Posted on November 16, 2012
The obvious lessons spinning out of the Petraeus affair might be “don’t throw stones at glass houses while carrying on with the director of the CIA” and “don’t ever access personal web mail via a corporate network, which can make anyone highly vulnerable to an investigation, virus or hack,” says Caitlin Johanson, security strategist at penetration testing firm Core Security.
In this LastWatchdog guest post, Johanson expounds on the latest high-profile example of how Internet communications in the age of free web mail can amplify the foibles of humans.
By Caitlin Johanson
The Petraeus scandal shows how human nature and the Internet can make for a dangerous mix. But sometimes mere naivety or even ignorance is enough to wreak havoc. So-called ‘social engineering’ or phishing attacks cause millions of dollars in breaches and damages every year to US businesses, and they are increasing in frequency.
One of the main reasons this problem is so large is that companies rarely restrict employee access to webmail, social networking sites, or, for that matter, just about any other channel through which an employee could steal company information, accidentally leak it, or infect the network.
Businesses rarely stop workers from having Internet freedom because, frankly, it upsets workers, especially younger ones. I’ve even encountered organizations saying it’s easier for them to just pay a fine when a breach occurs than to prevent their employees from logging into other online accounts.
Today, all it takes to breach a system is one trigger-happy employee who was curious about a personal email from a dying Nigerian woman offering a diamond-encrusted estate if they would “clik heer.”
If IT security defenses cannot evolve fast enough to prevent social engineering breaches, whether enabled or caused by employees, we will end up losing.
It’s not just our national secrets that we have to worry about being exposed; it’s everything we say and send through those magical pipes of the Internet. Personal web mail is being accessed from within the same networks on which your local military bases, power plants, water treatment facilities, and hospitals reside. Why are we all so shocked when we hear that another hacker group stole classified documents or broke into sensitive networks like NASA’s?
The trend known as Bring Your Own Device, or BYOD, only gets in the way of real security within the workplace, and it keeps security personnel up at night. Today’s security teams have neither the time nor the resources to thwart the constant risks that outside software and devices bring to the network, because there is enough to maintain as it is.
Until someone invents a patch for stupidity, the key to success is being predictive: assume that the security walls are porous so you can focus your energy on protecting your most valuable information from being stolen or corrupted.
About the essayist: Caitlin Johanson is a security strategist with CORE Security and manages the Technical Support team. She is responsible for running training programs for the CORE IMPACT product line and manages penetration testing projects.