Skip to main content

Bring your own device - don't get excited yet

I have been hearing more and more IT department and companies suggest that the days when they used to manage or control the company assets is over and it is time to allow people to bring your own device.  The possible savings from those companies who are trying to save every penny seem worth it, possible reduction in hardware costs, maintenance costs, support/helpdesk could be reduced (assuming you rely on the users themselves to build and configure their own devices).

Along with the possible savings though there is a certain amount of risk that you have to be able to manage or establish controls to prevent breaches based on your new open door paradigm.

  1. Asset management - a lot of IT people will scoff and say we don't manage the assets (well) now so this isn't much of a change.  The current environment in many places has a limited set of operating systems, patch levels, software, and configurations.  This is helpful in troubleshooting when you have an unexpected event occur, or if you need to identify a system that is behaving strangely.  What controls would you use to mitigate this?
  2. Software management - again in the current standard IT environment you can only load certain software, and usually the company handles the software licensing (and is liable in the event that the software licenses are misused, etc.).  This can end up to be a real cost/risk to a business (companies like HP, Microsoft, IBM, and Oracle often will require annual audits to verify compliance with software licenses).  How do you manage software licenses? would you required software management tools on the systems that your users bring in? are they any legal or privacy issues with managing what is installed on a system that is not owned by the company?
  3. Configuration management - again the current idea is that systems are centrally built to a specification by a professional IT department that understand the infrastructure requirements, software compatibility issues, etc. this creates an "image" that reduces the risk of failures, compatibility issues, and security risks.  What is the way you would manage this?  how would you mange what operating systems are deployed, in what configuration, and how would you be able to assess your company risk posture or find out where/if you have a data leakage issue?  
Maybe these are only issues for companies with data that is worth protecting (like financial data, health care data, intellectual property, trade secrets, etc.) if you work for a company that has nothing of value, then this might be a great idea - everyone else needs to seriously assess the risks that a policy like this exposes your company to.

Here is the article that got me thinking about this again:
Article

Comments

Post a Comment

Popular posts from this blog

Requirements for Information Security

If you want to get into Information Security you HAVE to be a/have this skill... Why this is total BS. Almost daily I see someone posting on twitter, trying to be helpful to folks who are looking to get into InfoSec. Often I see "If you want to be in Information Security (Cyber Security) then you HAVE to be a programmer" or "If you want to be successful you have to be a hacker/have a criminal record/have abused systems without permission" etc. While having technical capabilities (such as programming) and having the ability to compromise a system shows a specific skillset neither are required. When talking to people who are interested in Information Security I often refer to it as a cake, there are tons of slices, many flavors, many pieces and parts you can sample, choose to focus on, will be expected to know something about, etc. Incident Response and Forensics (my current focus) is not the only part of Information Security, and certainly not the only part tha
Post a Comment
Read more

Busting the myth of the malicious insider

The Myth of the Insider Threat Too often after the announcement of a new breach, the first reaction from the victim company and the media is "another malicious insider attack".  Case in point, I was catching up on news from various sources and came across the following: http://www.idgconnect.com/abstract/19647/lessons-sage-leak " “We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation,” the Newcastle, England-headquartered firm said in a statement." Of course an internal login was used to access the data, as part of the attack lifecycle, during your reconnaissance phase you identify accounts to target for possible compromise, based on the access/role of the individual.   Phishing attacks or other simply attacks are often successful in gathering login credentials for individual users, which can then of
Post a Comment
Read more
Weekly recap and why you should be concerned about "attackers" even if you have "nothing to hide" Why you should be aware of, defend against, and prevent attackers... even at home: I often hear from future victims "well I don't have anything to hide/anything of value/why would they target me!?" It's really not about you, usually the attackers aren't looking for your data (if they get it, or have easy access to it, they may try to profit from it, but the people doing the compromising aren't usually the same folks that monetize). What the attackers want are compromised systems they can use to do what they want at scale. So if they can compromise 50 systems, they can send 50X the amount of SPAM... 100 systems, 100X, etc. Some operations get paid based on the number of emails they can send per day. Of course the email will likely not just be SPAM, but may also be malicious (ransomware, etc.). http://thehackernews.com/2017/09/linux-ma
Post a Comment
Read more