
Is Hyperconnectivity Completely at Odds With Security?

Level 10

Happy Columbus Day!

We all want ready access to email and other critical apps from every device, on any network, all the time.


We want to use company equipment and home equipment interchangeably because we work from different locations throughout the day. As if all this wasn’t hard enough for your IT security team, just watch them start to lose their minds when you throw in some social media platforms. Their mantra is: you can’t have all of this and still be secure. But is that really the case?  In fact, with a few restrictions, a little software, and some common sense, most positions in many organizations should be able to achieve this level of flexibility and still remain relatively secure.

Let’s start with devices. Who doesn’t use a mobile platform, phone, or iPad® to conduct at least some business during the day? Many of us use these devices to check email, run IT alert apps, or business tools, like expense management or HR apps. In fact, according to Tech Pro Research, 74% of businesses are planning to use, or are already using, Bring Your Own Device (BYOD).[1]

Most businesses use mobile devices, especially if you count business-purchased mobile phones. Fortunately, Enterprise Mobility Management (EMM) makes it easy to secure corporate data and applications. Features in EMM include the ability to encrypt corporate data, manage applications that reside on the phone, force VPN connections, force a PIN, and separate personal data from corporate data. Additionally, mobile devices are commonly used as a second factor for authentication and authorization.[2] It is much more convenient to use your mobile device as a soft token than to carry around a key fob-based token. However, in some environments, personal devices are not considered secure enough and key fobs are required.

Mobile device risks

Mobile device risk comes from two primary threat vectors. The biggest risk is loss. If a device does not have a PIN or strong password, all of its data can be accessed. Even if your phone is protected by a PIN or password, some good forensics packages can still extract data from it. If critical data is stored on the device, add-on encryption is essential. The second risk is malware. Malware enters a phone from two primary vectors: mobile advertising and compromised open source libraries. Because advertising on mobile devices is less controlled, malicious actors can insert malware through the advertising application programming interface (API). Open source libraries have also been known to be compromised, as we saw with Xcode just this month.[3] EMM can help with both of these risks by limiting apps in the enterprise container and enforcing PIN and password rules.
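To make the EMM controls described above concrete, here is an added example (not from the original post and not any vendor's code) of the conditional-access decision an EMM product makes before unlocking the corporate container: it checks passcode, encryption, OS version, VPN enforcement and the container's app allowlist, and it wipes only the corporate container when a device is reported lost. The `DevicePosture` fields, the `POLICY` values and the sample devices are all constructed for illustration.

```python
"""Added example: an EMM-style conditional-access decision for an enrolled device.
Field names, policy values and sample devices are constructed for illustration;
they do not correspond to any real EMM product's API."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass
class DevicePosture:
    """Attributes an EMM agent typically reports for an enrolled device (hypothetical names)."""
    device_id: str
    passcode_set: bool
    passcode_length: int                 # minimum length the device itself enforces
    storage_encrypted: bool
    jailbroken_or_rooted: bool
    os_version: Tuple[int, int, int]
    vpn_enforced: bool                   # corporate apps are forced through the VPN
    container_apps: List[str] = field(default_factory=list)
    reported_lost: bool = False


# Constructed policy values, standing in for what an EMM administrator would configure.
POLICY: Dict[str, Any] = {
    "min_passcode_length": 6,
    "min_os_version": (9, 0, 0),
    "container_app_allowlist": {"corp-mail", "expense-app", "hr-portal", "it-alerts"},
}


def evaluate(device: DevicePosture, policy: Dict[str, Any] = POLICY) -> Dict[str, Any]:
    """Decide whether the corporate container may be unlocked on this device.

    Decisions:
      wipe_container - device reported lost: remove corporate data, leave personal data alone
      block          - device jailbroken/rooted: no access until it is restored
      remediate      - fixable gaps, listed in 'reasons'; container stays locked
      allow          - posture satisfies policy
    """
    if device.reported_lost:
        return {"decision": "wipe_container", "reasons": ["device reported lost"]}
    if device.jailbroken_or_rooted:
        return {"decision": "block", "reasons": ["device jailbroken or rooted"]}

    reasons: List[str] = []
    if not device.passcode_set:
        reasons.append("no passcode set")
    elif device.passcode_length < policy["min_passcode_length"]:
        reasons.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    if not device.storage_encrypted:
        reasons.append("storage not encrypted")
    if device.os_version < policy["min_os_version"]:
        reasons.append("OS version below policy minimum")
    if not device.vpn_enforced:
        reasons.append("VPN not enforced for corporate apps")
    # Apps inside the enterprise container must come from the allowlist.
    unapproved = sorted(set(device.container_apps) - policy["container_app_allowlist"])
    if unapproved:
        reasons.append("unapproved apps in container: " + ", ".join(unapproved))
    return {"decision": "remediate" if reasons else "allow", "reasons": reasons}


# Constructed sample devices.
COMPLIANT = DevicePosture("dev-001", True, 6, True, False, (9, 0, 2), True, ["corp-mail", "hr-portal"])
WEAK = DevicePosture("dev-002", True, 4, False, False, (8, 4, 1), True, ["corp-mail", "game-x"])
LOST = DevicePosture("dev-003", True, 6, True, False, (9, 0, 2), True, ["corp-mail"], reported_lost=True)

if __name__ == "__main__":
    for d in (COMPLIANT, WEAK, LOST):
        print(d.device_id, evaluate(d))
```

The point of separating `wipe_container` from a full device wipe is the personal/corporate data split the post mentions: a lost BYOD phone loses only the corporate side, which is what makes the control acceptable to employees.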

Using a home personal computer for work is less common than using mobile devices, primarily because fewer people work on personal computers these days. Some companies are moving toward using tablets for work, and others use virtual desktops, which allow employees to use their own computers. Even companies that require employees to use laptops or desktops purchased and issued by their IT departments rely on Cloud-based applications to get work done. With Cloud-based apps, it is difficult to preclude access to personal devices.

The issues that accompany PC use are slightly more complicated than issues associated with mobile devices. The most successful remote desktop implementations are those that really only use the PC for its keyboard, video, audio, and mouse functions. If you want to allow local data storage, you need a policy around encryption (for sensitive corporate data) and a way to ensure that the home computer is as secure as a corporate device.

Now let's add social media to the equation. The issues to consider with social media include company reputation, policy restrictions, malware, and ownership. Organizations want to protect their reputation, so they write social media policies that provide guidelines on use, posting, and reporting. However, you may not know that the National Labor Relations Board has some strict guidelines on what an organization can and cannot have in its policy. There are First Amendment issues with the right to associate and discuss work issues that can conflict with certain social media policies. Check out the NLRB guidelines to learn more.

Next, make sure your policy includes clear guidelines on who owns the account. If employees are allowed to post from their personal accounts, provide a disclaimer they can use to clearly show they are stating their own opinion. Require all work-related communications to be issued from organization-owned and -managed accounts.

Finally, there is malware to consider. Malware that arises on social media is the same type of malware you might see on many websites. The difference is that malware spreads quickly if it gets attached to a popular topic or image on social media. This is why it is so important to ensure that nothing containing malware gets posted. Actively scan posts for images or attachments that could carry malware, and ensure that your browsers are up to date with the latest patches. Lastly, avoid risky programs, such as Flash, if at all possible.

In the words of Mr. Universe, “You can’t stop the signal.”[4]


BYOD and social media are here for the duration. If we evaluate our risks, and plan our controls, we can connect with confidence and assurance.



[1] http://www.zdnet.com/article/research-74-percent-using-or-adopting-byod/

[2] http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

[3] https://www.washingtonpost.com/news/the-switch/wp/2015/09/21/apples-app-store-was-infected-with-malw...

[4] http://firefly.wikia.com/wiki/Mr._Universe

17 Comments
Level 12

As a Network Engineer, I occasionally, and facetiously, discuss that our core fundamental missions - networking (connectivity) and security - are diametrically opposed. Networking's core purpose is to connect everything, to ensure everything stays connected, and everything can talk to everything else, over the network. While the Security people will probably disagree with me ... I would say that Security's core purpose is to stop connectivity. Before I get flamed, I paraphrase from the "most secure system - is one which is off, disconnected, encased in concrete, in a safe, and chained to the bottom of the ocean/or in outer space." Now, of course, this violates a tenet of security - availability, but hey, it's pretty dang secure.

Realistically, networking has to provide the high availability, while security has to provide the authentication and accountability.  The two teams have to work together to provide the business with value - being able to consistently and reliably connect to systems, and keeping the business safe and secure - even from itself. 

MVP

Nice write-up plus I agree with pseudocyber and his assessment.

There are great reasons to not follow through with every possible type of interaction and connectivity, and employee conduct and efficiency take a back seat (IMHO) to the risks hyperconnectivity present.

Level 12

nice information very nice

Level 8

very good article

Level 14

Fortunately, I work on a classified system.  No mobile devices beyond the front door.  Very good article though.  Makes me appreciate where I am.

I worked briefly with a fellow who'd been with the Center for Disease Control for years.  He told me they didn't allow any wireless connectivity at all, and no BYOD in specific.

I'd like to work in that kind of environment, even if only from a security and sleep-at-night point of view.

MVP

Ah...it can be good and bad.  I've seen no wireless connectivity which includes bluetooth along with disablement of USB and no write to CD.

Yes, please!  I can live without wireless at work. Or, I'd prefer to have its convenience, but only if Security gets the final say about what's allowed--and only if they KNOW what they're doing.

Level 14

Quite true.  Due to recent security failures, think NSA, moving data can be challenging at times.

Level 14

I don't think they are necessarily at "odds," but there are certainly things you have to consider and design concepts that need to be adopted. Traditionally, you place a firewall at each remote site for Internet protection and provide private line network access (WAN) to the data center...  You have a somewhat false state of security in this model. However, what if, you remove all those firewalls and private lines and strictly use VPN access through a firewall INTO the data center. Doesn't matter if your data center is across the hall or across the country, ALL access is through a VPN session.

Then, does it really matter what device you use or what websites you browse? Just a different aspect.

D

I'm surprised some people would love to be without wireless and/or mobile devices at their workplace. That seems boring. I understand that more secure/classified environments require this type of prohibitive policy and I understand why - it still sounds like a drag, though!

Level 10

One of the concerns I've heard with IPSEC VPNs has to do with whether your users are protected from malware that you can get via drive by download or off unsecured wifi.  Of course higher security systems backhaul all traffic to the corp net via IPSEC tunnel, but many of us don't use that approach because of latency.

Additionally, if the malware is clever and on the laptop, it can lateral over the IPSEC tunnel to the datacenter. And malware is really clever about call outs and laterals now. We've seen phone homes outbound on port 53, which bypasses all your WAF and many deep packet inspection engines. Laterals seem to be using a lot of Microsoft protocols, so if you have Windows Server in your datacenter ...

We used to use split tunneling on IPSEC to create some protection, but I don't think that has much value any more - anyone have an opinion?

The only perceived value for split-tunneling for our users is more to conserve our corporate internet bandwidth than anything else nowadays.
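The "phone home on port 53" behaviour mentioned in the comment above is something a defender can pick out of ordinary flow and DNS logs. The following is an added example, not part of the thread and not any product's code: it runs two checks over constructed records (Zeek-style fields invented here, documentation IP ranges, and an assumed corporate resolver address). The first flags any port-53 traffic that is not going to the approved internal resolvers, which is how a call-out that merely borrows the DNS port shows up; the second flags query names whose leading label is long and high-entropy, the signature of data being encoded into DNS names when the malware really does tunnel through the resolver.

```python
"""Added example: spotting DNS-port phone-homes in flow and query logs.
All log lines below are constructed; 10.1.0.10 is an assumed corporate resolver
and 203.0.113.0/24 / 198.51.100.0/24 are documentation address ranges."""
import math
from collections import Counter
from typing import Any, Dict, List, Set

# Constructed flow records: ts src dst dport proto bytes_sent
FLOWS = """\
2015-10-12T09:00:01 10.1.4.22 10.1.0.10 53 udp 146
2015-10-12T09:00:03 10.1.4.22 203.0.113.45 53 udp 51230
2015-10-12T09:00:05 10.1.4.31 10.1.0.10 53 udp 210
2015-10-12T09:00:09 10.1.4.22 203.0.113.45 53 tcp 88410
2015-10-12T09:00:12 10.1.4.31 198.51.100.7 443 tcp 3021
"""

# Constructed DNS query records: src qname qtype
QUERIES = """\
10.1.4.22 www.example.com A
10.1.4.22 mail.example.com A
10.1.4.22 6f1a9c2e4b7d8e0f1a2b3c4d5e6f7081.tunnel-sample.example TXT
10.1.4.22 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.tunnel-sample.example TXT
10.1.4.31 intranet.corp.example A
"""

APPROVED_RESOLVERS: Set[str] = {"10.1.0.10"}   # assumption: the corporate resolvers


def parse_flows(text: str) -> List[Dict[str, Any]]:
    """Split the constructed flow text into dicts with typed port/byte fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        rows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                     "proto": proto, "bytes": int(nbytes)})
    return rows


def non_resolver_port53(flows: List[Dict[str, Any]],
                        approved: Set[str] = APPROVED_RESOLVERS) -> List[Dict[str, Any]]:
    """Port-53 flows whose destination is not an approved resolver.

    Endpoints should only speak DNS to the corporate resolvers, so anything
    else on port 53 is either a misconfiguration or a covert channel, and a
    firewall rule allowing "DNS" outbound lets it straight through."""
    return [f for f in flows if f["dport"] == 53 and f["dst"] not in approved]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score near 4 or above."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_queries(text: str, min_label_len: int = 20,
                       min_entropy: float = 3.5) -> List[Dict[str, Any]]:
    """Query names whose first label looks like encoded data rather than a hostname."""
    hits = []
    for line in text.strip().splitlines():
        src, qname, qtype = line.split()
        label = qname.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= min_label_len and ent >= min_entropy:
            hits.append({"src": src, "qname": qname, "qtype": qtype, "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for f in non_resolver_port53(parse_flows(FLOWS)):
        print("port-53 to non-resolver:", f["src"], "->", f["dst"], f["proto"], f["bytes"], "bytes")
    for h in suspicious_queries(QUERIES):
        print("suspicious query:", h)
```

Both checks are cheap enough to run continuously, and together they cover the two variants of the trick: traffic that only uses port 53 (caught by the destination check) and traffic that is genuine DNS carrying encoded data (caught by the entropy check). They are heuristics, so tune the label-length and entropy thresholds against your own query logs before alerting on them.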

Level 21

The big thing I always worry about is people having their phones connected to their work email account and then losing them. This could compromise any important information they have in their email as well as give social engineers a way in by being able to send and receive email as the employee and gain additional important information.

We use MobileIron to protect our assets when a BYOD device--or corporate-owned device--is lost.

We have had a directive from Security for the last 15 years that no split-tunneling is allowed, and I can see their point.

I still end up driving down the path that hyper connectivity can too easily mean hyper vulnerability because some things will fall through the cracks.  And hyper connectivity isn't required--it's only interesting (today).

Level 21

Thanks for sharing! I tend to agree that often things like hyper connectivity get labeled as "required" when they really aren't. There is certainly a balance to be had.