BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Tips for ID’ing Your Phone and Laptop

Posted May 14, 2010    Morey Haber

I personally think I have set a new record for going through three Blackberry phones in one week.

I had my old phone (which was continuously having runtime errors) for over a year. I received a new unit and after two days it broke (don’t ask) and required a third replacement unit. Like any programmable electronic device, it required me to reset-up all of my applications, settings, and preferences for everyday use.

Like most companies, the device is automatically hardened when connected to the Blackberry Enterprise Server (BES). That means that certain settings are only available before enterprise activation and are locked out afterwards.

Take the simple field of “Owner” within a Blackberry. When not connected to BES, my company’s policy allows me to set the owner and contact information in case the phone is lost. Once connected, the system automatically places a read-only lock on the field and no longer permits edits.

You may be asking yourself so what? Well if I lose the phone, I would only hope a good samaritan would return it based on this contact information. Realistically, once it has been registered with the company it is probably better that the device remain anonymous in case it is lost or stolen like the policy attempts to do.

So how many times do you provide personal information on devices, laptops, phones, etc., that if lost or stolen would allow a deviant mind to capitalize on your misfortune?

Growing up, my parents instructed me to always write my name on my personal property, and even my school would encourage us to write our names inside the book for the year. It was always cool to see who had the book previously, friend or nerd.

Harmless enough back then, but today writing our names and identifying the property can lead to additional problems. Let’s take my Blackberry for example, the company policy clearly wants the device anonymous because if it was stolen, someone would be able to associate my name with the contents and would be more likely to access the device to find out what secrets it may hold.

Do you remember the Paris Hilton hack using Bluetooth? If her phone was not personally branded, would it have been a harder target to identify? If the device is completely identity-free, it is just another Blackberry. I’ve seen many companies identify their laptops with big logos, and property stickers. The malicious side of me would definitely target the laptop with the bank logo versus one that had someone’s bait and tackle shop logo.

This becomes a delicate balance of identifying systems physically versus providing too much information. I recommend using:

• Generic asset identification tags to track your inventory

• Provide electronic-based asset inventory for hardware details

• Forgo company logos that brand the device and make it a target for theft.

It is important to note, that many devices, including BES and iPhones, support the ability to remotely wipe the device in case it is lost. It should also be noted that the average time for a user to report a lost phone and have it wiped by an administrator is almost always going to favor the attacker. This includes the attacker removing the SIM card, disabling the radio, and/or removing the microSD card on a device before the remote wipe is sent. Remote wiping shouldn’t be considered the end-all solution for lost/stolen devices.

Balancing marketing and security is critical. When branding your devices, consider if they contain sensitive information and should remain anonymous due to their contents. This little tip might make a thief look at another target versus your company’s assets since they are anonymous.

Leave a Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,