1. Inability to Conduct Security Reviews of “Pinned” TLS Traffic Bypassing Decryption
Many enterprises decrypt outbound web traffic at a proxy, inspect it for security issues, re-encrypt it, and forward it on to the destination. Destination sites that use "certificate pinning" defeat this: the client accepts only a specific certificate or public key for that host, so it rejects the re-signed certificate the proxy presents. Pinning is an application-level practice, not something defined by the TLS 1.3 protocol, and it exists to stop man-in-the-middle interception of any kind, not merely for "privacy". Mainstream browsers do not enforce pins against locally installed enterprise CAs, so the problem shows up mainly with mobile and thick-client apps that pin. If a pinned destination is not on the enterprise's decryption bypass list, connections to it fail, causing operational issues. If it is on the bypass list, the traffic passes in and out of the enterprise without security ever inspecting it. The more addresses that are bypassed, the higher the risk. Sites hosted on shared cloud infrastructure are the worst case: they can appear anywhere in the provider's address space, so administrators end up exempting large ranges that also cover millions of unrelated sites.
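The following is an added example, not code from the original page: a small audit of a decryption bypass list that shows how much address space it really exempts, plus the three outcomes a connection can have at an intercepting proxy (inspected, failed because of a pin, or passed through uninspected). The bypass entries, the host names and the "wider than /24" threshold are constructed for illustration.

```python
import ipaddress

# Constructed bypass list for illustration only; none of these entries comes
# from a real enterprise policy. The hostname is what an admin adds for one
# pinned site; the CIDR entries stand in for the provider-wide ranges that end
# up on the list when a pinned site lives on shared cloud infrastructure.
BYPASS_LIST = [
    "pinned-app.example",      # exempt one host by name
    "203.0.113.0/24",          # TEST-NET-3, a single /24
    "198.51.100.0/24",         # TEST-NET-2, contained in the /22 below
    "198.51.100.0/22",         # a broad "cloud provider" range (assumed)
]

# Assumed policy threshold: any network wider than a /24 is worth a review.
MAX_PREFIX_WIDTH = 24


def parse_bypass(entries):
    """Split a mixed list into hostnames and de-duplicated IP networks."""
    hosts, nets = set(), []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:          # not an address or CIDR, so treat as a hostname
            hosts.add(entry.lower())
    # collapse_addresses merges overlapping and adjacent networks so a /24
    # that sits inside a /22 is not counted twice
    return hosts, list(ipaddress.collapse_addresses(nets))


def is_bypassed(host, ip, hosts, nets):
    if host.lower() in hosts:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(host, ip, pinned, hosts, nets):
    """What happens to one client connection at an intercepting proxy."""
    if is_bypassed(host, ip, hosts, nets):
        return "passed-through-uninspected"   # security never sees the payload
    if pinned:
        return "connection-fails"             # client rejects the proxy's re-signed cert
    return "inspected"


def audit(entries, max_prefix=MAX_PREFIX_WIDTH):
    """Summarise how much address space the bypass list exempts."""
    hosts, nets = parse_bypass(entries)
    return {
        "hostnames": len(hosts),
        "networks": len(nets),
        "addresses_exempt": sum(net.num_addresses for net in nets),
        "too_broad": [str(net) for net in nets if net.prefixlen < max_prefix],
    }


if __name__ == "__main__":
    print(audit(BYPASS_LIST))
    h, n = parse_bypass(BYPASS_LIST)
    for host, ip, pinned in [("pinned-app.example", "192.0.2.10", True),
                             ("other.example", "192.0.2.10", True),
                             ("other.example", "192.0.2.10", False),
                             ("unrelated.example", "198.51.101.7", False)]:
        print(host, ip, "pinned" if pinned else "unpinned", "->",
              classify(host, ip, pinned, h, n))
```

Note that the overlapping /24 collapses into the /22, so the list exempts 1,280 addresses rather than the 1,536 a naive sum would report, and the /22 is flagged for review. An unrelated host that happens to resolve into that range is passed through uninspected even though nobody intended to exempt it. The example handles IPv4 only; a real list mixing IPv4 and IPv6 entries must be collapsed per address family.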
2. Inadequate Defense against Attacks Launched via Malware-infested “Customer” Devices
Despite multiple layers of defense[1], enterprises fail to defeat malware attacks launched via customer devices. Enterprises cannot mandate that customer devices employ the controls they apply to their own high-risk devices[2], or even to ordinary enterprise-owned devices[3]. Customers will not tolerate "solutions" that require agents or software on their devices, and enterprises will not tolerate constantly updating their applications.
Case Study: https://www.wired.com/story/massive-fraud-operation-stole-millions-online-bank-accounts/
“A Massive Fraud Operation Stole Millions from Online Bank Accounts”—crooks used emulators to mimic the phones of more than 16,000 customers and drain millions of dollars from online bank accounts in a matter of days.
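Since the enterprise cannot put an agent on the customer's phone, the remaining vantage point is the server side: telemetry the app already sends. The block below is an added example, not code from the page or from the Wired article, of one such check run over constructed login events: a device fingerprint that logs into many distinct accounts inside a short window is flagged, which is what an emulator farm cycling through stolen profiles looks like. The events, the fingerprint values and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login telemetry; not real data and not from the Wired article.
# Each tuple: (timestamp, account, device fingerprint reported by the app).
LOGIN_EVENTS = [
    ("2020-12-01T09:00:00", "acct-1001", "fp-aaaa"),
    ("2020-12-01T09:01:10", "acct-1002", "fp-aaaa"),
    ("2020-12-01T09:02:05", "acct-1003", "fp-aaaa"),
    ("2020-12-01T09:02:50", "acct-1004", "fp-aaaa"),
    ("2020-12-01T09:03:30", "acct-1005", "fp-aaaa"),
    ("2020-12-01T10:15:00", "acct-2001", "fp-bbbb"),   # one customer, two logins
    ("2020-12-01T18:40:00", "acct-2001", "fp-bbbb"),
    ("2020-12-01T11:00:00", "acct-3001", "fp-cccc"),   # a shared family phone
    ("2020-12-01T11:05:00", "acct-3002", "fp-cccc"),
]

# Assumed thresholds: a legitimate device rarely logs into more than a
# handful of distinct accounts within an hour.
MAX_ACCOUNTS_PER_DEVICE = 3
WINDOW = timedelta(hours=1)


def flag_shared_devices(events, max_accounts=MAX_ACCOUNTS_PER_DEVICE, window=WINDOW):
    """Return {fingerprint: [accounts]} for devices used by more than
    `max_accounts` distinct accounts inside a sliding time window."""
    by_device = defaultdict(list)
    for ts, account, fingerprint in events:
        by_device[fingerprint].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for fingerprint, rows in by_device.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # distinct accounts seen from this device within `window` of `start`
            accounts = {acct for t, acct in rows[i:] if t - start <= window}
            if len(accounts) > max_accounts:
                flagged[fingerprint] = sorted(accounts)
                break
    return flagged


if __name__ == "__main__":
    for fp, accounts in flag_shared_devices(LOGIN_EVENTS).items():
        print(f"{fp}: {len(accounts)} accounts within {WINDOW}: {accounts}")
```

The shared family phone (two accounts) stays under the threshold while the five-account device is flagged. The fingerprint is whatever the app reports, so an emulator that replays a stolen fingerprint per victim evades this particular check; the point is that such checks cost the customer nothing to install, unlike an agent.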
The Fallacy of Zero-trust[4] and Vendor Software—The SolarWinds Compromise
A likely nation-state cyberattack (widely attributed to Russia) infiltrated infrastructures around the globe via vendor-supplied software (the SolarWinds Orion platform) to gain unauthorized access to networked resources. One victim, FireEye, publicly disclosed the cyberattack on Sunday, December 13, 2020. Reports indicate the attackers first gained access to SolarWinds in September 2019. The backdoor's command-and-control traffic was designed to blend in with the product's own telemetry, which further increased the difficulty of detection. While many enterprises have a wide variety of defenses against cyberattacks, few if any detect compromised vendor software that arrives through the vendor's normal, digitally signed update channel. Few if any security assessments are performed against vendor products; a vendor's SOC 2 report or an Internet-facing security rating (e.g., BitSight) says nothing about the product itself. SolarWinds' customer base reportedly included 425 of the Fortune 500, many Federal departments and agencies, and all branches of the military; those organizations were evidently just as limited, since the compromise went undetected for about a year.
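Because the trojanized component was signed by the vendor, code-signing checks did not help; the compensating control an enterprise does own is what a vendor product's servers are allowed to talk to. The block below is an added example, not code from the page, SolarWinds, or any vendor: it runs a per-host egress allowlist over constructed outbound-proxy log lines and reports any destination the vendor never documented for that host. The log format, the host names and the allowlist are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed outbound-proxy log lines; the format and hostnames are made up
# for this example and are not from any real product or incident.
PROXY_LOG = """\
2020-12-10T03:12:01Z src=monitor-01 dst=updates.vendor.example bytes=5120
2020-12-10T03:12:44Z src=monitor-01 dst=licensing.vendor.example bytes=2048
2020-12-10T03:13:09Z src=monitor-01 dst=cdn-telemetry.example.net bytes=98304
2020-12-10T03:14:02Z src=monitor-01 dst=cdn-telemetry.example.net bytes=120000
2020-12-10T03:15:10Z src=fileserver-07 dst=mirror.example.org bytes=4096
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

# Hypothetical per-host allowlist. A leading dot matches the domain and all
# of its subdomains. In practice the list comes from the vendor's install
# documentation and the change record for that host, never from observed
# traffic (that would allowlist the attacker's infrastructure too).
EGRESS_ALLOWLIST = {
    "monitor-01": {".vendor.example"},
}


def allowed(dst, patterns):
    """True if dst matches an exact hostname or a dotted domain suffix."""
    for p in patterns:
        if p.startswith("."):
            if dst == p[1:] or dst.endswith(p):
                return True
        elif dst == p:
            return True
    return False


def parse_log(text):
    """Yield (src, dst, bytes) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("bytes"))


def unexpected_egress(text, allowlist=EGRESS_ALLOWLIST):
    """Return {src: {dst: bytes}} for policed hosts reaching undocumented destinations."""
    findings = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in parse_log(text):
        if src not in allowlist:
            continue                      # host has no egress policy; out of scope here
        if not allowed(dst, allowlist[src]):
            findings[src][dst] += nbytes
    return {src: dict(dsts) for src, dsts in findings.items()}


if __name__ == "__main__":
    for src, dsts in unexpected_egress(PROXY_LOG).items():
        for dst, nbytes in dsts.items():
            print(f"ALERT {src} -> {dst}: {nbytes} bytes to an undocumented destination")
```

The two vendor hosts pass the suffix rule; the third destination is reported with the volume sent to it, which is the figure an analyst needs first. A host outside the allowlist is deliberately ignored rather than alerted on, so the check only ever fires on servers someone has taken the trouble to document, and the alert is meaningful when it does.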
Lemming-like Migration to “Secure” Cloud Solutions
Most believe cloud services are cheaper, while “experts” (of the “Gartner” variety) advise that, no matter what your enterprise security is today, the Microsoft “Ecosystem” will provide better security. Do security staff consider whether cloud provider personnel could access enterprise information, or whether enterprise data might come to reside outside the US (perhaps during a failover or other emergency)? The cloud will likely process a broad spectrum of enterprise information (not the narrow subsets handled by typical vendors), which makes a cloud provider more than just an ordinary vendor. Migrating to the cloud likely requires in-house cloud-aware security experts, who are likely more expensive than those managing on-premise resources.