In 2013, malicious actors stole 40 million credit card numbers and the personal details from 70 million customers in what has become known as the Target data breach. For those of you that don’t know, Target is a very large retail chain with locations around the world. In addition to credit card numbers, the cybercriminals also got away with PINs, customer names, email addresses, phone numbers, expiration dates, and security codes. This incident combined with the Home Depot Hack forced retailers to move away from magnetic strip type cards to chip-based cards. In addition, the mechanism used by the hackers forced all major retailers to dump their existing swipe machines and replace them with more modern devices that enforced end-to-end transaction encryption.
So how did the malicious actors carry out their crime? Enter Fazio Mechanical Services – a contractor that was retained a Target store in the Midwest to maintain their HVAC systems. A technician from Fazio Mechanical Services used a computer connected to the Target network used to manage the HVAC systems to check work email on that device. A message that was sent to this employee contained malware. The malware was used to gather the employee’s credentials and ultimately provide the malicious actors with the access they needed in order to implant additional malware on Target servers and upload malicious firmware that was pushed to credit card readers in order to exfiltrate data.
In 2015, the Democratic National Committee (DNC) was compromised by two different Russian groups. The attackers targeted John Podesta, the campaign chairman for Hillary Clinton’s presidential campaign. The malicious actors did not target his corporate email. This email was being filtered by my former employer, AppRiver and we were involved in part of the investigation. Instead, the attackers targeted Mr. Podesta’s personal Gmail account. Mr. Podesta access this account using his browser on his work-issued device. The malware that led to the data breach was access though emails directed to his personal account but accessed on his work device. The exfiltrated data was later provided to and is posted on the WikiLeaks web site.
There are thousands more examples of people commingling work and personal access on corporate devices where the result was an extensive data breach with far reaching negative results for the business. I am confident that the victims of these attacks never dreamed that the simple act of reading a personal email on their corporate device would lead to such dire results.
These examples stress the importance of maintaining a strong separation between your corporate and personal identities. But what does this really mean? How do we maintain separation? How much separation is enough?
Let’s start with what is means to separate identities. It all starts with containment and trust. I’ll be working from the corporate perspective. Employers provide employees (users) with the devices they need to perform their role within the organization. Typically, this means a laptop or desktop computer and access to software and tools that serve the needs of the organization. Users are provided with the credentials needed to access the appropriate company resources. Many of those resources are cloud-based and can be accessed from any device with an Internet connection. The data contained within those cloud applications varies in the level of sensitivity and importance to the business or the employee. The more sensitive the data, the more restrictive the access to that data.
Organizations manage the devices they provide to employees by making sure the devices are running only approved software, the operating system and software is kept regularly patched and policies are put in place to ensure that the devices are in a state that makes compromise less likely. Additional controls like Endpoint Detection and Response (EDR) and remote logging are deployed to monitor and respond to breach attempts. Other controls may be in place to prevent the inadvertent sharing of data with parties that should not have access to that data.
You can imagine that accessing certain organizational resources using an unprotected, unmanaged device greatly increases the risk of exploitation and data exfiltration. Here are some things one can do to maintain identity separation:
- Use corporate credentials managed by the organization to access corporate resources.
- Do not use personal email accounts to generate access credentials for corporate resources.
- Do not use corporate email accounts to generate access credentials for personal resources.
- Do not reuse passwords ever.
- Maintain separate personal and corporate password managers and do not store corporate credentials in personal password managers and vice versa.
- Do not initiate cloud accounts with your corporate email address as the owner of the account. IT should create a distinct alias account distributed to the main admins for each cloud account created.
- Do not access personal email accounts using corporate devices (remember the stories).
- Do not install personal software on corporate devices.
- Do not use your personal iCloud account on your corporate Mac.
- Do not allow your family members access to your corporate device. It’s not a gaming computer for your children.
- Don’t access corporate resources on your personal devices without proper authorization.
Maintaining a secure separation between your work and personal identities isn’t difficult but it does take intentionality and understanding the risks. The IT department provides the resources you need to keep your corporate device separated from your personal device. We can even implement controls to guide users in keeping their identities and activities separated. What we don’t want is to be responsible for your personal data on your corporate device.
Every business has to determine the degree to which they need to maintain separation. This decision is dependent upon the sensitivity of the information and data to which the user has access as well as the damage that would result from the accidental disclosure of that data.
I have worked in organizations that implemented much stricter controls than we have in place at my current employer. Some of those controls were implemented after users failed to follow published policies. Our goal should be to have a security mindset, understand and operate using best practices and keep our personal and corporate identities as separate as we possibly can.