I'll have more RSA recap to offer later on this week, but I wanted to kick off the RSA postmortem with a look at the last day or so of the sessions from the conference. There's a bit of a BYOD slant to these nuggets.
There are many ways in which mingling personal and corporate devices and access puts both sides at risk. Some stem from the way online behavior in one domain (personal surfing) bleeds into exposing data from another domain (work). The reverse is true, too: corporate assets are targets, and that puts your personal assets at risk if you keep valuable personal data on a device that travels with you on business.
Florindo Gallicchio, Director of InfoSec at Optiv, talked about how one can give up privacy by disclosing some information about yourself in public — perhaps you're a little too lax in working on a laptop in public (someone peeks at your strategic plans as you edit in PowerPoint) or texting in a subway (I can deduce your name plus your vacation plans if you are chatty).
You can easily disclose enough information to turn yourself into a target, thanks to public info available via Facebook, LinkedIn, and whitepages.com (and other personal information aggregators and brokers). Once an attacker identifies who you are and where you live or work (maybe they glanced at your office badge), they can decide whether you are a worthy target and act on it. They can use social media to understand who you are and guess what your email address may be, and then choose to scam you or send convincing phishing emails.
I believe this risk is accentuated by shared work/personal BYOD devices. Using your own personal device on your own personal time makes it a bit more likely that you will be off guard, but the device still contains work data, no matter what time of day it is.
The inverse is also true: if you bring your BYOD device on an important business trip, you may be a target, and you may end up losing personal data if the device is stolen or malware is installed on it.
Last year, I wrote a blog post on how enterprises can learn from lessons provided to home users. Today, I want to flip that and consider the challenges of using BYOD devices, and how enterprise-style protection can help personal users (which in turn helps enterprises, since personal devices are being used for work), so the benefits apply to both parties.
As Randy Marchany, CISO of Virginia Tech, said during RSA, the letter "D" in BYOD refers to devices. It's not just "bring your own laptop" or "bring your own smartphone". Any local device, including flash drives, smart watches, etc., can put information at risk if improperly handled. At Virginia Tech, they believe that all security is local, yet monitoring is central.
Let's use the example of the wireless network at the RSA Conference itself. Cisco had a video wall displaying its network traffic analysis. Sure enough, there were some devices that seemed to be hacked, and BYOD devices already infected, connected to the RSA conference network. And the traffic was going to lots of unsavory places. Was it part of a botnet, or busy exfiltrating data? I wouldn't be surprised if it was both.
So here are a few hints on what a personal device owner can learn from what corporations do to make network access more secure. I'll assume for the moment that you already use a network firewall, so these hints are items many people may not use consistently:
- VPN: If you are using a public, open wireless network, use a VPN. Your office may have issued one to you. If not, you can get your own — there are plenty of VPN software and services out there. Just because the WiFi SSID is called “Free Wi-Fi” or “name-of-hotel” does not really mean it’s what it seems to be.
Corporations favor VPNs as a way to reach private networks across public ones. Even if you increasingly depend on SaaS services on the public internet and don't always need access to a private network, there are still reasons to use a VPN. For example, when you access cloud resources over a VPN, anyone else on the local Wi-Fi (or whoever runs the access point) can no longer snoop on or tamper with your traffic, because it is encrypted from your device to the VPN exit point. It also provides some additional privacy, since the services you visit see the VPN exit address rather than the address of the hotel or cafe you are sitting in.
Furthermore, although web traffic is increasingly encrypted, it is still comforting to know that a VPN carries all traffic, provided it is configured as a full tunnel rather than a split tunnel (a split tunnel sends only corporate destinations through the VPN and leaves everything else on the open network). VPN clients are available not only for laptops but for smartphones too. This is something any personal user who travels and uses public WiFi can benefit from.
- Cloud Access policy via CASB: Since more apps are accessed in the cloud (whether file storage or SaaS), one needs to do that securely. In other words, a VPN gets you safely to private data center resources that your organization controls, but public cloud services sit outside that perimeter, so you need additional control and policy enforcement over how you access them, such as authentication, encryption or malware detection.
CASB (Cloud Access Security Broker) products provide this capability. Some people may consider a CASB to be just a proxy, or an industrial, grown-up's version of Internet parental control, but it is more than that, and there were many firms at RSA displaying them, such as Blue Coat, Netskope and Skyhigh. CASB software is used by enterprises, and if your employer offers it for your BYOD devices, it will provide better protection whether you are on the office network or on the public internet. My colleagues at ESG cover the area in more detail, and you can get more info from them.
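As an added illustration of the VPN hint above (this is example code written for this post, not code from the original post or from any vendor named in it): a VPN only "controls all traffic" when it is a full tunnel, and even then the hotspot you joined can hand your device extra routes or DNS servers via DHCP that quietly pull some traffic back out of the tunnel. The Python below parses the text of Linux `ip route show` and `/etc/resolv.conf` and reports whether the default route, any more-specific routes, and DNS all go through the VPN interface. The route table, resolver file, interface name `wg0`, VPN endpoint `203.0.113.5` and VPN DNS server `10.8.0.1` are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: `ip route show` on a Linux laptop with a WireGuard full
# tunnel (wg0) over hotel Wi-Fi (wlan0). The 10.0.0.0/8 entry stands in for a
# route pushed to the client by the hotspot's DHCP server; it is more specific
# than the default route, so that traffic would bypass the tunnel.
SAMPLE_ROUTES = """\
default dev wg0 scope link
10.0.0.0/8 via 192.168.43.1 dev wlan0
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.17
203.0.113.5 via 192.168.43.1 dev wlan0
"""

# Constructed sample /etc/resolv.conf: the second resolver is the hotel's,
# so some DNS queries would leave the tunnel in the clear.
SAMPLE_RESOLV = """\
nameserver 10.8.0.1
nameserver 192.168.43.1
"""


def parse_routes(text):
    """Return (network, device, next_hop) tuples from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ip_network(dest, strict=False), dev, via))
    return routes


def check_tunnel(route_text, resolv_text, vpn_iface, vpn_endpoint, vpn_dns):
    """Report whether all IPv4 traffic and DNS would actually go through vpn_iface.

    Only the IPv4 table is checked here; on a dual-stack machine run the same
    check over `ip -6 route show`, since an IPv6 default route left on the
    Wi-Fi interface leaks just as badly.
    """
    routes = parse_routes(route_text)
    vpn_nets = {net for net, dev, _ in routes if dev == vpn_iface}
    # Full tunnel if the VPN owns the default route, or the OpenVPN-style pair
    # 0.0.0.0/1 + 128.0.0.0/1, which together are more specific than default.
    full_tunnel = ip_network("0.0.0.0/0") in vpn_nets or (
        ip_network("0.0.0.0/1") in vpn_nets and ip_network("128.0.0.0/1") in vpn_nets
    )
    endpoint = ip_network(vpn_endpoint + "/32")
    leaky = []
    for net, dev, via in routes:
        if dev == vpn_iface or via is None:
            # VPN routes and directly connected LAN routes (no next hop) are expected.
            continue
        if net.prefixlen == 0 or net == endpoint:
            # The underlying default is harmless when full_tunnel holds, and the
            # host route to the VPN server itself has to bypass the tunnel.
            continue
        leaky.append(str(net))  # anything else more specific than default wins over the VPN
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.MULTILINE)
    allowed = {ip_address(n) for n in vpn_dns}
    dns_ok = bool(nameservers) and all(ip_address(n) in allowed for n in nameservers)
    return {
        "full_tunnel": full_tunnel,
        "leaky_routes": leaky,
        "dns_ok": dns_ok,
        "ok": full_tunnel and not leaky and dns_ok,
    }


if __name__ == "__main__":
    # On a real machine, feed in subprocess.run(["ip", "route", "show"], ...) output
    # and open("/etc/resolv.conf").read() instead of the constructed samples.
    print(check_tunnel(SAMPLE_ROUTES, SAMPLE_RESOLV, "wg0", "203.0.113.5", ["10.8.0.1"]))
```

On the constructed sample the check reports a full tunnel but flags `10.0.0.0/8` as a leaky route and the hotel resolver as a DNS leak, so the overall verdict is not OK; a split-tunnel configuration (default route still on `wlan0`, only a VPN subnet on `wg0`) fails the `full_tunnel` test outright. Run it after connecting, before you open anything sensitive.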