Cyber Security – How Vulnerable Are We and Where Are We Headed?

I recently read a couple of articles that started me thinking again about the current state of affairs in the cyber security world. We certainly have had a lot to think about with the Snowden NSA disclosures, questions about the security of the new federal Healthcare site, and the continuing and ever-present evolution of more and more ways to attack our data, privacy and other assets.

A Creative Recent Set of Research Data on Vulnerabilities

The first article, from October 26, 2013, which I think is relevant is by Adam Penenberg – “I challenged hackers to investigate me and what they found out is chilling”. This article provides amazing real-world insight into the balance we currently have between privacy and security. The range of exposure of our data is striking: we leave data on the Internet through our activities in social media, expose our data in public hotspots, and make banking and financial information accessible not only through devices and communication channels but through people, etc. Appropriately for us near Halloween, the results of the author’s efforts are, as he said, “chilling”.

On a personal level our privacy, assets and reputations probably have never been so vulnerable. We have greatly expanded our ability to access information and knowledge via information systems, but we may have unwittingly given that same ability to the bad guys to access our information. You may not think you’re a target, but these days everyone needs to be wary. One look at the trend in negative political ads, where intimate details of personal lives are exposed to the public, can give you an idea of our exposure to deep-dive investigations, which can uncover even our most private secrets. By the way, the social engineering attacks used by some of the investigators in the article prove that Kevin Mitnick’s legacy is alive and well. His definition of social engineering was: “Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker.” It is just as true today as it was in Mitnick’s attacker heyday, primarily because the human factor always proves to be the weakest link in most of our defensive security efforts.

On top of the weakness of the human factor, many of the enabling technologies that bring us benefit also provide new attack surfaces for the bad guys. For example, our use of GPS allows people to gather location information from us, and even from our photos, which someone can use (unknown to us) to track our movements and correlate our actions. The way we shop, and the data gathered about our shopping habits, is captured by most Point of Sale systems. For the most part, that data can be gathered without us knowing, because we may have already given our permission for it when we got our credit card, and collecting it is now part of the sale transaction process. This trend of technology as friend or foe will continue, which is the segue to the next subject I want to cover.

BYOD Is A Challenge, But Wait Until Wearable Devices Really Hit

We in the security community are all aware of the challenges the Bring Your Own Device (BYOD) trend brings to enterprise security. How will that challenge evolve when the computing devices are part of the clothes we wear, our glasses, our watches, our shoes, our jewelry, etc.? We can compound the effect of this when we look at articles like “Generation Y Users Say They Will Break BYOD Rules” and “Coping With Wearable Gadgets In The Workplace”. Workers’ abilities to record information and communicate are on the rise, and employees may have multiple devices with these capabilities on them at any given time.

The article on wearables makes a good point: “If a business is going to embrace wearable technology, and many would argue it is only a matter of time until businesses are forced to, it will require clear policies determining who is allowed to bring the equipment into the workplace and connect to the network”. Who is going to develop these policies? Will employees be willing to make the necessary compromises and trade-offs between privacy, usability and corporate policies? On top of this, it is not only employees, but it could be contractors, suppliers, or even families of employees wearing these devices. Further, there is a bandwidth issue, as the wearables a user has will be in addition to the normal devices like laptops, tablets, and mobile phones. The article projects that the number of wearables per person could be very high – “in a matter of years this could skyrocket to 15 to 20 per employee”. The article also makes a related prediction: “The good news for businesses is that being prepared will greatly mitigate against the worst side effects. In fact, those organizations that actively engage with the challenges of wearable technology in terms of policies, security, network management and monitoring will find themselves at a huge advantage …”.

As with other technologies, BYOD standards are evolving and maturing (see the “NSA Mobility Program” and its associated “Mobility Capability Package”, as well as NIST 800-124 – “Guidelines for Managing the Security of Mobile Devices in the Enterprise”), but it is not clear whether they are scalable with the predicted rise in the number of wearable products. The good news is that enterprises that start early in looking at the issues and challenges facing us in this area will be the ones most prepared for the new technologies.