BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Tips for ID’ing Your Phone and Laptop

Posted May 14, 2010    Morey Haber

I personally think I have set a new record for going through three Blackberry phones in one week.

I had my old phone (which was continuously having runtime errors) for over a year. I received a new unit and after two days it broke (don’t ask) and required a third replacement unit. Like any programmable electronic device, it required me to reset-up all of my applications, settings, and preferences for everyday use.

Like most companies, the device is automatically hardened when connected to the Blackberry Enterprise Server (BES). That means that certain settings are only available before enterprise activation and are locked out afterwards.

Take the simple field of “Owner” within a Blackberry. When not connected to BES, my company’s policy allows me to set the owner and contact information in case the phone is lost. Once connected, the system automatically places a read-only lock on the field and no longer permits edits.

You may be asking yourself so what? Well if I lose the phone, I would only hope a good samaritan would return it based on this contact information. Realistically, once it has been registered with the company it is probably better that the device remain anonymous in case it is lost or stolen like the policy attempts to do.

So how many times do you provide personal information on devices, laptops, phones, etc., that if lost or stolen would allow a deviant mind to capitalize on your misfortune?

Growing up, my parents instructed me to always write my name on my personal property, and even my school would encourage us to write our names inside the book for the year. It was always cool to see who had the book previously, friend or nerd.

Harmless enough back then, but today writing our names and identifying the property can lead to additional problems. Let’s take my Blackberry for example, the company policy clearly wants the device anonymous because if it was stolen, someone would be able to associate my name with the contents and would be more likely to access the device to find out what secrets it may hold.

Do you remember the Paris Hilton hack using Bluetooth? If her phone was not personally branded, would it have been a harder target to identify? If the device is completely identity-free, it is just another Blackberry. I’ve seen many companies identify their laptops with big logos, and property stickers. The malicious side of me would definitely target the laptop with the bank logo versus one that had someone’s bait and tackle shop logo.

This becomes a delicate balance of identifying systems physically versus providing too much information. I recommend using:

• Generic asset identification tags to track your inventory

• Provide electronic-based asset inventory for hardware details

• Forgo company logos that brand the device and make it a target for theft.

It is important to note, that many devices, including BES and iPhones, support the ability to remotely wipe the device in case it is lost. It should also be noted that the average time for a user to report a lost phone and have it wiped by an administrator is almost always going to favor the attacker. This includes the attacker removing the SIM card, disabling the radio, and/or removing the microSD card on a device before the remote wipe is sent. Remote wiping shouldn’t be considered the end-all solution for lost/stolen devices.

Balancing marketing and security is critical. When branding your devices, consider if they contain sensitive information and should remain anonymous due to their contents. This little tip might make a thief look at another target versus your company’s assets since they are anonymous.

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,