In part two of this four-part webcast on enterprise cybersecurity, Georgia Weidman, founder and CTO of Shevirah, Inc. and Bulb Security LLC, details the assumptions surrounding the modern corporate network paradigm and explains what the reality actually is. Weidman also delineates the threats in the hyperconnected world and how employees are bringing increased security risks to the workplace.
Editor's note: The following is a transcript of the second of four excerpts of Weidman's webcast presentation on how enterprise cybersecurity is being influenced by mobile, IoT and nontraditional endpoints. It has been edited for clarity and length.
Georgia Weidman: There is the assumption that employees work from their offices, but pretty much in any industry, you've got people working from home now. And there is the assumption of IT services being internal, but that's outsourced in a lot of places, too. Security as a service is a thing now.
Then there is the assumption that customers, partners, suppliers are not in the corporate network. That's the number one way that people are getting in, aside from social engineering. As a pen tester, if you find that you have a really hard target but any of the partners or suppliers are within scope, that's generally a really good way to enter the system because there is a certain trust relationship. As an individual, you're much more likely to trust an email from someone with the same domain as yours, and corporations are the same way with trust relationships.
I do a lot of subcontracting, and with some organizations, in order for me to get to work there as a pen tester, I have to jump through hoops. I have to have a security posture of my very own. And then there are some organizations that just say, "Okay, you're a subcontractor now. Good luck." So, some organizations have the policies in place to deal with security issues and some don't.
I'm here to talk about what we're actually seeing in our corporate network. Today, you have people working at coffee shops and you have people traveling for work. These are places where, chances are, even the infrastructure itself may attack you. But your employees have to travel because they have work that they must do and they must bring their devices along. But when they come back, the devices re-enter the workplace potentially compromised.
Take smart cars, for instance: They can tell drivers if they are veering off their lanes. But with each of the conveniences that we get, be it with our smartphones, be it with our smart cars, there are security vulnerabilities. But it depends on the individuals whether they are willing to accept the risks or they are oblivious to the risks.
Smart cars are susceptible to security hacks, and car hackers have a lot of media attention these days. Corporations are part of this risk, too, because if an employee's phone is hooked up to a smart car and it reads their work emails to them and, for instance, if there is a threat actor in the car radio, then they have access to the corporate data on the phone.
There is also the assumption that if we put big boxes with blinky lights at our corporate network perimeter that detect intrusion, then everything's going to be okay. But we've got all these other third-party sites that we're hooked up to like Dropbox, Salesforce.com and Evernote. Even Microsoft Office immediately syncs to the cloud now. You Google something and the next thing you know, Facebook is showing you ads about it. But that's the world we live in.
Today, it's hard to tell where the enterprise ends and where the individual ends. You literally have people's entire lives being part of the enterprise and that comes with additional risks. They've got corporate data on their phones; they've got corporate data on their laptops. If you do a network traffic capture with basic pen-testing tools like Wireshark or tcpdump, you will see your computer calling out to various cloud services like Skype, Dropbox, Google Drive with, potentially, your data.