The year is 2014, a period in which we would seem to be fully dependent on wifi-everywhere, and on technology, to support our businesses and personal commitments. 2014 is also a period in which society is fully engaged with technology, to conduct its online banking, to embrace the sales on Black Friday, or to simply watch TV. And to underpin a maximised user experience, a vast number of us are enjoying the always-on, always-available channels of communication through high capacity broadband. However, many of us also recognise that this is a Perfect Storm for Insecurity, and as we enter 2014, we as a society are very much aware that the Cyber Landscape of exposures, vulnerabilities, and cyber threats is just about as high as it can be, with criminality very much on the front foot, and the rest of us playing catch up – so yes, we live in high risk times when it comes to technology.

Given we know where we are, things could not get much worse – right? However, whilst we are only starting to acknowledge the ‘Houston we have a problem’ moment, we enter the age of the Smart Phone, Mobility, and what I refer to as Bring Your Own Disaster [BYOD]. Here, big name organisations encourage their users to bring their own systems to work, upon which valuable and sensitive business related information will be processed and stored – with BYOD sometimes being well thought through, and on other occasions, a disaster waiting to happen. Thus both personal and business related mobility could just represent the new channel of insecurity.

Before we move on to look at the current threats, let us consider the past, which stood to one side and allowed this now ever-present hand-held set of exposures to gain their small-footprint grip. It was in Q3 2010 when I recorded a programme for the BBC World Service on the subject of Smart Phones. At the time, whilst a number of the global Anti-Malware providers such as McAfee and Symantec were dipping their toes into the waters of Smart Phone Security, it was the more niche vendors like Sophos and Kaspersky Labs who were demonstrating a tangible commitment to research into what was then the new era of emerging threats, aimed at the new age Micro-Computers – AKA Smart Phones. These were devices whose hand-held power, functionality, and storage were far in excess of those early, and very clunky, 8086 PCs, along with connectivity opportunities in the form of WiFi, Bluetooth, PAN, and an interface to the PC. In fact it was at that time when, as part of a Research Project, I visited a number of the High Street Mobile Phone Outlets and asked the questions ‘should I take any additional steps with security when using an Internet connected Cell Phone?’ and ‘Do you sell Anti-Virus applications to protect Cell Phones?’ – Without exception, from the Carphone Warehouse to O2, they all responded that there was nothing to worry about, as they were secure!

But of course, it was only a matter of time before the more conventional threats aimed at the Internet connected PC, in the form of Spam, Trojans, and Malware, morphed onto the hand-held device, bringing with them the very real opportunity of on-the-move compromise.

But sadly, the picture did [does] get much worse, with the obtuse act of self-inflicted compromise! With the appetite for more apps and increased functionality, the Smart Phone user does have a tendency to download the latest and greatest new toys as they appear in the market place. Take the installation of an application which allows our user to store all of his/her passwords, say relating to Internet, banking, or other sensitive account information, which will in turn be committed into the brand new password vault. Upon installation this new application notifies our user that, to proceed, the app requires full authorisation to access the Internet and storage/memory, and in a nutshell needs to be completely embedded into the host Smart Phone Operating System – to which the average user agrees, and allows the installation to continue, with the complete integration of an application of relatively unknown origin into their own personal device! And remembering that this could be a BYOD which may be connected to a corporate asset, this may not just be a matter restricted to personal compromise!

When it comes to company sponsored BYOD, here too we encounter challenges. One example is that of a large Oil & Gas company, who went to great pains to deploy a secure desktop via virtualisation, which not only locked the user into the installed Virtual Machine [VM], but actually went one step further to enforce a policy which only allowed access to data when the VM was connected to the Corporate Mother Ship. However, one of the limitations was that the Security and IT Departments had not considered the end-users’ needs, as they required access to their resident data assets when the device was off-line, in order to meet their operational commitments. But as we all know, when it comes to resourcefulness there are none as ingenious as frustrated end users, and the solution was easy – the answer was to send all the sensitive documents up into the cloud [Dropbox, PogoPlug etc.], and then transfer them down onto the unsecured hard drive, where they were always available, both on and off line. And given the company in question had not stated any Security Minimum Standards for the personal device, such as FIPS 140-2 encryption, all data on the Physical Drive was exposed to ease of access, and remained resident and extant regardless of any processes or procedures invoked to delete the VM and its business related assets.

And then we come to another element which often gets overlooked – that of communications. In 2012, I was hosting an e-Crime event in London at a very well-known City hotel, which was attended by around 100 Cyber Security Delegates who, as one would expect, were all working from hand-helds, WiFi enabled laptops, and their iPads, surfing the web or doing some catch-up emailing. However, as I am just a tad more paranoid than most, before I connected I ran a quick audit just to see if it were safe, and the findings were a revelation, with ports open, and services in various states of play, from TCP/IP Port 1 through to 65301, hosting:

dtk Deception Toolkit
CyberCrash
doom
Nessus
BigBrother Monitoring Server
NetOp [Remote Control]
Netbus [Backdoor Trojan]
Kunang [Backdoor Trojan]
Back Orifice

To name but a few. I did of course alert the delegates, but noticed that, VPN or not, the majority of the ‘Security Professionals’ continued to use the AP! And when we come to mobility, smart phones, and other such needs of mobile communication, remember, it’s not just about static locations but also about being on the move, so there is no room for complacency.

Last but not least, I would wish to close on the subject of ‘Knowing your Assets’. I was working on a project with a large security company in London [that’s correct, I repeat, a ‘Security’ Company]. As they had deployed a Public Access Point for their users and Visitors to connect to, I ran a little test and set up a rogue AP, mirroring their own company credentials [e.g. ***LondonOffice]. I then invited the CISSP qualified Security Manager to scan the promiscuous WiFi space, and to explain what he had discovered. However, to my astonishment, whilst he did locate the AP I had injected into their Office Space, he indicated this was their very own authorised AP – worrying, as this was the Security Manager of a large Global Security Company!
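The ‘Knowing your Assets’ point above can be turned into a routine check. The following is an added example, not code from the original article: a WiFi scan listing is compared against an inventory of the BSSIDs the company actually operates for each SSID, so that an AP advertising the company name (or a look-alike name) from an unknown BSSID is flagged rather than accepted as ‘our own’. The SSIDs, BSSIDs and scan rows are constructed placeholders.

```python
"""Rogue / evil-twin access point check against an asset inventory.

Added example, not from the original article. All SSIDs, BSSIDs and
scan rows below are constructed placeholders, not real company values.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: the BSSIDs the company operates for each SSID.
AUTHORISED = {
    "LondonOffice": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "LondonOffice-Guest": {"00:11:22:33:44:03"},
}
# The security mode each authorised SSID is expected to advertise.
EXPECTED_SECURITY = {"LondonOffice": "WPA2", "LondonOffice-Guest": "WPA2"}

@dataclass(frozen=True)
class Ap:
    ssid: str
    bssid: str
    channel: int
    security: str  # e.g. "WPA2", "WPA", "WEP", "OPEN"

def _normalise(ssid: str) -> str:
    """Lower-case and drop punctuation/whitespace so look-alikes collide."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def _lookalike(ssid: str) -> Optional[str]:
    """Return the authorised SSID this name matches or imitates, else None."""
    if ssid in AUTHORISED:
        return ssid
    norm, best = _normalise(ssid), None
    for known in AUTHORISED:
        kn = _normalise(known)
        if norm == kn:
            return known
        # "London Office Free" still contains our name: treat as imitation.
        if kn in norm and (best is None or len(kn) > len(_normalise(best))):
            best = known
    return best

def audit(scan: list[Ap]) -> list[str]:
    """Flag every AP that claims to be ours but is not in the inventory."""
    findings = []
    for ap in scan:
        target = _lookalike(ap.ssid)
        if target is None:
            continue  # unrelated network; outside this asset check
        known = {b.lower() for b in AUTHORISED[target]}
        if ap.bssid.lower() not in known:
            findings.append(f"ROGUE {ap.ssid!r} {ap.bssid} ch{ap.channel}: BSSID not in inventory for {target!r}")
        elif ap.security != EXPECTED_SECURITY[target]:
            findings.append(f"MISCONFIG {ap.ssid!r} {ap.bssid}: expected {EXPECTED_SECURITY[target]}, saw {ap.security}")
    return findings
```

Feeding it the output of whatever scanner is in use (one Ap per beacon seen) gives the Security Manager a list to act on instead of a judgement call made by eye.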

As a conclusion, it is my opinion that all of the aforementioned observations and comments come down to two factors. 1] A lack of education and training commensurate with the relative level within the organisational structure, and 2] A distinct disconnect in the area of pragmatic and meaningful understanding at the coal-face of operations. If there is one true fact in any area of IT/Cyber/Digital that should not be ignored, it is that of Training!