COMMENTARY
In recent years, large-scale financial and reputational damages have taught organizations the value of IT security. From corporations to universities, many organizations employ advanced security measures, such as implementing multifactor authentication, conducting regular ISO 27001 audits, providing social engineering training, and even conducting penetration tests and red-team exercises. Beyond this, to prevent unaffiliated devices from roaming freely in their networks, many organizations ask individuals to register their devices and apply security policies on them, such as using complex passwords.
This is where the game suddenly changes: Security decisions being centralized completely to the organization’s IT team poses significant risks. Specifically, our key argument is that this issue will likely increase the use of espionage techniques to compromise systems.
Consider the following scenario: An executive of a large organization enrolls in a part-time master’s program. To access university resources and emails, she connects her personal Windows laptop to the university’s network (i.e., Settings > Accounts > Access work or school). Now, her laptop is managed by the university’s mobile device management (MDM) system. If she asks about this, the IT team will assure her that this setup is mainly for ensuring updates and strong password policies — and this is all true.
But what she probably will not be told is that now they have the technical capability to do much more. Many IT teams self-impose limitations on what they can do bring-your-own-device (BYOD) situations to respect user privacy. However, these limitations are policy-based and can easily be reconfigured by a rogue employee. For instance, if such an individual decides to install a program, wipe her disks, or run a script to steal her files, they can adjust the MDM policies to do so. Worse yet, an IT team member who has gone rogue is not only able to do anything she can do on her machine but can also do anything she can do on her company’s network.
Risk Across Sectors
While we used the example of a university in this case, obviously this scenario is not limited to educational institutions; The same risks exist across sectors such as healthcare, corporations, and even gaming. Whenever an IT team is allowed to centrally control IT security, such as through an MDM system, there is potential for abuse.
Given this, traditional espionage techniques — in particular, planting an employee into the IT team or broader organization — become a viable model for criminal enterprises. In fact, unlike most other criminal endeavors that offer similar levels of potential monetary gains (e.g., stealing from a bank), this is not only less risky but also requires much less personnel (e.g., just one individual who deceives their way into the IT team).
This is because, in most cases, espionage completely bypasses security controls, by capitalizing on the trust placed in IT teams. In contrast, trying to hack into a hardened system comes with all kinds of hurdles. For instance, you can try to use a zero-day exploit, but it would cost exorbitant amounts of money. Exploit brokers such as Zerodium pay large sums (e.g., $2.5 million) to buy a zero-day, and then add their profits to the sum while selling it. In contrast, the price of planting a spy, especially within a lower-risk environment like a school or public hospital, is significantly lower. Furthermore, planting a spy in the organization can provide information and access for extended periods.
Therefore, this trend toward centralized IT control makes the use of industrial spies a more profitable and less risky proposition. After all, how many organizations — let alone universities, schools, or public hospitals — can effectively root out a highly trained professional spy embedded within their IT team?
Furthermore, this centralization trend is expanding beyond enterprise environments. For example, many multiplayer games employ anti-cheating measures that operate at the kernel level, granting full access to the gaming company’s IT team. One way to hack hundreds of thousands of users, therefore, is hiring a sophisticated team of hackers to reverse engineer the anti-cheat engine for countless hours to find a zero-day vulnerability. Generally, though, planting someone into the gaming company is a much cheaper alternative.
How Do We Design Our Systems Better?
In response, we need to improve the design of our systems in at least three ways.
-
First, systems must be designed with decentralization in mind; highly centralized systems come with the threat of a single point of critical failure.
-
Second, information security should not be confined to IT teams; we have to embed the zero-trust mindset into all organizational functions, ranging from HR (e.g., recruitment practices) to managerial decision-making.
-
Finally, for IT admins today, the top-level concern is the breach of the servers and domain controllers. However, unwarranted access to personal devices must become another top concern beyond the compromise of the organization’s own servers.
Ultimately, we must recognize that the centralization of IT security elevates espionage to a critical threat, marking the next phase in the evolution of information security.
https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blte91cddb612d70531/672501172ae7ced396ae5035/Spy(1800)_Cagkan_Sayin_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop