Friday, September 21, 2012

Personal Mobile Devices in the Enterprise

The portable device conundrum and a logical solution

Disclaimer: This article represents the observations, views, opinions and general ramblings of its author and is not the policy, opinions or views of the author's employer, management or fellow employees.

Users want the freedom to bring in personal portable devices for business and personal reasons, both of which can improve the employee's overall quality of life, work and job performance.

Be in no doubt that this does pose a security risk, BUT when properly mitigated there can be a measurable benefit to the enterprise. Happier employees are without doubt more productive employees. They are also healthier employees, which impacts the company's bottom line for health insurance coverage.

The initial thrust of personal device introduction to the enterprise came with personal cell phones. These phones are now smart phones and susceptible to attack and compromise in much the same ways as computers and laptops. 

Personal laptop computers and, more recently, tablets like the iPad line from Apple represent a more vulnerable threat vector than cell phones, but developers and IT personnel often utilize these tools for work and also for brief periods during the day to refresh their focus. Short breaks during the day can positively impact personnel performance.

A practical solution

The issue of personal devices at work can be addressed piecemeal, by a patchwork of policies and controls, or boldly (and, I would argue, successfully) by a single, all-encompassing, management-led solution.

I propose that an enterprise that wishes to solve this issue could do so with the following simple steps, which would have the added benefits of raising employee morale, reducing support costs and eliminating much of the portable device risk.

1. Give an Apple iPhone and Apple iPad to every employee. Employees who do on-call support will have company-subsidized devices, and other employees would have to use the phones at their own cost. The benefit to support is that all users will become familiar with the same operating system and can gain advice and support from each other in addition to the usual channels.

2. Buy a mobile device management solution for Apple devices only.

3. Prohibit, through policy and enforcement, the use of any other devices within the confines of the enterprise, and provide a quarantine area where prohibited devices can be dropped off by users and picked up after their work day ends.

4. Add additional value by creating an Apple development group and producing applications for your in-house systems which customers need to access.

The main point is to standardize on a single platform and reduce support costs. It is an added bonus that Apple's iOS is less exploited by hackers than Windows.

S. Russell Dyer BS CISSP CRISC
Security wanderer and event handling Lackey.

DISCLAIMER: The views expressed in this article are solely those of the author and not those of his employer, company management or fellow employees. 



Thursday, September 20, 2012

Scan Everything 


Previously I proposed that monitoring the wire is vastly more effective for alerting and generating events.

Now I'll cover the other piece of the equation: vulnerability scanning.

Disclaimer: the views and opinions in this article are entirely mine and not those of my employer, fellow employees or management.

Back to Scanning.

Firstly, scanning has to be all-encompassing and regularly repeated, and something has to be done with the results.

The first caveat of scanning is that you can't scan what you do not know about. The network needs to be accurately documented, and Visio diagrams are a must if no automated solution is in place to dynamically enumerate the network.

The second caveat is that everything gets scanned repeatedly, and preferably on a weekly basis.
Weekly scanning will more rapidly show you what is changing and which vulnerabilities are new. You can then match these vulnerabilities to traffic alerts on your network, and you will know when to be concerned.
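The "diff this week against last week, then match new findings to wire alerts" idea above, worked through as an added example (not the author's code or any scanner's export format): the two weekly snapshots, the alert list and the `Finding` fields are all constructed and assumed here.

```python
"""Correlate weekly scan deltas with traffic alerts (added example, not the
author's code; all data below is constructed and field names are assumed)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str  # constructed placeholder ids, not real CVE numbers

# Constructed weekly snapshots: last week's scan and this week's.
LAST_WEEK = {
    Finding("10.0.1.5", 445, "VULN-SMB-001"),
    Finding("10.0.1.9", 80, "VULN-WEB-002"),
}
THIS_WEEK = {
    Finding("10.0.1.5", 445, "VULN-SMB-001"),    # unchanged since last week
    Finding("10.0.1.9", 443, "VULN-TLS-003"),    # new finding on a known host
    Finding("10.0.2.20", 3389, "VULN-RDP-004"),  # host not seen last week
}
# Constructed wire alerts: (source, destination host, destination port).
ALERTS = [
    ("203.0.113.7", "10.0.2.20", 3389),
    ("203.0.113.9", "10.0.1.5", 445),
]

def new_findings(previous, current):
    """What appeared since the last scan: the weekly delta."""
    return current - previous

def fixed_findings(previous, current):
    """What disappeared since the last scan (remediated, or host gone)."""
    return previous - current

def correlate(findings, alerts):
    """Map each finding to the alerts aimed at the same host and port."""
    hits = {}
    for f in findings:
        matched = [a for a in alerts if a[1] == f.host and a[2] == f.port]
        if matched:
            hits[f] = matched
    return hits

def prioritize(previous, current, alerts):
    """New this week and already being probed on the wire: act on these first."""
    return sorted(correlate(new_findings(previous, current), alerts),
                  key=lambda f: (f.host, f.port))
```

On the sample data, `prioritize(LAST_WEEK, THIS_WEEK, ALERTS)` returns only the new RDP finding on 10.0.2.20, because it is the one delta that also has traffic aimed at it.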

The third caveat is that you need a good scanning solution that has audits updated more than weekly, and that doesn't crash or fail you when you need results. The solution needs to be all-encompassing and able to scan internal and external facing systems regardless of their operating system, level of hardening or age. Just because a system has only been around for a year or so is no excuse for a scanning vendor not to support scanning it. The scanning solution must be able to do credentialed or uncredentialed scanning. A solution which can select from a list of credentials depending on the detected system type is a valuable feature.

Finally, vulnerability scanning seldom causes issues on target systems, and limiting scans to a narrow weekend window gives no flexibility to work around other network or system changes.

So what scanning solutions have I used?

1. eEye Retina and REM were OK but have stability and support issues, so I cannot recommend them.

2. Tenable Nessus has a few more features and the government likes it, but alas I do not. There is a better option.

3. Core Impact. While you can in theory scan for vulnerabilities with Core, it's a penetration testing tool and not a vulnerability scanner. You may as well tie your shoe laces with mittens on. While you may have success, you won't excel and the results will be mediocre.

4. Rapid7 Nexpose. Options available to scan internal and external facing systems. Can select a credential from a list depending on the system detected. Integration with Metasploit for pen testing and validation. This is the preferred commercial solution.

For a cheap alternative..... Can't think of any at the moment.

Thanks for reading and once again, these are my personal views and not those of my employer, its management or fellow employees.

S. Russell Dyer BS CISSP CRISC
Information security guru and slave to the cause of securing networks and users.





Securing the network


Disclaimer: the views expressed in this article are mine alone and do not reflect the views of my employer, fellow employees or management, and are expressed because we live in the land of the free, where speaking your mind usually doesn't result in beheading.

After many years of navigating the information security maze I have come to the conclusion that concentrating on event log correlation from servers, workstations and network equipment, and alerting on these events, is not the best path to securing the network and preventing security breaches. Indeed, I believe it's defunct and outdated and will eventually fade into oblivion.

Collecting the vast amounts of logs and sifting through them only tells you what has happened in the past, or more importantly, what each log source thinks has happened. It is implausible to think that each system on the network has been programmed with event triggers for every conceivable event, and if we know what triggers events and alerts, then hackers also know this and may be able to navigate around and avoid these triggers. Collecting all the logs at a central location and then attempting to write triggers is also a monumental waste of resources: as the network and the systems on it continue to be upgraded, replaced or decommissioned, the event triggers need ever-increasing maintenance, and their complexity morphs to a point where they no longer perform their originally intended task.

Compliance and audit requirements often require us to continue collecting, storing and reporting on log data, but we should not rely on this same process for securing the network in real time. It is in reality only useful for after-action analysis once an incident has been identified and contained.

The only way to truly know what's happening on the network is to see the traffic on the wire in its raw form, before it's received by target systems and interpreted into log data. Assuming that this is our goal, then there are several guidelines which must be followed to be successful.

1: Use multiple LAN taps or span ports to see the entire picture. If you try to watch your network with one span port then you are one big fool. To know what's happening on the network we need a span port on the outside of the firewall to see what's trying to get into the network. If there are multiple links to the internet, then each needs a span port. Another span port is needed between the DMZ and the workstations to see the traffic between them. Another span port for your wireless network. Always remember, unlike federal spending, more is better when it comes to span ports. BUT also avoid duplication.

2: Centrally collect and monitor data from each span port. While historical data is nice, don't overdo it and try to store months of data. You have event log archiving for that historical stuff, and while it's not perfect, it will do nicely.

3: Select the best system you can get that meets the following criteria.
- from a recognized vendor who has been in this space for several years
- has a central dashboard with drill-down access and does not need the analyst to switch to other screens / applications to trace an event.
- the vendor supplies event trigger updates at least weekly
- reporting is customizable so management and technical staff can get the reports they need.
- integrates with other industry-recognized solutions using non-proprietary communication vectors.
- vendor supplies support and is in your time zone, but preferably 24/7 support.


NetWitness is a great solution and I have used it, so I can attest to its ease of use and intuitive interface, and its interface is lightning fast. Unfortunately it's been acquired by RSA, so I'm not sure what will happen with that.

Trisul (trisul.org) is a much cheaper solution and worth investigating. I have used this and seen its value. And if you only want to be able to look back 3 days, it is free.

4: Assign dedicated staff to monitor, maintain, and run the system. (A note to management: if you jerk your staff around from one tool to another and expect them to be masters of all, they will end up being good at none and the only jerk will be you. Sorry to be blunt, but it is what it is.)

Finally, when you're watching all that traffic on your network, you will need policies, published, backed up and preached to all by executive management, in order to get the traction you need to tighten up your network security.


Disclaimer again. This article represents my views and not those of my employer, an agent or my 5 year old son Michael, no matter how much they may agree or disagree.

Thank you
S. Russell Dyer BS CISSP CRISC
Security Analyst and Network watcher for over 20 years.





Sunday, September 16, 2012

The election approaches

When November arrives and along with it Election Day, I'll vote for the least worst candidate along with most Americans.

The Democratic incumbent openly supports abortion and gay marriage, while testifying to being a Christian.

The Republican challenger is a Christian, but Mormon and not Baptist. The Republicans are also closer to big business than I would prefer.

When November comes I'll vote Republican because I'm a Bible-believing Baptist, and the Bible says that thou shall not kill, and marriage shall be between one man and one woman.


Monday, August 27, 2012

iCloud - a double-edged sword?


There is an inherent logic to using iCloud to back up your iDevices, the security of being able to restore from a recent backup while you are on the road being a major advantage. Apple may have created a stable O/S and a great phone and tablet, but they are still not bulletproof, and my 5 year old can still send them into the dead zone with ease. Don't ask me how, but he does something that sends them beyond a simple reboot to recover.

There is also the comfort of being able to locate a misplaced phone and sync data across the iPhone and iPad.

Enter the Corporate conundrum !

Trying to prevent data leakage and restrict access without inhibiting employee efficiency is a problem which dogs corporations across the globe. This balancing act becomes more difficult with the passage of time as more services and features become cloud enabled.

As a Security Analyst I used to be totally anti-cloud, but this has become an untenable position as my device usage has increased.

I believe iCloud may now represent an acceptable risk for the corporate environment... with certain caveats.

iCloud backup of iPhones will enable more support options for executives who now spend a large portion of their time out of the office, and often out of the state or country. Being able to talk a stressed executive through an iCloud-based restore is certainly preferable to having them wait while a new device (without his or her contacts, calendars and data) is sent overnight.

Locating a lost device is also a great feature.

The non-cloud alternatives for backup are insufficient in my opinion. A local iTunes backup is useless when you're on the road, and gone if the hard drive on your PC dies.

There will be data leakage to iCloud for sure, but no level of policy, procedure, controls and monitoring can totally prevent cloud leakage. So the logical choice is to embrace a single cloud solution, and the best value and most compatible is iCloud.

That's all for now.

S. Russell Dyer
BS CNE CISSP CRISC Security+




Wednesday, August 8, 2012

Test

This is just a quick test.