I was not surprised to see that another office item which has gone through changes in technology is now compromised. Is seems Columbia University has been able to hack the office phone and turn it into a eavesdropping device ( See “Popular office phone vulnerable to eavsdropping hack, researchers say” ). This time it is the good guys, i.e., researchers who have found the vulnerability and it seems have cuased the phone manufacturers to work on a solution. It is pretty scary to think that the innocent phone on your desk may be listening not only phone conversations but other conversation you may have at you desk.
We have had lots of conversation about BYOD to work and I was not too surprised but very concerned to see the rise in insiders threat in the United Kingdom ( See “Half of business networks breached by personal devices in 2012” ). Although, for SMB’s the news was better with only 25% of them experiencing the same problem. However, expect this number to rise as number of SMBs allowing BYD also rises. It seems we are also going to be faced with some interesting privacy decisions as businesses develop policies to help make BYOD more secure ( See “Do you want to bring your own device?”). We may have to compromise some of the freedom that the new mobile devices bring and restrict the sites that they can access in order to use them even for limited business use. As new policies are put in place for BYOD we will see conflict over who owns what data on the devices and also over liability when a device is lost or compromised.
Know Your Enemy
Many of the predictions I have seem security experts making for 2013 indicate that they expect a sharp increase in targeted attacks like spear phishing. I also saw a very interesting article that classifies attackers into two general classes (See Know The Enemy – Mass Producstion vs. Boutique Hackers). If the trend towards more targeted attacks is true it is an indication that the boutique hacker as described in this article is on the rise too. The article also speaks about the use of data monitoring system as a defense against these attacks which I whole heartedly agree with. In most of the Advanced Persistent Threats I have learned about it was many times the data flow out of the company that was the clue to the attack. Another defense is to shape the battle space for success See “Cyber Shaping Operations – How to Affect the Threat Before it Enters Your Area of Operations”). A shaping operation is an operation that creates and preserves conditions for the success of the operation. In the case of cybersecurity one wants to establish conditions that make the enemy conform to your plan and not theirs. This includes using all the tools at your disposal such as defense in depth, secure design of your networks, obfuscation from open source data collection, the use of honey pots, using good naming conventions that do not disclose information unnecessarily, segmentation of networks, … and most importantly building a security awareness in your workforce. Our weakest link continues to be the human factor and cybersecurity awareness is a major tool in reducing our risks.
Finally, I know that many people still think that cyberwar is not an issue but it is sobering that 79% of the security professionals attending the recent Information Systems Security conference believe a “major” cyber terrorism event will occur in the next year See “Security pros predict “major” cyber terror attack this year”).