Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

3/25/2015
10:30 AM
David Lindner
David Lindner
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Internet Of Bring-Your-Own Things

Devices and interconnected systems are finding a foothold not only in our homes but in mainstream organizations. Here are three tips to mitigate the risk.

It’s a Monday morning and time to go into the office and kick off the week. But before leaving the house, I need to write an executive summary for a client report that’s due by 8:00 a.m. I pull out my Livescribe 3 pen to write, which automatically synchs to my iPhone 6, plus allows me to email the summary to my CEO. Once the email is launched, I open the OnStar application on my iPhone and start my vehicle remotely so that it’s nice and toasty once I’ve braved a 10-degree jaunt to the car.

Inside the car, I pop my Jawbone ERA Bluetooth headset into my ear for a hands-free option while I take calls on my drive into the office. My CEO calls as I back out of the garage asking for a meeting to discuss my email. After hanging up, I ask Siri to set up the meeting. When I get to the office, I use Apple Pay on my iPhone to pay for parking. I get to my desk, open my MacBook Pro with the Knock iPhone application without typing in a password.

How many different, interconnected mobile devices are mentioned in that short anecdote? Devices and interconnected systems are finding a foothold not only in our homes but mainstream organizations. Apple TV, LiveScribe 3, and others are being used and connected to other devices or systems that connect directly to our locked down corporate infrastructures. Unfortunately, meeting the issues posed by complex networks overwhelms people. As such, scant attention is being paid to the security of the devices we are using in business. Given that these devices are inherently insecure, we have a problem, Houston!

Getting started
Recently, a financial organization asked me to test Apple’s AirPlay service: the sales team wanted to stream their presentations from their corporate-managed iPads. This organization did the right thing by first assessing the risk instead of rushing out to implement something new and shiny.

The goal of the project was to quickly connect to any Wi-Fi access point from the AppleTV and iPad, and then show the content on a customer, or potential customer’s overhead projectors. Think about all of the implications: a managed device, with sensitive data, streaming to an unmanaged device, on an untrusted network. This scenario presents so many unknowns, even before the security posture of Apple TV and AirPlay is assessed. Plus, there is no way to specifically disable AirPlay. The only way to dis-allow AirPlay is to block the iPad from connecting to ad-hoc access points completely, which would defeat the iPad’s purpose entirely.

This scenario is rapidly becoming commonplace as unknown devices slowly infiltrate our personal and business lives through known and unknown mechanisms. As security professionals, it’s our job to develop policies and procedures that vet and lock down any IoT device that is used inside our organizations. But where to begin? Here are my three recommendations:

  1. Pick three to five IoT devices that may help your organization provide better service to your customers, employees, and business partners (i.e., AppleTV, LiveScribe 3, etc.). 
  2. Perform a security verification of the devices. This undertaking should include testing relevant security control areas such as: Sensitive Data Protection (at rest, in use, and in transit), Authentication (both user and device), Authorization, Accountability, and Cryptography. If you have the know-how to do this internally, GREAT. If not, look to third-party consulting organizations that have expertise in assessing the security of IoT and Mobile devices. 
  3. Design specific policies and procedures around when and how the IoT devices should and can be used. When appropriate, work with the device vendors to provide a more secure, business secured firmware, software, or hardware for future implementations of their device.

Just like with mobility, IoT technology is creating a new class of bring-your-own devices within the corporate infrastructure. The IoT movement will only increase -- and at a staggering pace that may surpass that of mobile. As a business, we should acknowledge and embrace IoT device usage but also understand and mitigate risk where we can.

David (Dave) Lindner is the Global Practice Manager, Mobile Application Security Services, for Aspect Security, a consulting firm based in Maryland that focuses exclusively on application security services and training for a worldwide clientele. He also serves as an OWASP Top ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
3/27/2015 | 12:21:49 PM
Don't use consumer products in the corporate environment
The challenge is to think about risks and security when the suppliers doesn't seem to care enough, especially when you bring in consumer products. As with mobile apps, consumer-oriented IoT devices are not suitable for corporate use. It will still take some time for things to mature.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25514
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.
CVE-2020-25515
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book , http://<site>/lms/index.php?page=books.
CVE-2020-14022
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Star...
CVE-2020-14023
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS.
CVE-2020-14024
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuratio...