Headlines may tend to highlight the climate of fear around the ever-present threat from hackers – but are you aware that the biggest threat to your company’s information security might actually come from your own employees?
That’s not to say that they necessarily mean to compromise your corporate security, WatchGuard ANZ regional director Pat Devlin says – but simply that the explosion of mobile apps, cloud-based applications, and bring your own device (BYOD) policies is introducing complex new weaknesses that can easily create weak points in any organisation’s security defences.
“People tend to be very focused on what the likes of Anonymous and malware authors are doing,” Devlin explains, “but in the vast majority of cases we deal with, the higher percentage of breaches are happening because people are – inadvertently or deliberately – doing something from inside the network that’s either opening their environment up to an attack, or accidentally sending the wrong data out.”
Much of the exposure comes from increasingly insecure mobile apps. The sheer volume of new apps produced every day means that app stores are being plagued with software that can easily abuse built-in software privileges to siphon off sensitive information from otherwise well-meaning employees.
“Everyone wants to bring every device to work, but not every device has the same sort of walled garden philosophy that Apple have,” Devlin says, noting the harm caused by fake offerings such as the LinkedIn lookalike app that was simply designed to steal users’ LinkedIn credentials.
Other fake apps have been pushed, for popular services like Instagram and Skype, and new variants continue to be published with the hope of spreading malware to the devices of unsuspecting mobile users.
“This kind of thing is absolutely rife in app communities, and it’s very difficult for the average user to tell a legitimate from a suspicious app,” Devlin continues. “The service providers do a fair bit of vetting on their software, but it’s impossible to vet all apps down to the finest detail. And if I’m allowing people to store critical data or use various methods to navigate around company resources, it can easily be something I can’t control or affect.”
Many companies only seek help once they find out they’ve been hit with malware – and in a growing number of cases, this is happening because an employee inadvertently gave a high level of access to an app that they shouldn’t have been using.
Such events are prompting Devlin, like many others in the security community, to promote the importance of user education and policies to complement technological defences that are proving far too readily circumvented by careless users.
User education has often been poorly handled in the past, and has become difficult because malware authors have become so good at deceiving users. For this reason, Devlin recommends that companies seek to educate users by outlining exactly what users can and can’t do in the context of company security policy.
For example, companies concerned about data leakage may not want employees to forward work emails to their home email addresses, which may be hosted on insecure messaging systems. This should be addressed with “a strong policy that’s in plain English,” Devlin says.
“If you had a lawyer write it up, it might well be unintelligible and threatening. There’s a big disconnect between what policy is written, and what it’s trying to achieve.”
Technology may not be able to compensate completely for the inexperience of users, but it’s nonetheless an important tool in the fight to retain control over networks being riven by security vulnerabilities.
Modern unified threat management (UTM) platforms can monitor incoming and outgoing traffic to detect anomalous behaviour and botnet command-and-control signals. WatchGuard’s latest security appliance, for example, can apply rules-based filtering to multiple 10Gbps data streams in real time – giving companies a powerful tool in the quest to keep control of their corporate data.
This unified approach requires the technological consistency that has eluded companies cherry-picking best-of-breed security solutions, which end up with many different solutions that don’t interoperate and can therefore readily miss the more subtle signs of malware infiltration.
To effectively deal with the new threats of BYOD, the components of such fragmented security infrastructure must be unified to ensure that anomalous behaviour isn’t lost in the incompatibilities between systems. “More and more, as you get access from anywhere, it’s very difficult to protect users in any way,” Devlin explains.
“The one thing that’s consistent is that [malware traffic] has to go out on the network somewhere. We’ve invested heavily in the gateway space for both connection AND content filtering. To examine content we are able to fingerprint data and understand how it moves around the network. Making it simple, keeping it easy to manage and putting it all in one place is the only way you’re going to get consistency across all ingress and egress points – and that’s the only way to stay safe.”