Businesses should not let employees use jailbroken iPhones on corporate networks, according to White House computer security specialist Howard Schmidt.
Schmidt, who advises President Barack Obama on cybersecurity issues, talked to ZDNet UK against a background of growing staff use of their own laptops and smartphones for work. This so-called 'consumerisation of IT' is leaving IT managers to deal with new openings for attack, and raises concerns about data loss and access control.
Schmidt also revealed how the US government is working to share more information gathered by intelligence agencies with business.
Q: People are worried about bring your own device (BYOD) in business. What vulnerabilities should businesses be looking out for, and what does the US government plan to do about BYOD security?
A: Bring your own device and having a secure mechanism by which to do remote work access are core to everything we're talking about. We have a VM [virtual machine] capability [at the White House] to use our personal iPads to access our email and our desktop in a secure manner. We think that's the way of the future, but it needs to be thought out, as we have done with our CIO at the White House.
If you use a VPN [virtual private network], make sure you're using remote desktops, so you're not caching data locally — if you lose it, you become at risk. There are good, secure ways to do it, and I think it's a good way to connect business generally.
Q: What are the pitfalls that businesses face?
A: Well, a couple of things. One, not using strong authentication, which means the ability to do remote access [is restricted]. Somebody could get control of your device, your credentials are parsed, and they can use that to log in directly [to your network]. That's not a good thing.
The second thing is making sure you're running the right applications. A lot of people talk about — in the iPhone world, of course — jailbreaking their device and then adding all kinds of applications that have not been seriously vetted. Obviously, there's always a risk when you're running unknown code on a system, so you need to make sure you're running what you're supposed to be running, [such as] all the patches and iOS updates.
The third thing is making sure the servers that you're connecting to are configured to accept the right connections. When we've done VPNs in the past, and remote access today, it's always a concern that the people connecting to it are supposed to be connecting to it — whether you're using MAC address filtering, credentialing mechanisms, SSL sessions, certificate-based [authentication]. Make sure the servers are protected as well.
Q: How can you stop people jailbreaking their devices, though?
A: You can't stop people doing it, but what you can do is, if you can identify that it has been done, just don't let them on the network. It hearkens back to the early days of remote access.
There would be a check that would take place — are your patches up to date, is your antivirus up to date? If not, [the check] would divert you out to where you can get the latest updates before it would let you into the network. We have to do the same basic principle on mobile devices.
Q: Businesses are facing challenges from threats such as financial crime, different types of cybercrime, hacktivism. What is the US government looking at, and what advice would it give on new types of threats?
A: Let's reduce the likelihood that you can become a victim, no matter what the source is. Fix your vulnerabilities. Make sure you're running continuous monitoring, as we are doing in the US government. Make sure you have plans in place for incident response to isolate and reduce the time of anything that may be affected, but also make sure you understand the full spectrum of threats out there. The term that we use is 'good cyber-hygiene'.
Q: So, what is the full spectrum of threats that businesses should be looking at?
A: At one end of the spectrum, [you have] the traditional criminal [endeavours]: identity theft, credit-card fraud, financial fraud.
The next step up from that is intruding in someone's system — [either] to be part of a botnet to do DDoS attacks, [or] to have [compromised computers] be a mechanism for a repository [of stolen data] or a collection spot for other credentials that then you can use to compromise [other] systems.
The other end of the spectrum are those looking to do theft of intellectual property for economic gain. Companies in particular have to understand that while they may think their intellectual property is useful only to them, they must recognise that people out there will steal it, and turn it into a product before a company puts the necessary steps in place to protect it.
Q: Is state-sponsored espionage something all companies should be aware of, or is it only relevant to companies working in, say, defence?
A: Any company has to be cognisant of that. When you start looking at intellectual property — that's the crown jewels for businesses. It needs to be protected. It needs to be recognised that, irrespective of where it comes from, there is someone out there who would like to take that, either to turn to their own advantage, or keep you from being able to do something with it already. Any company, any size, has to be cognisant of that.
Q: Is it possible to find out where those threats are coming from?
A: Attribution is very difficult. We see this...