With the proliferation of the Internet of Things (IoT), near-field communications, touch-less digital mobile payments, and wearable devices, attack surfaces are increasing immeasurably, according to Bryant G. Tow, Managing Partner of Cyber Risk Solutions LLC. In a recent interview with EDGE360, he talked about how mobile devices contribute to the network perimeter disappearing while they extend the potential attack surface, and said that many businesses don’t consider that in cybersecurity planning.
“These devices also hold your business email, but, because they aren’t considered targets, the focus is not as strong on security for them,” Tow explained. “They are not as well protected, so you might have a wearable device with a vulnerability, and when you attach it to your network, maybe to download your health information, you have introduced the vulnerability to your network.”
Tow also said using multi-tenant data centers to house data in the cloud can introduce vulnerabilities. Some cloud service providers run multiple customers' processes on shared infrastructure to maximize efficiency; databases are kept separate, but server memory is often shared between tenants.
“To maximize efficiencies, these seemingly independent businesses are actually sharing back-end resources, and the bad guys know it,” he explained. “Attackers are spending their time looking for vulnerabilities in hypervisors. There is a huge opportunity to infiltrate a cloud-based server that is multi-tenant. If they can get to one, and they can compromise the hypervisor behind that, then they can get to multiple tenants.”
Because there is no “silver bullet” to protect a business from today’s sophisticated attackers, strategy and training are key.
“If you’re going to invest in one thing this year, it should be an effective program that starts at the executive management level and sets ‘Tone from the Top,’” Tow explained. “It should start with a cyber strategy that includes business processes, creates solid cyber policies and procedures across the business, and ensures that incident response plans, business continuity, governance documents, training, education and awareness are in place.”