“Corporate America is under attack” has become a more regular headline with media outlets. Such reports often describe the attack and loss, but few explain why it happened and even fewer take the time to describe how not to let it happen. Even organizations focus on the attack, loss, and why the attack happened when responding, yet few take the time to really know how to prevent such attacks from happening. A typical organization’s security strategy includes the purchase of expensive firewalls, intrusion detection systems (IDS), heuristic intrusion prevention systems (IPS), and security information and event management systems (SIEMs), many costing upwards of $100K each. With the throw more metal at the problem approach, why do networks still remain inadequately protected? The answer is that the vulnerability being exploited is people: the corporate users and the end users. What the organization misunderstands is that the user is a node on the network, not a corporate owned piece of equipment. User behaviors, unlike machines cannot be governed by a technical policy, or a series of ones and zeros telling it on/off, yes/no.
Risks are introduced into networks by a user’s own digital/Radio Frequency (RF) fingerprint, a digital/ RF fingerprint is the unique RF and trail of data that each person emits, this digital/RF fingerprint is the culmination of device and device usage such as:
- A cell phone’s frequency
- Names of the networks users connect to with their devices
- Bluetooth devices and the connections to and from them
- A user’s device or devices (e.g., laptop, phone, key fob, garage door opener, home security system)
- Social media site usage, email, both personal and corporate, and other traceable internet usage
The issue with the lack of mitigation for this unique fingerprint becomes vulnerability when a user leaves to get coffee, gas, travel to another office, or go home.
Most organizations do not include user behavior as part of its risk assessment and overarching organizational security risk mitigation plan. The organization’s firewalls and IDS are not following its most precious asset and most vulnerable object when it leaves to get coffee or to go home. But the user’s cell phone, tablet, laptop and wristwatch are going home with them, and these are an integral part of their digital/ RF fingerprint.
All of these devices have a signature that can be captured and cloned. For example, attackers know that cell providers track cell phones. A user’s location, WiFi beaconing, and networks that they have connected to can be found online. For Apple, data from iPhones may be found at http://samy.pl/cellmap/. For the Google/Android, data may be found at http://samy.pl/androidmap/. Wigle has been capturing WiFi data from home and corporate router SSIDs since 2001. WiGLE data may be found at https://wigle.net.
Once a user’s digital fingerprint has been so nicely catalogued by all of these databases, a vulnerability database called Shodan (http://www.shodanhq.com) aggregates a user’s data for the attacker. Shodan keeps track of when a home router, baby monitor, or home security system are not secure. After reviewing these resources, an attacker can then look at LinkedIn,Twitter and Facebook to discover additional information about the targets. There is no one tool that can stop this reconnaissance.
In order to effectively prevent corporate attacks, there needs to be more than just hardware protecting the data and people. There needs to be effective mitigations that protect the users and their digital/RF fingerprints. These mitigations include not keeping any private or sensitive data on mobile devices without effective encryption. There are tools for all platforms that allow for a device or specific portions of a device to be fully encrypted in a container for specific data like photos, email contacts etc. Turn off all convenience services such as, auto connect for WiFi or Bluetooth device discovery if these services are not immediately needed at the time the device is or is not in use. In this ever-changing digital world people need to change the way that work and play is performed. Why would you have your Bluetooth connection for your car turned on when traveling on a plane? Why would you have your phone or computer trying to connect to your home network when you are driving in your car? Why would you leave your garage door opener in your car when getting an oil change? Is there really a need to have your personal “private” pictures on your phone, which is connected to your corporate WiFi as well as at the local coffee shop?
By instituting an organizational plan for disabling the auto connect for WiFi on all devices this immediately makes the attackers job much harder. Creating security policies that address user behavior as it relates to attacker reconnaissance efforts will reduce successful organizational attacks where the user is the exploited vulnerability.