Focusing too much on protecting only the crown jewels of the enterprise might leave gaps in security for criminals who are seeking other valuable assets. The hackneyed expression, “One man’s trash is another man’s treasure,” serves as a reminder that what the enterprise values is often different from what a criminal values.

Defending a network and the critical assets of an enterprise is a lot like safeguarding a home. There are layers of security in homes just as there are in the enterprise. From the windows to the doors to the locks and alarm systems, home owners know the vulnerabilities and put protections in to keep criminals out. 

Ryan Stolte, CTO, Bay Dynamics said, “The big idea is that people are very specifically and deliberately attacking organizations.” The intent of those attacks, however, is not always the crown jewels. In order to defend the expanding network and everything that connects to it, “You need to put yourself in the shoes of bad guys."

In planning their attacks and seeking their victims, criminals look for the easiest access point, whether that is the organization that has, “Minimal security tools, lax security policies and/or exploitable employees and third party vendor users,” Stolte said.

“They collect their own social intelligence, gathering information about the victim business regarding what its surface areas look like, where it stores its most valuable data, which third-party vendors have access to their network and how they gain access, and which employees log in remotely and how they gain access to the network,” Stolte said.

In most breaches, organizations are being hacked by individuals. “It’s not just people sitting in China,” said Stotle. What most criminals want is data and their goal is to get access to credentials to get that data. “After they have breached you and gotten inside, they do it all over again, but from a different layer, to continually get deeper into an organization,” Stolte said.

The easiest ways for outsiders to gain access is by trying to compromise a particular person or to sneak in through an open door. “Technical engineering and social engineering go hand and hand,” said Stolte.

Social engineering is made a lot easier by the extensive use of social media platforms.  Increasingly criminals are patient and take a longer and windier road to reach the final destination of their intended target. 

Tim Erlin, director of IT security and risk strategy, Tripwire said, “Shodan allows anyone to search for vulnerable things. They are scanning company networks and gaining access to internal networks by probing the individuals who interact with customers or the public. The one that is increasing is the supply chain attacks. Instead of attacking directly, they are going after their vendors and contractors to gain access.”

Public information provides a gold mine of useful tidbits for criminals. Will Gragido, head of threat intelligence at Digital Shadows said, "Gleaning career and relationship information, like the names of colleagues, mentors and friends from sources like Facebook, LinkedIn, and alumni sites helps establish cover for spear-phishing and other social-engineering campaigns.”

While these commonly used social media have much to reveal, there are others that can be more revealing of information about software and code that is really useful to criminals. 

Gragido said, “Online profiles that might be easily misconfigured, such as GitHub accounts, frequently leak other types of information publicly, such as the identities of specific software developers in targeted organizations and snippets of the code they are working on, which, taken together, yields a lot of useful intelligence."

The expanded network has posed many challenges to security teams, and Gragido said, "Other sources of reliable attack intelligence are exposed storage devices and cloud platforms.” In Gragido’s experience, he has seen instances of sensitive corporate information, such as strategy documents and board meeting details from a health insurer, that were publicly 'over-shared' by being posted in cloud sharing sites with inadequate password controls.

Gragido said, “Likewise, we have seen sensitive files pertaining to banks' ATM networks, for example, accidentally broadcast to the Web because employees have placed them on misconfigured remote storage drives in their homes."

Criminal acts

Ryan Stolte, CTO Bay Dynamics recommends asking these 5 questions from the perspective of a criminal:

• Which websites does the victim business host?
• What does their infrastructure look like (i.e. where are their doors and windows)?
• How do insiders remotely gain access to the network?
• Who are their third-party vendors?
• Who has the keys to the kingdom (think about employees who have the highest level of access to the business’s valuable information)?

If only there were an easy answer that didn’t require time and resources beyond those which are already stretched and limited. The first step is recognizing that it’s important to prioritize what is secured. 

All of this exposure creates avenues for criminals or other hostile groups to find an organization’s weak points for more targeted and efficient cyber-attacks, said Gragido.  “There is a greater premium on getting in front of these exposures with better situational awareness today, so that affected companies can recognize and eliminate these leaks at the source, outside their walls," he continued.

A combined focus on technical and human surveillance is good security practice.  “Have employees be aware. Lock doors and windows. There are a lot of technology things you can do. Bad guys have as good of technology as the good guys. We scan and find, but bad guys do too, but they act before the hole is fixed,” Stolte said.  

A slight shift in language when talking about security and data can also help security teams think like a criminal. Erlin said, “It’s a very common best practice for organizations to identify sensitive data. Using the term valuable instead twists perception away from what organizations feel is sensitive to what might be valuable to a criminal.”

Regardless of what other information criminals might find valuable, the crown jewels will always remain sensitive and top priority. Stolte said, “Organizations do the surveying, but one thing they fail to do well is protect the crown jewels. They need to know where they are and use that information to close off and fix the highest priority stuff.”

Think like a bad guy. Stolte said, “Take an inside-out approach to vulnerability management. Ensure that you are patching the right servers and that people don’t have more access than they should to layers of the network. Only the right people should have access to sensitive information at the application level.” 

Erlin said, “Threat modeling should be a continuous exercise. Threats change and evolve. It’s valuable because no one has infinite resources, so you have to focus on the most probable and impactful threats.”

Criminals are always after the weakest link, and they search for anything on the internet that might provide some kind of access. Information is out there, and security teams who use what criminals learn as part of their strategic security plan might be lucky enough to act before a breach.

By Kacy Zurkus for CSO Magazine

The damage, the damnation, the truculent total churl of the event was this: all of the new Interent of Thingies/IoT/KewlGear has no cohesive security strategy. It's a mosh pit of certificates, easy-auth, Oh! Let's Connect Our Gear Together! (add breathy sigh!) meaninglessness.

Let's now take this in the curmudgeonly risk-averse cloud space, bit by bit:

1. Yo, consumer, get the cool gear! Ignore the fact that we're constantly sucking location-based data from your (fill-in-the-blank of wearble, drivable, or otherwise not tethered-with-a-power-or-Ethernet-cable product) into some database somewhere so we can glean as much intelligence (which will probably be ignored by anyone that might care or sold to some bidder that will use it for your personal actuarial assessment) as is possible!
2. The example of the Internet Tea Kettle shows there is no long list of must-have-security for any of the devices seen. So any particular device is an unknown entity, in terms of systems security, whether it's inside your ostensibly secure perimeter or reporting to the cloud. Worse, most wearable devices inside your physical secure perimeter are dutifully trying to report their data not only to the user, but to some mothership—from inside your offices, or home offices, or automobiles, including the auto's data itself.
3. Does this mean that we must now scan individuals walking into offices, plants, corporate/organizational traffic for their IoThingie devices? Each of these devices is as dangerous and rogue as the average smartphone, perhaps worse, as there is no security regimen in the industry relating to what data they use, keep, transport to a mothership, etc. Will these tiny devices start to clog up your wires, too? Will your cloud resources get bogged down by the importance of sending steps-walked data instead of line-of-business apps?
4. The IoThingies have no secondary auth capabilities. Think about that, and the standard that your organization applies to fixed and mobile computing resources. Cringe. Consume Zantac. Rinse. Repeat.
5. The cloud is seen by most IoThingies as the perfect place to store data, and most products come with the leech of requiring data to be stored somewhere. No one knows if their practices are as sloppy as Anthem, Target, or the OPEM. Perhaps they are better, I cannot know. But there is no inherent methodology to certify that even the most modest of security procedures are practices, not that a Good Housekeeping Seal of Approval is worth anything, anyway. There is no industry organization waiting in the wings to do these certifications, and Underwriters Laboratories, et al, haven't been tapped on the shoulder by the insurance industry to motivate organizations to adhere to anything but basal liability.
6. Drones. The FAA licensing is, at best, nihilistic. From my observations, there were more drone makers than tablet makers at CES 2016. Think about that. FAA licensing is also, at best, doing nothing for safety, industry, or users of drones. There is no inspection program, there is no safety program, there is no security program, there are only huge numbers of drones with cameras attached. Close your curtains. Is that a drone doing a video and some screen caps of YOUR R&D labs?
7. Bluetooth as the control mechanism became real, as did combos of Zigbee, Bluetooth, and non-Wi-Fi data transports. Again, no security methodology, and no method to create a bastion perimeter. I saw that Yubico has a new product, the Yubikey NEO, which uses Near Field Communications (NFC) for smartphone auth, using the FIDO U2F standards. It's a start.
8. Some top traditional IT vendors are adapting to the sense that their business ecosystems can make headway into consumer products, via Microsoft in-dash products, Apple compatibility and sometimes blessings, but much is open source. Much is also NOT ABLE TO BE UPDATED. Software provenance in terms of what's actually inside of a consumer product is often a secret sauce, and therefore a total mystery. What old versions of SSH or the root keys to an IoT device are lurking beneath the surface of innocuous devices?

Consumer and entertainment electronics are now “smart,” meaning rife with features, and that means microprocessors, FPGAs, and custom CPUs. In lieu of knowing what's inside of these devices, you'll need to shore up security, and be unwaveringly diligent, both in terms of local security and your cloud resources.

For two decades I've been warning that there is no such thing as a secure perimeter, and the IoT will pressure this point like nothing before in tech history.

By Tom Henderson for NetworkWorld