International alert! When the cyber-enemy breaks in through the closet ...

(by Orazio Danilo Russo)
10/06/21

Since the 1970s, social and technological change has progressively altered the paradigm of work, which was traditionally carried out within physical spaces controlled by the employer. The recent health crisis accelerated that shift as never before. The containment and management measures forced a sudden recourse to remote working, often through electronic devices outside the control of the employer's technology platform; devices which, as is easy to understand, were not always in line with the recommendations or standards of certification and approval bodies.

The effects on information security and on the operational continuity of networks, IT systems and information services were not long in coming. The coming months will likely bring further evidence of a systemic vulnerability that is entirely new in scale, the product of two concurrent factors whose effects have compounded each other: the sudden misalignment between the IT security perimeter and the physical security perimeter, and the massive use of personal devices to make up, especially in the first phase of the crisis, for the lack of enterprise clients (the smartphones, tablets and computers an employer issues to its staff) needed to enable "smart working".

Yes, because the world of work woke up one morning to a new reality, home confinement, which diverted the flow of work information and the operations of companies, public administrations and the third sector onto the technological segments of domestic life. A mass of traffic that was anything but "leisure" landed on the small family router (the cybernetic front door of the house), on the computer in the children's room, shared with distance-learning lessons, or on the latest smartphone of "far-eastern" manufacture, on which work video conferences now coexist with games of every kind and the most extravagant social-networking interactions.

All of this is compounded by the fact that, for obvious practical and economic reasons, these newborn and improvised network segments rely predominantly, at the physical level, on radio technology (Wi-Fi), which is both less dependable and more exposed than copper or optical fibre, since anyone within range can receive the signal.

In short, faced with gateways, portals, firewalls and remote access servers (the cyber-battleships deployed to protect the networks of barracks, ministries, non-profit organisations and companies), the enemy was given the chance to bypass the defensive front and break through laterally, via the modem hidden in the home closet of the "teleworkers".

The matter is of such importance that the US National Institute of Standards and Technology launched a "call for comments", mobilising the collective intelligence of the sector to adapt its standardised processes and security methods to the changed reality. At home, the topic is under the attention of CSIRT Italia (the cyber special forces of our Republic, so to speak), which among other things has launched a dedicated awareness campaign.

So let us take stock, from a bird's-eye view, of the risk profiles to be monitored.

First of all, the perimeter of analysis consists of three process areas, partially overlapping but conceptually distinct: "telework", that is, the performance of work outside the organisation's physical security perimeter; "remote access", that is, the ability to reach an organisation's non-public IT resources from outside; and "BYOD", short for "Bring Your Own Device", that is, working on smartphones, tablets and computers not controlled by the employer, whether owned by the worker or by contractual third parties (contractors).

The risk under discussion must be framed by four basic assumptions. The first follows from the observation that you cannot protect what you do not physically control. Telework takes place, by definition, outside the employer's physical security perimeter, so the organisation's "clients" are more easily mislaid, stolen or temporarily out of the worker's reach. The consequences are the loss of the data stored on the missing device and attempted fraudulent access to the server infrastructure by abusing the credentials, tokens or cached sessions that the stolen device carries with it.

The second assumption is that, with costly exceptions generally tied to the circulation of strategic information for defence and national security systems, "remote access" travels over networks, radio or wired, made available by third parties (providers) whose security the organisation does not control. From this follows the whole issue of unlawful interception of data traffic for the purpose of theft or information sabotage, the hallmark of Man-in-the-Middle (MITM) tactics.
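The practical countermeasure to this assumption is to stop trusting the network and verify the endpoint cryptographically. The following Python snippet is an added example and not part of the original article: it builds the "verification disabled" TLS client configuration that improvised remote-work tooling often ships with, the hardened equivalent, and a small audit function that reports which settings would let an interceptor on a home router or a rogue hotspot succeed. The function names and the structure are the example's own; it uses only the standard-library `ssl` module.

```python
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The 'make the certificate warning go away' configuration.

    With verification off, any device on the path (a tampered home
    router, a rogue Wi-Fi hotspot) can present its own certificate and
    read or alter the traffic; the client has no way to notice.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate at all
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server against a trusted CA set and refuse old protocols.

    cafile is optional: passing the organisation's own CA bundle instead of
    the system store narrows trust to certificates it actually issued.
    """
    # create_default_context() sets CERT_REQUIRED and check_hostname=True
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let a man-in-the-middle succeed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The audit function is the reusable part: run it against the `SSLContext` objects your own tooling or scripts actually build before they touch a corporate endpoint over a home or public network. A VPN tunnel is the complementary control at the network layer, but it does not excuse the application from verifying who it is talking to.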

The third assumption, which bears a strong conceptual resemblance to the current health crisis, is the danger of contagion by malware through infected devices that have been allowed onto the organisation's internal network. This is the favoured terrain of the Initial Access tactic, in which cyber-pirates aim to plant an executable inside the victim's environment in order to carry out sabotage, damage, theft or clandestine command and control.

The last assumption concerns the internal resources that the organisation decides to expose to access from outside, especially when that access comes from BYOD: the contractor's laptop, the employee's personal smartphone, the consultant's tablet. Here the same caution applies as in handing the house keys to the gardener, lest you find yourself locked out of your own house or burgled in your absence.

A set of additional risk assumptions applies specifically to BYOD. Briefly: there is always a gradient in "thickness" (robustness of the level of security) between the employer's IT environments and personal devices, and this blurring is an advantage for the adversary. Personal smartphones are, by nature, intended for leisure use and are understandably thinner (more fragile, so to speak) than the employer's infrastructure, where security and operational-continuity requirements demand robustness over flexibility. Furthermore, any illicit traffic generated by a BYOD device connected to the employer's network can be attributed to the employer, with obvious legal complications and reputational damage.

Finally, an employer network that admits BYOD connections can become an unwitting battleground between third-party devices. Security is not only about protecting our own assets; it is also about preventing someone from exploiting our assets to launch attacks on others!

To learn more:

https://csrc.nist.gov/publications/detail/sp/800-46/rev-3/draft

https://www.difesaonline.it/evidenza/cyber/2020-un-anno-di-hacking

https://www.difesaonline.it/evidenza/cyber/microsoft-sicurezza-e-privacy-ai-tempi-del-covid

https://www.difesaonline.it/evidenza/cyber/microsoft-limportanza-della-sicurezza-e-della-privacy-al-tempo-del-covid

https://csirt.gov.it/contenuti/lavoro-da-remoto-vademecum-delle-policy-di-sicurezza-per-le-organizzazioni