Cybersecurity is always a balancing act. Good security personnel find ways to implement security controls that enable business users and the business. Good security leaders make decisions based on quality risk management techniques, ensuring that costs are managed. What happens when we identify a risk that cannot be appropriately mitigated?
With COVID-19, our world has changed, and we have been forced to make decisions. I have heard from security professionals who say that they are ready to quit their jobs because COVID-19 has opened up a world of insecurity and that “the execs don’t care”. I submit to you that the executive teams DO care; these professionals simply have not presented the information in a manner that allows for an appropriate decision.
This article is not designed to have people migrate from any specific device or to create a stir in the Android community; it is about finding ways to balance risk. The Android platform is a great example.
Before I get into the risk management part, let’s use an example that you are likely facing:
Some years back, we (the company I worked for and myself) implemented a Mobile Device Management (MDM) solution. We then allowed select users (a small test group) to connect their (company-owned) devices to segregated parts of the network. My SIEM quickly lit up, telling me that many (almost all) of the Android devices were compromised and communicating with nefarious servers. I also began to receive complaints from end users that ranged from data being overwritten to their phones not ringing after the MDM encrypted the company data on the phones. Needless to say, we began to investigate and identify problems. We had to conduct a large amount of research and ultimately concluded that we could not use the MDM solution if our users could not receive great service. We also could not allow these devices to connect to our network, as the data we were accountable for would be placed at risk.
We discovered that applications (apps) were being downloaded from the app store that were riddled with malware. We also found that the devices were almost all different, with different parts, different versions of Android, and a variety of problems. Here is an example story about hacked apps: https://www.forbes.com/sites/kateoflahertyuk/2019/10/30/new-google-android-threat-malicious-app-installed-by-40-million-play-store-users/#759b0b50511e
This morning, I read a Wired article about Qualcomm releasing a fix that will affect around 90% of US users’ Android devices. The article presents the idea that “A BILLION OR more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.” The article can be found here: https://www.wired.com/story/over-a-billion-android-devices-are-at-risk-of-data-theft/
In this situation, we have some choices that MUST be made:
- We can ignore the issue, citing the fact that users have to be able to perform their jobs.
- We can ban the devices.
- We can add compensating controls (which must be tested and validated).
- We can limit the user experience and lock the devices down.
- We can elevate our concerns to management and ask for guidance.
What is the correct answer? Often, we make assumptions about what other people think that turn out to be wrong. Those cybersecurity people who are ready to quit can breathe a sigh of relief; so can your executives!
As we deal with this situation, or any other situation, it is critical that we follow basic risk management techniques because the answer is going to depend upon the company, culture, type of data, and a variety of other factors.
As security professionals, we have an obligation to ensure that the company is successful and that the business is enabled through the use of cybersecurity. With COVID-19, this becomes a widespread concern. I hear this from customers and other decision makers daily. They ask me how they should build secure home environments now that their users are working from home. My answer is ALWAYS, “Consult your risk assessment!” If your risk assessment does not help you with an answer, I would recommend that you conduct a more mature risk assessment.
Proper risk management begins with discussions about the definitions of risk; each company is different. This flows into a process of understanding the risk tolerance of the organization. We then look at the business and determine the risks (this is a lengthy process that should be pages, not lines). We identify the likelihood and criticality of the risk being realized (I like to score the areas of Compliance Risk, Confidentiality Risk, Integrity Risk, Availability Risk, AND Company Image Risk). We then calculate the effectiveness of the controls we have in place that mitigate the risk to determine the residual risk.
Here is where it gets fun. We now must put together a comprehensive plan to address the risks. This should include multiple options for treating the risk, including the acceptance of risk. As security professionals, we are accountable for treating the risks we identify when they are within our ability to treat them. When they fall outside of our reach, we escalate them to management; not with a story of how we will be hacked, but with a discussion about the true concerns surrounding the risk. We then allow them to make an informed decision. We document their decision and move on, readdressing the risk when changes occur or at agreed-upon intervals. This is a cyclical process that must be done any time something changes, and at least annually.
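The scoring and treatment process described in the two paragraphs above can be written down as a small risk register, which is what makes the "document their decision and move on" step auditable. The following Python is an added example, not code from the article or its author: the 1–5 likelihood and impact scales, the choice of the worst-scoring area as the inherent score, the residual formula (inherent × (1 − control effectiveness)), the tolerance threshold of 6, and every score in the sample register are assumptions constructed for illustration. Only the five scored areas and the accept / mitigate / escalate outcomes come from the text.

```python
from dataclasses import dataclass
from typing import Dict, List

# The five risk areas the article scores (1-5 impact scale for each is an assumption).
CATEGORIES = ("compliance", "confidentiality", "integrity", "availability", "image")


@dataclass
class Risk:
    name: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: Dict[str, int]          # category -> 1 (negligible) .. 5 (severe)
    control_effectiveness: float    # 0.0 .. 1.0, share of inherent risk the tested controls remove
    within_security_reach: bool     # True if the security team can treat it without management

    def __post_init__(self) -> None:
        # Reject malformed scores early so a typo never produces a quietly wrong decision.
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood must be 1..5")
        missing = set(CATEGORIES) - set(self.impact)
        if missing:
            raise ValueError(f"{self.name}: missing impact for {sorted(missing)}")
        if any(not 1 <= v <= 5 for v in self.impact.values()):
            raise ValueError(f"{self.name}: impact scores must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control_effectiveness must be 0..1")


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact, taking the worst-scoring area (assumed convention)."""
    return risk.likelihood * max(risk.impact[c] for c in CATEGORIES)


def residual_score(risk: Risk) -> float:
    """Inherent risk reduced by the measured effectiveness of the controls in place."""
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 2)


def treatment(risk: Risk, tolerance: float) -> str:
    """Map residual risk onto the article's outcomes: accept, mitigate, or escalate."""
    if residual_score(risk) <= tolerance:
        return "accept"
    if risk.within_security_reach:
        return "mitigate"
    return "escalate"


def build_register(risks: List[Risk], tolerance: float) -> List[Dict[str, object]]:
    """Produce the documented record that management's decision is recorded against."""
    return [
        {
            "risk": r.name,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "decision": treatment(r, tolerance),
        }
        for r in risks
    ]


# Constructed sample register; every score here is illustrative, not a measured value.
SAMPLE_RISKS = [
    Risk("Company Android phones with unpatched chipset flaws on the segregated network",
         likelihood=4,
         impact={"compliance": 4, "confidentiality": 5, "integrity": 3, "availability": 3, "image": 4},
         control_effectiveness=0.5,     # MDM plus network segmentation, tested
         within_security_reach=False),  # replacing the fleet is a business decision
    Risk("Malware-laden apps installed from the app store on test-group devices",
         likelihood=3,
         impact={"compliance": 3, "confidentiality": 4, "integrity": 4, "availability": 2, "image": 3},
         control_effectiveness=0.75,    # app allow-listing enforced by the MDM, validated
         within_security_reach=True),
    Risk("Remote workers' home networks lacking basic segmentation",
         likelihood=2,
         impact={"compliance": 3, "confidentiality": 5, "integrity": 3, "availability": 2, "image": 3},
         control_effectiveness=0.2,     # guidance issued but not yet verified
         within_security_reach=True),
]
TOLERANCE = 6.0  # assumed organisational threshold on the residual score


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, TOLERANCE):
        print(f"{row['decision']:9} inherent={row['inherent']:>3} "
              f"residual={row['residual']:>5}  {row['risk']}")
```

With these constructed inputs the register produces one of each outcome: the chipset-flaw risk stays above tolerance after the tested controls and is outside the security team's reach, so it is escalated for an informed management decision; the app-store risk drops below tolerance once a validated allow-list is counted, so it is accepted and documented; the home-network risk stays above tolerance but is within reach, so it is mitigated. Re-running the register with new scores is the "readdress when changes occur" step.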
When this process is followed, your risk assessment will guide you. Security practitioners will be relieved to know that they are not accountable for risk outside their control, and executives will know that the security program is not just a money pit; it is a tool for the successful enablement of the business.