Securing data needs to evolve beyond building moats around castles

CastleTarget, Home Depot, JPMorgan Chase, Salesforce - every week brings a new report of a security breach. Despite increasing investments in security software, it seems our data has never been less secure.

As the way we work has shifted, the risks to our data have been spread far and wide making it even more challenging to protect.

The first shift is away from locally housed data and applications to web apps that can be accessed via the browser.

The second - to some degree enabled by the first - is an increasingly decentralized workforce, including a dependency on outsourced relationships.

Our teams consist of a mix of employees and contractors, many of whom work remotely or are on the move.

The result: users anywhere on any device can access business apps and information using any network with credentials that they manage. This bypasses many, if not all, traditional security measures that focused on establishing a strong, secure perimeter around defined systems.

In our excitement to embrace the cloud, we have lost the points of control that used to exist between a user and sensitive data. The perimeter that IT needs to secure has literally grown to encompass the entire world and grows daily as users introduce new devices and networks to the mix.

So let's get specific on some of these risks:

Uncontrollable exploits against devices

The browser is a kitchen sink when it comes to mixing business data with personal browsing. This gives hackers a perfect avenue to gain access to the local environment.

There are various methods for effecting control, but the recent Dyre exploit, targeting a range of sites including Salesforce.com, illustrates this type of attack.

The attack targeted users through a phishing scam. The user opened the email and it downloaded malicious code onto their machine. When they navigated to the Salesforce website, Dyre took them to a lookalike page and captured the credentials by logging the keystrokes.

Significantly, the attack circumvented two-factor authentication by logging in simultaneously with the user and intercepting their one-time password. Over the past year alone, we have seen a dramatic increase in the incidence and sophistication of this type of attack.

Network hacks

As users, we often blindly trust and automatically join convenient free public Wi-Fi networks where data is easily compromised. The most common network hacks are rogue access points or evil twins, two variants of the man-in-the-middle attack.

The low-cost WiFi Pineapple can be configured in about an hour and used to automate the creation of evil twin access points that attackers could use to steal data.

A recently released set of tools called Mana represents an evolution of this type of attack that is even harder to stop. We did a quick test with the WiFi Pineapple to see how susceptible people in the offices around us were.

Within minutes, we had several users connected to our rogue access point and were intercepting any data they sent over the connection. We could view any images users browsed as well as any API calls.

All in less than half an hour and the "victims" had no idea we were listening.

User error

Simple user error when interacting with data is probably the most pernicious risk organizations face. Without appropriate controls, it's just too easy for users to download sensitive data to random computers, upload it to cloud stores like Google or Dropbox, or be casual when it comes to choosing and storing passwords appropriately.

In most cases this activity is happening innocently. But as the adage goes; users will be users.

So how can we protect our sensitive data in this rapidly evolving, always-connected world? There are the usual measures that get regurgitated in every security article, like running updated client security software, or setting strong/unique passwords. But most are either impractical or don't go far enough.

Vendors need to rethink and redesign security from something that is implemented in a singular place to protect a defined surface area, to something that extends down to the user and device regardless of where they are. It requires a major shift in approach.

Until that happens, we'll keep seeing data breaches as hackers continue evolve, discovering new ways to find and attack the weakest links in the ever growing chain.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

No comments yet.

Leave a Reply