Apple's Box security alert shows the risk of shadow IT


As long as corporate IT does not really grasp that its own internal systems must be as easy to use as any iOS app and as easy to learn as an iPhone, potentially damaging data breaches will keep happening, threatening the company's confidential information. Apple is not immune.

Apple and the human interface

The news is that information belonging to some of the world's largest organisations, including Apple, Edelman and Discovery Channel, could have been accessed through Box Enterprise, which provides businesses with custom file storage and file-sharing services. Access was possible via URLs built from the company's name, using this URL construction:

https://<company-name>.app.box.com/v/<file-name>

The problem – according to a report on adversis.io – is that files stored on the service were susceptible to brute-force guessing. Of course, it does not affect every user: most companies do not use this kind of share link, and Box's standard share links are not affected. For those who do, however, it is possible to guess file names and try to access them, and apparently thousands of files (including confidential data) could be reached this way.

Only files whose owners chose to share them with a public permission, and whose links were built in this manner, are affected (see below).

To be fair, Apple employees sharing documents with other people via Box Enterprise public links were not using an unauthorised application to do so. It was an officially sanctioned internal Apple tool.

Box is not to blame. The company reacted quickly, reminding users of best-practice security tips very soon after the story appeared, and added that it was also working to address the problem.

Box itself had previously warned users that it was possible to guess URLs, and advised administrators to limit sharing to "people in your company" and to regularly check for public / open links. It even offers tools to create unguessable links to content.
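As an added illustration (not code from the article or from Box), here is the kind of defender-side check an administrator could run over an export of share links: it flags open links whose path is a human-chosen name rather than a random token, which is exactly the combination the report describes. The `/v/<name>` and `/s/<token>` path shapes, the sample export and the 64-bit entropy threshold are assumptions.

```python
"""Audit a constructed Box share-link export for public links with guessable paths."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed link shapes (not from the article): custom vanity links live under
# /v/<name> on a company subdomain, random share links under /s/<token>.
VANITY = re.compile(r"^/v/([^/]+)/?$")
RANDOM = re.compile(r"^/s/([A-Za-z0-9]{20,})/?$")

# Constructed sample export: (url, access setting) pairs.
SAMPLE_LINKS = [
    ("https://examplecorp.app.box.com/v/q3-board-deck", "open"),
    ("https://examplecorp.app.box.com/v/hr-salary-review", "company"),
    ("https://app.box.com/s/7f3k9x2mv1b8q4z5n6c0d9e8w7r6t5y4", "open"),
    ("https://examplecorp.app.box.com/v/press-kit", "open"),
]


def entropy_bits(s):
    """Total Shannon entropy of the string: a rough guessability estimate."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n


def classify(url, access):
    """Return (kind, risk) for one link. Only 'open' links are reachable
    without a login, and only custom names are practical to guess."""
    path = urlparse(url).path
    if RANDOM.match(path):
        return "random", "low"
    m = VANITY.match(path)
    if not m:
        return "other", "review"
    if access != "open":
        return "custom", "low"  # requires a company login anyway
    # Short or low-entropy names are enumerable from a wordlist (threshold assumed).
    return "custom", ("high" if entropy_bits(m.group(1)) < 64 else "medium")


def audit(links):
    """Return (url, risk) for every link that needs an administrator's attention."""
    findings = []
    for url, access in links:
        _, risk = classify(url, access)
        if risk != "low":
            findings.append((url, risk))
    return findings
```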

Nevertheless, the scenario shows that convenience and apathy win out, and that good security advice is not always enough to guarantee good security practice.

In the shadow of IT

This is, of course, the story of the BYOD / Apple renaissance.

Just as new employees expect to be able to use Apple kits at work, they also expect the software solutions they use to be accessible and intuitive.

This is fine if your company has verified and approved such use as part of its security policy, but what about apps you have not verified?

It's important to put your solutions where your employees already are.

After all, there are some applications without which employees can no longer live. For example, more than half of deskless employees use messaging applications such as WhatsApp and Messenger daily, but fewer than one in five (16%) of them had informed HR of this use.

The same logic applies across the entire application landscape.

Mobile or desktop, most employees will use the solutions they find most intuitive rather than more complex applications – the simple fact that your company offers a word processor that does everything does not mean much if employees have found an alternative solution that performs the same task faster.

From their point of view, their time may be your money, but their time is precious to them too, and the constant push for greater business productivity means that stressed workers will look for and use these shortcuts.

Employees using an iPhone know that Apple stores typically offer an "app for that".

Where they are

Enforcing a strong security policy requires a realistic approach.

Your employees will use the solutions they are used to. It makes sense, then, for security teams to review those solutions and provide sound security advice, to ensure that what happens on social media stays on social media – and that business secrets never end up there. The same applies to any other service.

It is not enough to impose an authoritarian, selective, top-down approach to employees' choices. It is more essential, and more useful, to provide accurate risk assessments and best-practice advice, and to block some of the worst security offenders (including surveillance-capitalist networks) from your internal networks.

MDM, content sandboxing, effective file-sharing controls, asset tracking, and even AI-based protections on corporate intranets and networks can help prevent and / or identify bad security practices.

However, as long as the systems you provide are harder to use than the many popular alternatives, you will still have a shadow IT problem – and the least you can do for the services your company does support is to read the small print rather than assuming everything is secure straight out of the box.

Please follow me on Twitter, or join me in the AppleHolic's Bar & Grill and Apple Discussions groups on MeWe.