BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Tips for ID’ing Your Phone and Laptop

Post by Morey Haber May 14, 2010

I personally think I have set a new record for going through three Blackberry phones in one week.

I had my old phone (which was continuously having runtime errors) for over a year. I received a new unit and after two days it broke (don’t ask) and required a third replacement unit. Like any programmable electronic device, it required me to reset-up all of my applications, settings, and preferences for everyday use.

Like most companies, the device is automatically hardened when connected to the Blackberry Enterprise Server (BES). That means that certain settings are only available before enterprise activation and are locked out afterwards.

Take the simple field of “Owner” within a Blackberry. When not connected to BES, my company’s policy allows me to set the owner and contact information in case the phone is lost. Once connected, the system automatically places a read-only lock on the field and no longer permits edits.

You may be asking yourself so what? Well if I lose the phone, I would only hope a good samaritan would return it based on this contact information. Realistically, once it has been registered with the company it is probably better that the device remain anonymous in case it is lost or stolen like the policy attempts to do.

So how many times do you provide personal information on devices, laptops, phones, etc., that if lost or stolen would allow a deviant mind to capitalize on your misfortune?

Growing up, my parents instructed me to always write my name on my personal property, and even my school would encourage us to write our names inside the book for the year. It was always cool to see who had the book previously, friend or nerd.

Harmless enough back then, but today writing our names and identifying the property can lead to additional problems. Let’s take my Blackberry for example, the company policy clearly wants the device anonymous because if it was stolen, someone would be able to associate my name with the contents and would be more likely to access the device to find out what secrets it may hold.

Do you remember the Paris Hilton hack using Bluetooth? If her phone was not personally branded, would it have been a harder target to identify? If the device is completely identity-free, it is just another Blackberry. I’ve seen many companies identify their laptops with big logos, and property stickers. The malicious side of me would definitely target the laptop with the bank logo versus one that had someone’s bait and tackle shop logo.

This becomes a delicate balance of identifying systems physically versus providing too much information. I recommend using:

• Generic asset identification tags to track your inventory

• Provide electronic-based asset inventory for hardware details

• Forgo company logos that brand the device and make it a target for theft.

It is important to note, that many devices, including BES and iPhones, support the ability to remotely wipe the device in case it is lost. It should also be noted that the average time for a user to report a lost phone and have it wiped by an administrator is almost always going to favor the attacker. This includes the attacker removing the SIM card, disabling the radio, and/or removing the microSD card on a device before the remote wipe is sent. Remote wiping shouldn’t be considered the end-all solution for lost/stolen devices.

Balancing marketing and security is critical. When branding your devices, consider if they contain sensitive information and should remain anonymous due to their contents. This little tip might make a thief look at another target versus your company’s assets since they are anonymous.

Leave a Reply

Additional articles

BI-Qualys-Connector-IMG1

Getting More Value from QualysGuard Vulnerability Data with BeyondInsight v5.1

If your vulnerability assessment scans can’t produce meaningful and actionable reports, performing a scan does no good for anyone. If you’ve read my other blog posts, you know I have no qualms about stating that BeyondTrust provides the best vulnerability reporting in the industry. Ask your favorite analyst and they’ll tend to agree. Of course,…

Post by Morey Haber April 18, 2014
Tags:
, , , , , , , ,
insider-threat-fed

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
Tags:
, , , , ,

Are you a Target? Investigating Security Breaches with Kevin Johnson

Last week, over 1,000 IT security professionals watched as Kevin Johnson, CEO of Secure Ideas, presented his expert opinion on lessons learned from recent, high-profile retail breaches. Here’s a summary of key takeaways from the webcast plus an on-demand recording of the full, 60-minute presentation. Understanding the “why” behind attacks According to Kevin, the primary…

Post by Chris Burd April 17, 2014
Tags:
, , , , ,