Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

3/25/2015
10:30 AM
David Lindner
David Lindner
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Internet Of Bring-Your-Own Things

Devices and interconnected systems are finding a foothold not only in our homes but in mainstream organizations. Here are three tips to mitigate the risk.

It’s a Monday morning and time to go into the office and kick off the week. But before leaving the house, I need to write an executive summary for a client report that’s due by 8:00 a.m. I pull out my Livescribe 3 pen to write, which automatically synchs to my iPhone 6, plus allows me to email the summary to my CEO. Once the email is launched, I open the OnStar application on my iPhone and start my vehicle remotely so that it’s nice and toasty once I’ve braved a 10-degree jaunt to the car.

Inside the car, I pop my Jawbone ERA Bluetooth headset into my ear for a hands-free option while I take calls on my drive into the office. My CEO calls as I back out of the garage asking for a meeting to discuss my email. After hanging up, I ask Siri to set up the meeting. When I get to the office, I use Apple Pay on my iPhone to pay for parking. I get to my desk, open my MacBook Pro with the Knock iPhone application without typing in a password.

How many different, interconnected mobile devices are mentioned in that short anecdote? Devices and interconnected systems are finding a foothold not only in our homes but mainstream organizations. Apple TV, LiveScribe 3, and others are being used and connected to other devices or systems that connect directly to our locked down corporate infrastructures. Unfortunately, meeting the issues posed by complex networks overwhelms people. As such, scant attention is being paid to the security of the devices we are using in business. Given that these devices are inherently insecure, we have a problem, Houston!

Getting started
Recently, a financial organization asked me to test Apple’s AirPlay service: the sales team wanted to stream their presentations from their corporate-managed iPads. This organization did the right thing by first assessing the risk instead of rushing out to implement something new and shiny.

The goal of the project was to quickly connect to any Wi-Fi access point from the AppleTV and iPad, and then show the content on a customer, or potential customer’s overhead projectors. Think about all of the implications: a managed device, with sensitive data, streaming to an unmanaged device, on an untrusted network. This scenario presents so many unknowns, even before the security posture of Apple TV and AirPlay is assessed. Plus, there is no way to specifically disable AirPlay. The only way to dis-allow AirPlay is to block the iPad from connecting to ad-hoc access points completely, which would defeat the iPad’s purpose entirely.

This scenario is rapidly becoming commonplace as unknown devices slowly infiltrate our personal and business lives through known and unknown mechanisms. As security professionals, it’s our job to develop policies and procedures that vet and lock down any IoT device that is used inside our organizations. But where to begin? Here are my three recommendations:

  1. Pick three to five IoT devices that may help your organization provide better service to your customers, employees, and business partners (i.e., AppleTV, LiveScribe 3, etc.). 
  2. Perform a security verification of the devices. This undertaking should include testing relevant security control areas such as: Sensitive Data Protection (at rest, in use, and in transit), Authentication (both user and device), Authorization, Accountability, and Cryptography. If you have the know-how to do this internally, GREAT. If not, look to third-party consulting organizations that have expertise in assessing the security of IoT and Mobile devices. 
  3. Design specific policies and procedures around when and how the IoT devices should and can be used. When appropriate, work with the device vendors to provide a more secure, business secured firmware, software, or hardware for future implementations of their device.

Just like with mobility, IoT technology is creating a new class of bring-your-own devices within the corporate infrastructure. The IoT movement will only increase -- and at a staggering pace that may surpass that of mobile. As a business, we should acknowledge and embrace IoT device usage but also understand and mitigate risk where we can.

David (Dave) Lindner is the Global Practice Manager, Mobile Application Security Services, for Aspect Security, a consulting firm based in Maryland that focuses exclusively on application security services and training for a worldwide clientele. He also serves as an OWASP Top ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
3/27/2015 | 12:21:49 PM
Don't use consumer products in the corporate environment
The challenge is to think about risks and security when the suppliers doesn't seem to care enough, especially when you bring in consumer products. As with mobile apps, consumer-oriented IoT devices are not suitable for corporate use. It will still take some time for things to mature.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12875
PUBLISHED: 2019-06-18
Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key.
CVE-2017-8335
PUBLISHED: 2019-06-18
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting name for wireless network. These values are stored by the device in NVRAM (Non-volatile RAM). It seems that the POST parameters passed in this...
CVE-2017-8336
PUBLISHED: 2019-06-18
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that...
CVE-2019-12874
PUBLISHED: 2019-06-18
An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7. The Matroska demuxer, while parsing a malformed MKV file type, has a double free.
CVE-2012-6711
PUBLISHED: 2019-06-18
A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in func...