THE IT SECURITY PROFESSIONAL | Barlowtek
Helping Organizations Understand IT Security & Best Practices
Protected Access

One of the first questions when deciding whether to permit BYOD (Bring-Your-Own-Device) on your network is the threat such devices pose. Because network administrators do not directly manage the device, how it is set up and configured is outside their control, and a compromise of the device is out of the hands of those responsible for securing the corporate network.

Security Concerns vs. Privacy

BYOD should not be viewed only as a threat but also in terms of the benefit to the company: a more responsive and effective workforce, since an employee with a device can respond to business operations faster than one without. It is precisely this access to the corporate network that the IT Security Team must address squarely, whether by installing a remote-wipe capability or by requiring specific security software or configuration settings. The purpose is to secure the corporate network while still allowing access when it is needed.

Privacy is another concern when allowing BYOD. Where is the line the company must not cross? This should be clearly spelled out in any documentation or acknowledgement given to the employee. (Consult legal counsel before having employees sign any document that may restrict their rights.) Privacy breaks down into two cases. In the first, the company owns the device and assigns it to the employee for business purposes, so all data and content on the device belong to the company. The second, and the one most companies find themselves dealing with, is the employee owning the device and using it to access company assets (email, documents, instant messaging). Clear delineation and documentation of what is the employee's information and what is the company's helps to alleviate these legal concerns.

Vulnerability Management

With BYOD assets on the network it is important to manage the vulnerabilities they could pose to your business, whether in the device's configuration or in the applications running on it. Each of these areas poses a risk to your network. Here are some ways to help protect your critical infrastructure:
Targeted Attacks
There are a growing number of threats that target a specific user. They come in various forms and may be combined to make them harder to detect and stop. Targeted attacks can aim at the user's non-business accounts and application passwords in order to gain access to company resources or data. While many of these attacks are stopped by changing the passwords on the user's online accounts, others persist for some time using different methods that may be invisible to the user. Attacks on business assets or on BYOD devices should be reported through the designated reporting process. An attacker who gains access to sensitive IP or business resources can put the rest of the business at risk, and understanding the breadth of the attack determines what other areas of the company may be at risk and what steps might prevent a recurrence.

Breach Notification

Even if the mobile device has not accessed corporate data, the attack should be treated as a breach. The amount of data on a modern mobile phone can equal or exceed what is stored on a computer, not to mention the data it can reach in the cloud. In addition, services the device used while on the corporate network may have connected it to information that was never downloaded but that an attacker could access if so desired. In breach notification, documentation provides a detailed picture of what happened and how it evolved over time. Sometimes this documentation takes place long after the initial compromise and can link together a chain of events that would not have made sense viewed individually.

Documenting each step and action taken by support personnel allows the investigative team to determine the full scope of the compromise and what information may have been exposed, and whether further controls are needed to protect the network from a similar threat in the future.

Summary

With the growing need for employees to stay connected to the business, remember that each device that accesses the corporate network is a potential risk to the company. That may be a reason not to allow users' own devices on the network, but as an IT Security Professional you can implement controls and processes that lessen the risk. Whatever the business decides, the overall goal is to enable employees to be more effective at their work. Controls should not hinder the work being done; they should enhance the security posture already in place.
Securing BYOD on your Network

When it comes to enabling our users to be the best employees they can be, IT Security must be the department of enablement, not the department of "NO". With that mindset, remember that our job is still to protect the network. When you allow users to bring their own devices onto your network, certain steps let you maintain security while still letting the business profit from the productivity that BYOD (Bring-Your-Own-Device) brings.

Rules

Establishing rules for BYOD usage is the first step in allowing user-owned devices onto the secured enterprise network. The rules or policies should clearly define where the business's responsibility ends and where the employee's begins. For some companies this is a difficult line to draw, since they may provide the employee a phone for business use. (Where do you draw the line between company and employee for text messages or personal email content?) Consulting a legal adviser is always good practice, and it is especially important while creating your BYOD policy. Employees may take offense at the IT Security Team digging through their personal information or device, so there must be some mechanism that gives the company that control, and having the employee sign a document agreeing to follow the guidelines you develop goes a long way toward maintaining it.

Device Support

Now that you will be allowing BYOD on your enterprise network, determine which specific devices you are willing to support. With several manufacturers to choose from, you will need to spell out specific details, such as the following:
Exclusion List
Just as it is important to have a list of devices you will support on the network, it is important to have a list of what you will not support. The item most often mentioned for BYOD is a "cracked" (jailbroken or rooted) device whose OS has been altered. Once a device is altered from its original configuration you can no longer determine what features and protections it actually has. There may be benefits to the user in doing this, but here the risks outweigh them. Exclusion lists may carry the same kind of information as the permitted list (devices and OS versions), and specific software may also be prohibited on the network, which must be spelled out for the end user. Without these details, end users will try to bring all sorts of devices onto the network because you never said they couldn't.

Customer Support

One of the biggest mistakes IT Security teams make is taking the place of the employee's cell service provider. There is a reason the employee chose that provider; any servicing of the device must go through the provider and not your team. Failure to draw this line in the sand makes your team liable for any damage your staff does to the device, and turns you into the go-to team for every issue users have with their devices, which is not where you want to be when you are trying to enable them.

Software Additions

Some businesses enable BYOD simply because it makes good business sense. The company may also want to include productivity applications on the device to make the employee's job easier. Organizations also deploy remote-wipe software that lets the business remove all information belonging to the company from the device.
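Applied to the Device Support and Exclusion List rules above, here is an added example (written for this page, not code from the original post) of how an enrolment check can evaluate each device against a permitted list of platforms and minimum OS versions, a jailbroken/rooted flag, and a blocked-software list. The platform names, version floors, app identifiers and sample devices are constructed assumptions; in practice the device attributes would come from your MDM or enrolment agent.

```python
"""Added example (not from the original post): evaluate BYOD enrolment
requests against a permitted-device list and an exclusion list.

The platforms, minimum OS versions, blocked app identifiers and sample
devices below are constructed assumptions for illustration.
"""

from dataclasses import dataclass

# Constructed policy: supported platforms and the minimum OS version each
# must run. Anything not in this table is unsupported and denied.
MIN_OS_VERSION = {
    "ios": (15, 0),
    "android": (12, 0),
}

# Constructed exclusion list: application identifiers not permitted on an
# enrolled device.
BLOCKED_APPS = frozenset({
    "com.example.sideload-store",
    "com.example.vpn-bypass",
})


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    os_version: str
    rooted: bool                     # jailbroken / rooted ("cracked") OS
    installed_apps: frozenset = frozenset()


def parse_version(text):
    """Turn '16.1.2' into (16, 1, 2). Versions are compared as integer
    tuples, never as strings: as strings '9.3' sorts after '16.1'.
    Non-numeric components are rejected so an unparseable version fails
    closed rather than being silently accepted."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"bad version component {piece!r} in {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def version_at_least(actual, minimum):
    """Compare tuples of possibly different length: a bare '15' must
    satisfy a minimum of (15, 0), so both are zero-padded to one width."""
    width = max(len(actual), len(minimum))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(actual) >= pad(minimum)


def evaluate(device):
    """Return (allowed, reasons). Every failing rule is reported so the
    user sees everything to fix, and any error denies (fail closed)."""
    reasons = []
    platform = device.platform.lower()

    if platform not in MIN_OS_VERSION:
        reasons.append(f"platform {device.platform!r} is not on the supported list")
    else:
        try:
            if not version_at_least(parse_version(device.os_version),
                                    MIN_OS_VERSION[platform]):
                wanted = ".".join(map(str, MIN_OS_VERSION[platform]))
                reasons.append(f"OS {device.os_version} is below the minimum {wanted}")
        except ValueError as exc:
            reasons.append(f"unrecognised OS version: {exc}")

    if device.rooted:
        reasons.append("OS has been altered (jailbroken/rooted)")

    blocked = sorted(device.installed_apps & BLOCKED_APPS)
    if blocked:
        reasons.append("prohibited software installed: " + ", ".join(blocked))

    return (not reasons, reasons)


def evaluate_all(devices):
    """Map device_id -> (allowed, reasons) for a batch of enrolment requests."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample enrolment requests.
SAMPLE_DEVICES = [
    Device("ip-001", "iOS", "16.1.2", False, frozenset({"com.example.mail"})),
    Device("ip-002", "ios", "15", False),                       # bare major version
    Device("an-003", "android", "11.0", False),                 # too old
    Device("an-004", "android", "13", True,                     # rooted + blocked app
           frozenset({"com.example.sideload-store"})),
    Device("wp-005", "windows-phone", "10", False),             # unsupported platform
    Device("ip-006", "ios", "16.1-beta", False),                # unparseable version
]

if __name__ == "__main__":
    for device_id, (allowed, reasons) in evaluate_all(SAMPLE_DEVICES).items():
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {device_id}: {'; '.join(reasons) or 'meets policy'}")
```

Two details worth keeping when you adapt this: versions are compared as integer tuples rather than strings, and any device the rules cannot classify (unknown platform, unparseable version) is denied rather than waved through, so a typo in an inventory export never becomes an accidental allow.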
Remote wipe may also be part of your Security Incident Policy, which spells out the employee's responsibilities if the device is lost or misplaced.

Summary

There are clear benefits to allowing BYOD on your corporate network, but you should decide what specific requirements you will ask of your employees and how you will enforce those policies across the enterprise. Enabling our end users is something we should all strive for, but we need to do it with an eye on security. That focus ensures you have an effective policy and process for allowing employees to use the devices they have purchased in a responsible manner.

IT Security Challenges Ahead

When most of us think of the Internet of Things (IoT), we think of connected smart homes and devices such as Google Home and Alexa and the assorted devices they control. While that is a large market, it is not the only place IoT is making an impact. Healthcare is the area where most of us will be affected by IoT.

Connected Healthcare

Entering a hospital these days is like walking into a science-fiction world: connected devices share and transmit data to providers in a way that makes the information actionable, which raises the level of care that can be given to the patient. Being connected to all of those sensors and equipment, you have to ask about their security. Who has access to the data? How will the information be stored? Either way you look at it, security needs to be well thought out.

Benefits of IoT

Several benefits also come with the adoption of IoT, among them the following:
Inherent Risks

Several specific issues arise from adopting IoT technology in healthcare, the biggest being the security of the devices and of the networks they connect to. Internet connectivity itself puts the use of the device at risk. The security protocols used by IoT devices may not be as robust as those of the corporate network, which is where most IoT devices end up connected, rather than on a segmented network with restricted access controls. Lax security controls on the device itself mean it could be reached from outside the network. Attackers look for any chance to compromise a network, and an IoT device can provide exactly that additional access point. Access to the device and its settings also poses a risk to the patient: an attacker changing the settings may cause adverse health effects.

Security Controls Needed
IoT devices connect to the Internet using current protocols, but additional controls should be established to keep the data stored on the devices themselves from being compromised. Patient information is already protected by HIPAA (the Health Insurance Portability and Accountability Act), but additional controls or standards should be outlined for the use of IoT devices within a healthcare environment:
Security is Coming

While the need for security protocols and practices is growing, the IoT market has been slow to adopt them because of the pressure to get devices to market, and some devices ship with no security at all. When IoT devices are first connected they are in a mode that lets them join any network, and they may still have the default password set (some let you change it through an internal device portal), a password known to everyone who buys the device from the manufacturer. Security protocols and procedures must be developed that protect the patient and the sensitive data the device collects about them, and they must be implemented by both the healthcare provider and the industry as a whole. Either the industry creates and implements its own guidelines or the government will mandate them through regulation. Either way, security is coming to the healthcare IoT industry.

Summary

All of these areas can hamper the adoption of IoT devices within healthcare, which affects patients and the care they receive. It is also important that the part of the IoT industry focused on healthcare look for ways to make its devices more secure than those used in the home. Devices that collect a patient's personal and sensitive data need to be more secure than those that merely process it.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership, ready to help your company stay safe and secure.

Archives: January 2023