Security Issues That Deserve a Logo, Part 2: Subversion
During the past year, a new trend in security experienced a meteoric rise, with headlines in both the mainstream and tech media, simply because vulnerabilities were marketed with catchy names and logos. In this blog series, I share with you critical security issues that haven’t captured the media’s attention, but that deserve serious discussion.
What is your biggest security issue?
When talking to senior security leaders in an organisation, one of my favourite questions to pose is “What is the biggest security issue you currently face?” The responses vary wildly depending on the maturity of the company, geographical region, current issue du jour being discussed at conferences, or just their plain old bias. However, the common theme often centers around a particular nation state, an interesting emerging threat vector, a lack of buy-in from the business to solve the problems faced, and compliance crushing their ability to do what is right rather than what is mandated.
One of the most surprising responses I received recently was from the Head of Risk and Compliance at a bank in the Middle East. We started chatting after we both delivered presentations at a conference, with his covering the important and interesting issue surrounding the communication of risk to the business. After the usual ice breakers, I went ahead and asked what his biggest issue was, interested to hear his perspective. Rather than going for the more expected range of answers, he caught me off guard with an eloquent rant that led to my next security issue that deserves a logo and catchy name: Subversion.
With the workforce in his region—often transient and frequently from outside the host country—he had experienced multiple issues with several staff being bribed for information. It seems that the technical controls his team had put in place were circumvented by a well-placed $10,000 investment in a disgruntled or apathetic employee. Have you spent $250,000 on firewalls? That can be easily circumvented by persuading the right person to install a small bit of code for a wad of cash that would be difficult to walk away from. Do you have the latest and greatest encryption and DLP to protect your data? A $1000 back-hander to the cleaners could buy a surprising amount of information printed on old school paper.
Insider threat is a well-known problem that many professionals face, but is often seen as less of a priority
Insider threat is a well-known problem that many professionals face, but is often seen as less of a priority with the mindset of border defence and defending against outsider threat still getting more focus. It’s not surprising; we are constantly hearing about another cybercrime gang plundering millions from unsuspecting businesses via the latest zero day rather than the more sensitive and trite issue of corporate espionage, but it doesn’t make it any less important or likely to occur.
Attackers won’t use a sledge hammer to crack a nut, they’ll use the easiest and cheapest path to achieve their goals
One of the first lessons I learnt in information security is that attackers won’t use a sledge hammer to crack a nut, they’ll use the easiest and cheapest path to achieve their goals. Why risk the discovery of a previously undisclosed and valuable vulnerability to gain a foothold in an infrastructure when someone is willing to give up access for a smaller price? In fact, why use a valuable vulnerability at all when there are probably many already disclosed and unpatched issues waiting to be exploited? But that’s a rant for another day.
Mindsets have to change from a border-centric security approach to a data-centric perspective
There are technical and physical controls to mitigate many of the problems caused by Subversion. Continuous monitoring for unexpected and anomalous behaviour, secure shredding solutions for paperwork and clean desk policies, siloing of data allowing visibility to only those who should have access. But mindsets have to change from a border-centric security approach to a data-centric perspective. Otherwise, Subversion could be leveraged to spirit away corporate secrets and customer information easily—something I think that is worthy of a logo and a catchy name.
In my next blog, I’ll introduce you to EagerBeavers.