Preparing for the Unknown: Future Enterprise Security Threats


2Q 2017 | IN-4515

The adoption of IoT in the enterprise will expand the threat footprint within many organizations going forward, enabling those with inside knowledge to access more than just emails.


Future Enterprise Security Threats Are as Unique as Your Business

NEWS


The IT organization of an enterprise faces the formidable task of balancing the implementation of innovative technologies against maintaining the privacy and security of company assets and data. The enterprise cannot successfully operate a business in fear of the unknown, though it can certainly prepare for it.

Today, businesses spend time, money, and resources monitoring and responding to known security risks and attack vectors. However, if the attack comes from inside the organization using employee credentials or via a possible backdoor in hardware or software, it will not be detected using known external patterns. Future threats to the enterprise could be as unique as the business itself.

Ignorance Is Bliss: Your Enterprise Has a Backdoor

IMPACT


Placing backdoors into products is very controversial, and vendors will often publicly deny having any. Only in recent years (since the Snowden and other WikiLeaks revelations) have vendors, notably in the U.S., been more forthcoming on the existence of backdoors, stressing that they are required by law to implement them in certain products for the specific and exclusive use of the U.S. government. Since 2013, some security-focused European vendors have been keen to market their origins, and lack of business in the U.S., as a guarantee against U.S. government-required backdoors.

The problem is not so much that backdoors exist, but that vendors are not upfront about their existence, that certain U.S. government agencies have been using them likely beyond their fitness for purpose, and that they can very easily be leveraged by undesirable (hostile or criminal) elements for nefarious purposes. Transparency as to their existence would allow users to at least be aware of the potential risks, and apply risk mitigation policies accordingly. No knowledge is the worst possible option from a security perspective.

Many legitimate uses exist for such remote access tools (e.g., servicing a device, providing remote management, patching, and updates). Others can be sold exclusively as legal interception tools, only to be disclosed and provided for specific law enforcement purposes. Consider the attack and theft of payment card details in 2014 from the U.S. retailer Target. The initial infiltration is believed to have been made through an HVAC system attached to Target’s corporate network. The backdoor in this case was due to where and how the HVAC network access was established, which could have been caused by a simple contractor oversight. The proliferation of devices and Internet of Things (IoT) endpoints attached to business networks creates millions (or billions) of potential new vulnerabilities for enterprise IT to identify and monitor.

Unfortunately, enterprises rarely discover these security risks on their own, falling victim to “We don’t know what we don’t know.” Security professionals and insiders (notably in government) are often the ones to publish information on backdoors. Sometimes, because of hacking between warring cybercriminal organizations, details about the backdoors being used are disclosed and dumped publicly online. Commercial threat detection solutions for viruses and malware exist; however, they only track established and identified pattern signatures. This approach gives an IT organization no awareness of deviations from normal operational processes.

Enterprises need tools that observe baselines of behavior (“normal”) in network traffic, authorizations, network paths, role-based usage, etc., that are personalized to the business and can escalate and act upon variances outside established thresholds. For example, if a user starts transferring a significant amount of data outside the organization, what checks are in place to determine if this is a legitimate exception to normal behavior or not?
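The data-transfer check described above can be sketched as a per-user baseline. This is an added example, not part of the original Insight; the function names, the thresholds (`k`, `floor`, `min_history`) and the sample records are constructed assumptions.

```python
"""Per-user egress baseline: flag days far above that user's own normal."""
from collections import defaultdict
from statistics import median

MB = 1_000_000
DAYS = ["2017-04-03", "2017-04-04", "2017-04-05",
        "2017-04-06", "2017-04-07", "2017-04-10"]

# Constructed sample records: (day, user, bytes sent to external destinations).
# "bob" routinely ships ~1 GB/day off site; "alice" normally sends ~25 MB/day.
SAMPLE_FLOWS = (
    [(d, "alice", n * MB) for d, n in zip(DAYS, [20, 25, 22, 30, 24, 500])]
    + [("2017-04-10", "alice", 300 * MB)]  # second transfer on the same day
    + [(d, "bob", n * MB) for d, n in zip(DAYS, [900, 1000, 950, 1100, 1050, 1020])]
)

def daily_totals(flows):
    """Aggregate individual flow records into bytes per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes in flows:
        totals[user][day] += nbytes
    return totals

def find_egress_anomalies(flows, min_history=5, k=6.0, floor=50 * MB):
    """Return (user, day, bytes_sent, threshold) for days above the baseline.

    The baseline is the median of the user's earlier days; the threshold is
    median + k * scaled MAD, with an absolute floor so that users with tiny,
    steady volumes do not alert on trivial changes.
    """
    alerts = []
    for user, per_day in daily_totals(flows).items():
        history = []
        for day in sorted(per_day):  # ISO dates sort chronologically
            sent = per_day[day]
            if len(history) >= min_history:
                med = median(history)
                mad = median(abs(x - med) for x in history)
                threshold = max(med + k * 1.4826 * mad, floor)
                if sent > threshold:
                    alerts.append((user, day, sent, int(threshold)))
                    continue  # keep the outlier out of the baseline
            history.append(sent)
    return alerts

if __name__ == "__main__":
    for alert in find_egress_anomalies(SAMPLE_FLOWS):
        print("escalate for review:", alert)
```

In the sample, alice's 800 MB day is escalated even though it is smaller than bob's ordinary daily volume, which is what a baseline personalized to the business buys over a single global limit.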

Preparing Enterprise IT for Future Security Unknowns

COMMENTARY


Information is key, and organizations need to consider the likelihood of technology products and services containing potential backdoors. Further, technology, even without backdoors, can be broken in the future and therefore allow for potential exploitation. A few fundamental steps for the operation of a future-ready IT team include:

  • Build a map depicting how data moves throughout an organization and define standard network behaviors.
  • Consider all assets as potentially vulnerable and develop appropriate risk mitigation strategies.
  • Implement multi-layered and comprehensive protection mechanisms for hostile and unfavorable scenarios.

Cybercrime, cyberattacks, and cyberespionage, whether between legitimate organizations, nation states, or criminals, are more openly researched, analyzed, and discussed than ever before. Enterprises are free to access this vast wealth of data to make informed decisions about the vendors and products they may wish to use. Backdoors should always be considered a possibility, and cannot always be avoided. Enterprises should ensure that they have an action plan in place, corresponding to their level of risk acceptance, for when a backdoor (or a zero-day or other vulnerability) is discovered.

Whether for cybersecurity or adopting emerging technologies in general, enterprises must become comfortable with the ambiguity that accompanies these solutions. There is no amount of investment that makes an enterprise 100% secure from current threats, let alone future ones. Depending on the level of risk acceptance that the business is comfortable with, the amount of change needed to evolve business practices could require only a little more diligence to monitor internal network behavior. If the company is not comfortable with the uncertainties that come with anything less than 100% security monitoring and mitigation, the business could find itself at a competitive disadvantage by maintaining the status quo.

 
