by Steve King
With the government failing to create any sort of standardized security regulations, the private sector is left to wonder what level of network security will be best for protecting company and client data. As the popularity of personal smart devices being used in the workplace increases, policies must be enacted in order to maintain a secure network.
The first step is to create a corporate policy on how employees will use smartphones and other personal computing devices on your network. Make sure that human resources and your legal department weigh in and that your policies become part of new employee orientation and ongoing employee training. But what other steps can be taken?
Here are six precautions to take to ensure security in the BYOD (bring your own device) era:
1) Training & understanding
All information technology networks are exposed to the difficult-to-control human element. Upgrading your servers and ensuring your firewall is solid is great. Right up until one of your employees clicks on a phish and your network is infected. A surprising majority of our clients (over 80 percent) offer no regular security training to their end users.
IT departments should conduct annual security and BYOD training for all users, teaching workers to avoid common security threats like phishing attacks and using established best practices for dealing with them when they occur. Since phishing attacks are so common, we assume that everyone knows how to handle them, but most employees have no idea how to recognize an attack or a scam. Companies that ignore this sort of employee training are unnecessarily exposing their networks to cyber threats.
2) Encrypt any data you don’t control
Over 70 percent of our client IT organizations don’t encrypt all of their cloud data, and they leave almost all of their cloud transactions unencrypted. The reason is that encryption is costly in terms of bandwidth and requires faster and more expensive servers. Most public cloud services offer encryption services, and companies would be smart both to avail themselves of those and to make sure that their most sensitive corporate data is encrypted. If the loss of the data doesn’t put your company at risk, then there is no need to take the extra steps, but if compromised data affects your bottom line, then it must be encrypted.
3) Start using a monitoring system
Now that you have defined a corporate policy to deal with personal smart devices on your network, you must implement a system to register, track, monitor and report on personal mobile device activity. You want to be sure that any smartphone an employee brings into the workplace to be used for company business is registered on your network and associated with that particular employee and his or her authorizations.
When an employee downloads an app to their device, you want to be sure that the employee is authorized to access the data and programs the app uses and that their behavior is consistent with a user profile (employee is stationed in New York, but her iPhone just accessed the Order Processing app from San Francisco).
The system should notify your network administrators when anomalies occur as well as prevent unauthorized access. It should also track and report on specific usage and activity created by these mobile devices, so you can optimize your network and identify suspicious behaviors.
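The registration and anomaly checks described above, as an added example that is not from the article: each device is tied to one employee and a home office, and an access record is flagged when the device is unregistered, used by someone else, used for an unauthorized app, or used from a location inconsistent with the profile. The registry, the authorizations and the pipe-delimited record format are constructed for illustration.

```python
# Added example, not from the article. Registry, authorizations and the
# 'device|user|app|city' record format are constructed for illustration.
from dataclasses import dataclass
from typing import List

# device id -> (employee, home office); constructed registry
REGISTRY = {
    "iphone-7f3a": ("alice", "New York"),
    "pixel-19c2": ("bob", "Chicago"),
}
# employee -> apps that employee may use; constructed authorizations
AUTHORIZED = {
    "alice": {"Order Processing", "Mail"},
    "bob": {"Mail"},
}

@dataclass
class Alert:
    device: str
    kind: str     # unregistered | wrong_user | unauthorized_app | location
    detail: str

def check_event(line: str) -> List[Alert]:
    """Check one 'device|user|app|city' record against the registry and profile."""
    device, user, app, city = line.split("|")
    owner = REGISTRY.get(device)
    if owner is None:   # unknown device: alert (and block) before anything else
        return [Alert(device, "unregistered", f"{user} used an unregistered device")]
    emp, home = owner
    alerts: List[Alert] = []
    if user != emp:
        alerts.append(Alert(device, "wrong_user", f"registered to {emp}, used by {user}"))
    if app not in AUTHORIZED.get(user, set()):
        alerts.append(Alert(device, "unauthorized_app", f"{user} is not authorized for {app}"))
    if city != home:   # the article's New York / San Francisco case
        alerts.append(Alert(device, "location", f"{user} is based in {home} but connected from {city}"))
    return alerts

def scan(lines: List[str]) -> List[Alert]:
    return [a for line in lines for a in check_event(line)]

SAMPLE_LOG = [  # constructed access records
    "iphone-7f3a|alice|Mail|New York",
    "iphone-7f3a|alice|Order Processing|San Francisco",
    "pixel-19c2|bob|Order Processing|Chicago",
    "galaxy-0b11|carol|Mail|Chicago",
]
if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.kind:<16} {a.device}: {a.detail}")
```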
4) Rotate SSH keys (at least) annually
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. One immediate advantage this method has over traditional password authentication is that you can be authenticated by the server without ever having to send your password over the network. Anyone eavesdropping on your connection will not be able to intercept and crack your password because it is never actually transmitted.
Additionally, using SSH keys for authentication virtually eliminates the risk posed by brute-force password attacks by drastically reducing the chances of the attacker correctly guessing the proper credentials.
A huge majority (over 80 percent) of our client IT departments fail to rotate SSH keys every 12 months. Because employees turn over about every two years on average, failure to rotate SSH keys at least once a year leaves critical network infrastructure wide open to malicious access from former staffers. And there are usually a few pretty unhappy former staffers. This should be done at least every year.
The differences between 1024-bit and 2048-bit are academic in that both have proven to be uncrackable. Most companies have not upgraded their encryption keys and are in serious danger of unnecessary exposure to brute force cyber attacks.
5) Have a plan for replacing compromised certificate authorities (CA)
Digital certificates are vulnerable to fraud and must be replaced when they are compromised. We have found that most companies we evaluate have no management processes in place to ensure business continuity by quickly replacing a compromised certificate and its accompanying encryption keys.
There has already been a lot written about the CA compromises at DigiNotar, GlobalSign and Comodo in 2011. Browsers accept a certificate as trusted if the signing CA’s certificate is in their local trust store. Browsers do not check that a particular CA is authorized to actually issue a particular server certificate. The trust is universal. That is why the attacks on DigiNotar, GlobalSign, and Comodo are so serious and have global impact.
If it is even suspected that your CA may have been breached, make sure that you have processes in place to both replace them and to evaluate their vulnerability on an ongoing basis.
6) Make sure your encryption keys are up to snuff
We have seen lots of companies that don’t use appropriately strong encryption keys, relying on old 1024-bit keys. Back in 2011, NIST began reporting that 1024-bit encryption keys were deprecated and that, at a minimum, 2048-bit keys should be used for all encryption keys. The shorter key length has already been broken twice, which is why you can’t guarantee that it won’t happen again with your website. You should make sure your root key is at least 2048-bit when generating your CSR (Certificate Signing Request). This key length hasn’t been cracked yet and it is safe.
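One audit that covers both the SSH key rotation point (section 4) and the key size point (section 6), as an added example that is not from the article: it parses authorized_keys entries, flags keys whose comment names someone no longer on staff, and flags RSA or DSA keys below 2048 bits by decoding the key blob and measuring the modulus. The staff roster and the key lines are constructed; make_rsa_line produces format-correct blobs for testing, not usable key pairs, and lines with an options prefix are not handled.

```python
# Added example, not from the article. Roster and key lines are constructed;
# make_rsa_line builds format-correct blobs only (random modulus, no private key).
import base64
import secrets
import struct
from typing import List, Tuple

CURRENT_STAFF = {"alice", "bob"}   # constructed HR roster; key comment = owner

def _string(s: bytes) -> bytes:            # SSH wire "string": u32 length + bytes
    return struct.pack(">I", len(s)) + s
def _mpint(x: int) -> bytes:               # SSH wire "mpint": positive big-endian
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(blob: bytes) -> Tuple[str, int]:
    """Return (type, size in bits) for an RFC 4253 public-key blob."""
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent
        n, _ = _read_string(blob, off)             # modulus: its length is the key size
        return "ssh-rsa", int.from_bytes(n, "big").bit_length()
    if ktype == b"ssh-dss":
        p, _ = _read_string(blob, off)
        return "ssh-dss", int.from_bytes(p, "big").bit_length()
    return ktype.decode(), 0                       # ECDSA/Ed25519: size fixed by type

def audit(lines: List[str], min_bits: int = 2048) -> List[str]:
    findings = []
    for line in lines:                             # options-prefixed lines not handled
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        comment = parts[2].strip() if len(parts) > 2 else ""
        ktype, bits = key_bits(base64.b64decode(parts[1]))
        if comment not in CURRENT_STAFF:
            findings.append(f"{comment or '<no owner>'}: owner not on staff, remove key")
        if ktype == "ssh-dss" or (ktype == "ssh-rsa" and bits < min_bits):
            findings.append(f"{comment}: {ktype} {bits}-bit is below the {min_bits}-bit minimum")
    return findings

def make_rsa_line(bits: int, comment: str) -> str:
    """Constructed test line: random modulus of exactly `bits` bits (not a usable key)."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

SAMPLE_KEYS = [make_rsa_line(1024, "alice"), make_rsa_line(2048, "bob"),
               make_rsa_line(2048, "mallory")]   # mallory left; key never rotated
```

Running `audit(SAMPLE_KEYS)` reports alice's 1024-bit key and mallory's stale key and accepts bob's.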
Ultimately, there is almost nothing an enterprise IT manager can do to prevent these sorts of attacks; this is a technical and procedural problem that the browser vendors and device makers have to fix. In the meantime, however, we can at least replace any certificates that we know or suspect to be breached.
While the Electronic Frontier Foundation and other groups have spent months arguing over the various faults in the Cyber-security Act that just died in Congress, here is where federal cyber-security legislation might actually have come in handiest. We could actually use a central, non-bureaucratic organizing agency that concerned itself with issues like the global compromise of Certificate Authorities and supported the required trust in our Internet-enabled world, but alas, that may be just a hopeful oxymoron.
In the meantime, protect yourself with BYOD policies, a network that monitors and controls, encryption that makes sense, and employees who are smart about network security and the ways in which it may affect them.