An employee uses business credentials to shop online. Another clicks on a link in an e-mail message from a complete stranger. A systems admin goes to a forum for help with a problem and gives detailed hardware, software, network and configuration information.
The exploits, payloads and motives may change, but the single biggest security threat to the enterprise is still its employees.
“Every one of you is owned, I absolutely promise you,” Kris Lovejoy, vice-president of IT risk with IBM Corp., told an audience of security professionals at SC Congress in Toronto on Wednesday.
And with companies putting more data and applications into cloud infrastructures – wherein development and administrative rights are sometimes given to employees who aren't in the IT department – the time-to-ownership window is getting smaller. Lovejoy's estimate of spin-up to compromise is about 15 minutes.
Often, “it's really hygiene that's the problem,” she says – developers disabling antivirus to compile faster, not changing passwords, leaving default services open.
Lovejoy breaks down security threat into four categories: inadvertant breaches by employees constitute about 60 per cent; unsophisticated, opportunistic attacks make up 20 per cent; and hacktivists and “advance persistent threats,” or APTs, each contribute less than 10 per cent to the threat landscape.
Hacktivist collectives like Anonymous are on the more sophisticated end of the scale, and are a widespread threat. “There's no end to the reasons that people get mad at you, “ Lovejoy says. But it's the APTs – organized criminals, terrorists, mercenaries and, speculation has it, national interests – that worry Lovejoy.
“They're getting real estate on our systems and leaving logic bombs,” she says. “How are they getting in? Through our people.”
A typical targetted attack goes something like this: An attacker searches LinkedIn for a systems administrator at a particular company. Profiles and activity on social networks will reveal preferences, trusted contacts, recent industry activity, and common online destinations. That'.s enough information to spear-phish for access information by posing as a trusted source, infect a third-party Web site to compromise a visiting machine, or guess passwords.
It can be difficult to detect, says Lovejoy, because the exploit could stay inactive for months before installing a keystroke logger, downloading command and control software, leaving logic bombs that will disrupt the system at a later date, or stealing data.
In a later session on risk management through situational awareness, Winn Schwartau, security guru and founder of mobile security company Mobile Application Development Partners LLC and The Security Awareness Co., the focus returned to the human element. Not many companies are dealing with it well, he said.
What are employees saying online that has security implications for the company? Is there a company policy regarding what employees can say in forums and social networks? Can employees use their company credentials, or do they have to use their personal accounts?>
“I've seen it occur at the C-level. They're completely clueless” about the security implications of what they're divulging online, Schwartau said.
Companies should also be monitoring what's being said about them online by outsiders, too. If there's a lot of traffic about you in Eastern Europe, for example, “does that present a road to a potential attack?” he asked.
While how much monitoring of your employees is politically acceptable varies from organization to organization, Schwartau said that simply doesn't apply to Internet activity. In that case, it's not an invasion of privacy.
“If it's on YouTube, it's not private, it's public. If it's on Facebook, it's public,” he said. Screening employees' social network profiles helps answer the question, “Does this person make good decisions or not?”
Robert Parnham, director of the information security practice at Marlabs Inc, agreed. If employees are using a company profile, it's the company's responsibility. “There's a need to do due diligence in your hiring,” Parnham said.
Schwartau calls himself a big fan of profiling employees and potential hires.
“I want to know if, as an employee, you're going to screw me,” he said. But for vetting new hires, he recommends someone who's trained in “deception detection,” the ability to gauge physiological responses questioning (think Tim Roth in the TV series Lie to Me).
But even those companies that do profile their employees often forget to re-vet the employee periodically, Schwartau said. Financial situations, personal situations and domestic situations change. “People's lives change,” Schwartau said.