By Jayson E. Street, Infosec Ranger at Pwnie Express
I broke into a bank in Beirut, Lebanon in 2 minutes and 22 seconds. While I don’t speak Arabic or French and had never been to that bank before, I walked right in and managed to insert a USB drive with a malicious payload into a networked computer, compromising all of the bank’s security. I’m what you’d call a “White Hat” hacker, exploiting cyber vulnerabilities so they can be secured before real criminals get there.
The Beirut bank (as with most places) was vulnerable because of how its employees used the technology in a secured network. Nine out of ten times, network compromises are due to human error, intent or accident. The challenge of securing data is only going to grow as our refrigerators start tweeting, toasters update a Facebook page, and more of the “things” in the Internet of Everything (IoE) come online. All of these connected devices create more entrances into a secure network—and more exits from it.
The way we understand and guard data needs to change. People, businesses and governments are still trying to protect data like it’s in a vault, which stops anyone without a key from entering. But my work in Beirut is one example of why the vault concept does not work in today’s high-threat digital environment. There are too many doors and too many keys. We need to guard data the way a retail store approaches theft prevention. Higher-end items are equipped with a security tag that sounds an alarm when it leaves the store. A designer jacket is worth more than a pair of socks, and a retailer applies an additional level of security to guard against high-value items leaving without permission.
Personal credentials, accounts and network programs can be compromised in many ways, and as well as trying to stop incoming threats, alarm bells need to be ringing when high-value data is leaving the store.
That means applying an updated way to monitor data movement, which requires an informed and aware workforce. Companies invest heavily in ensuring an employee knows how to make, sell, or process a widget, but they seldom show employees how to secure the widget in the process.
Education and action is also important for the consumer. Networked devices do not come secure straight out of the box; they need to be configured to limit incoming and outgoing data. For now, the onus is on the consumer to understand the need and method for securing their piece of the IoT. However, as data security increasingly becomes a factor in buying decisions, companies should recognize that security is a product advantage—and a selling point.
Even with a big steel vault and modern cybersecurity tools, that bank in Beirut never saw me coming. Technology will not ultimately save us from today’s digital threats. Instead, a better educated public and workforce, paired with changes in how we monitor outgoing network traffic, will make all of our information more secure.
Jayson E. Street is an Infosec Ranger and “White Hat” hacker at Pwnie Express, a company working to mitigate emerging threats created by the Internet of Everything. He is also a Senior Partner at Krypton Security and CEO of Stratagem 1 Solutions.