The Blessing and Curse of Automation

As data becomes the new currency of the digital marketplace, one of the biggest security challenges organizations face is the number and kinds of endpoint devices that need access to the network. Smartphones, laptops, Chromebooks, tablets, and IoT devices of every function and size, and belonging to both employees and consumers, now regularly connect to some segment of the network to access data.

Many of the devices and apps we commonly use, from GPS to monitors and schedules to social media, require constant access to data sources. These devices are also a repository of some of the most important information in our personal and professional lives. We use them to manage our finances, plan our schedules, map our routes, interact with friends and family, check our personal and work mail and messages, collaborate with coworkers, and access sensitive corporate data.

And since they are so tightly interconnected with the data and resources of other people and devices we interact with, a single compromise can have far-reaching consequences. Which is why some of the latest trends in digital devices should have us thinking carefully about our security policies and practices.

Autoconnect: Doing the Hacker’s Job for Him

Many smartphones, for example, only allow you to temporarily turn off wireless and Bluetooth connectivity. Once disabled, these functions simply turn themselves back on after a period of time. Some of these devices even continue to hunt for known access points even if connectivity functions have been turned off. Once they identify an SSID they are familiar with, they automatically connect without any user intervention. Other devices will automatically turn on a ‘soft AP’ mode so that you can share your connection with your other devices. It’s all about making sure you have constant access to the data and resources you rely on.

While convenient for the user, these can also be an open door for compromise and a conduit for infecting every other device in a user’s ecosystem. It also explains why we are seeing a resurgence in classic threats like man in the middle attacks. Years ago, a hacker connected to the Internet would sit in or near a public space and broadcast their device as a free wireless access point. When unsuspecting users connected to their fake SSID, the hacker would then collect any data passing between the victim and the Internet services they were accessing. Today, that entire process is much more automated, as devices are eager to connect to any service that is available, and can make connections even without the user’s knowledge.

Of course, savvy users simply disable the option to simply connect to any possible access point. But no one wants to have to log in every time they are connecting to their home network, so our devices keep a list of known networks that don’t require manually logging in. That list can get quite long quite quickly. A quick look at your phone or laptop will reveal a long list of “preferred” sites that include restaurants, hotels, work, the Wi-Fi SSIDs of friends and families, and most likely, some you don’t even remember or recognize. Even more challenging, some devices won’t even let you delete an old network unless you’re attached to it, making it almost impossible for users to prune and maintain the number of networks their device will happily look for and attach to.

But even those access lists that are carefully curated can be a problem. New hacking tools allow criminals to scan for devices simply looking for a known wireless access point. When it sees one, rather than broadcasting its own SSID, it simply asks what SSID the device is looking for. The device then responds with something like, “I’m looking for Bob’s Home Wi-Fi.” The malware then says, “You’re in luck. I’m Bob’s Home Wi-Fi!” It then generates the appropriate SSID on the fly and the targeted device automatically connects.

Unfortunately, these sorts of attacks aren’t restricted to an elite set of criminal engineers. Hacking used to require some level of skill to pull off.  But now there are dozens (if not hundreds) of readily available hacking tools and downloadable malware codes – complete with instructions and help desks – that can turn any ill-intended newbie into a relatively dangerous hacker of personal devices.

Autoupdate: Making a Temporary Compromise Permanent

Of course, mobile devices are mobile, which means any connection is going to be temporary, making the chance of collecting important or valuable data remote. The trick is to figure out how to make this chance encounter permanent. Which is where tools like Evilgrade come in. Evilgrade is a toolkit that allows attackers to install malicious software by exploiting weaknesses in the auto-update feature of many platforms and apps.

It starts by using an integrated pentest toolkit to identify the platform of targeted devices, along with any software or apps loaded on it, and because Evilgrade is cross-platform it can run on a wide variety of device platforms. Its modular framework then automatically selects and delivers a corresponding fake update from any of its dozens of available malware modules, which can be regularly updated as new versions become available. And if you have autoupdate configured on your device, you don’t need to do anything at all to be compromised.

Which is just a long way to explain that many of endpoint devices you allow onto your networks may also potentially be a conduit for malware and hackers to access or exploit your internal resources. New polymorphic attacks and cross-platform malware combined with AI mean that the traditional “one attack per malware” model is a thing of the past. And because so many of these devices are interconnected with other resources, including data, printers, collaboration tools, online software and applications, and cloud-based services, a single compromised device can represent a real threat to today’s digital business.

Two Things You Can Do

Train Your Users

As much as possible, it is critical that users understand how their devices operate and how to manage those features that can put themselves and the organization at risk. Surprisingly, most device owners – even younger one - are only familiar with those features and functions they need to use in order to do they things they want or need to do. User training can go a long way towards not only helping your employees discover how to better use the tools and devices they own, but help protect your organization.

Eliminate Human Error

Your security is only as good as the least capable person on your team. Which is why training alone is never enough. Here is a quick list of 10 security measures you need to include in your security strategy to protect your organization from rogue and compromised endpoint devices:

1. Provide and require endpoint security that can protect devices off network.
2. Establish deep inspection along with authentication at access points to detect compromised devices
3. Maintain an inventory of devices to track patching so you can cross-reference connected devices against known vulnerabilities and exploits
4. Segment the network to prevent the lateral spread of malware and to isolate compromised devices
5. Deploy advanced threat protection solutions such as sandboxing alongside your IPS to detect new threats
6. Create a unified security framework that seamless spans distributed networks and cloud environments so devices can share threat intelligence and correlate data to detect threats
7. Employ behavioral analytics to detect unusual or inappropriate behavior
8. Integrate threat intelligence feeds into your security management system in order to detect new and emerging threats
9. Automate as much security as possible, including device configurations, updates, and coordinated responses to detected threats
10. Conduct continuous assessments to ensure that your security standards remain consistent across highly dynamic and elastic environments

Conclusion

What began as a simple BYOD program a decade ago, has turned into a digital revolution that has utterly transformed today’s business networks. When used properly, these devices provide us with the ability to work and interact in ways that were never possible before. When compromised, however, their broad access to data and resources can have a devastating effect on both users and businesses. As this market continues to evolve and expand, it is critical that IT teams get out ahead of the challenge by using a one to many approach that allows you to respond to an increasingly complex problem with a simple, straightforward solution that can automatically scale and respond as your attack surface evolves.

For more information, download our paper and learn about the top threats that enterprise security leaders are being forced to address and the security approaches to evaluate.