Many of us work for organizations with an established corporate IT department. IT determines the security policies, sets the protocols and permissions, and instructs employees on best practice. Given the cyber risks that organizations now face, is ‘egg-shell’ security enough?
Some of you may remember Bob from my previous post. Let’s follow what Bob is doing to explore how safe corporate IT really is. Bob is a senior manager at ‘Megacorp’ who has been given local admin rights on his laptop, allowing him to install much-needed demos whilst on the road.
Is someone in your browser?
While travelling, Bob still needs to access systems within the corporate network. After all, the day job doesn’t go away! Using a web browser, Bob accesses the procurement system to approve some POs, logging on with his domain credentials and the RSA secure key token. All secure so far?
It was. But a few months earlier Bob downloaded a browser plugin that scans business cards and stores them in Outlook for him. In fact, the plugin was a Trojan application that allows Eve to monitor his browser. Taking legitimate PO numbers, Eve submits duplicate invoices to Megacorp with new payment instructions. The online finance workflow directs them to Bob for approval. This time it is Eve’s plugin that automatically approves them, sending the money straight to her account. No one notices until the auditor spots it!
Have you opened the door for a stranger?
Passing the time before his flight, Bob surfs the Internet, clicking on the ever-popular cat videos. A pop-up window informs him he needs the ‘Octopus media optimizer’ from a company called ‘OrangeMi Networks’. It’s OK, he’s heard of OrangeMi, and he agrees to download and install the plugin.
Unfortunately, Eve purchased a lot of ad-words for cat videos, and the plugin has now given her control of Bob’s laptop, allowing her to install a rootkit. When he logs onto the office network, Eve is able to scan for machines with vulnerabilities. She’s cracked the outer layer of defense (the egg shell) and is inside what is essentially a wide-open network.
Over the next few months she slowly gains more and more control until she has enough information. After sending all the corporate data to WikiLeaks, Eve deletes everything from the corporate servers.
Securing the point of interaction
In an earlier post, I described how it is possible to secure the browser. In this corporate IT example, the added advantage would be layered defenses, including tamper detection, early-warning security services and proactive analysis. On top of that, an extra layer of encryption can be added to the traffic between the browser and the organization.
All this hardens the egg’s shell, making it more difficult to crack! Employees like Bob are unlikely to use their computers securely, but with this technology it is possible to detect these issues and stop them escalating.