I personally think I have set a new record for going through three Blackberry phones in one week.
I had my old phone (which was continuously having runtime errors) for over a year. I received a new unit and after two days it broke (don’t ask) and required a third replacement unit. Like any programmable electronic device, it required me to set up all of my applications, settings, and preferences for everyday use all over again.
As at most companies, the device is automatically hardened when it is connected to the Blackberry Enterprise Server (BES). That means certain settings are only available before enterprise activation and are locked out afterwards.
Take the simple field of “Owner” within a Blackberry. When not connected to BES, my company’s policy allows me to set the owner and contact information in case the phone is lost. Once connected, the system automatically places a read-only lock on the field and no longer permits edits.
You may be asking yourself, so what? Well, if I lose the phone, I would only hope a good Samaritan would return it based on this contact information. Realistically, once it has been registered with the company it is probably better that the device remain anonymous in case it is lost or stolen, which is exactly what the policy attempts to enforce.
So how many times do you provide personal information on devices, laptops, phones, etc., that if lost or stolen would allow a deviant mind to capitalize on your misfortune?
Growing up, my parents instructed me to always write my name on my personal property, and even my school would encourage us to write our names inside the book for the year. It was always cool to see who had the book previously, friend or nerd.
Harmless enough back then, but today writing our names on property and identifying it can lead to additional problems. Take my Blackberry, for example: the company policy clearly wants the device anonymous because, if it were stolen, someone would be able to associate my name with the contents and would be more likely to dig into the device to find out what secrets it may hold.
Do you remember the Paris Hilton hack using Bluetooth? If her phone had not been personally branded, would it have been a harder target to identify? If the device is completely identity-free, it is just another Blackberry. I’ve seen many companies identify their laptops with big logos and property stickers. The malicious side of me would definitely target the laptop with the bank logo over one with someone’s bait and tackle shop logo.
This becomes a delicate balance between identifying systems physically and providing too much information. I recommend:
• Generic asset identification tags to track your inventory
• An electronic asset inventory that holds the hardware details
• Forgoing company logos that brand the device and make it a target for theft
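To make the first two recommendations concrete, here is an added example (my own illustration, not code from the original post) of what “generic tag on the sticker, details in the electronic inventory” looks like in practice. The tag printed on the device is a random, non-sequential string that encodes no company name, site code, department or owner; the inventory is the only place those details live, and a finder who reads the tag back to a help desk gets a return route, not the owner’s identity. The company terms, model and serial values are constructed sample data.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass

# Alphabet without easily confused characters (no 0/O, 1/I); ten symbols is
# ample for an inventory while still fitting on a small sticker.
TAG_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TAG_LENGTH = 10
TAG_PATTERN = re.compile(rf"^[{TAG_ALPHABET}]{{{TAG_LENGTH}}}$")


def new_tag() -> str:
    """Random tag: no prefix, no sequence number, no date, no owner."""
    return "".join(secrets.choice(TAG_ALPHABET) for _ in range(TAG_LENGTH))


def is_generic_tag(tag: str, identifying_terms: list[str]) -> bool:
    """True if the tag fits the opaque format and embeds none of the given
    terms (company name, division codes, site abbreviations)."""
    if not TAG_PATTERN.match(tag):
        return False
    upper = tag.upper()
    return not any(term.upper() in upper for term in identifying_terms)


@dataclass(frozen=True)
class Asset:
    tag: str
    model: str
    serial: str
    owner: str
    department: str


class AssetInventory:
    """Electronic inventory: the sticker carries only the tag; everything
    identifying lives here, behind whatever access control the help desk uses."""

    def __init__(self, identifying_terms: list[str]) -> None:
        self.identifying_terms = list(identifying_terms)
        self._assets: dict[str, Asset] = {}

    def register(self, model: str, serial: str, owner: str, department: str) -> str:
        # Regenerate until the tag is unused and contains none of the
        # identifying terms (a random tag could, rarely, spell one by chance).
        while True:
            tag = new_tag()
            if tag not in self._assets and is_generic_tag(tag, self.identifying_terms):
                break
        self._assets[tag] = Asset(tag, model, serial, owner, department)
        return tag

    def lookup(self, tag: str) -> Asset | None:
        """Full record, for staff with inventory access only."""
        return self._assets.get(tag.upper())

    def finder_notice(self, tag: str) -> str:
        """What a finder who phones in the tag is told: the asset is ours and
        how to return it, never who owns it or what is on it."""
        if tag.upper() in self._assets:
            return "Registered asset. Please return it to the help desk."
        return "Tag not recognised."


if __name__ == "__main__":
    # Constructed sample: "Acme" is the company name, "ACB" and "HQ" site codes.
    inv = AssetInventory(["Acme", "ACB", "HQ"])
    tag = inv.register("BlackBerry 8800", "SN-CONSTRUCTED-001", "jane.doe", "Treasury")
    print(tag, inv.lookup(tag).department, inv.finder_notice(tag))
    print(is_generic_tag("ACME-TRS-0042", ["Acme"]))  # branded and sequential
```

The point of `is_generic_tag` is the policy check, not the tag itself: a label such as `ACME-TRS-0042` tells a thief the company, the department and roughly how many devices that department has, which is exactly the information the policy wants kept off the hardware.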
It is important to note that many devices, including BES-managed Blackberries and iPhones, support the ability to remotely wipe the device in case it is lost. It should also be noted that the time it takes for a user to report a lost phone and for an administrator to wipe it is almost always going to favor the attacker. In that window the attacker can remove the SIM card, disable the radio, and/or remove the microSD card before the remote wipe is ever received. Remote wiping shouldn’t be considered the end-all solution for lost or stolen devices.
Balancing marketing and security is critical. When branding your devices, consider whether they contain sensitive information and should remain anonymous because of their contents. This little tip might make a thief look at another target instead of your company’s assets, simply because yours are anonymous.