updated client security software, or setting strong/unique passwords. But most are either impractical or don’t go far enough.
Vendors need to rethink and redesign security from something that is implemented in a singular place to protect a defined surface area, to something that extends down to the user and device regardless of where they are. It requires a major shift in approach.
Until that happens, we’ll keep seeing data breaches as hackers continue to evolve, discovering new ways to find and attack the weakest links in the ever-growing chain.