[BreachExchange] Should CIOs take employees offline to improve security?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 29 19:11:43 EDT 2017


http://www.idgconnect.com/blog-abstract/27742/should-cios-employees-offline-improve-security

"Welcome to your first day at Insecure IT Solutions. Here's your new office.
It has three doors and five windows with no locks on any of them. We keep
all the sensitive business information in this open filing cabinet in the
middle of the room.

"If you want to send a message to anyone in the building, just write it on
a postcard, fold it into a paper aeroplane and throw it out of a window:
it'll get there eventually. Don't worry about all the strange pipes leading
off into the walls and ceiling. We've no idea what they're for but it's
probably fine.

"Oh, and you might find random strangers loitering around or sneaking in
and looking at your work from time to time. As long as they do it quietly
we ignore them. Any questions?"

"Erm... what?"

 --

Years of costly vulnerabilities and high-profile attacks have taught wary
IT directors and managers to block all ports and services that aren't
routinely used for business communications. Doing things any other way
smacks of naivety and a false sense of security, or someone whose
plate-spinning skills would better suit a career in the circus.

In enterprises where security is taken seriously – which is most of them,
since those that don't are likely to be rapidly hacked into commercial
oblivion – the precautionary principle holds sway. New staff may be set up
with email, web, local file-sharing and messaging services, with all other
ports and services locked or disabled.

But even the permitted services within the first 1024 ports are
potential malware transmission vectors. WannaCry spread through SMB – a
service for file-sharing and printer access – while 'web access' covers a
multitude of services such as DNS and DHCP as well as HTTP(S), maybe FTP
and NTP, and so on. Email is a major vector for spear-phishing. Malicious
code lurking in web pages is almost impossible to mitigate completely,
even with carefully locked-down browsers.

Still, the WannaCry experience was a wake-up call, right? At least now
everything will be tightly locked down, won't it? Actually, no it won't.
According to recent research, there are still millions of devices with the
same vulnerable ports open to the world. That's not due to laziness but to
the sheer difficulty of ensuring that services work while keeping the ports
they use secure.

What's today's stressed IT manager to do? Continue to block, patch and
hope? That approach is getting harder to justify, given the rate at which
new vulnerabilities appear. The problem is compounded by the fact that
there are almost certainly existing vulnerabilities that we – excluding
certain national security services – don't know about.

Does it still make sense for all of an enterprise to be online? The answer
boils down to a cost-benefit analysis:

What's the benefit of everyone being connected to the outside world?
What's the potential cost in terms of hacking, loss of commercial secrets
and downtime?

Until recently the benefit outweighed the cost, but now it's not so
clear-cut, because some of the costs are hard to determine. For example,
while researching an article on security a couple of years ago I spoke to
the head of an APAC security firm who told me an enlightening anecdote.

He'd spoken to manufacturing firms who were amazed at how quickly Far East
clones of their products were appearing on the market. "It takes just a few
weeks for them to reverse-engineer what we sell and copy it!" they
exclaimed. He pointed out that this wasn't true. In fact, the cloners had
simply hacked into the firms' systems months earlier and stolen their
designs, leaving no trace of their presence.

Maybe we're reaching a point where we have to admit that the security war
isn't going to be won – ever. Maybe it makes more sense to simply leave the
battlefield. Extending the precautionary principle further, it may be time
to disconnect most internal systems from the outside world altogether. If
this sounds restrictive and difficult, it probably is. But perhaps not when
compared to losing swathes of company-wide productivity to hacking,
phishing and ransomware attacks.

Too hard? If the Singapore government can manage it – a decision that now
looks prescient – so too could other organisations. In fact Singapore's not
alone. Certain government departments already use closed systems, as do
banks and other financial institutions. Specific devices may be connected
to the outside world, but those devices are fully air-gapped from internal
networks.

For some organisations, of course, connectivity is fundamental to business
growth. There's really no alternative to everyone being connected all the
time. But in many other places of work, the assumption that every employee
needs internet access should now be carefully questioned.

Only policy advice and board-level guidance will bring about a reduction in
security risks. No matter what hardware and software is in use, it will
never be entirely free from vulnerabilities. Changing policies from the top
down to prevent unnecessary connections to the outside world could at least
reduce the impact of those vulnerabilities.

The alternative is to keep on blocking, patching and hoping, in which case
good luck keeping those plates spinning.