Businesses need to protect the full cloud security chain, not just part of it

CASBs protect cloud data usage only when in fact, there are three other links in the security chain that could jeopardize the entire cloud security operation. The identity of the user and devices accessing the platform, the security posture of the device being used, and the security posture of network through which the connection is made.

Only a trust-based platform that ensures that only trusted users, using trusted devices, connecting through trusted networks to trusted cloud services, can access corporate data. Any other solution that does not encompass the full security chain, CASB included, will leave the operation vulnerable to data leaks, stolen credentials, and malicious software such as ransomware and malware.

Why CASB is not enough
For example, CASB will allow a user to use a rooted device that might damage the entire cloud operation due to its vulnerability. It will also allow a user to connect to the cloud using a compromised hotel WiFi network leading to credentials or data theft. , CASB will allow access from a public or temporary device that does not belong to the user or the enterprise having no knowledge of ransomware, malware, keyloggers, etc. that might compromise such device. Not only will CASB allow all of the above (and more), it will have no visibility into the potential risks and threats.

Therefore, it should be clear that in order to secure cloud operations, there is a need to handle the full security chain (user, device, network and service) and to provide visibility, access control and data control, rather than just use CASB which handles the data usage control on the service side.

The importance of having good visibility into all security aspects

To accurately detect threats that put corporate data and reputation at risk, all activities along the cloud security chain need to have clear visibility, access control and data control. An automatic actionable assessment needs to be made in the context of user identities, security posture of the devices they use, the networks they connect to and service properties. Real visibility for the full cloud security chain (user-device-networkservice) must be a priority for an organization’s security operation in order to meet most regulatory requirements and leading security practices. Only when achieving such visibility, risks can be identified and mitigated in real time. Using a CASB, which only has visibility into a user’s actions on the service itself, provides a very limited point of view that cannot satisfy security compliance and leaves organization exposed.

Better visibility equals better control

Only with granular visibility into the whole chain one can set access control rules to provide access to specific user identities and the terms of its access, e.g, authorized device and network, as well as location based (geo-fencing) rules limiting access from specific locations.
For example, certain information and services can be used just in the office. Combining detailed visibility with easy-to-operate access control eliminates the threats of malware and ransomware infiltrating the cloud infrastructure, and prevent cloud data leakage through the device or network used.
The final step to ensure a well-protected work process with cloud services does not end after access is granted, but only after it is guaranteed that the user is using corporate data safely. It needs to be set up in advance and monitored to understand what activities are allowed by whom, to prevent sensitive information from getting leaked or transferred, prevent malicious and unauthorized activities, identify malicious actors on services etc. While most CASBs excel the field of data control within the cloud services, they do not support access control (which user, device, and network are secured and authenticated to access the service), and rarely provide reasonable visibility, if any.

Integrated solution vs. all-in-one

Integrating all four factors of the security chain; user, device, network and cloud, through multiple security systems such as MTD, containers, proxies, gateways as well as CASBs requires substantial time, budget, and effort, as well as trained, dedicated teams to operate it. While the modern IT needs keep on growing this becomes impossible to maneuver, both from the personnel and the financial point of views. In a world where “simplicity is king”, this primitive way of combined services just doesn’t cut it. If it is not simple, it simply will not work. Only a fully automated system, connecting all four parts of the chain, can truly supply full end-to-end protection. A Single and strong engine controlling all cloud security aspects is the only way to eliminate the need for multiple systems implementation. The entire operation should be preintegrated to all popular SaaS and IT tools and have a “set it and forget it” state of mind, shifting from anomaly detection to compliance and trust declaration.

Summary

CASBs protect cloud data usage only, when in fact, there are three other links in the security chain that could jeopardize the entire cloud security operation. CASB has no visibility into the potential risks and threats in the device, the network, or the user. Having visibility only into a user’s actions on the service itself provides a very limited point of view that cannot satisfy security compliance leaving organizations exposed. 

Attention decision-makers at marcomm agencies – whether that’s a public relations, advertising, digital media or marketing firm – when is the last time your firm truly thought about network, device or data security? If this answer isn’t “yesterday” or “today,” then your agency­, and the client data it is entrusted with, is likely at risk.

Today, the vast majority of most agency’s clients invest in cybersecurity (some more than others). However, because of budget, time and resource constraints, as well as the lack of any industry standards or regulations mandating compliance, most creative and communications agencies have not followed suit.

Such cybersecurity apathy has made agencies an attractive target for cyberattacks – whether they realize it or not. Why? It’s simple: agencies have access to a treasure trove of client data and proprietary information of which not just employees, but also attackers, can easily access via insecure networks, systems and devices. For savvy hackers, exploiting an unprotected agency as the means to gain unauthorized access or spread malware to their primary target (the agency clients) is not only significantly less-risky, but doing so is also less expensive and more time effective.

What’s at stake for agencies?

In today’s threat landscape, there’s a lot at stake for creative and communications agencies should they be hit by a cyberattack, including:

• Diminished business continuity: Just last year, WPP was crippled by the infamous NotPetya ransomware attack, leaving staff at both its flagship and subsidiaries unable to access their systems and networks, according to AdWeek and other media outlets. In total, the attack cost the holding company more than $19 million and many of its subsidiaries were shut down for days. This incident has broad implications for smaller shops as well, since they rely on their agility and nimbleness to meet and exceed client demands. With that in mind, continuity means everything, and disrupting that with an attack could be catastrophic for agency-client relationships with the inability to get time-sensitive work done.
• Client/employee turnover: Both are already at record levels (average agency-client tenure has shrunk from 7 to less than 2 years) and a successful cyberattack would surely expedite departures, as it is unlikely that clients and employees would retain a relationship with an agency after their data was breached or identity compromised. In addition, employee turnover creates opportunities for departing workers to take data with them, either intentionally or inadvertently. Such data could then be leaked or sold, creating reputational, operational and financial risk to both the agency and the client.
• Reputational damage: From login credentials and cloud app passwords to customer databases, billing/routing numbers and more, agencies are the custodians of some incredibly sensitive strategic and brand information. In other words, agencies have access to what attackers want, with little to no security to protect these assets from internal and external threats. If an agency has weak or no security protocols and they’re the cause of a systemic breach or data leak ahead of a project launch or another initiative, then that would likely result in irreversible harm to the brands reputation, ultimately diminishing client relationships, new business prospects and employee morale. Ironic, the agencies often hired to build or change reputation would be forced to spend much of their time doing the same reputational management tasks internally, or risk going out of business for good.

• Cyber insurance premium spikes: Recently, a report by PwC estimated that the cyber insurance industry will grow to $5 billion in annual premiums by the end of 2018, and $7 billion by 2020. Those numbers are staggering, given how new the industry is. Moreover, since it’s such a new industry, there is inherent risk and volatility, and security breaches will impact insurance premiums not just for the company that suffered the breach, but across the entire industry. Most agencies that have the means to purchase cyber insurance do not have the financial leeway to incur massive spikes in premiums.

Unfortunately, any one of these consequences could ultimately lead an agency to shut its doors for good. So, what can creative and communications agencies, regardless of headcount and revenue, do to protect their company from cyberattack? Here are seven safeguards that agencies should implement in 2019:

• Conduct an agency risk assessment to determine where the company’s greatest vulnerabilities lie.
• Purchase cyber insurance so your organization can be more cyber resilient when an attack strikes.
• Implement a quarterly security awareness training session to enforce technology policies and to help educate employees on emerging attack trends.
• Set up advanced password protection so unauthorized users can’t easily compromise the integrity and confidentiality of your client’s data via password theft or leaks.
• Secure your inbox, because more than 90 percent of attacks begin with a malicious email.
• Create an incident response plan so all employees, clients, stakeholders etc. know how to react and what actions to take during and after a breach.

Last but not least, agencies should invest in data breach protection platforms, like Coronet. It’s extremely common for agencies to use cloud apps like Box, Dropbox, Office365 and Slack, yet despite some security built in, such tools are ripe with vulnerabilities. Coronet can monitor your agency’s cloud applications for data leaks, cyber-threats and regulatory violations that put your business at risk and remediate them without added costs or any disruption to agency continuity.

In recent months, the debate over the future of BYOD has intensified. On the one hand, we really don’t need Gartner to tell us what we are already witnessing —  that more than half of all businesses will require employees to bring their own device by the end of 2017; while on the other hand a study by CompTIA has indicated a near a 20% drop in BYOD friendly companies since 2013. The latter study concluded that 53% of companies have actually banned private devices all together, in stark contrast to 2013 when only 34% did so.

A recent study conducted by Crowd Research Partner did find that there is wide disparity in how companies are implementing BYOD, if at all. 13% of companies have not and will not allow BYOD, 32% of companies only allow BYOD for select employees and 40% maintain a completely open policy for all employees. Meanwhile, 9% of companies plan to start incorporating BYOD over the course of 2017, while 3% have recently ended their allowance of BYOD altogether.

Current Policies Are Insufficient

One of the trending issues that IT teams are facing is facilitating popular employee demand for BYOD on the one hand and demands from the executive board, HR and legal teams to create enforceable procedures for policy and compliance. IT knows full well that everyone is checking company email and accessing cloud files from wireless networks from their homes, coffee shops and hotels but there is nothing they can do to stop it.

A critical mistake that many organizations make is by focusing exclusively on the upper layers, while ignoring the lower layers. The OSI model is divided into two parts.

• The host (upper) layers, includes the application, presentation, session and transportation, which controls the applications that run on a network. 
• The media (lower) layer, which is comprised of the network, data link and physical and controls the delivery of messages over the network and is responsible for formatting and encoding data.  

There is no question that IT must contend with an array of threats to the upper level however, there is a distinct knowledge gap regarding the changing landscape between the device and the LAN/WAN. Criminals are not only manipulating wireless networks to launch attacks, but are setting up their own malicious access points, which is undetectable to the endpoint user. Cybercriminals are doing this in a number of ways that will leave your company’s data vulnerable.

Wireless Network Manipulation + Femtocel = Risky 4G.

In recent months, it has come to light that the fast and reliable 4G LTE, while certainly fast may not be all that safe. Cyber criminals can easily take advantage of the LTE failsafe, which was designed for emergency situations, like a natural disaster when a cell tower might become overloaded. The failsafe automatically redirects the phone to another tower, allowing cellular service to continue uninterrupted. The attacker takes advantage of this by switching the device to a femtocell, which the phone recognizes as a legitimate tower.

Once your device is taken over via the femtocell, any cellular data going in and out from the device can be captured. Additionally, attackers have the capability of downgrading the device from 4G LTE to 2G, which means the device is even less secure. So, if you are a CISO or IT professional instructing employees to use a personal hotspot via their phones 4G, as a way of maintaining a level of safety, you are out of luck.

Rogue Access Points a Growing Threat

The issues with 4G security only reinforce what we already know about the vulnerability of existing wireless networks. Furthermore, the growing threat by the use of Rogue Access Points, should be concerning, because of the challenges it poses to IT policy and compliance. The fact is, that creating a rogue access point is cheaper than ever before and the ability to deploy them is easier than ever. There are a number of questions that an IT team should clarify, including; the capacity to seal any area (on or off premise) from wireless threat or maintaining full visibility into the various networks to which employees are connecting. Since traditional hotspots are not going away anytime soon and IT must find a way of securing this space.    

Rogue Access Points are divided into four categories, which is important to understand in order to know how to implement a solution. They are Evil-twin, Improperly Configured, Unauthorized, and Compromised.

Evil-twin – Fairly easy to set up and based on a software installed on a portable device. Because SSID and BSSID, which are the only identifiers in IEEE 802.1,1 can easily be manipulated, the evil-twin remains indistinguishable from the legit access point.

Improperly Configured – This could simply be a problem with the authentication, encryption settings or improper update. These misconfigurations can leave the door open for outsiders to take control.

Unauthorized – While a rare occurrence, it has happened that unsecure and misconfigured WLAN antennas have been set up within larger organizations to create easier access to the internet within the workplace. This in turn can compromise the entire system.

Compromised – WPA-PSK and WEP secure communication between the user and access point via shared keys. If these keys are hacked, the access point can go rogue. Hacking software that  does not require any deep knowledge is very readily available, so a compromised AP is certainly a threat to be contended with.  

Many experts suggest using a VPN to counter rogue access points, but they are not foolproof for three reasons.

1. VPN  could only be a potential solution in combating certain types of rogue access points, like evil-twin.
2. With Port forwarding, an IP can be easily be uncovered by luring an unsuspecting user to clicking a phishing link.
3. The gap between launching a VPN and connecting with the network, leaves the device venerable during those few critical moments.

What can be done?

IT policy and compliance need to be broadened to cover both the upper and lower levels of the OSI model. Only when IT has control over the communication channel between the device and cellular network will they be able to truly secure the endpoint. Coronet provides a holistic cloud based platform that protects and seals any area within the office or without from wireless threats to complete your BYOD policy.

With workers relying more than ever on mobile devices to provide quick access to information, BYOD and BYON have become as ubiquitous and as necessary as office furniture. Yet, even though the “Bring Your Own” approach has revolutionized business, many companies still have a pre-revolutionary view to network cybersecurity.

Companies still place great emphasis on protecting the network in the office by relying on many security layers: the firewall, Internet Protocol restrictions and network access control, even though they don’t hermetically protect their wireless networks. But outside the company’s wireless network, all bets are off. Convenience trumps security as employees freely hop onto wireless networks that security teams can’t monitor.

Without IT oversight, employees are unwittingly – and sometimes willingly – exposing their devices to malicious hacking and thus exposing their employers’ network and digital assets. That’s not revolutionary at all. It’s an imbalanced approach that too heavily favors convenience over security.

Dubious Wireless Networks Invite Cybersecurity Risks

Rogue, compromised and misconfigured (such as those on wireless printers and screens) wireless networks are everywhere. People think they’re connecting to a safe and known public Wi-Fi network or a trusted cellular network when they’re in fact holding out their devices to hackers who are using inexpensive tools to intercept wireless communications.

In busy Manhattan, hackers in Sept. 2016 took over an AT&T low-power cellular base station and intercepted calls, data and messages, according to the consulting firm Frost and Sullivan. At nearby Penn Station, travelers who thought they were a using Google Wi-Fi connection were snared in a fake access point that mirrored the legitimate free public service.

That same month in Singapore, a Karma machine was used to hack into devices being used at a taxi stop, and a wireless printer was used as an “arrowhead” to penetrate enterprise devices.

The device owner’s credentials are laid bare when hacked, starting a crumb trail toward account passwords and other identifying information that can lead to his employer. The device is open to all sorts of manipulation, and hackers can also use social engineering tricks to prompt the victim to release sensitive information.

Hackers can also hit unsuspecting users with malware, eavesdrop on conversations and messages, or commit DNS spoofing to lure a user to another computer. No matter how resolute their internal security is, companies have no visibility into all those malicious networks and can’t protect corporate assets that are at great risk from what seems like ordinary Wi-Fi and cellular use.

The hidden threats lie in the numerous wireless networks used by your employees and it is crucial to remember that VPN won’t protect your network from them.

A New Partnership that Balances Security and Connectivity

There’s a new paradigm shift in wireless network security that no longer keeps companies in the dark and also allows workers to continue to take advantage of BYOD and BYON. Security and convenience can coexist.

Wireless security advances now let you partner with your users, creating a two-way street on which mobile users can be productive and security teams can have improved visibility. Throwing up barricades to wireless connectivity only encourages employees – especially those who need access outside of the office at any time of day – to find other ways around preventative measures, increasing the likelihood of exposure to malicious threats.

This new paradigm – or new partnership  rests on three pillars of mobile enablement:

• Real-time monitoring and intelligence of threats on the wireless networks that surround the devices that are inside and outside your workplace.
• Pinpoint detection and risk evaluation distinguishes the good from the bad, the legitimate from the illegitimate, and lets you know which networks are safe to use.
• Policy enforcement that’s easy to manage and control so that you can tighten it in the face of threats but still allow employees and executives to use their devices without impractical restrictions.

With visibility of every device and network, you no longer have to deny access. You can enable access without fear.

With wireless security, it’s all about visibility. Look around a coffee shop, airport, or even an office building and it’s impossible to miss all the smartphones, tablets and laptop computers. Just about everyone has a wireless device.

But the downside to all these devices – and thus the downside to BYOD also – is a security threat that’s not clearly visible: rogue access points. The proliferation of mobile devices prompted a surge of wireless access points, enabling people to connect anywhere and at any time.

While an abundance of access points – including the hot spots on personal devices – helps productivity, it also allows fake ones to hide in plain sight and exposes a company network to malicious activity. Unfortunately, cybersecurity teams can’t see, let alone monitor, every fake network service that their employees unknowingly connect to, whether those rogue access points are in a coffee shop or under the company roof. It’s an enormous blind spot that puts organizations at significant risk.

Many Rogue Access Points, but not Enough Security Sense

Hijacking access points is easy. A wireless device, usually connects to a Wi-Fi access point with the strongest signal. If a hacker with a fake access point sits between the access point to a legitimate Wi-Fi signal and an employee who unwittingly will connect to an unverified source, the device can be compromised.

Previously, only governments or hackers with massive resources and knowledge  could establish an access point, but with open-source software, hackers can cheaply and easily create malicious Wi-Fi or Cellular access points to intercept wireless communications.

There are more than 76 million commercial and community hotspots, combined, in the U.S., and more than 179 million total worldwide. It’s difficult to pinpoint how many hotspots are fake, but security experts believe there is an increase in man-in-the-middle attacks such as those carried out by rogue access points.

The prevalence of fake Wi-Fi hotspots has done little to strike caution into the hearts of mobile device owners. Instead of wondering if they’re connecting to a legitimate and trustworthy source, few people question basic security: more than 60% of people think their personal information is protected when using public internet and about 50% are unaware they are responsible for securing their own data.

Most of the time, users pay little mind to Wi-Fi security until they have had their personal information stolen and their employer’s assets compromised through a man-in-the-middle attack.  It happened last year when millions of college basketball fans unknowingly put their personally identifiable information at risk by using a popular but unsecure CBS Sports app during the frenzy of the NCAA March Madness tournament.

And it can happen right in the office. A majority of unknown-but-connected access points are installed by employees for the sake of convenience, usually without Wi-Fi authentication or encryption.

Wireless Security that Clearly Sees Risk

Despite the known risks of wireless communications, enterprises still need to invest more in visibility and control.

Many companies continue to focus on the upper layers — application, presentation, session – of the OSI Model while paying little attention to the lower layers – transport, network, data link and physical – that handle formatting, encoding and transmission of data over the network. It’s not that IT security doesn’t recognize the vulnerabilities of the lower layers, it’s just that they’ve been busy protecting the upper layers.

Security teams of course, don’t want to impede productivity and growth with draconian security policies that all but tether devices to office desks and hardline network connections. Consistent training about the use of free Wi-Fi hotspots and automatic connections can diminish risk, but as those surveys showed, people will still use unsecure public Wi-Fi or a friend’s mobile hot spot when in a rush to get connected.

Enterprises can finally get a strong visual on rogue access points by using a network security solution that can not only see those fake access points, but also trace their network connectivity, estimate their physical location and examine visible Wi-Fi parameters to automatically respond to any threats they pose.

Clear and accurate wireless visibility should be a priority for all companies. Staying on top of wireless is only going to get more complicated: Intel says the number of connected devices could surge to 200 billion by 2020, and Cisco and Microsoft have both predicted 50 billion devices will be connected to the Internet by 2020.

Enterprises need a solution that manages, controls and enforces security policies on wireless devices at any time and also allows employees to connect to any device from any location, access any service and maintain privacy without any inconvenience. Coronet offers this exact level of visibility and control; contact us to learn more.

If you browse to a major website on the internet, chances are you’ll see something next to the URL—a tiny lock icon, next to the prefix “HTTPS.” This indicates that you’re currently using a secure version of the Hypertext Transfer Protocol. It means that the connection between your web browser and the application you are viewing is encrypted via TLS (Transport Layer Security). In effect, it is very difficult for a potential attacker to eavesdrop on what users are doing on a site that’s protected by the HTTPS protocol.

HTTPS Has Never Been Unbreakable

Difficult as it may be, however, the HTTPS protocol is not unbreakable. Hackers commonly employ what’s known as a man-in-the-middle attack” (MITM). In this instance, attackers may use a phishing email to direct users to a fake website. The website might look exactly like a real banking or ecommerce site, thus tricking users into inputting their personal information, such as address info and credit cards. A version of this attack was used to scam eBay users back in 2014.

Similarly, a website might end up using an outdated version of TLS or SSL to encrypt its communications. These outdated variants are subject to several bugs that might allow attackers to decrypt communications. The most famous example of this was the Heartbleed bug. This bug allowed attackers to exploit outdated versions of SSL to output a site’s password, user database, certificate codes, and more.

Now, there’s a new bug to worry about.

An Outdated Protocol Leaves Users Vulnerable

Security researchers have now discovered a way to bypass HTTPS encryption entirely. The exploit, which was demoed at BlackHat this summer, relies on a browser element called Web Proxy Autodiscovery (WPAD). WPAD is actually obsolete—like many elements of major exploits—but it’s still supported by all major browsers. Essentially, WPAD would tell browsers to download a file at a certain URL, and then execute it in order to find the proxy for a web browser.

Bad actors can get around HTTPS by using this obsolete protocol as an attack vector. When a computer connects to a new network, it sometimes has to request a proxy autoconfig file (PAC) using WPAD. If that file is malicious, it can deliver attackers the plaintext version of a user’s destination URL, before the HTTPS connection is initiated. The most vulnerable users are ones who often connect to networks outside their home and office—at airports, cars, coffee shops, and so on.

Protecting Users from Unholy PAC

This vulnerability, deemed Unholy PAC, may find itself resistant to easy fixes. WPAD functionality has been embedded in web browsers since the late 90s, so simply removing it might cause a cascade of additional problems. While there are a number of potential patches and workarounds that might also work, none have yet been released, leaving users out in the cold.

At Coronet, we’ve long recognized the vulnerability of users who find connectivity outside their home networks. This new PAC bug appears to make these remote workers even more defenseless. Fortunately, Coronet users will find themselves well-defended. Our machine-learning software can quickly adapt to recognize when a user’s connection is being threatened. In response, it can help make the targeted endpoint nearly invisible to attackers.

For home users and enterprise professionals alike, SMS-based two-factor authentication (2FA) has become a relatively annoying fact of life. Type your password into your computer, wait while a text is sent to your phone, and then race to type in a second passcode before it expires. It’s a bit of a hassle, but for many it’s been the most important line of defense between hackers and confidential, SaaS applications, and financial information. Now, all of that may be about to change.

A new draft of the Digital Authentication Guideline issued by the U.S. National Institute for Standards and Technology (NIST) indicates that the days of SMS-based 2FA are numbered. The reasons are manifold. In short, new mobile snooping technology has made it easier for hackers to spy on the one-time passwords that are sent to mobile devices. With the use of this technology, hackers are able to bypass this once-foolproof protection mechanism.

How to Break Mobile 2FA

Two-factor authentication is necessary, in short, because passwords are bad. Many users—even people who should know better—often use the same password for more than one account. Thus, it’s both easy and quite possible for a hacker to steal a password from one account, and log into another. At the same time, it’s much harder for a hacker to steal a user’s phone. Where mobile 2FA is concerned, a user’s phone acts as a “token” which allows them to verify their identity in a way a hacker cannot.

As mobile technology has matured, however, there are now a number of ways that hackers can break into a user’s phone. Some of these methods involve redirecting the confirmation text message away from the victim’s phone, and into the attacker’s phone. This usually involves a social engineering attack, as was the case when a group of teenage hackers compromised the email accounts of CIA director John Brennan and other top intelligence officials late last year.

Another method involves mobile malware. Malware that specifically affects mobile devices isn’t too common yet, but its incidence has been steadily growing. Earlier this summer, security researchers discovered a sophisticated mobile malware package known as ‘Pegasus,’ targeted at iOS devices. Among other sinister capabilities, the malware had the ability to read text messages on an infected device. This would have allowed attackers to intercept SMS passwords in order to break mobile 2FA.

Lastly, there’s straight-up eavesdropping. You may have heard about something called a ‘Stingray’ device. This hardware essentially impersonates a cellphone tower, and forces nearby mobile devices to connect to it. Once they’re connected, the device captures cellphone metadata, and some versions can read SMS messages. Stingrays are usually used by state and federal law enforcement, but it is totally possible for garden-variety hackers to build and use them as well.

A Stronger Approach is Needed

There’s more than one way to hack mobile phones and break two-factor authentication. Social engineering, malware, and eavesdropping are just scratching the surface. A creative individual, not overly burdened with morals, has a plethora of choices if they decide to break into an account protected by mobile 2FA.

Fortunately, Coronet provides a robust buffer against individuals who wish to intercept two-factor authentication and break those solutions. Our service determines whether an attacker is present in the WiFi or cellular network your laptops and mobile devices are connected to, and prevents them from eavesdropping. 

What do hackers and street artists have in common? If you asked that question to the average person, you probably wouldn’t get much of an answer. But it turns out, both the hacker and the artist are equally capable of exploiting gaps in wireless security.  

This isn’t hyperbole. In fact, an artist by the name of Kyle McDonald has been making a living as both a street artist and a hacker, albeit with no malicious intentions. With the help of a friend, the North Carolina artist recently created an art installation at Moogfest, which they call the WiFi Whisperer, whereby they collected insecure data from festival attendees who walked by their booth and displayed the info through monitors and speakers. It’s as clever as it is scary.

Their goal was to not only call attention to the fact that mobile devices are vulnerable to network attacks, but also to give people a sense of exactly how it feels to be violated by a WiFi hijacker.

McDonald feels his responsibility as an artist isn’t to raise awareness of this issue but rather to help people experience these threats firsthand.

“I realized that whistleblowers are good at raising awareness, and artists are pretty good at something else, which is giving people direct experiences of things,” he said in an interview with Wired.

Over the past few years, network hacking has become more and more prevalent. Thanks to high profile incidents such as the Dark hotel hack in 2014,  Hello Barbie hack in 2015 and the Jeep Cherokee hack from the summer of that year, consumers and companies increasingly understand the risks their mobile phones and other wireless devices expose them to. But only recently has become painfully obvious as to just how easy this type of attack has become.

The Simplicity of Network Attacks

What should be even more concerning is the lack of expertise the artists had and how little sophistication their breaches required. The sniffers were built from eight Raspberry Pis and wireless antennas tuned to different open wireless channels.

Most of the information gathered were through several key vulnerabilities:

•        Leaving device WiFi and Bluetooth accessible
•        Connecting to unprotected WiFi networks
•        The information flowing into and out of secure apps

General belief is that these vulnerabilities can only be exploited by expert hackers, but the fact is the technology and knowledge available to steal sensitive information is readily available to anyone who wishes to Google for them and purchase tools on eBay.

Future Network Threats

Luckily, artists like McDonald aren’t the only ones experimenting in this area and bringing their findings to light. From our example earlier, security researchers Charlie Miller and Chris Valasek recently demonstrated their ability to wirelessly carjack a Jeep Cherokee. The hackers developed their zero-day exploit technique which gives them access through the car’s WiFi connected entertainment system and allows them to control dashboard functions, steering, brakes and transmission – all remotely.

This is another application which should help demonstrate to companies the extent to which they are vulnerable to network hacks. Hacking conforms to principles laid down as early as Sun Tzu’s “The Art of War.” Attackers will direct their assault at areas where the enterprise does not think to defend. If the enterprise defends the devices that are under their control, the hackers will go for uncontrolled devices that are still trusted nonetheless—such as your CEO’s car.

When anyone – even artists – can infiltrate your sensitive information, it’s important to have a comprehensive security system in place; one analyzes real-time threats and attacks in the vicinity of the device.

Let’s face it. Cybersecurity professionals are a rare commodity, and the demand for qualified workers in this field is, by many measures, at an all-time high. With more than one million cybersecurity job openings to fill this year, executives and hiring managers are scrambling to find, and retain the right resources to safeguard our networks and enterprises.

According to a recent market report, cyber attacks can cost global businesses $400 to $500 billion per year, with substantial costs attributed to post-attack damage and recovery from disruptions in business operations.

Rebuilding from these attacks puts an undue strain on retail, financial, corporate and government entities to regain their losses, restore their reputations, and prevent and mitigate future attacks.

Why the shortfall?

Firstly, not all agree that there is indeed a shortfall.

Tech company layoffs indicate that there are more qualified workers than there are open positions. Still, with a seemingly never-ending cycle of cyber-attacks, there’s no denying the recent shift in focus to obtaining more cybersecurity professionals, and the numbers support claims of a shortage.

On the flip side, the Cisco 2015 Annual Security Report warns that the worldwide shortage of information security professionals is at one million openings, even with cyberattacks and data breaches increasing each year.

[Tweet “In the U.S., more than 209,000 cybersecurity jobs are unfilled,”] and postings are up 74 percent over the past five years, according to a Peninsula Press analysis of numbers from the Bureau of Labor Statistics. By 2019, the demand is expected to rise to six million globally. As a result, executives and universities need to devise creative strategies and collaborate to combat this labor epidemic.

Hiring managers and executives across all industries grudgingly admit that they cannot find suitable candidates to fill open positions, and a number of factors contribute to the shortage of qualified professionals.

Cybersecurity expert Ira Winkler disagrees with the widely-held thought that there’s a shortage of skilled workers. Instead, he believes plenty of people graduate from cybersecurity programs but they lack the technical chops for not just entry-level security positions but any computer-related entry-level position. Instead of earning a specialized degree in cybersecurity, Winkler recommends cybersecurity aspirants first get a job doing general computer work to learn how to administer and configure a computer system so they can eventually understand how to effectively secure it.

Still, many experts believe that specialized training for future cybersecurity professionals needs to start even earlier: in college.

A Call for Colleges to Teach Cybersecurity

Christopher Young, vice president of Intel’s Security Group, believes cybersecurity isn’t a priority in U.S. colleges and calls for his industry to reach out to academia to explain the importance of reconfiguring curriculum to focus on cybersecurity training. “We just have to get after this problem,” he said. “Students will tell you that even if you’re a technical major in college, cybersecurity isn’t a core part of the curriculum.”

Educators such as Northeastern University’s David Kaeli agree that cybersecurity has to be taught but should be integrated with other subjects, regardless of the area of study and not just in the technical realm. “Security has to be a topic that’s covered, whether you’re teaching a digital design course or you’re teaching a programming language course or an operating course,” Kaeli told PBS NewsHour.

As a result, Northeastern offers cross-disciplinary degrees in cybersecurity as well as scholarships for students who serve two or three years in federal, state and local government cybersecurity jobs. Also, the university’s Research Institute for Homeland Security gives students an opportunity to solve real cybercrimes in the programs it offers.

Similarly, Britain’s Engineering and Physical Sciences Research Council (EPSRC) funds programs such as Royal Holloway’s Centre for Doctoral Training (CDT) in Cyber Security. Through a multi-million pound EPSRC grant, CDT has partnered with industry leaders like IBM, McAfee, Thales, Vodafone and Logica in an effort to foster a cohort of new security warriors whose job will be to protect the global computing ecosystem of tomorrow.

Government Initiatives Aim to Fill the Gap

With much discussion about a cybersecurity job shortage, it would seem that hackers have the upper hand, but the war against cybercrime is far from over.

In the U.S., President Obama has increased federal cybersecurity funding for the 2017 fiscal year by $5 billion, making cybersecurity a top priority and matter of national security. In addition, the White House will soon hire its first Chief Information Security Officer (CISO), and $3.1 billion has been allocated for upgrading technologies and networks across various federal agencies.

Britain’s government is on a similar path with its “Cyber Safe” initiative for cybersecurity startup businesses. In an effort to promote the U.K. cyber security industry, this “first of its kind” program will give entrepreneurs the skills they need to develop, test and validate the commercial viability of their ideas and transform them into businesses.

Rent-a-Professional Until Help Arrives

Until students are old enough to enter the workforce, other solutions are needed. For example, cyber-staffing firms with professionals “for rent” are on the rise, providing the much-needed supply to meet the ever-increasing demand. IBM offers its seasoned professionals via its CISO-as-a-service, IBM Security Services. Positioned on-site or virtually, a strategically placed IBM employee can serve as CISO for short-term or multi-year assignments. Basically, the CISO is “on loan” for as long as a company needs them.

Internships and apprenticeships, such as those offered through Virginia’s Department of Labor and Industry are also viable options that will allow business to grow their security-based workforces. The Virginia program offers state funds to companies to offset cybersecurity training, providing up to $1,000 per year per registered apprentice, or $10,000 per company.

Until the one million vacant cybersecurity positions are filled, recent events predict that cybercrime will only continue to increase. A strong attempt to draw more qualified professionals by industry, government and academia hopefully will eliminate the shortfall. But if your organization will be in need of cybersecurity professionals before then, it’s time to think outside the box until the cavalry arrives.

The advantages of city-wide, free WiFi seem obvious. Internet access for people of all income levels, convenience and constant connectivity are attractive to most urban-dwellers.

However, municipal WiFi is one of the most dangerous places to conduct online activity. It is a hotbed of lurking commjackers. These commjackers take advantage of the open network and the thousands of trusting users.

Commjacking an Entire City

While this may sound far fetched, it really is not. A city equipped and connected with free, public and unsecure WiFi places an entire population at risk of personal data theft and consequential cyber crime. A cybercriminal can gain access to users’ phones, tablets or laptops with even the most limited knowledge of hacking. With under one hundred dollars and some open source software, [Tweet “#commjackers can set up fake WiFi networks to lure public users to connect.”]

If you’ve been following this blog, you’ll be aware of the numerous examples of commjacking over the past 18 months, from hotels to airports and airplanes. Even the CoroNet CSO experienced an attack from using an airline’s free WiFi. Some hotel chains have routers susceptible to easy hacking, which puts customer information and access to the hotel’s reservation database and keycard system.  

A commjacker walked into a Dutch café and in minutes could see the online activity of everyone around him. He discovered one patron had recently traveled from Heathrow airport and was staying at a hostel in Amsterdam. “So what?” I hear you say. Well for one, this commjacker now has your personal login credentials for many of your accounts. Secondly,  knowing this, imagine the same patron receiving an email along the lines of, “We’ve found your credit card at Heathrow Terminal 5.” You’d click on that, right? Maybe even give your contact details? Bingo, that is an excellent phishing email  that comes as a result of knowing personal stuff about you. Even the smallest amount of data can be telling of an individual’s history. And knowledge, as we know, is power in the wrong hands.

Mitigating the Risks

Free WiFi and a connected world are the way forward but as with all good things, precaution is required to ensure public safety.

Don’t leave your wifi security up to the municipality. One of the best ways of staying safe on a public network is to always use an SSL session when conducting private activity, such as email, credit card transactions or anything involving personally identifiable information. If accessing a highly-secure network from public WiFi, it is smart to use a VPN or IPSec to protect all data being transmitted across networks. These tips should keep users safe if they are practicing wise Internet behavior.