Should CIOs take employees offline to improve security?

"Welcome to your first day at Insecure IT Solutions. Here's your new office. It has three doors and five windows with no locks on any of them. We keep all the sensitive business information in this open filing cabinet in the middle of the room.

"If you want to send a message to anyone in the building, just write it on a postcard, fold it into a paper aeroplane and throw it out of a window: it'll get there eventually. Don't worry about all the strange pipes leading off into the walls and ceiling. We've no idea what they're for but it's probably fine.

"Oh, and you might find random strangers loitering around or sneaking in and looking at your work from time to time. As long as they do it quietly we ignore them. Any questions?"

"Erm... what?"


Years of costly vulnerabilities and high-profile attacks have taught wary IT directors and managers to block all ports and services that aren't routinely used for business communications. Doing things any other way smacks of naivety and a false sense of security, or someone whose plate-spinning skills would better suit a career in the circus.

In enterprises where security is taken seriously – which is most of them, since those that don't are likely to be rapidly hacked into commercial oblivion – the precautionary principle holds sway. New staff may be set up with email, web, local file-sharing and messaging services, with all other ports and services locked or disabled.

But even those permitted services within the first 1024 ports range are potential malware transmission vectors. WannaCry spread through SMB – a service for file-sharing and printer access – while 'web access' covers a multitude of services such as DNS and DHCP as well as HTTP(S), maybe FTP and NTP, and so on. Email is a major vector for spear-phishing. Malicious code lurking in web pages is almost impossible to completely mitigate against, even with carefully locked-down browsers.

Still, the WannaCry experience was a wake-up call, right? At least now everything will be tightly locked-down, won't it? Actually, no it won't. According to recent research, there are still millions of devices with the same vulnerable ports open to the world. That's not due to laziness but the sheer difficulty of ensuring that services work while keeping the ports they use secure.

What's today's stressed IT manager to do? Continue to block, patch and hope? That approach is getting harder to justify, given the rate at which new vulnerabilities appear. The problem is compounded by the fact that there are almost certainly existing vulnerabilities that we – excluding certain national security services – don't know about.

Does it still make sense for all of an enterprise to be online? The answer boils down to a cost-benefit analysis:

  • What's the benefit of everyone being connected to the outside world?
  • What's the potential cost in terms of hacking, loss of commercial secrets and downtime?

Until recently the benefit outweighed the cost, but now it's not so clear-cut, because some of the costs are hard to determine. For example, while researching an article on security a couple of years ago I spoke to the head of an APAC security firm who told me an enlightening anecdote.

He'd spoken to manufacturing firms who were amazed at how quickly Far East clones of their products were appearing on the market. "It takes just a few weeks for them to reverse-engineer what we sell and copy it!" they exclaimed. He pointed out that this wasn't true. In fact, the cloners had simply hacked into the firms' systems months earlier and stolen their designs, leaving no trace of their presence.

Maybe we're reaching a point where we have to admit that the security war isn't going to be won – ever. Maybe it makes more sense to simply leave the battlefield. Extending the precautionary principle further, it may be time to disconnect most internal systems from the outside world altogether. If this sounds restrictive and difficult, it probably is. But perhaps not when compared to losing swathes of company-wide productivity to hacking, phishing and ransomware attacks.

Too hard? If the Singapore government can manage it – a decision that now looks prescient – so too could other organisations. In fact Singapore's not alone. Certain government departments already use closed systems, as do banks and other financial institutions. Specific devices may be connected to the outside world, but those devices are fully air-gapped from internal networks.

For some organisations, of course, connectivity is fundamental to business growth. There's really no alternative to everyone being connected all the time. But in many other places of work, the assumption that every employee needs internet access should now be carefully questioned.

Only policy advice and board-level guidance will bring about a reduction in security risks. No matter what hardware and software is in use, it will never be entirely free from vulnerabilities. Changing policies from the top down to prevent unnecessary connections to the outside world could at least reduce the impact of those vulnerabilities.

The alternative is to keep on blocking, patching and hoping, in which case good luck keeping those plates spinning.

Alex Cruickshank

Freelance technology journalist Alex Cruickshank grew up in England and emigrated to New Zealand several years ago, where he runs his own writing business.

Comments


JOHN KNOWLES on August 29 2017

One way to approach the going-offline strategy is to reduce the risk in the key vectors for the most risky parts of a business: restrict inbound email; whitelist Internet access; run browsers and other vulnerable software under lowest privilege; segregate networks so those that really need more open access don't put others at risk. A risk with all-or-nothing strategies is that they are put in the too-hard basket and nothing happens.
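As an added illustration (not code from the article or from any of the commenters), the following Python check applies the allowlist-and-segregation policy sketched in the article's description of how new staff are set up (email and web permitted, everything else locked) and in the comment above: given firewall allow rules as (source CIDR, destination CIDR, TCP port) tuples, it reports rules that expose a service inbound from the Internet, let a non-allowlisted service out, link two internal segments, or straddle segment boundaries, with SMB (the WannaCry vector) treated like any other port. The segment addresses, port sets and sample rules are constructed assumptions.

```python
from ipaddress import ip_network
# Well-known ports of the services the article names (all inside the first 1024).
SERVICES = {25: "smtp", 53: "dns", 80: "http", 443: "https", 445: "smb", 587: "submission"}
# Constructed layout (assumed addressing): two internal segments; 0.0.0.0/0 is the outside world.
SEGMENTS = {"office": ip_network("10.0.1.0/24"), "engineering": ip_network("10.0.2.0/24")}
ANYWHERE = ip_network("0.0.0.0/0")
# Precautionary allowlist: email and web may leave the building, local web and
# file-sharing (SMB) stay inside one segment, everything else is implicitly denied.
EGRESS_ALLOWED = {25, 53, 80, 443, 587}
LOCAL_ALLOWED = {80, 443, 445}

def zone(cidr):
    """Map a CIDR to a segment name, 'internet', or 'mixed' if it straddles segments."""
    net = ip_network(cidr)
    if net == ANYWHERE:
        return "internet"
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return "mixed" if any(net.overlaps(s) for s in SEGMENTS.values()) else "internet"

def audit(rules):
    """One finding per (src_cidr, dst_cidr, port) allow rule that exceeds the allowlist;
    under default-deny only allow rules can widen exposure, so those are all we check."""
    findings = []
    for src_cidr, dst_cidr, port in rules:
        src, dst = zone(src_cidr), zone(dst_cidr)
        name = SERVICES.get(port, f"port {port}")
        if "mixed" in (src, dst):
            findings.append(f"{name}: {src_cidr} -> {dst_cidr} straddles segments, split the rule")
        elif src == "internet":
            findings.append(f"{name}: reachable from the Internet into {dst}")
        elif dst == "internet" and port not in EGRESS_ALLOWED:
            findings.append(f"{name}: outbound from {src} is not on the egress allowlist")
        elif dst != "internet" and src != dst:
            findings.append(f"{name}: links segments {src} and {dst}, which should stay separate")
        elif src == dst and port not in LOCAL_ALLOWED:
            findings.append(f"{name}: not a permitted local service inside {src}")
    return findings

# Constructed ruleset: the first two rules are within policy, the rest are not.
SAMPLE_RULES = [
    ("10.0.1.0/24", "0.0.0.0/0", 443),    # web egress
    ("10.0.1.0/24", "10.0.1.0/24", 445),  # file-sharing inside one segment
    ("10.0.1.0/24", "10.0.2.0/24", 445),  # SMB bridging two segments (lateral spread)
    ("0.0.0.0/0", "10.0.2.0/24", 445),    # SMB open to the world
    ("10.0.1.0/24", "0.0.0.0/0", 3389),   # not on the egress allowlist
    ("10.0.0.0/8", "0.0.0.0/0", 80),      # source straddles both segments
]
```

Running `audit(SAMPLE_RULES)` yields four findings, one for each of the last four rules; an empty list means every allow rule sits inside the policy.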


Alex Cruickshank on August 30 2017

There's certainly a difficulty barrier to this type of strategy. Network segregation can be an effective option as long as it's done properly, which means no link whatsoever between networks. That in itself can be hard to achieve, though. It's easy to overlook something.


Philip Quarrier on September 04 2017

Total isolation of the workplace would cut off necessary communication with vendors, customers, employees' families and legitimate personal needs. It's still going to be a combination of balancing restriction and filtering against the company's need to communicate. Secure installations have dealt with the problems and solutions for many years.


Pete Jones on September 06 2017

This is a nice discussion; however, I don't feel it is realistic to think you can take employees offline in this day and age. Having worked on secure infrastructure projects in the past, I have seen people go to quite some lengths to do what they think they need to do. Underlying any technology solution there needs to be some significant people effort in order to make it work. Pete


Alex Cruickshank on September 06 2017

It wouldn't work for all organisations, but it can (and does - see Singapore) work for some. Separate, air-gapped, stand-alone machines for outside communication are used in some cases. Having worked in secure installations in the past, they certainly do block all communication with family, personal comms, etc., right down to locking all mobile phones in metal boxes on arrival at work. They know the risks and don't take any chances.
