During a recent SearchCompliance webcast, Georgia Weidman, founder and CTO of Shevirah, Inc. and Bulb Security LLC, discussed how modern mobile technology is creating cybersecurity gaps for enterprises. Here in part three of this four-part webcast, Weidman discusses how changing mobile endpoints should make organizations reconsider their data protection strategies such as cybersecurity awareness training.
Editor's note: The following is a transcript of the third of four excerpts of Weidman's webcast presentation about how enterprise cybersecurity is being influenced by mobile, IoT and non-traditional endpoints. It has been edited for clarity and length.
Georgia Weidman: Employees are typically selecting their own devices, and organizations are just dealing with it. There's a varying degree of how much we're dealing with that being a risk. I've worked at, or worked with, places where, basically, there was the Wi-Fi password in the breakroom and whatever you wanted to put on the network was what you were going to put on the network. We're seeing less and less of that, but, unfortunately, in my experience, not always.
We've got employees using whatever devices they want. In IT, you're not going to be able to keep up with everything that's in the network. Did you ever think when you signed on to be in the IT Department that you were going to be in charge of seeing whether somebody's home television was a security risk? But that's what you need to be doing, right? Somebody just got the TV, it hooks up to the phone via Bluetooth -- if either one of those is compromised and then it comes to work or logs into work, then you've got a problem.
As I said in the beginning, the perimeters don't exist anymore; it's all about these devices. But with all these networks running around that you don't control and all these devices running around that you don't control, how can you possibly expect something like PCI compliance to solve all your problems? The main problem with compliance is that it's so limited. There's a specific set of checks that you do, and if you pass those checks and nothing more than those checks, you are compliant. It gets a lot of flak for that reason, I guess, but having a set of checks to get you started with something like PCI or HIPAA is, certainly, a step in the right direction. But when was the last time you saw anything about near-field communication, or Bluetooth, or anything like that in your compliance?
Everybody tries to shut me down at this point and say, "But Georgia, this mobile thing has been going on for a really, really long time, right? You've been up there on these stages talking about how this mobile apocalypse is coming for several years now, and it never seems to come. How is it that you can still continue to say that mobile is such a risk?"
At which point, I like to say, "Well, how many intrusion detection systems are checking for things around mobile devices? Are you able, with your current infrastructure right now, to say what data someone has in their corporate email and that it is not being sent out via the cell carrier?" Of course not. There's no technology being sold on the market that can do that. With things like this, the controls just aren't there yet, so really the only thing we can do is test.
Endpoint security awareness
I do a fair number of phishing engagements, and I really do see the places that have the secure culture -- they think about the security stuff, they talk about it. They know that these are threats. Social engineering still definitely works, but then you start bringing in these mobile devices. You start bringing in all these other devices, and they don't really fit the picture of our cybersecurity awareness training. One of the things I'm trying to fix is getting security awareness training to where it does cover these kinds of new endpoints.
I think that people have shown that the cybersecurity awareness training does, to an extent, work. Now, we need to bring security awareness training up to speed in order to get to the rest of these endpoints. This brings us back to compliance, because I've never seen any compliance that does anything around requirements for things like security awareness training and phishing.
Think about your internal network -- it's probably a rich place to hang out as an attacker. We don't have a perimeter anymore, so using the mobile device that's been compromised to attack other devices goes a lot of places, it sees a lot of things. It's a really good place to hang out if you're an attacker and, again, it allows you to bypass all those perimeter controls. If I attack another machine in the network, it's caught at the perimeter, by the firewall, by intrusion detection -- all that catches it and cuts it off. Your data loss prevention gets rid of it.
Well, if I'm using the phone, then I can send it out, again, through that cell tower and your perimeter never saw it. There was no way it could see it because it's, again, sitting at the perimeter. And I'm not on the Wi-Fi, I'm on the cellular network so you didn't see that data leave, you never knew it left.
Some of the larger enterprises are using things like enterprise mobility management, which still has a long way to go, as well. A lot of people also want to only allow "corporate-owned devices only that only do corporate things," and we don't see that working very well. People don't like that and just end up breaking the policy and using their own things anyway.
So what should you do? The only way, really, to do this around these new devices is, one, we've got to figure out what our risks are through testing. How well do the security controls you have in place protect you, and what do we need to do to fill in that gap?
If we're going to stay able to do business, we are going to have to have every device that comes into the network be subject to security testing. That's just how it's going to be. Again, we're going to figure out what our current risk is, figure out how well our mobility program is working, see how far a malicious actor could get using a mobile device. We have the problem that when we do security testing, particularly around compliance, we limit it so much. We say, "This is what compliance requires, so this is what we're going to test." And the malicious actors are not following the compliance script.
What's weird about mobile is that it's really not static, so you're going to have to keep changing this and updating these policies for new devices that come out and new ways of communicating. Near-field communication, and Bluetooth, and all these things weren't necessarily things we had to think about in the enterprise not so many years ago.
I think we're still kind of in the Dark Ages about what corporate security is and what kind of testing we need to do to be compliant. I get that if you check the box, you're compliant, but I really think we need to take this a lot farther in order to actually provide security.