Bring Your Own Malware

Started by deanwebb, January 26, 2021, 09:15:30 PM


deanwebb

A thought: everybody that's been working from home... how much MORE malware do they have on their PCs from the months of not being under direct corporate supervision in an office? Used to be, it was just the sales guys doing their quarterly or semi-annual visit to the office that would be the worst as far as compliance went. Now, we got loads more people that have devices like those remote sales guys.

I'm thinking it's a good idea for everyone to expect some big security challenges as folks return to offices and bring their own malware.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

This is why it's hard for me to get rid of Cisco AMP for endpoints.

deanwebb

Quote from: Dieselboy on January 27, 2021, 01:03:18 AM
This is why it's hard for me to get rid of Cisco AMP for endpoints.

That's OK. The end-users find ways to do that, intentionally or otherwise. :doh:

Otanx

It can be an issue if your cyber team uses mostly network monitoring tools. Without being on the network there is nothing to see. This is why endpoint protection, Cisco AMP, or whatever is important. You also need it set up to be able to call home when not on the VPN. You also need to do some kind of posture assessment on connections. That way you can verify it has some minimal security before accessing the network. This becomes harder if you are a BYOD shop and let your users use their own devices for connectivity. We require corporate devices for work so I don't deal with it, but it can be hard to draw a line on what your employee is allowed to do with their own device.

-Otanx



icecream-guy

Quote from: Otanx on January 27, 2021, 10:34:48 AM
but it can be hard to draw a line on what your employee is allowed to do with their own device.

-Otanx

Not hard, comply or deny.

If you want to connect to my network with your round peg, you fit it into my square hole and you are good...
You will find most people are willing to comply to connect to the network.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Quote from: ristau5741 on January 27, 2021, 07:00:24 PM
Quote from: Otanx on January 27, 2021, 10:34:48 AM
but it can be hard to draw a line on what your employee is allowed to do with their own device.

-Otanx

Not hard, comply or deny.

If you want to connect to my network with your round peg, you fit it into my square hole and you are good...
You will find most people are willing to comply to connect to the network.

I'd say that that depends a lot on the security culture of the organization involved.

Dieselboy

I agree with everything above. While I'm looking into Microsoft and Google cloud suites, they provide DLP tools as part of the package (top tier). Looking specifically at the BYOD (or BYOM, which I might just call it from now on ;) ) they say that they can do full wipe or selective wipe of devices. For example, I bring my personal phone into the business and use it to access company data. If I leave the company, there can be a selective wipe of the device, i.e. only company data is wiped off the device and personal stuff is untouched.

Circling back to endpoint security, I am using Cisco Duo login. Duo can provide an endpoint check as part of the authentication mechanism, specified via policy. Basically, I can say: after username/password/2FA, check the endpoint for:
- OS patches are up to date
- password is set
- disk encryption enabled
- firewall enabled

I watched a webinar on Duo last year and one feature in the pipeline is another check:
- check if AMP for endpoints is running and has no issues

I'm really keen for them to implement the AMP check. So if a computer has had something dodgy on it and AMP flags it then the computer would not be allowed to access the VPN or other apps until this is resolved, if you wanted to do this through the policy.

This is done through SAML web login. If I could then link this in via NAC for end-users I think it could potentially be a good idea.

Regarding security culture, what we say here is that there's no higher priority than security and security is not an option. 
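As an added example (not code from this thread, and not Duo's or AMP's real API), here is a small posture-policy evaluator that models the post-authentication checks listed above: patch currency, password set, disk encryption, firewall, and the still-pending endpoint-protection check kept behind a policy flag. The report shape, policy fields and the 30-day patch threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed posture report, in the shape a client agent might submit after
# username/password/2FA. Hypothetical format, not a real Duo report schema.
@dataclass
class PostureReport:
    last_patch_date: date
    password_set: bool
    disk_encrypted: bool
    firewall_enabled: bool
    amp_running: Optional[bool] = None   # None: agent cannot report this yet
    amp_issues: int = 0                  # open detections reported by the agent

@dataclass
class Policy:
    max_patch_age_days: int = 30         # assumed threshold for "patches up to date"
    require_amp: bool = False            # the pipeline check; off until the agent supports it

@dataclass
class Decision:
    allow: bool
    failures: List[str] = field(default_factory=list)

def evaluate(report: PostureReport, policy: Policy, today: date) -> Decision:
    """Return allow/deny plus every failed check, so the user can be told what to fix."""
    failures: List[str] = []
    if (today - report.last_patch_date).days > policy.max_patch_age_days:
        failures.append("os patches out of date")
    if not report.password_set:
        failures.append("no password set")
    if not report.disk_encrypted:
        failures.append("disk encryption disabled")
    if not report.firewall_enabled:
        failures.append("firewall disabled")
    if policy.require_amp:
        # An absent or stopped agent is treated the same as a failing one.
        if not report.amp_running:
            failures.append("endpoint protection not running")
        elif report.amp_issues > 0:
            failures.append(f"endpoint protection reports {report.amp_issues} issue(s)")
    return Decision(allow=not failures, failures=failures)

def demo() -> Dict[str, Decision]:
    """Evaluate two constructed endpoints against one policy (sample data only)."""
    today = date(2021, 1, 27)
    policy = Policy(max_patch_age_days=30, require_amp=True)
    healthy = PostureReport(date(2021, 1, 20), True, True, True, amp_running=True)
    stale = PostureReport(date(2020, 11, 1), True, False, True, amp_running=True, amp_issues=2)
    return {"healthy": evaluate(healthy, policy, today), "stale": evaluate(stale, policy, today)}
```

The `failures` list is what you would surface to the user on the login page, and the `allow` flag is what the VPN or SAML-gated app would honour.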

deanwebb

Even when the developers ask to turn stuff off, "just for troubleshooting"? :smug: