A colleague of mine last Christmas declared 2011 as The Year of Living Dangerously for Information Technology (IT) Security Officers. He said that he could see many pitfalls looming this year for the unwary in IT security and that many would end up on the dole.
2011 has indeed unleashed a wave of unprecedented security breaches that have left many people reeling – Epsilon, Sony, WikiLeaks, PBS.org, RSA Security and HBGary Federal to mention only some of the victims. So to put this all in context, and provide a cautionary tale of the challenges facing IT security professionals, I have drafted a fictitious scenario to illustrate the 5 best ways to get yourself fired so that hopefully you never do! Happy reading.
Donald Dodgem, Horticultural Specialist and ex-IT Security Officer of Cloudy Water DataCentre (in receivership) has some advice for all CISOs who momentarily let their guard down – think before you make even one of the five cardinal sins of IT security or you could end up joining the queues of the unemployed. The story is in his own words:
I thought my new job of ensuring IT security at a large data centre was going to be the big one – the job that would set me up for retirement. Well it did – but much earlier than I expected and without the large wedge of wonga I had hoped for. In fact the only wedge I saw was the one they levered me out the door with.
The employees were quite wary of me at first. They thought I was a figure of authority. My first priority was to be accepted – I wanted them to trust me before I bared my fangs. The first several days were full of the usual bedding-in activities – all that HR stuff big companies are so fond of.
My induction programme was more about Health and Safety and how much my new corporation loved and cared for me. After a week I was ensconced in my nice new corner cubicle with my expensive ergonomic chair and my shiny new PC, smart phone, tablet computer and laptop. The first thing I did was update my Facebook and LinkedIn pages with my new job title before I got distracted by work.
I was talking to an outsourced IT provider when the fragrant lady from the accounts department, Mary, came in and asked if I could attach her new Android smartphone to her PC. She wanted to synchronise a few client details she had downloaded from her old PC after an upgrade, but had not had time to upload the data to her new machine.
She was rather flustered and wanted the task completed, “..really quick…” because it was the end of the quarter. Mary had to send information out and didn’t have much time to meet the cheque run. So I helped her link up her Android smartphone to her PC. The look of relief on her face was a sight to see. I felt like Westley in The Princess Bride when he finally gets his Buttercup. Inconceivable!
The pressure was on from the board to get the big IT outsourcing plan ready and I was struggling already – iNTatters Outsourcing didn’t have an IT security officer that I could speak to! But no sooner had I gotten my head down into the details of how much we could save by moving our company’s IT into their Cloud, than my corner office door was almost taken off its hinges with enormous force.
It was Dynamite Dave, the company’s crack salesman and he looked a sight. I knew it was dress-down Friday but fluorescent green Hawaiian shirt and shorts? He said: “I’m off on a weekend golf jolly with Orrible Software but I need to send sales figures back to base on my new iPaddle tablet– can you hook it up to our system pronto so that I can do that good buddy?”
I wish that I had listened to the name of his device just a little closer. Now, as any IT bod knows, the iPad is very secure. The iPad in particular is fortunate in that it runs on Apple’s tightly-controlled iOS operating system which, unless jailbroken, doesn’t permit any piece of software which hasn’t first been checked and authorised by Apple to run on the device. It’s a very robust OS, although that doesn’t necessarily mean it can’t be exploited.
Now I’m not an utter idiot. When I saw it was an HP tablet, but a model I did not recognise, I did ask him about it. He assured me it was enterprise-ready. It said so on the box.
Anyway Dynamite Dave had no sooner disappeared than the lovely Laura appeared at my desk with a cable in her hand. “Hi Donald,” she said, “I’ve got a favour to ask of you.” I was a bit busy but she had helped me on my first day so I said “How can I help you?” It turned out she had lost the power cable to her iPod and needed another one.
I quizzed her about the corporate policy on iPods and she assured me that in her department, where the boredom of the work would make sentry-duty look exciting, they were allowed to use their iPods. I wish now I had asked a few more penetrating questions about the exact usage they put their iPods to.
I went to lunch. On my way back through the open plan office I noticed a super-user on one of the machines with an open excel spreadsheet that seemed to have every password in the company logged in it. I gave them a dressing down and made myself a note to get that Enterprise Random Password Manager software I’d seen demonstrated by that nice American from Lieberman Software at InfoSecurity this year. Now where had I put his card?
On Thursday I finished the outsourcing plan. I was due to present it to the board on my second week in the job. But Monday morning had other plans for me. As soon as I sat down my Google alerts told me that Cloudy Waters had just hit the headlines. InfosecurityHell magazine’s headlines screamed our name.
Someone had hacked in to the accounts department where they had found a file of all our customers’ credit card details, which were now on sale across the entire globe. How was I to know that financial applications for smartphones can be infected with specialized malware designed to steal credit card numbers and online banking credentials and that Mary’s phone, complete with all our customer’s details from her old PC, had been a victim?
My cubicle resembled a scene from TV show The West Wing during a nuclear attack. The Chief Operating Officer was screaming at me, the Chief Information Security Officer was foaming at the mouth, the Chief Executive Officer was screaming at me, the head of accounts was screaming at me and I was trying to find someone to scream at.
It was then that I noticed the TV was screening a story about a company IPO which had just lost the bank 80% of its predicted share price because some idiot from Cloudy Waters had used an iPad over a non-secure wireless connection. The gossip he had just heard into all the company’s major problems had been intercepted and leaked. Yes – you’ve guessed it – the idiot was Dynamite Dave and the iPad was the one I had set up. We were going to be sued for gazillions of Euros for this.
The internet provided me with my next piece of bad news.
The COO – now slumped behind my desk – drew the attention of the CEO to my open Facebook page. I think that’s when they called in the police. I’m not sure because their faces both resembled the scary ones pulled by Jim Carrey in The Mask – horrible and angry to behold.
How was I to know that failing to properly log off from a social network app could allow an imposter to post malicious details or change personal settings without my knowledge? My Facebook page was now a horribly defaced version of what it had been and was covered in personal remarks about the CEO, board members, canteen workers and even had a picture of the COO’s wife as a Hippo with the chief auditor sitting on ‘her’ back. They didn’t see the funny side of it.
Luckily the police eventually believed that nothing I did was deliberate. I would have gotten out before Christmas if one of them hadn’t lost half his savings in the disastrous IPO.
What’s my advice now? If I had just stuck to enterprise IT security best practices when it comes to adding any of these devices to the network I might still be in the IT security business. If I had just limited their connectivity options to reduce exposure to threats, and generally secured them in the same way I normally harden my network against potential smartphone-borne threats, I would have been ok.
I should have made the mobile device conform to corporate security policies, even though many of these devices are not company-owned, but personal purchases. And I definitely should have educated the users on basic Web security techniques – something that will remain the key to tablet security until the security industry can develop more reliable solutions. As for that password manager….
There you have it – a tragedy of almost Shakespearian proportions. Luckily you can avoid Dave’s tribulations by simply following these five straightforward rules:
1. Smartphones must adhere to corporate policy
2. Tablet computers must have secure operating systems and be securely attached to your VPN
3. You must automate privileged password management – IT staff cannot do this manually
4. You must have a social media security policy – there are apps available for hackers which enable them to get into your social media pages and impersonate you and alter your profiles and security settings
5. iPods and any other storage devices can carry viruses and malware – they must be banned from attaching to your network or must be attached securely