Ecosystem of Breaches -- Devices and Hardware
To access the data through the services over a network consumed by a UI we have to run all of this on devices, we're talking hardware, we're talking about a lot of stuff to control. I'm not going to talk about the backend hardware, the servers. I'm just going to talk about the devices that the human beings interact with directly.
For starters, in this day and age with so many people working from hime, we're using a lot of stuff at home that maybe we shouldn't be. We're sharing devices, maybe a desktop computer, maybe tablets…. It's not just limited to the fact that we may have multiple users on the same physical piece of hardware, we're also relying on family members and remote workers help us manage that hardware, which means we're letting other people onto those systems to help us.
Something else to consider is that if we're using mobile devices, things like phones and tablets, we have to remember than pretty much anything we buy from a phone company is going to be configured to use their settings, whether you're on your own wireless or not. A lot of times that data is taking a route that you aren't aware of. A lot of times the name resolution is handled entirely by that telco.
While we haven't seen a lot of attacks through this but it is rather terrifying to think that all you have to do is get into the name resolution of one of the major mobile carriers and you will have an awful lot of control over an awful lot of people.
And while I continue to stress the Internet of Things, IoT is hardware that is interacting with other hardware and provides a way into your data systems. We should understand, and be able to limit, what these devices are talking to, what networks they're running on (did my lightbulbs set up a mesh network that I'm not aware of?), what addresses they're using and what they are talking to.
We often don't isolate things in the enterprise like printers or network devices let alone the baby monitors, smart TVs, smart speakers and lightbulbs at home. These are things that we need to consider as devices that are running things and connecting to other things and are part of our infrastructure even if it's way in the back of our minds.
Obviously when we talk about device management we have to consider the basics, things like virus and malware protection and intrusion control. But again, in this age of huge numbers of people working from home we work on a lot of devices that may not be managed by the corporation in the old stack sense.
But then, there are a lot of reasons that we don't want virus or malware protection running because of performance and convenience or the fact that sometimes the cure is worse than the disease. There's really kind of an art form to this layer of protection and it needs to be informed by your business requirements and what makes the most sense for your people.
That said, individual devices should have their own identity -- your laptop and your phone should be part of the identity token presented when accessing data. Now it's true that when I log into Twitter from my new mobile phone I'm going to get an alert from Twitter. But we should take that further, we should add identity and grant privileges as needed. Should my mobile phone be allowed to change my password? Are there aspects of my profile that it shouldn't be able to update? While it's the same software, we should have graduated, and granulated permissions for different devices.
Finally these devices are running other software along side our software. The typical corporate policy says use the corporate equipment, but naturally this doesn't work with consumer software and can be overly restrictive for individuals.
This, of course, gets down to individual responsibility. I know that I've installed an interesting app, played with it for awhile and the forgot to remove it which means I have no idea what it's doing in the background.
- Be aware of the risks of shared devices
- Accept that we have to grant access to others sometimes
- Mobile providers can route your traffic through their networks
- IoT includes things like printers and network appliances
- Virus and Malware protection is complicated to manage
- Devices should have different Identity and Permissions
- You can't control other people's software