Monday 29 June 2015

The weakest link


Companies tend to spend a great deal of time, money and resources securing their networks and systems by implementing a layered model of security. This form of security is based on the premise that the deeper a layer is, the more secure it should be. Each layer has a different purpose and, as such, is composed of different stacks of hardware and software.

Since breaching these layers is hard, attackers target the users via phishing techniques to make them install malware or reveal their corporate credentials. Afterwards, they are able to use the disclosed information to breach the layers and gain privileged access to the internal network. To prevent these situations, there are a lot of tools (e.g. Trusteer Apex, Confer) that use different techniques to detect anomalous behaviour and try to block the information disclosure.

[Figure: security layers example]

What if we told you that it may be possible to obtain the corporate credentials via third parties that are totally outside your control? To understand this, we have to look at the rules for corporate credentials, more precisely, the password policy.

Most companies correctly enforce a set of rules on the password in order to make it stronger and thus prevent the success of brute force attacks. The rules are normally composed of:
  1. Minimum length;
  2. At least one uppercase letter;
  3. At least one lowercase letter;
  4. One "special" character;
  5. One number;
  6. Time limited passwords.

By enforcing these rules, users end up with a strong password that is very hard to guess. However, this also has a downside.

Since users get a strong password that is not easy to memorize, the probability of reusing it in other places outside the corporate environment, once it is memorized, is non-negligible. The password may end up being used on social networks, email services, online stores, travel agency websites and so on. This behaviour may pose a serious problem.

Since not all sites properly secure user information and passwords, if an attacker is able to steal this information, there is a chance that he can obtain the corporate password. Some examples of such hacks are the ones that occurred at Sony, eBay and Home Depot. These are just some of the "great ones"; now think about the small business stores that have websites that require users to authenticate but offer little or no security. One may argue that companies enforce password rotation at predefined time intervals; however, most people tend to rotate between two or three passwords.

From here, all the attacker needs to do is associate the users with their companies. Well, if only people would share everything about their lives somewhere... Oh, that's right: we live in the social networks era. Once identified, the attacker may now try to break into the company network via internet-facing services using the collected passwords. Guessing the usernames should be an easy task via social engineering.

The point that we want to make with this post is: although companies spend a lot of money creating a "bulletproof" perimeter defence, if users are not "educated" to clearly separate corporate "life" from "personal" life, breaches will continue to occur. These, and other such situations, make users the weakest link in your corporate security policy.
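The rules listed above, and the "rotate between two or three passwords" habit described after them, can both be enforced at password-change time. The following is an added example (not code from the original post) showing the six rules plus a history check that rejects a password that matches any of the last few stored hashes; the thresholds, the PBKDF2 parameters and the sample passwords are assumptions.

```python
import hashlib
import hmac
import re

# Constructed policy values; the post lists the rules but not the numbers.
MIN_LENGTH = 12       # rule 1: minimum length
MAX_AGE_DAYS = 90     # rule 6: time limited passwords
HISTORY_DEPTH = 5     # previous passwords that may not be reused again


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest, so history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_policy(password: str) -> list:
    """Return the names of the violated composition rules (empty = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not re.search(r"[A-Z]", password):        # rule 2
        failures.append("uppercase")
    if not re.search(r"[a-z]", password):        # rule 3
        failures.append("lowercase")
    if not re.search(r"[^A-Za-z0-9]", password): # rule 4
        failures.append("special")
    if not re.search(r"[0-9]", password):        # rule 5
        failures.append("digit")
    return failures


def check_rotation(new_password: str, history: list, age_days: int) -> list:
    """history holds (salt, digest) of previous passwords, most recent first;
    age_days is how old the current password is. Flags expiry and reuse."""
    failures = []
    if age_days > MAX_AGE_DAYS:
        failures.append("expired")
    for salt, digest in history[:HISTORY_DEPTH]:
        # constant-time comparison avoids leaking which entry matched
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            failures.append("reused")
            break
    return failures


def store_entry(password: str, salt: bytes) -> tuple:
    """Helper to build a history entry from a constructed salt."""
    return (salt, hash_password(password, salt))
```

A real deployment would generate each salt with os.urandom and keep the history alongside the account record; the check is run before the new password is accepted.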

Since security is not only about technology but also involves people and the processes that they use, companies should start educating their employees about the importance of separating personal and corporate life. To do this, companies should rely on their Human Resources department to raise awareness about the problems of mixing both, promote training courses, or even educate people on this subject.
