No One Cares about Cybersecurity Until They Get Hacked

So, if you’re reading this, it’s probably because you or your company has suffered some sort of cybersecurity incident. At least that’s what Microsoft found in a recent survey.


Notice that the statistics also show that an attack on another firm could be the stimulus for increasing a cybersecurity budget, but my guess is that this would be an attack on a similar company or a company in the supply line. General news of a cyber attack tends to be shrugged off unless it is of earth-shaking proportions.

In any event, if a company finally does decide to rebuild their cybersecurity infrastructure, they will probably be told that employees are the weakest link in cybersecurity. But what does this actually mean? Does it mean the employees were trained to be cybersecurity-aware but failed to use this training? In that case, maybe the training was ineffective. Does it simply mean that the employees see cybersecurity as a nuisance and an inconvenience? Maybe clear penalties for irresponsible behavior need to be implemented. Does it mean that there is something wrong with the devices employees are using to access the corporate network? Then maybe there’s something wrong in the company’s endpoint management. Blaming employees is often the easiest and most shortsighted way to explain cybersecurity weaknesses, but it often explains nothing at all.

When we speak of employees as cybersecurity risks, we are really saying that hackers will always try to exploit network-connected employee devices (endpoints) to work their way into the core of the corporate network. Criminals must manipulate the employees in control of these endpoints in some way in order to achieve their goals. This endpoint problem spiked recently when the pandemic-induced lockdown occurred. In fact, according to one source, phishing attacks increased by 667% in March alone, just as most regular companies suddenly became work-from-home companies. However, the interesting stat here is that 65% of these work-from-home endpoints were not managed at all. This means that the endpoints, most often smartphones, had unmonitored access to company networks. In other words, the cybersecurity of these companies depended on the responsible cyber behavior of their unmanaged workforce. That’s a very risky proposition. It’s even more risky now that phishing attacks on Android and iOS devices have become far more sophisticated in recent months. Expect to see more companies falling victim to cyber attacks in the months ahead.

And if you think the work-from-home paradigm will be ending soon, think again. Many companies now feel this will be the new normal. In fact, Bitglass found that “84% of organizations consider it at least somewhat likely (44% of them very likely) that they will continue increased work from home capabilities in the future due to increased productivity benefits.” The bad news is that these employees will mostly be using their own smartphones or devices, not company-supplied ones. This is a situation known as Bring Your Own Device (BYOD).

Some companies will require their employees to use phones that they supply. If the employee wants to remotely access the company network, they can only do so with this phone. In this way, the company can add security parameters to the phones that cannot be easily circumvented. But this is an expensive road to go down and one that does not necessarily lead to success. For this reason, Gartner predicts that, “by 2022, 75% of smartphones used in the enterprise will be bring-your-own device (BYOD), up from 35% in 2018.” And that was a prediction that was made before the pandemic. And why is this important? Because, according to the Lookout Mobile Phishing Report, “mobile phishing is successful because employees are allowed to use their own devices in the workplace”.

Keep in mind that over 90% of cyber attacks on corporations begin with a phishing email. The last available estimate from 2016 is that 30% of phishing emails are opened. That seems a bit high if the email was filtered into the spam folder; however, if it manages to get into the inbox, this stat may be higher. It will be higher still if the email is targeted towards the employee. These crafted spearphishing emails are now becoming more prevalent and have a high success rate.

The growing acceptance of a BYOD environment creates a platform from which any well-designed mobile phishing attack can operate, and these attacks are appearing by the thousands every day. I’ve reported on a few of these that are now getting ready to work their magic. Many take advantage of traditional hacking vectors. However, one of the most exploited features on smartphones is their small screens. They enable hackers to hide information that would appear on devices with larger screens. Such attacks are often referred to as iframe attacks. Hackers also have an easier time designing fake login screens that appear to be authentic. Could you tell which of the Verizon login screens below is fake?

[Image: Verizon login screens]

The answer is the one on the left. Maybe targeted employees would know that they had been directed to a fake login screen, but there’s a good chance they would simply sign in and give their credentials to criminals who, if the target had higher network privileges, would use these privileges to work their way through the corporate network, taking whatever they needed along the way.

The only problem hackers will have is in getting the victims to this malicious URL. That’s normally done through a phishing email, but it could also be accomplished through an SMS/text message that appears to come from upper management.

If the attackers want to get a remote access Trojan (RAT) installed on a device, they usually need to make the victim open an attachment, go to an infected website, or download an infected app. Infected apps have been a preferred vector of late. Most users know they should not download apps from unofficial, third-party sites, but, recently, these dangerous apps are increasingly appearing on official app store sites like Google Play. This is because some of these apps have found ways to remain undetected by Google Play’s algorithms. The usual way for these apps to gain full control of a device is by having the user give the app more permissions than it would ever really need.

All the foregoing shows that endpoints are being barraged by attacks from multiple angles. Traditional endpoint protection depends on algorithms and databases that use information on past attacks. However, most companies realize that their biggest vulnerability is their inability to protect their endpoints from zero-day attacks. These are attacks that use previously undiscovered vulnerabilities in a network’s software to gain access to the network. A Ponemon study found that companies realize they are vulnerable to these attacks but are baffled about what to do about it.


Even when a patch appears for a new vulnerability, it takes a company an average of 67 days to get it installed, meaning that they are vulnerable to what is known as a 1-day or n-day attack in the interim. The Ponemon study also found that zero-day attacks alone are expected to increase by 42% in the coming year. To put it bluntly, companies’ endpoints are in the criminals’ crosshairs and most companies simply feel powerless to do much about it.

The InZero Solution

Irresponsible employee behavior, bad apps, well-designed spearphishing emails, and zero-day attacks targeting endpoints all pose what appears to be an unsolvable problem for companies trying to protect their networks. On the surface, it would seem as if only a cumbersome collection of software and cloud solutions could even begin to protect endpoints from attacks. However, one company, InZero Systems, has found a way around this by developing a security architecture that begins at the hardware level. What they have done is enable one phone to, in effect, be divided into two phones. This architecture can be implemented on a BYOD device so that the user is not inconvenienced and the company saves money on purchasing its own phones. By keeping sensitive network connections isolated on one half of the phone, the employee can behave as irresponsibly as they want on the other half. They can be attacked in every way mentioned above and the company network will remain safe and unaffected. Let the criminals employ all of their time and money to find a zero-day vulnerability. It will make no difference. Sure, the employee may have their half of the phone attacked, but the attack stays on that half. It cannot cross the barrier to infect the half that is connected to the company network because the barrier preventing this exists at the hardware level, which criminals cannot get access to. For details on this innovative approach, go here. There is no longer any good reason to be powerless.
