Protecting Mobile Devices

Mobile devices as endpoints to corporate information have taken the world by storm. The “mobile first” mantra refers to the preferential use of a mobile device before a desktop or laptop. Have phone, will work (or even run the company). The potential of the device to enable new ways of working has to be safeguarded from that which could undermine both current execution and the integrity of long-range plans.

In the Microsoft 365 world, this is the role of Intune Mobile Threat Defense. The service looks at what’s happening on devices, with applications, with the content of messages, with the types of network traffic going through the device … and makes a determination whether all is well or starting to go rotten (slowly or quickly). When a threat is detected – which can be in collaboration with another mobile threat analysis vendor – new protections are enforced to reduce risk, stop data loss, and contain the threat. These could be conditional access policies, such that the end user has to verify that they are the person requesting access to the information through a second factor or means of authentication. Or it could be more draconian, whereby data is locked and blocked from access by anyone or anything. If the device can be remediated – via a secondary user authentication action or a device update that contains the threat – everything goes back to how it is supposed to work.

The Microsoft Intune Team has just announced a new integration with BETTER Mobile, which uses threat signals from BETTER ActiveShield to trigger Intune conditional access and other mitigation policies. Current Intune customers can get 50 free licenses for 18 months from BETTER Mobile to try out the integration.

Recovering from NotPetya – the DLA Piper Story

DLA Piper, a global law firm with a presence in more than 40 countries, was hit with the NotPetya ransomware attack in June 2017. It caused significant damage to its global IT infrastructure (hat tip, ITNews):
– every data centre and Windows-based server was impacted
– due to having a flat network structure, NotPetya was able to spread very quickly
– the firm had no email for 4 days
– the IT team put in 15,000 hours of paid overtime in the first three weeks in order to recover
– the first two weeks after the attack were spent trying to find salvageable equipment, but eventually the decision was made to just start afresh
– the IT team re-created the entire infrastructure in the third week. Good backups made this possible.

In order to decrease the likelihood of a future attack having such widespread impact, DLA Piper is now:
– segmenting its network, isolating and separating offices
– setting up cloud-based versions of core systems in order to provide a live fall-back
– re-thinking its post-attack mitigation strategy, in light of its experiences

In the Excel spreadsheet above, I run the numbers to try to calculate the overall cost. For the direct costs of recovery, assuming a fully-burdened cost per hour of labour at $150, I get $2.25 million. This does not include lost productivity for partners and lawyers who were unable to work, or who had to find workarounds during the post-attack weeks. There is no doubt that this cost of lost productivity was many, many times the cost of the IT team.

Overall, a very costly experience for DLA Piper. Good to see that various mitigations are being put in place to ensure this never happens again to the same extent.

Data Breach Alert In Mozilla Firefox

Mozilla is looking at how it can alert users of a data breach when visiting a site that has been breached:

Firefox operator Mozilla is looking at adding a feature into the browser that would alert users if their credentials have been involved in a data breach, by integrating with Troy Hunt’s breach database.

Its functionality at the moment – the tool is currently being prototyped – involves a notification bar that appears to users when they visit a site registered as having been breached.

Nice move. Not what I had in mind yesterday, but a good step in the right direction.

Data Breaches

We are at a time in history when data breaches are becoming more prevalent and more frequent. Equifax was compromised for 143 million people. Uber has been in the news this week for hiding knowledge of a data breach of 57 million customers for over a year (the rotters; if only the fines in GDPR were based on market value rather than annual revenue), and then of course there is the Yahoo breach of some 500 million users (on top of its earlier one-billion-user breach). It is probably fair to say that if you alone know your personal and sensitive information, you are now in the minority. Someone will have access to personally identifiable data on you.

There are some things we the people can do. Use different user names and passwords for each service we access, so that a compromised account at one service does not expose the others. That’s pretty hard to do in practice, though, especially if we are also supposed to change our passwords or pass phrases for every service every month. With the increased number of services we all access, that’s not a very realistic expectation.

We could delegate the task of remembering passwords to a password manager, and we should, but if these get compromised (ahem, Lastpass), we are back at square one. And even with a password manager, changing passwords is still a manual process that can’t be done automagically on schedule for all consumed services by the password manager. The user with 100 services would still have to go through and manually update all services monthly. It’s not going to happen.

We could use two-factor authentication, and we should, but it’s a bit binary in its approach: always ask before allowing access, or trust this browser, computer, device, or session. If the same person uses the same device to access the same services from the same location, there are probably few red alert signals. But if those factors diverge, there could be weird anomalies that need an additional layer of checking.

In the enterprise IT security space there are intelligent security tools that look for anomalous usage of enterprise login credentials, assessing various threat factors to decide if additional access and authentication information should be requested before allowing access to requested services. For example, if the user is logged in via a device in one country, and a second login is requested by a device in another country, that is a signal that something could be amiss, and therefore a higher level of access checking is enforced. Likewise for login attempts at weird times of the day or night. Or from weird devices. Each login attempt is risk assessed before approval or denial (with the appropriate alerts to the powers that be for denied attempts).
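To make the risk assessment described above concrete, here is an added example (not code from the article or from any of the products it mentions) of a toy risk-based login evaluator. It scores each attempt against the user’s recent history for the three signals in the paragraph – impossible travel between consecutive logins, an unseen device, and an odd hour – and maps the score to allow, step-up (ask for a second factor), or deny-and-alert. The thresholds, the 900 km/h “plausible travel” limit, the night-hour window and the sample login events are all assumptions constructed for the demo.

```python
"""Toy risk-based login evaluator (added example, not from the article).

Each login attempt is scored against the user's prior logins:
  - impossible travel: implied speed since the last login exceeds what a
    plane could manage
  - unknown device: device id never seen before for this user
  - odd hour: attempt made during the night
The score is mapped to allow / step-up (second factor) / deny-and-alert.
All names, thresholds and sample events are assumptions for the demo.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime        # timezone-aware, UTC
    lat: float
    lon: float
    device_id: str


MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: faster than this is "impossible travel"
NIGHT_HOURS = range(0, 6)         # assumed: 00:00-05:59 UTC counts as an odd hour


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def score_login(attempt: LoginEvent, history: list[LoginEvent]) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons) for one login attempt."""
    score, reasons = 0, []
    prior = [e for e in history if e.user == attempt.user and e.ts < attempt.ts]
    if prior:  # travel and device checks only make sense once the user has a history
        last = max(prior, key=lambda e: e.ts)
        hours = (attempt.ts - last.ts).total_seconds() / 3600.0
        dist = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        # near-simultaneous logins from different places are treated as infinite speed
        speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")
        if attempt.device_id not in {e.device_id for e in prior}:
            score += 20
            reasons.append(f"unknown device {attempt.device_id}")
    if attempt.ts.hour in NIGHT_HOURS:
        score += 10
        reasons.append(f"odd hour: {attempt.ts.hour:02d}:00 UTC")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an access decision."""
    if score >= 50:
        return "deny+alert"
    if score >= 20:
        return "step-up"
    return "allow"


# Constructed sample data: alice normally logs in from London on laptop-1.
UTC = timezone.utc
T0 = datetime(2017, 11, 20, 9, 0, tzinfo=UTC)
HISTORY = [
    LoginEvent("alice", T0, 51.5074, -0.1278, "laptop-1"),
    LoginEvent("alice", T0 + timedelta(hours=2), 51.5074, -0.1278, "laptop-1"),
]
ATTEMPTS = {
    "same_device_same_city": LoginEvent("alice", T0 + timedelta(hours=4), 51.5, -0.12, "laptop-1"),
    "new_phone_same_city": LoginEvent("alice", T0 + timedelta(hours=4), 51.5, -0.12, "phone-7"),
    "new_york_one_hour_later": LoginEvent("alice", T0 + timedelta(hours=3), 40.7128, -74.0060, "laptop-1"),
    "night_unknown_device_far": LoginEvent("alice", T0 + timedelta(hours=17), 40.7128, -74.0060, "kiosk-9"),
}


def evaluate_all() -> dict[str, str]:
    """Decision for every constructed attempt."""
    return {name: decide(score_login(ev, HISTORY)[0]) for name, ev in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, ev in ATTEMPTS.items():
        score, reasons = score_login(ev, HISTORY)
        print(f"{name:28s} score={score:3d} {decide(score):10s} {reasons}")
```

The fourth attempt shows why the time dimension matters: New York fifteen hours after a London login is a plausible flight, so it is not flagged as impossible travel, but the unknown kiosk at 02:00 still pushes it into step-up rather than plain allow.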

I wonder if those enterprise oriented tools could be used at cloud scale – or at Internet scale – to pay attention to any use of personal and sensitive personal information?

Or what about this idea: what the credit card companies can do with artificial intelligence for identifying fraudulent transactions for credit cards, we the people could use for identifying fraudulent use of compromised personal data or account credentials?

Disaster Recovery – Personal Planning

A friend had his laptop stolen last week, and he is now scrambling to recover his work (data and documents) and get back to work. It prompted me to get out my disaster recovery plan and review how I would recover from device loss, theft, or a ransomware attack.

While the loss of a device would be an annoying interruption and cost money to replace, my approach is to ensure that my data is easily accessible to me again, and that I can simply get up and running with a new device. Something like: plug in, connect to key services, and begin working again.

Three core principles:

1. No data exists solely on any one device. All devices should only ever be an access point to the data I’m working with, meaning that the data is stored in a central location and accessible from any device I choose to use. With the range of cloud services we have available for a low cost – Dropbox, Box, OneDrive, iCloud Drive and similar – this is easy to set up and use. Data is stored locally on a device in a designated folder, but synchronised automagically to whatever cloud storage service I use.

2. Data is backed up continuously in my office. A password-protected backup drive is connected to my laptop, and takes snapshots of the whole device throughout the day. If necessary, I can recover from a lost or compromised device by connecting a new device to the backup drive.

3. An emergency rescue kit is available somewhere. In order to get back to work as quickly as possible, create an emergency rescue kit with a written plan of recovery and a list of key services and passwords (in full or in code). You could carry this around on an encrypted thumb drive (don’t forget that password), or put it in a separate cloud service in an encrypted form (don’t forget that password).

And one additional principle that I’m considering:

4. Data is backed up continuously away from the office. Use a cloud service to create regular backups of key devices, thereby creating a second level of backup that’s not located in the same office. While principle 1 above deals with core data and documents, principle 4 creates a backup of everything on the device.
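Principles 2 and 4 only pay off if the backup actually holds current copies of the files, and the DLA Piper story above turned on having good backups. As an added example (not part of this post), here is a small Python check that walks a source folder and a backup folder, hashes every file, and reports what the backup is missing, what differs from the live copy, and what is stale (present only in the backup). The folder names and the sample files in the demo are constructed; point `verify_backup()` at a real synced folder and its backup copy to run it for yourself.

```python
"""Backup consistency check (added example, not part of the post).

Walks a source folder and a backup folder, hashes every regular file with
SHA-256, and reports what the backup is missing, what differs, and what is
stale (present only in the backup). Paths and sample files below are
constructed for the demo.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map relative path (with '/' separators) -> sha256 for every file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path) -> dict[str, list[str]]:
    """Compare a live folder with its backup copy."""
    src, dst = snapshot(source), snapshot(backup)
    common = src.keys() & dst.keys()
    return {
        "missing": sorted(set(src) - set(dst)),              # on laptop, not in backup
        "mismatched": sorted(p for p in common if src[p] != dst[p]),  # backup is out of date
        "stale": sorted(set(dst) - set(src)),                # in backup, gone from laptop
        "ok": sorted(p for p in common if src[p] == dst[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one file intact, one edited since the last backup,
    one never backed up, and one that only survives in the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "laptop"), Path(tmp, "backup_drive")
        files_source = {
            "docs/plan.txt": b"recovery plan v2",
            "docs/contract.docx": b"signed version",
            "notes/todo.md": b"- call the bank",        # created after the last backup
        }
        files_backup = {
            "docs/plan.txt": b"recovery plan v2",
            "docs/contract.docx": b"draft version",     # backup holds the older copy
            "old/expenses.xlsx": b"deleted on laptop",  # stale: only the backup has it
        }
        for root, files in ((source, files_source), (backup, files_backup)):
            for rel, data in files.items():
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        return verify_backup(source, backup)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

Run it against the backup drive before you need it, not after: a "missing" or "mismatched" list that is empty is the evidence that principle 2 is actually working, and the "stale" list tells you what you would get back that you may no longer want.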

In combination, this means:
– laptop stolen while away from office – recover through 1, 3 or 4
– office compromised, laptop stolen – recover through 1, 2, 3 or 4
– office compromised, laptop and backup drive stolen – recover through 1, 3 or 4
– cloud service compromised – recover through 2, 3 or 4
– laptop stolen, backup drive fails, cloud services fail, online backup fails – oh well, let’s start again with a smile

I hope I don’t have to put this plan into action, but it’s there just in case.

What have I missed? (I haven’t talked about strong passwords, benefits of passphrases vs. passwords for services that support that, two-factor authentication, etc.)

What’s your plan of action?