






Expanding Attack Surface

How do attackers get in? Increasingly, it is via mobile devices. More than 70% of
organizations today have BYOD, or Bring Your Own Device, policies that allow employees to
use mobile devices for both business and personal use. These devices are powerful enough
to support corporate applications - and advanced malware. The lines between personal and
business use are blurred, and users consequently underestimate threats and introduce risk.
In general, mobile security behavior is sloppy. A big back door just opened up into your
network. The attackers no longer need to try to find the weakest link in your network security
– they have it. Malware can be injected through social engineering attacks, downloaded
apps and more: mobile messaging exploits and denial of service attacks are becoming
commonplace. These can lead to unauthorized network connectivity, sensitive data leakage,
and exfiltration.

Increasing Network Complexity

Network complexity is perhaps the biggest root cause. Today’s networks are no longer
simple, easy-to-understand and explainable in a Visio diagram. Rather, they have grown
increasingly complex. Organic growth alone contributes to complexity, as newer systems
and approaches are layered on top of existing systems. Even in a well-planned network, the
loss of “tribal knowledge” due to employee turnover can quickly lead to major gaps in
corporate understanding. And when you factor in mergers and acquisitions, the situation can
rapidly spiral out of control.

Even the savviest IT team probably doesn’t know exactly what the network looks like, much
less how it is working. In many organizations, the most recent network map is at least five
years old. Many of the devices currently in the network didn’t even exist when the map was
made. Out-of-date maps make it difficult to validate whether vitally important initiatives, such
as secure enclaves or vaults, have been set up properly. But the task of updating the
network map never rises to the top of the priority list.

Confronting Next Generation Threats

The task of securing critical information in this environment is not easy. The bad guys don’t
care about the cause of the vulnerability – they just need to get in, via the path of least
resistance, and then explore: which people talk to which other people, what systems talk to
what other systems, where does critical data (such as credit card data, personally
identifiable information, trade secrets) probably live? And from there, what are all the
avenues that could be used to take critical data out?


It turns out that knowledge is the security “killer app” – in this world, security is built on
knowledge. Make sure your employees know the risks and responsibilities that come with
mobile devices, and are trained to avoid social engineering attacks. Bear in mind that the
path to increased user awareness is slow and bumpy. That’s why it is imperative to
constantly monitor and protect your network, since the threats can only be reduced but not
eliminated.






10 Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
