An employee uses business credentials to shop online. Another clicks on a link in an e-mail message from a complete stranger. A systems admin goes to a forum for help with a problem and gives detailed hardware, software, network and configuration information.
The exploits, payloads and motives may change, but the single biggest security threat to the enterprise is still its employees.
“Every one of you is owned, I absolutely promise you,” Kris Lovejoy, vice-president of IT risk with IBM Corp., told an audience of security professionals at SC Congress in Toronto on Wednesday.
And with companies putting more data and applications into cloud infrastructures – wherein development and administrative rights are sometimes given to employees who aren't in the IT department – the time-to-ownership window is getting smaller. Lovejoy's estimate of spin-up to compromise is about 15 minutes.
Often, “it's really hygiene that's the problem,” she says – developers disabling antivirus to compile faster, not changing passwords, leaving default services open.
Lovejoy breaks down security threats into four categories: inadvertent breaches by employees constitute about 60 per cent; unsophisticated, opportunistic attacks make up 20 per cent; and hacktivists and “advanced persistent threats,” or APTs, each contribute less than 10 per cent to the threat landscape.
Hacktivist collectives like Anonymous are on the more sophisticated end of the scale, and are a widespread threat. “There's no end to the reasons that people get mad at you,” Lovejoy says. But it's the APTs – organized criminals, terrorists, mercenaries and, speculation has it, national interests – that worry Lovejoy.
“They're getting real estate on our systems and leaving logic bombs,” she says. “How are they getting in? Through our people.”
A typical targeted attack goes something like this: An attacker searches LinkedIn for a systems administrator at a particular company. Profiles and activity on social networks will reveal preferences, trusted contacts, recent industry activity, and common online destinations. That's enough information to spear-phish for access information by posing as a trusted source, infect a third-party Web site to compromise a visiting machine, or guess passwords.
It can be difficult to detect, says Lovejoy, because the exploit could stay inactive for months before installing a keystroke logger, downloading command and control software, leaving logic bombs that will disrupt the system at a later date, or stealing data.
In a later session on risk management through situational awareness, led by Winn Schwartau, security guru and founder of mobile security company Mobile Application Development Partners LLC and The Security Awareness Co., the focus returned to the human element. Not many companies are dealing with it well, he said.