The current threat landscape
With the prevalence of always-on connectivity and advancements in technology that is available today, threats are evolving rapidly to exploit different aspects of these technologies. Any device is vulnerable to attack, and with Internet of Things (IoT) this became a reality. In October 2016, a series of distributed denial-of-service (DDoS) attacks were launched against DNS servers, which caused some major web services to stop working, such as GitHub, PayPal, Spotify, Twitter, and others [1]. Attacks leveraging IoT devices are growing exponentially, according to SonicWall, 32.7 million IoT attacks having been detected during the year of 2018. One of these attacks was the VPNFilter malware.
This malware was leveraged during an IoT related attack to infect routers and capture and exfiltrate data.
This was possible due to the amount of insecure IoT devices around the world. While the use of IoT to launch a massive cyber attack is something new, the vulnerabilities in those devices are not. As a matter of fact, they've been there for quite a while. In 2014, ESET reported 73,000 unprotected security cameras with default passwords [2]. In April 2017, IOActive found 7,000 vulnerable Linksys routers in use, although they said that it could be up to 100,000 additional routers exposed to this vulnerability [3].
The Chief Executive Officer (CEO) may even ask: what do the vulnerabilities in a home device have to do with our company? That's when the Chief Information Security Officer (CISO) should be ready to give an answer. Because the CISO should have a better understanding of the threat landscape and how home user devices may impact the overall security that this company needs to enforce. The answer comes in two simple scenarios, remote access and bring your own device (BYOD).
While remote access is not something new, the number of remote workers is growing exponentially. Forty-three percent of employed Americans report spending at least some time working remotely, according to Gallup [4], which means they are using their own infrastructure to access a company's resources. Compounding this issue, we have a growth in the number of companies allowing BYOD in the workplace. Keep in mind that there are ways to implement BYOD securely, but most of the failures in the BYOD scenario usually happen because of poor planning and network architecture, which lead to an insecure implementation [5].
What is the commonality among all the technologies that were previously mentioned? To operate them you need a user, and the user is still the greatest target for attack. Humans are the weakest link in the security chain. For this reason, old threats such as phishing emails are still on the rise. This is because they deal with the psychological aspects of the user by enticing the user to click on something, such as a file attachment or malicious link. Once the user performs one of these actions, their device usually either becomes compromised by malicious software (malware) or is remotely accessed by a hacker. In April 2019 the IT services company Wipro Ltd was initially compromised by a phishing campaign, which was used as an initial footprint for a major attack that led to a data breach of many customers. This just shows how effective a phishing campaign can still be, even with all security controls in place.
The phishing campaign is usually used as the entry point for the attacker, and from there other threats will be leveraged to exploit vulnerabilities in the system.
One example of a growing threat that uses phishing emails as the entry point for the attack is ransomware. Only during the first three months of 2016, the FBI reported that $209 million in ransomware payments were made [6]. According to Trend Micro, ransomware growth will plateau in 2017; however, the attack methods and targets will diversify [7].
The following diagram highlights the correlation between these attacks and the end user:
Figure 1: Correlation between attacks and the end user
This diagram shows four entry points for the end user. All of these entry points must have their risks identified and treated with proper controls. The scenarios are listed here:
- Connectivity between on-premises and cloud (entry point 1)
- Connectivity between BYOD devices and cloud (entry point 2)
- Connectivity between corporate-owned devices and on-premises (entry point 3)
- Connectivity between personal devices and cloud (entry point 4)
Notice that these are different scenarios, but all correlated by one single entity: the end user. The common element in all scenarios is usually the preferred target for cybercriminals, which appears in the preceding diagram accessing cloud resources.
In all scenarios, there is also another important element that appears constantly, which is cloud computing resources. The reality is that nowadays you can't ignore the fact that many companies are adopting cloud computing. The vast majority will start in a hybrid scenario, where infrastructure as a service (IaaS) is their main cloud service. Some other companies might opt to use software as a service (SaaS) for some solutions. For example, mobile device management (MDM), as shown in entry point 2. You may argue that highly secure organizations, such as the military, may have zero cloud connectivity. That's certainly possible, but commercially speaking, cloud adoption is growing and will slowly dominate most deployment scenarios.
On-premises security is critical, because it is the core of the company, and that's where the majority of the users will be accessing resources. When an organization decides to extend their on-premises infrastructure with a cloud provider to use IaaS (entry point 1), the company needs to evaluate the threats for this connection and the countermeasure for these threats through a risk assessment.
The last scenario description (entry point 4) might be intriguing for some skeptical analysts, mainly because they might not immediately see how this scenario has any correlation with the company's resources. Yes, this is a personal device with no direct connectivity with on-premise resources. However, if this device is compromised, the user could potentially compromise the company's data in the following situations:
- Opening a corporate email from this device
- Accessing corporate SaaS applications from this device
- If the user uses the same password [8] for his/her personal email and his/her corporate account, this could lead to account compromise through brute force or password guessing
Having technical security controls in place could help mitigate some of these threats against the end user. However, the main protection is continuous use of education via security awareness training.
The user is going to use their credentials to interact with applications in order to either consume data or write data to servers located in the cloud or on-premise. Everything in bold has a unique threat landscape that must be identified and treated. We will cover these areas in the sections that follow.