Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

3/25/2015
10:30 AM
David Lindner
David Lindner
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Internet Of Bring-Your-Own Things

Devices and interconnected systems are finding a foothold not only in our homes but in mainstream organizations. Here are three tips to mitigate the risk.

It’s a Monday morning and time to go into the office and kick off the week. But before leaving the house, I need to write an executive summary for a client report that’s due by 8:00 a.m. I pull out my Livescribe 3 pen to write, which automatically synchs to my iPhone 6, plus allows me to email the summary to my CEO. Once the email is launched, I open the OnStar application on my iPhone and start my vehicle remotely so that it’s nice and toasty once I’ve braved a 10-degree jaunt to the car.

Inside the car, I pop my Jawbone ERA Bluetooth headset into my ear for a hands-free option while I take calls on my drive into the office. My CEO calls as I back out of the garage asking for a meeting to discuss my email. After hanging up, I ask Siri to set up the meeting. When I get to the office, I use Apple Pay on my iPhone to pay for parking. I get to my desk, open my MacBook Pro with the Knock iPhone application without typing in a password.

How many different, interconnected mobile devices are mentioned in that short anecdote? Devices and interconnected systems are finding a foothold not only in our homes but mainstream organizations. Apple TV, LiveScribe 3, and others are being used and connected to other devices or systems that connect directly to our locked down corporate infrastructures. Unfortunately, meeting the issues posed by complex networks overwhelms people. As such, scant attention is being paid to the security of the devices we are using in business. Given that these devices are inherently insecure, we have a problem, Houston!

Getting started
Recently, a financial organization asked me to test Apple’s AirPlay service: the sales team wanted to stream their presentations from their corporate-managed iPads. This organization did the right thing by first assessing the risk instead of rushing out to implement something new and shiny.

The goal of the project was to quickly connect to any Wi-Fi access point from the AppleTV and iPad, and then show the content on a customer, or potential customer’s overhead projectors. Think about all of the implications: a managed device, with sensitive data, streaming to an unmanaged device, on an untrusted network. This scenario presents so many unknowns, even before the security posture of Apple TV and AirPlay is assessed. Plus, there is no way to specifically disable AirPlay. The only way to dis-allow AirPlay is to block the iPad from connecting to ad-hoc access points completely, which would defeat the iPad’s purpose entirely.

This scenario is rapidly becoming commonplace as unknown devices slowly infiltrate our personal and business lives through known and unknown mechanisms. As security professionals, it’s our job to develop policies and procedures that vet and lock down any IoT device that is used inside our organizations. But where to begin? Here are my three recommendations:

  1. Pick three to five IoT devices that may help your organization provide better service to your customers, employees, and business partners (i.e., AppleTV, LiveScribe 3, etc.). 
  2. Perform a security verification of the devices. This undertaking should include testing relevant security control areas such as: Sensitive Data Protection (at rest, in use, and in transit), Authentication (both user and device), Authorization, Accountability, and Cryptography. If you have the know-how to do this internally, GREAT. If not, look to third-party consulting organizations that have expertise in assessing the security of IoT and Mobile devices. 
  3. Design specific policies and procedures around when and how the IoT devices should and can be used. When appropriate, work with the device vendors to provide a more secure, business secured firmware, software, or hardware for future implementations of their device.

Just like with mobility, IoT technology is creating a new class of bring-your-own devices within the corporate infrastructure. The IoT movement will only increase -- and at a staggering pace that may surpass that of mobile. As a business, we should acknowledge and embrace IoT device usage but also understand and mitigate risk where we can.

David (Dave) Lindner is the Global Practice Manager, Mobile Application Security Services, for Aspect Security, a consulting firm based in Maryland that focuses exclusively on application security services and training for a worldwide clientele. He also serves as an OWASP Top ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
3/27/2015 | 12:21:49 PM
Don't use consumer products in the corporate environment
The challenge is to think about risks and security when the suppliers doesn't seem to care enough, especially when you bring in consumer products. As with mobile apps, consumer-oriented IoT devices are not suitable for corporate use. It will still take some time for things to mature.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-20092
PUBLISHED: 2021-05-13
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
CVE-2020-21342
PUBLISHED: 2021-05-13
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
CVE-2020-25713
PUBLISHED: 2021-05-13
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
CVE-2020-27823
PUBLISHED: 2021-05-13
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27830
PUBLISHED: 2021-05-13
A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.