Merlin Labs Memo: Is the Future of Work BYOA or Bust?


Bracing Cybersecurity for the Era of Bring-Your-Own-Application (BYOA)

Recent research shows that “disallowing workers’ preferred apps fuels resentment and non-compliance.” Given the explosion of readily-available device-agnostic cloud-based applications, remote work, and freedom granted to get the job done during Covid-19 lockdowns, “A new generation of professionals reaching maturity in the era of mobile apps and social media will not quietly adhere to company policies on which particular tools they can and cannot use. If anything, the numbers will likely continue to rise, particularly with a remote workforce.”

A study by Cerby found that “92 percent of employees and managers want full control over the applications they use for work.” The research suggests that people will figure out how to use their application(s) of choice regardless of cybersecurity policies, and/or they will move to a job where they are allowed the professional respect they associate with such freedom. It’s both a technology problem and a people problem, but mostly it’s a problem that cannot be ignored. -- Summary Via Corporate Compliance Insights

Our Take: For those of us whose livelihoods rely on securing IT or whose businesses demand pristine adherence to strict security control implementations, policy and procedure, and zero trust tenets to name a few, this study is bound to induce some heartburn. Behaviors once relegated to the exception category of Shadow IT have erupted into a mainstream, full-steam-ahead cultural practice. It was bound to happen as the work-from-anywhere, mobile bring-your-own-device (BYOD) movement took root and quickly merged with the easily accessible, highly-available cloud application marketplace. Remember, most people are being paid to get a job done, not to focus on cybersecurity. This means ripping non-compliant, insecure but highly-effective, well-loved tools out of employees' hands might not be as easy as it would appear. It is also likely to negatively impact business innovation and productivity. Put simply, it’s complicated.

The way I see it, cybersecurity teams have a couple of options. First, they can harshly reject all BYOA behaviors through strict policies/procedures, carefully crafted security controls, and heavy-handed enforcement. There is no doubt that there are business and agency scenarios that would require this sort of extreme, Fort Knox-flavored approach to application use. This will be true even if the research suggests that such an approach may still leave an organization vulnerable to the impacts of varying amounts of BYOA. The other approach involves embracing what seems to be an inevitable characteristic of IT systems moving forward – one that deals with BYOA head-on. Those solutions must:

  • Embrace security at the application level rather than just the device level.
  • Assume that BYOA users aren’t security-proficient and will need to rely on automation tools to recognize, assess and potentially harden applications on an as-needed basis.
  • Leverage automation for BYOA that includes critical risk-reduction constructs and approaches like data security and governance, vulnerability scanning and management, and zero trust architecture with multifactor authentication and strong access control rules.
  • Require architectural approaches that creatively use containerization and micro-segmentation in ways that can allow “less-than-perfectly-secure” applications to be used in encapsulated virtual environments where they won’t put the broader system at risk.

It's time to innovate and creatively leverage the aforementioned technologies and approaches (and possibly invent some new ones) to support the wave of BYOA use cases knocking on all of our IT system doors! -- Sarah Hensley, MS-SLP

No Target is Too Small for Ransomware Hackers?

Cybersecurity and Infrastructure Security Agency leadership recently confirmed that ransomware hackers are not exclusively targeting large organizations and businesses, but smaller entities too. At an industry event, CISA Executive Director Brandon Wales said, "We have certainly seen a willingness for these ransomware operators to target critical infrastructure of various sizes. And they're looking…to target companies where they believe they'll pay because they can disrupt their services, have an effect in operations, and that the companies will pay quickly in order to get their operations back up and running." -- Via GCN

Our Take: Smaller companies and government entities are often not well prepared for ransomware attacks and believe that because they are small, they are less likely to be targeted. CISA is warning against this complacency and encouraging these smaller entities to think more strategically to deal with cyber threats.

Transit agencies in particular are poorly prepared; researchers at the Mineta Transportation Institute at San Jose State University found that the entire industry needs a “twenty-first century security upgrade.” Jonathan Holmes, a supervisory special agent with the FBI in Pittsburgh, warned against paying cyber-attackers, emphasizing that doing so doesn’t guarantee any information or data will be returned. He also noted, “I think the vast majority of the time the subjects are going after targets of opportunities. They have computers that they have access to through a lot of different means. And then based upon that, they’re going to try and choose whatever illegal activity is going to make them the most money.”

In addition, both public and private organizations are finding that their cyber insurance premiums are rising significantly due to the increased demand for coverage as well as the sharp increase in attacks. Insurance companies are requiring more robust controls in order to provide coverage, such as updated software and firewall protections, a backup system, cyber training for staff, vulnerability testing, and multi-factor authentication systemwide, including for remote work. These practices, along with organizations establishing risk management strategies that incorporate cybersecurity threats, are highly recommended.

Another key protocol in preventing cyberattacks across all entities is the implementation of incident reporting requirements to federal agencies, which CISA considers a “top priority.” The obligation of the requirements under the Cyber Incident Reporting for Critical Infrastructure Act can be challenging for some corporations with limited resources. To alleviate this burden, CISA will soon be issuing a request for information to receive input on the details required for reporting. -- Joe DiMarcantonio, PMP


Every Day I’m Bruggling

"Bruggling" is defined as data exfiltration via browser bookmark synchronization (browsers plus smuggling equals bruggling). Researcher David Prefer found that with a bit of PowerShell scripting, he could encode large amounts of information and save the information as URL bookmarks in various Chromium-based browsers, including Chrome, Edge, Opera, and Brave. These bookmarks could be saved in subfolders not readily evident to end-users, should a user’s syncing account be hijacked. Once synced, the data is available anywhere and the PowerShell script can run in reverse to decode the information.

Our Take: The good news is that secure and isolated browsing is emerging as a security tool for organizations. These can be locked down – sync can be disabled with Group Policy, for example – but hardening alone doesn’t prevent an attacker from running another browser instance for the data exfiltration. Application allowlisting has to enter the scene to prevent that from happening. Scanning for syncing URL traffic from unauthorized browsers and then blocking it can also help deal with the issue. Browser developers have their own “to do” list, but those on the end-user side have the above to help us out. -- Dean Webb

EDITOR'S NOTE: The investment arm of our business, Merlin Ventures, recently participated in a $100M Series A funding round for Talon (by Palo Alto Networks). Our newest portfolio company, Talon provides a browser with enterprise-grade security and has built-in protections against bruggling.
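The detection side of this item, as an added example that is not code from the researcher, any browser vendor or Talon: a scanner that walks a Chromium-style Bookmarks file and flags entries whose URL is both unusually long and high-entropy, which is the shape smuggled, encoded data takes when parked in a bookmark folder. The JSON layout (a "roots" object of folder nodes with "children", URL nodes carrying "url") is what Chromium browsers write; the length and entropy thresholds and the sample bookmark tree are assumptions constructed for the example.

```python
"""Scan a Chromium "Bookmarks" JSON file for entries that look like smuggled data.

Added example, not code from the researcher or any browser vendor. Chromium
browsers keep bookmarks as a JSON tree under "roots" (on Windows, Chrome's
copy is typically at %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Bookmarks);
each node is a "folder" with "children" or a "url" entry. The thresholds
below are assumptions picked for illustration, not vendor-published values.
"""
import base64
import math
import random
from collections import Counter
from urllib.parse import urlsplit

LONG_URL_CHARS = 512       # assumed: ordinary bookmarks are far shorter than this
HIGH_ENTROPY_BITS = 4.5    # assumed: base64 blobs sit near 6 bits/char, hex near 4


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def iter_bookmarks(node: dict, path: tuple = ()):
    """Depth-first walk yielding (folder_path, url_node) for every URL entry."""
    if node.get("type") == "url":
        yield path, node
    for child in node.get("children", []):
        yield from iter_bookmarks(child, path + (node.get("name", ""),))


def suspicious_bookmarks(bookmarks_json: dict) -> list:
    """Return findings for bookmarks whose URL payload is both long and high-entropy.

    Length alone is not enough (deep links and map URLs are long but repetitive),
    so both conditions must hold; the folder path is reported so an analyst can
    see where in the tree the entries were parked."""
    findings = []
    for root in bookmarks_json.get("roots", {}).values():
        for folder_path, bm in iter_bookmarks(root):
            url = bm.get("url", "")
            parts = urlsplit(url)
            payload = parts.path + parts.query + parts.fragment
            ent = shannon_entropy(payload)
            if len(url) >= LONG_URL_CHARS and ent >= HIGH_ENTROPY_BITS:
                findings.append({
                    "folder": "/".join(p for p in folder_path if p),
                    "name": bm.get("name", ""),
                    "length": len(url),
                    "entropy": round(ent, 2),
                })
    return findings


def constructed_sample() -> dict:
    """Constructed Bookmarks tree: one ordinary entry, one long-but-repetitive
    deep link, and a folder holding random bytes base64-encoded into URLs."""
    rng = random.Random(7)  # deterministic so the run is repeatable
    blob = base64.urlsafe_b64encode(bytes(rng.randrange(256) for _ in range(1500))).decode()
    chunks = [blob[i:i + 600] for i in range(0, len(blob), 600)]  # 600,600,600,200 chars
    return {"roots": {
        "bookmark_bar": {"name": "Bookmarks bar", "type": "folder", "children": [
            {"name": "Docs", "type": "url", "url": "https://www.example.com/docs/getting-started"},
            {"name": "Deep link", "type": "url", "url": "https://www.example.com/" + "a/b/" * 200},
        ]},
        "other": {"name": "Other bookmarks", "type": "folder", "children": [
            {"name": "Sync test", "type": "folder", "children": [
                {"name": f"chunk{i}", "type": "url", "url": "https://example.net/" + c}
                for i, c in enumerate(chunks)
            ]},
        ]},
    }}


if __name__ == "__main__":
    for finding in suspicious_bookmarks(constructed_sample()):
        print(finding)
```

Run against a real profile by loading the Bookmarks file with `json.load` and passing the result to `suspicious_bookmarks`; the three 620-character chunks in the constructed tree are reported, while the 800-character repetitive deep link (entropy about 1.5 bits/char) and the 200-character tail chunk are not, which is the point of requiring both conditions.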

Canary Tokens: Deception in Cyberdefense

The concept is simple: have a credential or API key that an attacker could discover and then, as is routine for an attacker, attempt to use. The usage of the credential or API key is set to trigger a high-confidence alarm that an attacker is actively attempting to harvest and utilize credentials. That such deceptive credentials are emerging in defenses is causing cyber attackers to slow down how they progress in attacks and exercise greater caution with lateral movement.

Our Take: This is a great development in cybersecurity, with a number of big companies backing the effort. They can be easy to deploy and beg the question of how much more can cybersecurity benefit from other deceptive measures? Anything that slows down an attacker is a good thing and worthy of implementation. Bear in mind, attackers are already being deceptive, so there’s no reason to be nice to them. -- Dean Webb
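The mechanism described above, as an added example that is not the code of any canary-token product: decoy key IDs are planted where an intruder would look (a config file, a wiki page, a .env) and are checked before ordinary authentication, so any attempt to use one, with any secret, raises a high-confidence alert while legitimate keys behave normally. The class and function names, the key values and the in-memory stores are assumptions made for the example.

```python
"""Canary (decoy) credential check in front of an API-key authenticator.

Added example, not code from any canary-token project. A decoy key ID is
never valid, so the mere attempt to use it is the signal; the secret that
accompanies it does not matter. All names and values here are assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Alert:
    key_id: str
    source: str
    detail: str
    severity: str = "high"
    seen_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class Authenticator:
    def __init__(self, real_keys: dict, decoy_key_ids: list):
        # Both real secrets and decoy IDs are stored hashed, so a dump of this
        # object neither leaks secrets nor reveals which IDs are tripwires.
        self._real = {kid: _digest(sec) for kid, sec in real_keys.items()}
        self._decoys = {_digest(kid) for kid in decoy_key_ids}
        self.alerts: list = []

    def authenticate(self, key_id: str, secret: str, source: str) -> bool:
        # 1. Decoy check first: the attempt itself is the high-confidence alarm.
        if _digest(key_id) in self._decoys:
            self.alerts.append(Alert(key_id, source, "canary credential presented"))
            return False
        # 2. Ordinary check in constant time; an unknown ID is compared against a
        #    dummy digest so response timing does not reveal which IDs exist.
        expected = self._real.get(key_id, _digest("no-such-key"))
        matched = hmac.compare_digest(expected, _digest(secret))
        return matched and key_id in self._real


def decoy_env_lines(decoy_key_ids: list) -> list:
    """Render decoys as .env-style lines to drop where a snooping intruder would
    find them; the paired secret is random filler and is never accepted anywhere."""
    return [f"API_KEY_ID={kid}\nAPI_KEY_SECRET={secrets.token_urlsafe(24)}"
            for kid in decoy_key_ids]


def demo():
    """Constructed scenario: one real service key and one planted decoy."""
    auth = Authenticator(real_keys={"svc-billing": "correct-horse-battery"},
                         decoy_key_ids=["svc-backup-2019"])
    results = [
        auth.authenticate("svc-billing", "correct-horse-battery", "10.0.0.5"),  # valid
        auth.authenticate("svc-billing", "wrong-secret", "10.0.0.5"),           # bad secret, no alert
        auth.authenticate("svc-backup-2019", "anything", "203.0.113.9"),        # decoy: alert
    ]
    return results, auth.alerts


if __name__ == "__main__":
    outcome, alerts = demo()
    print("auth results:", outcome)
    for a in alerts:
        print(f"[{a.severity}] {a.key_id} used from {a.source} at {a.seen_at}: {a.detail}")
    print("\n".join(decoy_env_lines(["svc-backup-2019"])))
```

The ordering matters: the decoy lookup runs before any password or key comparison, so a planted ID is detected even when the attacker guesses wildly at the secret, and a mistyped secret on a real key produces an ordinary failure rather than noise in the canary alert stream.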

Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!
