I recently came across this blog post from Harvard Business Review, IT in the Age of the Empowered Employee. The author, Ted Schadler, who recently co-authored a book entitled, Empowered, seems to have coined the term, “highly empowered and resourceful operatives (HEROes).” These people represent 20% of the employees in an organization who aggressively seek out information technology solutions on their own without the IT department’s support.
Schadler recommends that managers and IT support HEROes’ efforts:
What caught my eye of course is, “Provide tools to manage risk.” Yes, enable the use of Web 2.0 applications and social networking by mitigating the risks they create. Next Generation Firewalls come to mind.
Constellation Group’s Ray Wang lists five core disruptive technologies: social, mobile, cloud, analytics, and unified communications.
What’s interesting to us at Cymbel is that each of them requires rethinking compliance and security to mitigate the new risks their deployments create for the enterprise. In other words, inadequately addressing the security and compliance risks around these technologies will inhibit deployment.
What are the risks?
Social – The new threat vector – the “inside-out” attack, i.e. rather than having to penetrate the enterprise from the outside-in, all a cybercriminal has to do is lure the insider to an external malware-laden web page.
Mobile – All the types of attacks we’ve seen over the years against desktops and laptops are finding their way onto smart phones.
Cloud – Will you put trade secrets and PII out in a public cloud deployment without protecting them from third party access? How will you verify that third parties, such as the administrators at SaaS companies, are not accessing your data?
Analytics – Good security technology has only recently taken hold for traditional relational databases that rely on the SQL access language. The new analytics are about new ways of storing and accessing data for analysis. How do you monitor and control access?
Unified Communications – Attempting to apply traditional IPSec VPN technology to converged data, voice, and video networks creates unacceptable latency issues and unstable session connections. And MPLS itself does not provide encryption.
Cymbel’s mission is to provide the information security and compliance solutions which enable these technologies. We help our clients rethink and re-implement defense-in-depth.
Darwin said, “It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change.”
As an Information Security and Compliance Solution Provider, we are enablers of technology change.
George Hulme highlights two technology trends which are increasing enterprise security risks – employee-owned smartphones and Web 2.0 applications including social networking.
Today, more than ever, employees are bucking efforts to be forced to work on stale and stodgy corporate notebooks, desktops or clunky, outdated mobile phones. They want to use the same trendy smart phones, tablets, or netbooks that they have at home for both play and work. And that, say security experts, poses a problem.
“If you prohibit access to the services people want to use for their jobs, they end up ignoring you and doing it from their own phone or netbook with their own data connection,” says Josh Corman, research director, security at the analyst firm 451 Group. “Workers are always going to find a way to share data and information more efficiently, and people will always embrace ways to do their job as effectively as possible.”
To control and mitigate the risks of using Web 2.0 applications and social networking, we’ve been recommending to and deploying for our clients Palo Alto Networks’ Next Generation Firewalls.
Palo Alto posted a well written response to Hulme’s article, Which is Riskier: Consumer Devices or the Applications in Use? Clearly, Palo Alto’s focus is on (1) controlling application usage, (2) providing intrusion detection/prevention for allowed applications, and (3) blocking the methods people have been using (remote access tools, external proxies, circumventors) to get around traditional network security solutions.
We have been big supporters of the thinking that the focus of information security must shift from protecting devices to protecting information. That is the core of the next generation defense-in-depth architecture we’ve assembled.
Corman agrees that the focus needs to shift from protecting devices to protecting data. “Security managers need to focus on the things they can control. And if they can control the computation platforms, and the entry and exit points of the network, they can control the access to sensitive data, regardless of who is trying to access it,” he says. Corman advises enterprises to deploy, or increase their focus on, technologies that help to control data access: file and folder encryption, enterprise digital rights management, role-based access control, and network segmentation.
Having said that, we are currently investigating a variety of new solutions directly aimed at bringing smartphones under enterprise control, at least for the enterprise applications and data portion of smartphone usage.
Bruce Schneier’s article last week entitled, Consumerization and Corporate IT Security, postulates that IT security has no choice but to loosen control in response to the consumerization of IT. In other words, corporate use of consumer IT products cannot be controlled by IT Security.
Here at Cymbel, we became aware of this issue back in 2007 and began searching for solutions. There is no doubt that corporate employees must be allowed to take advantage of Web 2.0 applications and social networking. However, the enterprise can surely do this in a controlled manner and provide protection against the risks of using these applications.
Here are four solutions we offer to corporate IT Security to protect the organization while enabling the use of consumer IT products:
Palo Alto Networks provides a next generation firewall designed and built from the ground up to enable controlled use of Web 2.0 applications and social networking and protection against web-based malware. In the last 18 months, they’ve grown from 200 customers to 2,000 and they are now cash-flow positive. I would expect an IPO in the next 12-18 months.
FireEye provides protection against web-based zero-day and unknown threats using heuristics rather than signatures. It minimizes false positives by using VMware-based sandboxes on its appliances to run suspicious executables prior to alerting.
NexTier Networks is the first Data Loss Prevention system that uses semantics to classify documents rather than traditional fingerprinting. Therefore it can protect unstructured intellectual property as well as structured data against exfiltration attempts, without massive pre-scanning or pre-tagging.
Zscaler provides cloud-based proxy services for protecting against web and email-based malware without having to deploy any premises equipment. This is especially suitable for organizations with many small locations. Zscaler also provides a lightweight agent for traveling users so their web and email traffic is also routed through their cloud-based service.
In addition, we recommend Sentrigo, a database protection solution, as another layer of our next generation defense-in-depth architecture focused on applications, users, and information.
CSO Online published an article yesterday called Lifestyle Hackers. It simply points out that younger employees who are very active with Web 2.0 applications like Facebook and peer-to-peer, like to use these applications while at work in the name of productivity enhancement.
The use of these Web 2.0 applications by insiders increases the risk of security breaches. In most cases, these breaches are not malicious, rather inadvertent, but nevertheless damaging.
It's a well written article but not news. I have written about the increased IT Security risk due to Web 2.0 applications several times:
NetworkWorld has an interesting article today on the perils of social networking. The article focuses on the risk of employees transmitting confidential data. However, it's actually worse than that. There are also risks of malware infection via spam and other social engineering tactics. Twitter is notorious for its lax security. See my post, Twitter is Dead.
Blocking social networks completely is not the answer just as disconnecting from the Internet was not the answer in the 90's. Facebook, Twitter, and LinkedIn, among others can be powerful marketing and sales tools.
The answer is "IT Security 2.0" tools that can monitor these and hundreds of other web 2.0 applications to block incoming malware and outgoing confidential documents.
Web security firm, Finjan, published a report (Issue 2, 2009) this week on a more advanced funds transfer fraud trojan called URLZone. It basically follows the now well understood process I blogged about previously, where:
Web site visitors are infected with a trojan, in this case URLZone.
The trojan is used to collect bank credentials.
Cybercriminals transfer money from the victims to mules.
The money is transferred from the mules to the cybercriminals.
URLZone is a more advanced trojan because of the level of automation of the funds transfer fraud (direct quotes from the Finjan report):
It hides its fraudulent transaction(s) in the report screen of the compromised account.
Its C&C [Command and Control] server sends instructions over HTTP about the amount to be stolen and where the stolen money should be deposited.
It logs and reports on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries.
In the past, the trojan was merely a keylogger that sent credentials back to the cybercriminal. These exploits were mostly against small businesses and schools where relatively large amounts of money could be stolen. But the URLZone trojan has much more sophisticated command and control which enables a much higher volume of transactions. Finjan reports 6,400 victims in 22 days losing 300,000 Euros. So far all the victims have been in Germany.
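Seen from the bank's side, the mule step of the process above leaves a distinctive trace in the ledger: a beneficiary account that has never received money before suddenly receives transfers from several unrelated payers in a short burst. The following added example (not Finjan's analysis code or any bank's real detection logic) runs that check over a constructed transfer log; the account names, amounts and the one-hour window are assumptions for the illustration.

```python
"""Flag candidate money-mule accounts in a constructed bank transfer log.

Added illustration (not Finjan's or any bank's detection logic): a funds-
transfer trojan drives many infected victims to send money to a small set of
mule accounts. Seen from the bank's ledger, a mule is a beneficiary that
appears for the first time and, within its first hour of existence, receives
transfers from several unrelated payers. The log below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transfer log: (timestamp, payer account, beneficiary, amount in EUR)
TRANSFERS = [
    ("2009-09-01 09:00", "acct-001", "payee-groceries", 54.20),
    ("2009-09-01 09:05", "acct-002", "payee-groceries", 12.00),
    ("2009-09-01 09:10", "acct-003", "payee-rent", 800.00),
    ("2009-09-03 10:00", "acct-001", "mule-A", 1450.00),
    ("2009-09-03 10:03", "acct-004", "mule-A", 1320.00),
    ("2009-09-03 10:07", "acct-005", "mule-A", 1510.00),
    ("2009-09-03 10:12", "acct-006", "mule-A", 1280.00),
    ("2009-09-03 11:00", "acct-007", "mule-B", 900.00),
    ("2009-09-03 11:02", "acct-008", "mule-B", 950.00),
    ("2009-09-03 11:05", "acct-009", "mule-B", 1000.00),
    ("2009-09-04 08:00", "acct-002", "payee-rent", 800.00),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def flag_mule_candidates(transfers, window=timedelta(hours=1), min_payers=3):
    """Return {beneficiary: {"payers": [...], "total": float}} for every
    beneficiary that, within `window` of the first transfer it ever received,
    was paid by at least `min_payers` distinct payer accounts."""
    rows = sorted((parse_ts(ts), payer, ben, amt) for ts, payer, ben, amt in transfers)
    by_beneficiary = defaultdict(list)
    for ts, payer, ben, amt in rows:
        by_beneficiary[ben].append((ts, payer, amt))

    flagged = {}
    for ben, recs in by_beneficiary.items():
        first_ts = recs[0][0]  # rows are time-sorted, so this is the first receipt
        burst = [(payer, amt) for ts, payer, amt in recs if ts - first_ts <= window]
        payers = {payer for payer, _ in burst}
        if len(payers) >= min_payers:
            flagged[ben] = {
                "payers": sorted(payers),
                "total": round(sum(amt for _, amt in burst), 2),
            }
    return flagged


if __name__ == "__main__":
    for ben, info in flag_mule_candidates(TRANSFERS).items():
        print(f"{ben}: {len(info['payers'])} payers, EUR {info['total']:.2f} in the first hour")
```

The check deliberately ignores the victim's own view of the account, since the trojan rewrites the report screen the victim sees; the ledger on the bank's side is the only record the malware cannot edit, which is why detection belongs there rather than in the browser.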
Every consultant and vendor has a theory about the top cyber security risks. But what's really going on? SANS has the answer. Last week they released their analysis of threat and vulnerability data collected from 6,000 organizations and 9 million systems during the period from March 2009 to August 2009.
SANS says that two threat types dominate the analysis, both of which are tied to Web 2.0:
Threats associated with people using Web 2.0 applications, i.e. unpatched vulnerabilities on their workstations that are exploited when they visit web sites.
My take: While the hype around NAC has definitely waned, the importance of comprehensive and continuous end point discovery, vulnerability analysis, configuration compliance checking, and patching at the application level as well as the operating system level is increasing.
Organizations' Internet-facing web sites remain vulnerable to threats like SQL Injection and Cross-Site Scripting.
My take: It's clear that using a rigorous Software Development Life Cycle process is just not getting the job done. Web application firewalls are a must have.
Marketing and Sales teams can benefit from using Web 2.0 social networks like Facebook to reach new customers and get customer feedback. It's about conversations rather than broadcasting. So simply denying the use of Facebook due to security risks and time-wasting applications is not a good option, much as in the 90's denying access to the Internet due to security risks was not feasible.
IT Security 2.0 requires finer grained monitoring and control of social networks like Facebook as follows:
Restrict access to Facebook to only those people in sales and marketing who legitimately need access.
Facebook is not a single monolithic application. It's actually a platform or an environment with many functions and many applications, some of which are pure entertainment and thus might be considered business time wasters. Create policies that restrict usage of Facebook to only those functions that are relevant to business value.
Monitor the Facebook stream to detect and block incoming malware and outgoing confidential information.
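The three controls above are easiest to see as one policy evaluated in order over each flow: who the user is, which Facebook function they are using, and what the allowed stream contains. The following added example (not Palo Alto Networks' policy language or any product's code) runs such a policy over constructed flow records; the group names, function names, confidential-data markers and the list of executable extensions are assumptions chosen for the illustration.

```python
"""Evaluate constructed Facebook flows against a fine-grained usage policy.

Added example, not Palo Alto Networks' policy language or any product's
code. It models three controls: (1) only sales and marketing may use
Facebook, (2) only business-relevant Facebook functions are allowed,
(3) the allowed stream is scanned for outbound confidential data and inbound
executables. Group names, function names and the detection patterns are
assumptions for the illustration.
"""
import re

ALLOWED_GROUPS = {"sales", "marketing"}
# Facebook sub-functions treated as business-relevant; everything else (games,
# third-party apps, video) is denied even for the allowed groups.
ALLOWED_FUNCTIONS = {"facebook-wall", "facebook-messaging", "facebook-pages"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")


def evaluate_flow(flow):
    """Return (decision, reason) for one flow record. Checks run in policy
    order: who, which function, then content of the allowed stream."""
    if flow["group"] not in ALLOWED_GROUPS:
        return ("block", "user not in sales or marketing")
    if flow["function"] not in ALLOWED_FUNCTIONS:
        return ("block", "function not business-relevant: " + flow["function"])
    content = flow.get("content", "")
    attachment = flow.get("attachment", "")
    if flow["direction"] == "out":
        if SSN_RE.search(content) or any(m in content.upper() for m in CONFIDENTIAL_MARKERS):
            return ("block", "outbound content matches confidential-data policy")
    else:
        if attachment.lower().endswith(EXECUTABLE_EXTENSIONS):
            return ("block", "inbound executable attachment: " + attachment)
    return ("allow", "permitted by policy")


# Constructed flow records, shaped like an application-aware firewall's log.
FLOWS = [
    {"user": "dana", "group": "sales", "function": "facebook-wall", "direction": "out",
     "content": "Launch webinar is Thursday, register on our page!"},
    {"user": "eli", "group": "engineering", "function": "facebook-wall", "direction": "out",
     "content": "Lunch?"},
    {"user": "dana", "group": "sales", "function": "facebook-games", "direction": "in"},
    {"user": "fay", "group": "marketing", "function": "facebook-messaging", "direction": "out",
     "content": "Price list attached, INTERNAL ONLY, do not forward."},
    {"user": "fay", "group": "marketing", "function": "facebook-messaging", "direction": "out",
     "content": "Customer SSN is 123-45-6789 for the credit check."},
    {"user": "fay", "group": "marketing", "function": "facebook-messaging", "direction": "in",
     "attachment": "invoice.pdf.exe"},
    {"user": "fay", "group": "marketing", "function": "facebook-messaging", "direction": "in",
     "attachment": "brochure.pdf"},
]


def evaluate_all(flows):
    """Return [(user, function, decision, reason)] for every flow."""
    return [(f["user"], f["function"]) + evaluate_flow(f) for f in flows]


if __name__ == "__main__":
    for user, func, decision, reason in evaluate_all(FLOWS):
        print(f"{decision:5} {user:5} {func:20} {reason}")
```

The order of the checks matters: user and function decisions are cheap and happen before any content is inspected, so the content scanner only ever sees traffic from people and functions the business has already approved.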
Palo Alto Networks, which provides an "Application/User/Content aware" firewall (is that a mouthful?), appears to be able to provide such capabilities. Perhaps we might call it a Web 2.0 network firewall.
Is anyone aware of another firewall that can provide similar functionality?
Two more high profile organizations have succumbed to Web 2.0 based exploits, the New York Times and RBS Worldpay. These highlight the shortcomings of traditional IT security. I have no doubt that both of these organizations had deployed traditional firewalls and other IT Security tools, yet they were still breached by well understood exploit methods for which there are proven mitigation tools.
The current RBS Worldpay problem was merely a hacker showing off a SQL Injection vulnerability of RBS Worldpay's payment processing system. Late last year RBS Worldpay suffered a more damaging breach involving the "personal and financial account information of about 1.5 million cardholders and other individuals, and the social security numbers (SSNs) of 1.1 million people."
The New York Times website itself was not breached. A third party ad network vendor they use was serving "scareware" ads on New York Times site. Martin McKeay points out on his blog:
"it appears that the code wasn’t directly on a NYT server, rather it was served up by one of the third-party services that provide ads for the NYT. Once again, it shows that even if you trust a particular site you’re visiting, the interaction between that site and the secondary systems supporting it offer a great attack vector for the bad guys to gain access through."
On the other hand, the average user coming to the New York Times site is not aware of this detail and will most deservedly hold the New York Times responsible. Web sites that use third party ad networks to make money must take responsibility for exploits on these ad networks. For now, as usual, end users have to protect themselves.
I recommend that Firefox 3.5 users avail themselves of Adblock Plus and NoScript. Adblock Plus obviously blocks ads and NoScript by default prevents JavaScript from running.
What's particularly interesting about NoScript is that you can allow JavaScript associated with the site to run but not the JavaScript associated with third party sites like advertising networks. Based on my reading of Troy Davis's analysis of the exploit, if you were using Firefox 3.5 and running NoScript with only New York Times JavaScript allowed, you would not have seen the scareware ad.
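The distinction NoScript draws, first-party script allowed and third-party script blocked, comes down to comparing the domain that served the page with the domain that serves each script. The following added example (not NoScript's code, and not a description of its internals) models that decision for a constructed page: script sources are resolved against the page URL, reduced to a registrable domain, and compared. The two-label domain heuristic is a deliberate simplification (it mishandles suffixes such as co.uk; a real implementation would consult the Public Suffix List), and the ad-network domain is made up.

```python
"""Decide which script URLs on a page are first-party and which are third-party.

Added example, not NoScript's code: it models the policy described above,
allowing JavaScript served from the site you are visiting and blocking
JavaScript served from other domains such as ad networks. The
registrable-domain heuristic (last two labels of the host) is a deliberate
simplification and mishandles suffixes like co.uk; the URLs are constructed.
"""
from urllib.parse import urljoin, urlparse


def registrable_domain(host):
    """Approximate eTLD+1: 'graphics8.nytimes.com' -> 'nytimes.com'.
    Assumption: two-label suffix; a real implementation would use the
    Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_scripts(page_url, script_srcs):
    """Return {resolved_script_url: 'allow' | 'block'} for each script src
    found on the page. Relative and scheme-relative srcs are resolved against
    the page URL first, so all sources are compared on the same footing."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    decisions = {}
    for src in script_srcs:
        resolved = urljoin(page_url, src)
        host = urlparse(resolved).hostname or ""
        same_site = registrable_domain(host) == page_domain
        decisions[resolved] = "allow" if same_site else "block"
    return decisions


# Constructed page and script sources, modelled on a news site that embeds
# a third-party ad network (the ad-network domain is made up).
PAGE = "http://www.nytimes.com/2009/09/13/example-article.html"
SCRIPTS = [
    "/js/site.js",                                  # relative, same host
    "http://graphics8.nytimes.com/js/common.js",    # first-party subdomain
    "//cdn.adnetwork-example.com/serve.js",         # scheme-relative, third party
    "http://tracker.adnetwork-example.com/t.js",    # third party
]


if __name__ == "__main__":
    for url, decision in classify_scripts(PAGE, SCRIPTS).items():
        print(f"{decision:5} {url}")
```

In the scareware case the ad was delivered by a script in the third-party category, so a policy that evaluates to "block" for everything outside the page's own domain never lets the ad network's code run, regardless of what that code would have done.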