By now, almost everyone knows that the easiest way for a hacker to get into a corporate or institutional network is by compromising one of its endpoints. Endpoints are simply those devices (computers, smartphones, tablets) connected to a network. Cyber criminals have many ways to take administrative control of these endpoints. Often they use phishing or spear phishing attacks that seem like valid emails with apparently valid attachments. The attachments, however, once clicked on, will install malware that takes control of the device. After one endpoint is compromised, criminals can move throughout the network gaining more privileges as they go until they eventually gain full administrative rights to access anything on the compromised network. Of course, there are many other ways criminals can gain access to endpoints, but phishing has become the vector of choice.
Last year’s Cyberedge Cyberthreat Defense Report called endpoints “IT security’s weakest link.” As the diagram below shows, at that time, companies and institutions knew very well that phishing attacks on endpoints were the biggest cyber security threat that they faced.
Furthermore, about 60% of organizations had experienced a rise in attacks on endpoints in the 12 months prior to the survey.
This statistic was likely an underestimate for the simple reason that some attacks may have gone unnoticed. In fact, a 2015 Ponemon study confirms that the number of endpoint attacks was higher (68%).
It is often reported that the vulnerability of endpoints has made organizations reconsider BYOD (Bring Your Own Device) policies. Clearly, the safest option would be to deny any access to a network from mobile devices. However, most organizations do not see this as a viable option. In fact, about 75% of organizations either already had a BYOD policy or were considering implementing one.
So let’s put this in some perspective. Companies realized that they and their endpoints were under attack and, yet, they planned to have BYOD policies anyway. On the surface, they seemed to be running headlong into the abyss. The reason for such behavior is often linked to the pressure organizations feel from employees who want continuous access to corporate and institutional networks via their mobile devices. Employees now want the freedom to work from anywhere at any time. However, employees are not alone in putting organizations at risk. Organizations also benefit from such an arrangement as employees can be available for work around the clock.
Organizations often try to mitigate such security risks by implementing Mobile Device Management (MDM) policies. These policies are put in place to control how endpoints are used. Unfortunately, but predictably, employees often rebel against companies trying to tell them how to use their own devices. When they become too upset, they may find ways to circumvent these policies and, in the process, open themselves and the organization to cyber attacks. Companies are well aware of the dangers these employees pose to them. Ponemon found that 78% of organizations said that “negligent or careless employees who do not follow security policies” were their number one concern.
Another strategy employed to give organizations more control over user behavior is the COPE (Corporate Owned Personally Enabled) strategy. In this strategy, the company owns the device it supplies to the employees. Since they own it, they can then control it in any way they see fit. In other words, the users can only use this particular device to access the network and perform other permitted tasks. The problem is that network users will often have to carry two devices around with them or find ways to compromise the corporate device to use it more freely (for example, downloading apps or visiting social media sites).
Thus, the problem with both MDM and COPE strategies is that they are not easily managed. Ponemon found that 70% of IT practitioners said that it was difficult to enforce endpoint policies. This security risk came in second only to the use of commercial cloud applications. Though most IT practitioners consider use of the cloud risky, according to the Ponemon study, 71% say they will be increasing their use of it. Again, we see organizations adopting a cyber footing that they know in advance is risky.
It is not surprising, then, that this year’s Cyberedge Cyberthreat Defense Report found, for the first time, that over half (51.9%) of all the organizations surveyed had been breached between one and five times in the preceding 12 months and that 62% feel a future cyber attack is likely. As the report concludes, “there are signs that pessimism – or perhaps it’s realism – is increasing among respondents.”
The good news is that companies and institutions are beginning to understand that simple antivirus programs are not enough to ensure safety. More money is being allocated for more sophisticated cyber defense architecture. Among the most frequently mentioned security upgrades are virtualization and containerization. The problem is that, though these may add another layer of security, these strategies cannot guarantee that a system is breach-proof. Virtualization requires its own special security to protect it and, if breached, may result in the permanent loss of important data. Containerization has similar problems. As one security expert notes, “this form of virtualization can present security risks due to the shared kernel, as breaching a containerized kernel instance allows potential access to all the containers associated with it: the keys to the store, if you will.” In other words, organizations may be upgrading to more complex security solutions only to encounter more complex problems when breaches occur.
Obviously, the next stage* in the evolution of cyber security would have to resolve the problem with the shared kernel. One company has solved this with the following solution which puts a different kernel on two sides of a device, in effect, making one device into two devices, each with its own separate operating system.
This solution solves the problem with irresponsible user behavior compromising an organization’s network. The user, within such an architecture, can be as irresponsible as they wish. They are free to use the internet, visit social media sites, download apps, and even open phishing emails. Whatever malware they may pick up along the way will only affect their side of the device and cannot cross the hardware barrier to wreak havoc on the business side of the device.
The danger of irresponsible user behavior cannot be overstated. The 2016 Cyberedge report shows that IT experts consider it the greatest threat to any company or institution.
It is not that the network user is necessarily malicious, just uninformed. This is why they and their endpoints are so often targeted by cyber criminals. One would think that this situation would require mandatory training programs. However, the report states, “greater effort and investment in user awareness training also wouldn’t hurt. But we’re not holding our breath on that one.” This implies, perhaps, that companies aren’t all that interested in plugging this hole. Yet, even if they did, other studies have shown that network-user training meets with only modest success.
Changes are occurring, however. Organizations are allocating more money to security than ever before. In fact, security budgets were found to be increasing by 74% over the previous year. Companies complain that there is a “lack of effective solutions available in the market,” which, on the positive side, at least means they are looking for more effective solutions.
If money is, in fact, put into innovative and more effective technologies, we may see, for the first time, at least a slowing of the death spiral into the security breach abyss. I wouldn’t expect this to occur within the next year, but, perhaps, in the next 5 years, we may, for the first time, see a more hopeful cyber security landscape.
*Disclaimer: This blog is associated with InZero System’s WorkPlay Technology with its hardware-separated architecture. Nonetheless, it would be irresponsible and illogical for me, simply at the risk of sounding promotional, not to mention this technology in the evolution of endpoint security from software, shared kernel, to unshared kernel solutions. For those not interested in this evolution, simply continue reading from the next paragraph.