Two Meters or Two Kilometers?

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

 

General Dodonna: Well, the Empire doesn’t consider a small one-man fighter to be any threat, or they’d have a tighter defense. … The target area is only two meters wide. It’s a small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station. Only a precise hit will set off a chain reaction. The shaft is ray-shielded, so you’ll have to use proton torpedoes.

Wedge Antilles (Red 2): That’s impossible! Even for a computer.

Luke: It’s not impossible. I used to bullseye womp rats in my T-16 back home, they’re not much bigger than two meters.

 

So, sometimes the weakness appears small but turns out to be significant. I don’t use Apple products, not for any other reason than I started with Windows and Android and never had a reason to change. For a long time, Apple users felt somewhat superior because the overwhelming majority of security issues were in the Windows or Android world. That is changing as more attacks are aimed at Apple devices. Part of the reason for the apparent lack of attacks on Apple was the numerical difference in users. Most businesses used Windows products. Apple was also very strict about what a user could do to the system and what software could be installed. That seems to be changing somewhat.

This article highlights the fact that any system can be poorly configured.

“Last Thursday, a United Airlines flight was prepping to leave the gate at San Francisco International Airport when several passengers inexplicably received a photo of a gun via their smartphones.

After those passengers notified flight attendants, the pilot announced a “threat on board,” reports SF Gate. That initiated a three-hour delay, while officials evacuated the plane, re-screened all the passengers and searched the aircraft.”

There was no physical gun involved, just a picture. However, this reveals an opening into business networks. The person on the plane sent an unsolicited file to strangers. This was done using AirDrop, which has three options that control whether files can be received: Receiving Off, Contacts Only, or Everyone. The ‘Everyone’ setting allows anyone in range to send files to the phone, and they will be accepted without any owner intervention.

This article from April of this year describes a weakness in AirDrop that allows security to be circumvented even if AirDrop is set to ‘Contacts Only’. This article from January highlights some other security issues with AirDrop. That article lists two things to help mitigate the issues:

  • Keep AirDrop turned off unless you’re actually using it.
  • Don’t use AirDrop unless you’re at home or in another private area where you are certain there are no attackers within 30 feet.

My goal here is not to pick on Apple. There are no perfectly secure devices. Regardless of the efforts on the part of designers, coders and manufacturers, there will always be security issues with devices. The challenge is to be aware of them and take appropriate steps to minimize your risks. The two suggestions mentioned above need to be conveyed to users. Keep in mind that if your users bring their phones to work and get on the network, the security of that device is something you need to address. BYOD is a trend that is unlikely to go away.

Are you aware of how your network is impacted by employee devices? Are your employees educated on the potential issues if they are careless with their devices? What about your work-from-home employees? Now their device is not on your network directly; it is on their home network. Is their network connected to yours via VPN? Then their home network is on your network. What security issues does that raise? A few minutes’ reflection on this situation should illuminate a large number of potential issues, depending on how things are configured.

This can get very complicated depending on what you allow and how you configure network access for your employees. In Star Wars, there was only one weakness that could be exploited but it was enough. Today’s businesses have plenty of potential weaknesses that could be exploited. Business owners need to get educated about what they are and how to reduce their exposure. For most businesses, this means that they need to partner with someone who has the appropriate expertise. Businesses exist to make money. They do this by focusing on something that generates income. Network security protects that effort.

The ‘two meter’ exposures can come from zero-day exploits and other things you have no control over. The things you control (or don’t control properly) can be the ‘two kilometer’ exposures. Whether your exposure is ‘two meters’ or ‘two kilometers’, it only takes one successful attack to bring an end to your enterprise. Don’t make the same mistake as the Empire did.