Clippy wasn’t deemed much of a security risk at the time, just an awful user interface (fortunately you could switch it off), but in 2000 ZDNet reported a security loophole in the nuisance assistant. “The hole, which allows an attacker to write a script that can do anything once on a user’s computer, gets activated by clicking on a Web page or HTML-enabled email. The script can then add or delete files,” ZDNet reported. In effect, Clippy was the burglar who hides in your trunk and who you drive into your garage after which, you presume, you can safely lock the door, only to find you yourself have conveyed an intruder into your personal space. Office Assistant is Active X-enabled so it can act as a back door for malicious users to write destructive and damaging scripts. At the time, Microsoft claimed human error and released a patch that prevented Active X control of the Office Assistant via the web, and there was no real harm done. But it just goes to show, you can’t trust anyone. Today’s Intelligent Personal Assistants (IPAs) are far more functionally sophisticated but also far more potentially vulnerable to privacy and security breaches from cyber criminals. Let’s first take a brief look at what a modern IPA does and why organizations need a security policy in the workplace.
What is an IPA?
Some functionalities put IPAs into the class of super-bot, like Pepper, a kind of humanoid that can analyze human facial expressions, body language and verbal cues, and then respond in human-like conversation. He was originally created for use in SoftBank Robotics Mobile retail stores in Japan. The makers say Pepper is “kindly, endearing and surprising.” More popular IPAs include: What makes an IPA unique in the modern world of artificial intelligence (AI) apps is that it uses natural language and can be text- or voice-controlled. Sample questions you might ask your assistant:
What’s the wind speed today? How many miles to the next Burger King? Who won the tennis match? How much is in my checking account? Who am I lunching with today?
You have to set it up to have access to the kind of information it needs to operate as your personal assistant, e.g. your location (so it can send you a weather report for the area), be able to access your contacts’ list (to remind you of your spouse’s birthday) and know a bit about you and your preferences (jewelry sites and rifle ranges) to be truly useful. An IPA is very useful in performing dull and repetitive tasks, for reminders and to request information from online sources. You can ask it to find and send a report to your boss or send your time sheets daily to the HR department. Now, here’s the rub. Your IPA ends up knowing more about you than your mother does and this information is stored in databases in the cloud; your privacy at the mercy of the security implemented by the creator of the IPA. Need for a security policy In 2012, IBM banned Siri on its corporate network saying the app could snoop on the company’s clients’ data, posing a security risk. (To put this into perspective, IBM also bans Dropbox and many other cloud services.) It’s difficult to personalize information and customize it for individuals without opening their virtual drawers and reading their diaries. But, what exactly are the risks?
IPAs may need passwords to have access to private data, like your cloud calendar in order to let you know about a meeting. This also means they may have access to other personal data and sensitive company information. IPAs store details of your requests in a data center, so the privacy of this information is pretty much out of your control and your privacy is at the mercy the security conscientiousness of the data center. The biggest all-round concern for cyber security experts is that IPAs are programmed to constantly listen, essentially eavesdropping on all your conversations. Your location, personal details, and other information about your habits and preferences can leave you vulnerable to cyber criminals who can sell this information on the black market. A cyber thief with access to your smartphone could conceivably configure your IPA to perform any number of automated tasks, e.g. automatic debit orders into the criminals’ accounts, downloading of viruses or a Trojan horse, and sharing your secrets with the crooks who’ve hijacked your phone. The operating systems running many popular IPAs remain vulnerable to cybercriminals. In 2015, a security flaw in iOS 9 was discovered that allowed anyone with a locked Apple device (read “stolen”) to view its contacts and photos without having to enter a passcode. Not a complete disaster as only personally sensitive information such as personal photos and contacts were viewable, but criminals are getting smarter, so it’s a worry not to be discounted.
There is good reason most companies have security policies for Bring Your Own Devices (BYODs), and these are pretty much applicable to IPAs too. A good IPA security policy has a four-pronged approach:
Prohibiting the use of certain apps, e.g. Google Calendar, and simultaneously creating or allowing access to in-house applications, e.g. calendar or email, to help maintain productivity Implementing different security levels depending on the employee role Equipping smartphones and BYODs with additional protections such as encryption software and device wiping protocol Mandatory security awareness training
Let’s take a look at some policies you can implement, depending on your business and existing mobile device and internet security policies. A sample IPA security policy Tip: Companies may find it useful to create a separate personal device use policy (PDUP) that works with existing company security and privacy polices but is specially designed to address specific IPA issues. [Your company] grants employees the right to use [name of IPA] but reserves the right to revoke this privilege if users do not abide by the following policies and procedures. Employees may not use internet access in such a way as to interfere with the duties of employment or to expose the company to any cost or risk of liability. Overview
Acceptable business use is defined as activities that directly or indirectly support the business of [your company]. This policy applies to [e.g. all employees, including full- and part-time staff, volunteers, outsourced agents, etc.]. This policy applies to, but is not limited to, all devices that fit the following device classifications: [acceptable IPAs]. [Your company] reserves the right to monitor how employees use company-owned property, including computers and networking equipment, and employees should be mindful that any and all web browsing they do on the company’s premises may be monitored.
Acceptable use
Smartphones belonging to employees that are for personal use only [are/are not] allowed to connect to the corporate network.
Network and data access must use secure data management procedures. All device users must ensure all company data stored on the device is encrypted using strong encryption. Employees must follow all enterprise-sanctioned data removal procedures to permanently erase company-specific data from devices once their use is no longer required. Adequate privacy settings must be configured; if necessary, unplug the device when not in use (e.g. Cortana). Where applicable, use in-house applications for email, calendar, storage, etc. rather than a device’s built-in apps. All employees are expected to follow applicable local, state and federal laws and regulations. For instance, employees who are charged with traffic violations resulting from the use of their phones while driving will be solely responsible for all liabilities that result from such actions. Any personal devices must have current antivirus software loaded. Antivirus signature files must be updated on a regular basis. Passwords and other confidential data not to be stored on devices or their associated storage devices (such as SD and CF cards.) The IPA should lock with a passcode needed to reactive it after [e.g. 5 minutes]. Devices and/ or IPA software must be password protected using the following rules: [e.g. no less than 12 characters including at least one upper case letter and one numeral]. The employee’s device may be remotely wiped if the device is lost; the employee terminates his or her employment; IT detects a data or policy breach, a virus or similar threat to the security of the company’s data and technology infrastructure.
Unacceptable use
IPAs may not be used without the IT Manager / CIO’s knowledge. Employees are blocked from accessing certain websites during work hours/while connected to the corporate network, including [website list]. Employees must ensure that their computers and handheld devices are not connected to any other network while connected to the company network.
Employees must ensure IPAs are not operational in locations where potentially sensitive information is passed verbally.
IPAs may be allowed to access the following content: [e.g. email, calendars, contacts, documents, etc.] IPAs may not be tied to corporate accounts used for purchasing or sensitive transactions. Employees may not create open WiFi hotspots. Employees may not disclose the full name, home address, or phone number of any other user to the IPA. Vandalism and mischief are prohibited. Vandalism is defined to include any attempt to harm or destroy data of another user, on the corporate network or on any connected networks, including by making IPA requests. Employees may not use an IPA to request information that is of a sexual, financial or criminal nature unless within the boundaries of their company role. Employees may not try to elicit personal information about other employees or sensitive company information via the IPA. Any user identified as a security risk or having a history of violations with other computer systems may be denied access to the organization’s network. Devices may not be used at any time to:
Store or transmit illicit materials. Store or transmit proprietary information or intellectual property. Harass or bully others. Engage in outside business activities.
Excessive personal use of IPAs during the workday can interfere with employee productivity and be distracting to others. The use of camera or other video recording-capable devices on company premises is prohibited without the express prior permission of senior management and of the person(s) present at the time. Never voice sensitive information, like passwords, within hearing distance of a record, microphone or other person. Employees agree to never disclose their passwords to anyone, including family members.
Security
The IT Department will manage security policies, network, application, and data access using whatever technology solutions it deems suitable. Any attempt to disable or bypass this security will result in disciplinary action. If a user identifies a security problem on the network it is expected that he or she will notify the IT department immediately. Employees in possession of company equipment are expected to protect the equipment from loss, damage or theft and [your company] has the right to inspect this equipment if and when an employee leaves the company
Conclusion Your employees are the biggest cyber security risk at your organization because they:
Often don’t understand the risk Think security training is a waste of time Are susceptible to social engineering, and Being human, make mistakes
So, the best policy for secure IPA usage is for all employees to undergo security awareness training periodically. The level and type of training will depend on the employee’s role. Speak to Infosec Institute about their enterprise security awareness training for organizations.