When we think of cyber security, most of us think first of firewalls, passwords, intrusion prevention and IoT (Internet of Things) devices, and only secondarily of securing cloud assets, compliance and restricting access.
Security awareness training is perhaps an afterthought. Methods and procedures for the appropriate administration of critical infrastructure? Almost never, in the commercial space.
Here’s an example of why both matter and need to be brought closer to the forefront of the Cyber Security Discussion. First, a brief explanation of what a mobile device manager (MDM) is, for those who are unfamiliar:
A mobile device manager (MDM) is a platform used to control corporate mobile devices: which documents, emails and applications they may hold, and which corporate policies are enforced on them. A more complete explanation can be found at https://en.wikipedia.org/wiki/Mobile_device_management.
To make the MDM magic happen, the MDM platform needs granular administrative control of the mobile device: it can install and remove profiles and applications, query the device, lock or erase it, and change its settings. If this sounds like one of the keys to the kingdom, that is because it is, and criminals know it.
Security researchers at Cisco's Talos threat intelligence unit discovered a campaign, believed to have been in operation since August 2015, that used a compromised MDM service to remotely install modified versions of legitimate apps onto targeted iPhones. The modified apps included trojanized versions of the secure messengers WhatsApp and Telegram, and they gave the threat actors (“hackers”) access to SMS and private messages, contacts, photos and the device's real-time location.
Amazingly, the attackers are believed to have enrolled the devices either through social engineering, such as a fake tech support call, or by having physical access to the device.
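What an MDM enrollment actually hands over is spelled out in the enrollment profile the user is asked to accept: the com.apple.mdm payload carries an AccessRights bitmask that tells the device which operations the server may perform. As an added example (not code from the original post, from Talos or from Optium), the Python script below builds two constructed enrollment profiles (server names, identifiers and UUIDs are made up) and decodes what each one grants. The bit meanings follow Apple's Configuration Profile Reference for the MDM payload as I know it; confirm them against the current reference before relying on them.

```python
"""Decode what an Apple MDM enrollment profile lets the MDM server do.

Added example, not from the original post. The profiles built here are
constructed for illustration (made-up server names, identifiers, UUIDs).
"""
import plistlib

# AccessRights bit flags for the com.apple.mdm payload, per Apple's
# Configuration Profile Reference (assumption: values unchanged since then).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information (serial number, capacity)",
    32: "query network information (phone/SIM numbers, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management (install and remove apps)",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)  # 8191: every right above
# Rights that let the server change what code runs on the phone. Pushing a
# modified app, as in the campaign described above, needs app management.
SOFTWARE_CONTROL = 2 | 128 | 4096


def make_profile(access_rights, server_url):
    """Build a minimal enrollment profile as XML plist bytes.

    Constructed for the example: real .mobileconfig files carry more keys
    and are normally signed, but the com.apple.mdm payload looks like this.
    """
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.enroll",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "PayloadIdentifier": "com.example.enroll.mdm",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "PayloadVersion": 1,
            "ServerURL": server_url,
            "CheckInURL": server_url + "/checkin",
            "Topic": "com.apple.mgmt.External.example",
            "IdentityCertificateUUID": "00000000-0000-4000-8000-000000000003",
            "AccessRights": access_rights,
        }],
    })


def mdm_payloads(profile_bytes):
    """Return the com.apple.mdm payload dicts in a profile (normally one)."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.mdm"]


def decode_rights(mask):
    """Map an AccessRights bitmask to the human-readable rights it grants."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def review_profile(profile_bytes):
    """Summarize what each MDM payload in the profile lets the server do."""
    findings = []
    for p in mdm_payloads(profile_bytes):
        mask = int(p.get("AccessRights", 0))
        server = p.get("ServerURL", "")
        findings.append({
            "server": server,
            "server_https": server.startswith("https://"),
            "rights": decode_rights(mask),
            "unknown_bits": mask & ~ALL_RIGHTS,   # bits Apple does not document
            "full_control": (mask & ALL_RIGHTS) == ALL_RIGHTS,
            "can_change_software": bool(mask & SOFTWARE_CONTROL),
        })
    return findings


# Two constructed profiles: a full-control enrollment (what most corporate
# MDMs, and a malicious one, ask for) and an inventory-only enrollment.
FULL_CONTROL_PROFILE = make_profile(ALL_RIGHTS, "https://mdm.example.invalid")
READ_ONLY_PROFILE = make_profile(1 | 16 | 256, "https://mdm.example.invalid")

if __name__ == "__main__":
    for label, blob in (("full control", FULL_CONTROL_PROFILE),
                        ("read only", READ_ONLY_PROFILE)):
        for f in review_profile(blob):
            print(f"[{label}] server={f['server']} https={f['server_https']}")
            print(f"  full control: {f['full_control']}, "
                  f"can change software: {f['can_change_software']}")
            for r in f["rights"]:
                print(f"  grants: {r}")
```

Run it on a profile you have been asked to accept (the .mobileconfig file, or the enrollment link a "support engineer" sends you) before tapping Install: anything requesting app management or profile installation gives the operator of that server the control described in the paragraph above, and a non-HTTPS ServerURL is a red flag on its own. On an already enrolled iPhone the installed profile is visible under the device management entry in Settings > General.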
Now to the point about Security Awareness training and Methods and Procedures.
If a social engineering campaign was leveraged against the IT personnel with administrative access to the MDM solution, then those personnel failed to spot and stop the attack. Were key administrators part of a security awareness training campaign? Likely not, and that is an issue in a day and age where “human hacking” is as key to a successful breach as any other technique.
Why do methods and procedures come into play in this scenario? Optium has two answers.
First, it goes without saying that critical IT infrastructure needs to be physically secure, with highly restricted physical access. But what procedures were in place to control who has access, when they have access, and why they have access to key critical infrastructure? I say that because I cannot tell you how many times I have walked into a corporate environment, dropped the right name, said the right things and been led into a room with access to critical IT infrastructure, and no one called to verify my story or even checked my ID. Good thing I was onsite to work on a project and was not a malicious threat actor. Irrespective of my intentions, that scenario never should have happened.
Second, when granting access, especially remote access, to product support engineers, methods and procedures (M&Ps) need to be in place to ensure those personnel are who they say they are, that the access method is secure, and that the access is verified closed when the work is done. This seems obvious, but it does not appear to have happened in this scenario.
Methods and procedures should always be in place, and well understood, to guard and verify appropriate physical and electronic access to key IT infrastructure. The Optium Cyber Systems, Inc. consulting practice can provide security awareness training for all personnel, especially C-level and IT staff. We can also provide consulting services to help build appropriate methods and procedures around who is granted electronic and physical access, how it is granted, and how it is maintained.