Forget the Gates, the Huns are Inside: Thoughts on Secure Programming, Education and BYOD
While attempts to attribute this phenomenon to a single shift in the computing world may be futile, certain conditions do influence the prevalence of client-side threats. Among these, a few stand out not because of their severity, but due to our apparent inability to address them adequately.
Secure Programming, or Lack Thereof
Despite increased calls from the security community to institute reforms in the manner in which software is developed, vulnerabilities that arise from either the software development process or developer error continue to persist. If we add to this the growing ease with which individuals can learn software development without having a security mindset, efforts to curb these types of vulnerabilities are likely to be handicapped. When was the last time you saw a programming guide that discussed proper input validation?
Even with intensified efforts to find vulnerabilities, most notably in the form of bug bounties, these are only stop-gap measures that fail to address the root of the problem.
Education, Are You Listening?
Client-side attacks are effective regardless of the intended target. Let’s face it; targeting humans simply works better than compromising machines. In the context of a corporate setting, the repercussions of such are greatly magnified. One needs only to cite recent cases such as the Syrian Electronic Army’s (SEA) campaign against the New York Times or the RSA hack back in 2011. While relatively unsophisticated, phishing attack coupled with these client-side vulnerabilities allows attackers to gain access with little effort.
While corporate campaigns to educate employees on the importance of awareness and “thinking first before clicking” is part and parcel of every security team’s efforts, the message still does not seem to be getting through. It appears that removing human decision-making in potentially dangerous scenarios is the next best thing, but even that has its own pitfalls.
Nothing is Written, Everything Is Allowed
When was the last time you went to work without your smartphone or tablet? The BYOD phenomenon is a boon to end-users but a potential disaster for any security professional. The ease with which end users can connect to corporate systems with little or no oversight increases the overall attack surface of an organization.
While not strictly a client-side “threat,” these devices bypass most if not all of the standard security controls of the majority of corporate environments to date – leaving most of the security decisions to the user. As a result, this races the possibility of a slew of threats ranging from device-borne malware to the potential for data theft due to a lost or stolen device.
Nothing stops system administrators or the security team from implementing anti-BYOD policies. Such an action would most likely draw the ire of employees – especially since most existing corporate security standards are not likely to provide explicit guidance with regards to the use of one’s own device. This in turn reduces the likelihood of instituting any form of technical security control.
Our growing demand for computing technologies to be seamlessly integrated with our lifestyle continues to fuel the move away from a centralized and regulated computing model. Inevitably, this places a strain on our ability to address threats – especially since the existing mindset appears to have been developed for an environment that is quickly disappearing.
Will we continue to be this exposed to threats? Yes. Can this be addressed? Yes, but in time. As we have learned from the last decade or so, we can address security threats to the point wherein the majority, such as external threats, for the most part, is no longer the primary concern of a prepared organization. This, however, assumes that we can adapt to the current environment in which we work in sooner rather than later.