Catchy title huh? But what do I mean by that. Hackers take advantage of this kind of chaos, are you ready?
You know when your grandma told you to save your pennies for a rainy day, well the rain is here…a lot of it. In case you hadn’t noticed, a large portion of the civilised world is in the deepest recession in 60 years. This kind of mass economic meltdown is serious business for anyone in the IT Industry. Especially if you are responsible for security. There are three big and common issues that will sneak up on you during times like this.
Here is why this is such an issue right now. First, one of the things that happens a lot in these kinds of situations is that companies vanish, especially small to medium ones. They are either shut down over night, or they are subsumed by a larger company that was smart enough to save money for a rainy day.
In the fist instance, those companies have lots of proprietary data that has to go somewhere. So let’s give them the benefit of the doubt and say that they didn’t owe anyone anything so they aren’t being liquidated. What happens to the drives their data is on? The most commons ones I’ve seen are:
So what if they are lower on the capability maturity model scale and don’t have well established IT policies regarding data destruction? What happens to your data that was stored on those drives? I have seen countless accounts of people buying laptops off of eBay, or at liquidation auctions. When the buyer got them home, they booted up their shiny new toy and it was just like the last guy left it complete with corporate data.
Do you think the buyer is going to report that to authorities so that all the affected people can be notified? NO. his new toy would get confiscated.
Maybe you should start protecting that sensitive data now…just in case. Use Bitlocker. It’s easy, fairly painless and fixes this problem. Maybe you shouldn’t carry around so much old email and old client data on your laptop. If you don’t need it for your current work, keep it on your share at the office. If you really don't’ need it, delete it!
Maintain good data retention policies, and keep that stuff from falling into the wrong hands because you didn’t have time to wipe the drive before the company folded. Sad thought, but very realistic given the current situation.
Poor Merging of Access Control Systems
So what about the other case? The case where instead of just closing, a company is purchased by a larger one? This situation faces a different set of problems.
When you merge two companies, well when one eats the other, you have to combine networks, user authentication systems, and line of business systems. All of these things have to be mashed together to get to one stable system that everyone uses. This can be pure chaos.
Think of all the little things that complicate this as well. Not everyone gets to keep their jobs during these things. So who is responsible for restricting the accounts of people that didn’t make the move? The old company, the new company? During all the chaos of merging, did anyone remember to not include their accounts in the import? Did their data shares get deleted, imported, or abandoned?
How about all of the various CRM systems? Which customer base do we start with? Can we do a smooth import, if we can do one at all? Did we get all of the customers and if we did, are we sure we didn’t overwrite good current information with outdated information?
This kind of chaotic environment provides a ripe hunting ground for hackers. They know that authentication and authorisation systems are being merged and will likely be fairly loose with lots of spare Admin rights floating around until things settle down.
The know that line of business applications are being merged, loaded, deployed, dropped and security reviews are the last thing on the IT Departments mind when everyone is struggling to maintain a plausible bottom line.
What normally happens is that the LOB applications from the child company get dropped onto existing hardware from the new parent company. This causes things to break so configuration on the box is changed until the thing starts working. ‘Just until we sort it out’ of course.
This weakens the security of the existing applications as well as the new temporary squatter applications. So here we open another hole for bad guys to start poking things into.
Then there is my favourite bad issue. The Malicious Insider. I’m sure by now we all know someone who got laid off. I would imagine we all also know someone who probably wasn’t happy about it. What kind of damage do you think they can do before they make it out the door? How many employees had too many privileges? Like the ones that never got revoked after they took on a new position, or when they were given Admin rights for the duration of a long dead project so they could get things done…that were never revoked?
Hey, I know for a fact that the badge I had as a contractor for a place I worked at about 5 years ago, still works and I can still get into the buildings with the door pass. And it’s not a trivial organisation either.
With all of the chaos in these times, the criminal, and malicious elements will flourish. They will take advantage of chaotic merged authentication / authorisation environments. They may even be able to do it with a laptop they picked up on eBay that still had the VPN intact. Or perhaps they used to work for the company and after a layoff they want revenge.
All of the line of business applications that got squashed onto existing hardware are fighting for resources, and have recently changed host configurations. They are ripe for the picking.
In times like these, when you think that you can least afford to think about security, with all the other crap hitting the fan, is the time when you need to think about it the most. Sun Tzu instructed us to take advantage of chaos in your enemy’s camp, and you can bet the bad guys are doing just that. Don’t get caught out because you were distracted. Keep someone on watch in the security space!
IT Departments are flooded with work trying to keep things going while they are loosing staff left and right to budget cuts. They are busy, life is chaotic, and they have too much to do for any of it to be done well. Not to mention the pressure of looking for a new job in case this one vanishes on them.
For the management out there, don't be too hasty to cut back on IT by dropping contractors and staff from your IT budget. If you must, make sure they have a proper hand-over of everything they know or you may find yourself in an untenable situation.
For those of you protecting LOB applications, keep your defences up. If new apps come in that require too many config changes, raise the alarm. Make sure you aren’t leaving yourself wide open because you had to do a bunch of rush deployments. If you do, keep track of all the things you have to go back and shore up in big red letters on the calendar.
Make sure that all of the corporate and legal data handling policies are adhered to. Don’t get sloppy when trying to auction equipment or give stuff to those loyal employees. Remember that the law won’t care if you were having a bad day.
Make sure that when the unenviable situation occurs where people are escorted to the door that their accounts are properly restricted and their badges, VPN, and other access is cancelled. Don’t create an enemy with the keys to your network.
If we all pay attention, we can get through this without too many headlines.