From a security perspective, workstations (desktops, laptops, smartphones) can never be completely controlled, equating to a plethora of possible breaches CISOs must foresee and navigate. Simply advising employees to be wary of predatory behavior from unknown attackers is not sufficient. Knowing a) what to protect, b) which possible dangers exist and c) who the hypothetical attackers are, is necessary for every CISO.
“We have just been connected!” I hear my Nixu Red Team colleague yell. A client has requested an internal security test, and we have sent eight emails in succession. We avoid excessive messages to ensure that it remains discreet. The email includes an attachment, a MSword file containing a macro. The macro “rings our office” and now my colleague controls the clients’ workstation.
This kind of bait and switch method works the majority of the time, even with companies that have integrated customized security protocols. In this case the workstation is fully patched and no vulnerability used. It is functionality of Windows which is relied upon. This cannot be repaired (with a patch) because it is not severed/broken.
My colleague sends out messages to employees of our client; they receive a pop-up notification asking if a macro can be initiated. If the client does not permit the macro to run, we cannot complete our attack. However, that is why we send eight emails – there is always someone who does. This may be humorous for my colleagues, but less so for the CISO, whom I am often standing with on the work floor.
The reality is that workstations (desktops, laptops or smartphones) cannot be completely controlled. If your allowed software is not white-listed, you don’t even know which software is running. Nor can you be confident that an end user will always make the right decision when it comes to security. In this example the user is even an employee working in the IT department and should be aware of the risk. Next to this it is also impossible to know where the laptop has been, who has had physical access to it and which networks the device has been connected to.
Advising employees to be “mistrustful” may seem exaggerated, but one must consider the scale of the situation. Propose that we were not speaking about a workstation, but the delivery van of a company. The ‘boss’ has no way of knowing what the van is carrying at every given moment. He can trust the employee, but he can never be completely assured that the employee will not cause damage. If the employee wants to abuse this situation, that is possible.
Security begins with knowing: what you want to protect, the possible dangers that exist and who the hypothetical attacker could be.
The discussion surrounding applications on Chinese network devices is a very relevant example. We don’t know exactly what they need to protect, because we aren’t yet familiar with the future applications of the 5G network. Nor do we know how attackers can penetrate the devices connected to the network. The objectives are not always clear: Spying? Sabotage?
Preventing digital theft is probably a bit simpler than blocking corporate spies. The latter is searching for information that is unique to you and in the past we have learnt that these kinds of attackers do indeed gain access. Most likely via a user that is misled, but also possibly with a physical breach. Criminals will not bother you if someone else is an easier target.
In all cases, it is improbable that workstations are what attackers are aiming for. You cannot ignore the possibility that there is sensitive information on a single device, but the notion that one device holds all of the corporate information is exceptionally rare. Criminals use workstations as a means to connect to servers which support files or databases.
Therefore, it is time to start treating workstations as if they are random web-connected machines that belong to someone else. It is more important to monitor servers that are processing the most valuable data, deep down in the networks.
Companies should carry out a Business Impact Analysis (BIA) to create an inventory of which information and systems are important. Workshops for the most important users and the system administrators should be hosted to explore how their systems could be hacked, what the signs are when they have been breached and how such a situation can be managed. To be fully prepared for such a scenario, practice is essential.
After dispatching the eight emails, my colleagues were busy for an hour…waiting. Then at once they gained access to the workstation. Their goal? To reach a server. Were they caught on time? Ask the CISO.