All it takes is one employee stuffing his daughter’s thumb drive into a company computer and suddenly a ‘Hello Kitty’ animation has taken over every computer screen in the office. It’s malware.
In an hour, China has siphoned all relevant proprietary information. In a week, their factories are pumping out cheap replicas of whatever that American company with that (probably former) employee wanted to sell.
It happens. It happened, in fact, to Iran with Stuxnet, when “an unwitting” scientist used an uncleared thumb drive on a networked computer. Employees using their own devices on a corporate network, whether thumb drives, laptops, cameras or cell phones, is referred to in information security circles as BYOD, or Bring Your Own Device.
Security isn’t just an issue on the private side either: on Nov. 27, Charlie Gasparino of Fox News wrote about how SEC staffers inadvertently exposed the comprehensive inner workings of the American finance market to the world by bringing their laptops to, of all things, a hacker conference.
Talk about unwitting.
Tom Sanzone, senior vice president of defence consulting firm Booz Allen Hamilton, said at Bloomberg’s Enterprise Risk Conference that regardless of what analysts say about hackers in Iran, China or Russia, the biggest threats come from within.
“Not only a sophisticated actor, a cyber expert, but a ‘domain’ expert,” said Sanzone, “someone who understands the infrastructure of the system he’s attacking.”
The worst forms of cyber penetration are designed by actors, insiders if you will, who know the ins and outs of the system they’re attacking. Secondly, an ‘unsuspecting’ insider can carry that exploitation inside the network on one of many devices.
There is an answer though … kind of.
Generally, the advisers at the conference agreed that there is never going to be a truly free BYOD environment. Some employers simply ask nicely that their employees not install apps like Dropbox on their phones. Others take a heavier hand, outright banning certain devices or certain apps.
Ron Hassanwalia of SOTI, a Canadian mobile security software company, says that complete mobile security is tough to come by, but not impossible. First of all, get rid of the idea of BYOD.
“It’ll be Bring Your Own Certified Device, BYOCD,” says Hassanwalia. “By certified I mean a subset of all the mobile OS and OS flavours out there to decrease the fragmentation. For example, if you were to start a BYOD policy, start with one or two operating systems, with a subset of devices starting with what is available from the carriers in your area.”
Devices and software can also be certified under Federal Information Processing Standard (FIPS) 140-2, the US government standard for cryptographic modules, which defines four security levels, Level 4 being the highest.
Without getting too technical, the levels reflect how strongly the cryptographic module protects keys and data, and, at the higher levels, how well its hardware resists physical tampering. On the business or corporate end, what degree of restriction you put on employees in terms of hardware and software is up to you.
“Depends on how willing they are to sacrifice on security,” says Hassanwalia. “How much access they have. Reduce the number and types of devices you can use so you get security you want. For more choice, reduce the amount of access devices have to data.”
Hassanwalia’s company works on GPS and network monitoring of devices. He says that certain mobile devices have hardware that enforces a physical separation between areas of storage, so that a protected compartment of data communicates with the rest of the device only under defined conditions.
“We’ve partnered with [original equipment manufacturers] in order to protect data so that it is not able to access a computer via USB key,” says Hassanwalia.
The hardware is one dimension of security. The other, he says, is based on software, which SOTI helps design.
“Data can be weaponised,” Hassanwalia says. “We’re providing a methodology that information can be contained on a device, and then securely managed and supported and monitored, in a centralized system, on a closed network.”
The system works in concert with the certified device, granting it access to different tiers of sensitive information depending on the device’s ‘coordinates.’ Once the device leaves those coordinates, the information can either be wiped from the phone or locked behind encryption of varying strength.
All of these actions can be monitored to boot, from a centralized network room, kind of like a mall cop looking at a wall of cameras.
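To make the location-dependent scheme concrete, here is an added toy implementation; it is illustrative code written for this article, not SOTI’s product or any real MDM API. The geofences, coordinates, classification levels and the lock-versus-wipe policy are all assumptions chosen for the example. It shows the two parts the passage describes: deciding what tier of data a device may read where it currently is, and, when the device leaves a zone, locking or wiping what it holds while recording an event for a central console.

```python
"""Toy geofenced data-access policy (constructed example, not SOTI's product)."""
import math
from dataclasses import dataclass, field

# Classification levels, constructed for this example
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = 0, 1, 2, 3
LEVEL_NAMES = {PUBLIC: "public", INTERNAL: "internal",
               CONFIDENTIAL: "confidential", RESTRICTED: "restricted"}


@dataclass(frozen=True)
class Zone:
    name: str
    lat: float
    lon: float
    radius_m: float
    max_level: int   # highest classification readable inside this geofence


# Assumed geofences; the coordinates are illustrative, not real office locations
ZONES = (
    Zone("headquarters", 43.6532, -79.3832, 150.0, RESTRICTED),
    Zone("branch-office", 43.7000, -79.4000, 100.0, CONFIDENTIAL),
)
DEFAULT_LEVEL = INTERNAL  # what an enrolled device may read outside every zone

# Assumed policy for data the device is no longer cleared to hold where it is:
# confidential data is locked (re-encrypted), restricted data is wiped outright
OUTSIDE_ACTION = {CONFIDENTIAL: "lock", RESTRICTED: "wipe"}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points (mean Earth radius)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def zone_for(lat, lon):
    """First geofence containing the point, or None if outside all of them."""
    for z in ZONES:
        if haversine_m(lat, lon, z.lat, z.lon) <= z.radius_m:
            return z
    return None


def allowed_level(lat, lon):
    """Highest classification the device may read at these coordinates."""
    z = zone_for(lat, lon)
    return z.max_level if z else DEFAULT_LEVEL


def may_read(lat, lon, level):
    return level <= allowed_level(lat, lon)


@dataclass
class Device:
    device_id: str
    # per classification level: "clear" (readable), "locked" (encrypted), "wiped"
    data: dict
    audit: list = field(default_factory=list)  # what a central console would see


def on_location_update(device, lat, lon):
    """Re-evaluate the device's holdings at its new coordinates.

    Data above the location's ceiling is locked or wiped per OUTSIDE_ACTION;
    locked data is released again when the device re-enters a zone cleared for
    it, wiped data is gone for good. Returns the (level_name, action) pairs taken.
    """
    ceiling = allowed_level(lat, lon)
    taken = []
    for level in sorted(device.data):
        state = device.data[level]
        if level > ceiling and state == "clear":
            action = OUTSIDE_ACTION.get(level, "lock")
            device.data[level] = "locked" if action == "lock" else "wiped"
            taken.append((LEVEL_NAMES[level], action))
        elif level <= ceiling and state == "locked":
            device.data[level] = "clear"
            taken.append((LEVEL_NAMES[level], "unlock"))
    zone = zone_for(lat, lon)
    device.audit.append({
        "device": device.device_id,
        "zone": zone.name if zone else None,
        "ceiling": LEVEL_NAMES[ceiling],
        "actions": list(taken),
    })
    return taken


if __name__ == "__main__":
    d = Device("phone-001", {INTERNAL: "clear", CONFIDENTIAL: "clear", RESTRICTED: "clear"})
    print(on_location_update(d, 43.6535, -79.3835))  # inside HQ: nothing to do
    print(on_location_update(d, 43.0, -79.0))        # far outside: lock + wipe
    print(on_location_update(d, 43.7001, -79.4001))  # branch: confidential back, restricted stays wiped
    print(d.audit[-1])
```

The audit entries are the “wall of cameras” view: every location change yields one record naming the zone, the ceiling applied and the actions taken. A real deployment would also have to handle spoofed or absent GPS fixes (treat no fix as outside every zone) and keep the decryption keys for locked data on the server rather than on the handset, neither of which this toy attempts.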
Had the SEC been using hardened devices, equipped with coordinate-based controls that encrypt or downgrade information access, its staffers would have stood a far better chance of not becoming the ‘unwitting’ insiders Sanzone talked about and Gasparino wrote about.
Still, until these hardware and software safeguards become standard operating procedure, organizations, government and private alike, will continue to leave themselves vulnerable.