Businesses should not let employees use jailbroken iPhones on corporate networks, according to White House computer security specialist Howard Schmidt.
Schmidt, who advises President Barack Obama on cybersecurity issues, talked to ZDNet UK against a background of growing staff use of their own laptops and smartphones for work. This so-called 'consumerisation of IT' is leaving IT managers to deal with new openings for attack, and raises concerns about data loss and access control.
Schmidt also revealed how the US government is working to share more information gathered by intelligence agencies with business.
Q: People are worried about bring your own device (BYOD) in business. What vulnerabilities should businesses be looking out for, and what does the US government plan to do about BYOD security?
A: Bring your own device and having a secure mechanism by which to do remote work access are core to everything we're talking about. We have a VM [virtual machine] capability [at the White House] to use our personal iPads to access our email and our desktop in a secure manner. We think that's the way of the future, but it needs to be thought out, as we have done with our CIO at the White House.
If you use a VPN [virtual private network], make sure you're using remote desktops, so you're not caching data locally — if you lose it, you become at risk. There are good, secure ways to do it, and I think it's a good way to connect business generally.
What are the pitfalls that businesses face?
Well, a couple of things. One, not using strong authentication, which means the ability to do remote access [is restricted]. Somebody could get control of your device, your credentials are parsed, and they can use that to log in directly [to your network]. That's not a good thing.
The second thing is making sure you're running the right applications. A lot of people talk about — in the iPhone world, of course — jailbreaking their device and then adding all kinds of applications that have not been seriously vetted. Obviously, there's always a risk when you're running unknown code on a system, so you need to make sure you're running what you're supposed to be running, [such as] all the patches and iOS updates.
The third thing is making sure the servers that you're connecting to are configured to accept the right connections. When we've done VPNs in the past, and remote access today, it's always a concern that the people connecting to it are supposed to be connecting to it — whether you're using MAC address filtering, credentialing mechanisms, SSL sessions, certificate-based [authentication]. Make sure the servers are protected as well.
How can you stop people jailbreaking their devices, though?
You can't stop people doing it, but what you can do is, if you can identify that it has been done, just don't let them on the network. It hearkens back to the early days of remote access.
There would be a check that would take place — are your patches up to date, is your antivirus up to date? If not, [the check] would divert you out to where you can get the latest updates before it would let you into the network. We have to do the same basic principle on mobile devices.
Businesses are facing challenges from threats such as financial crime, different types of cybercrime, hacktivism. What is the US government looking at, and what advice would it give on new types of threats?
Let's reduce the likelihood that you can become a victim, no matter what the source is. Fix your vulnerabilities. Make sure you're running continuous monitoring, as we are doing in the US government. Make sure you have plans in place for incident response to isolate and reduce the time of anything that may be affected, but also make sure you understand the full spectrum of threats out there. The term that we use is 'good cyber-hygiene'.
So, what are the full spectrum of threats that businesses should be looking at?
At one end of the spectrum, [you have] the traditional criminal [endeavours]: identity theft, credit-card fraud, financial fraud.
Make sure you understand the full spectrum of threats out there. The term that we use is 'good cyber-hygiene'.
The next step up from that is intriguing in someone's system — [either] to be part of a botnet to do DDoS attacks, [or] to have [compromised computers] be a mechanism for a repository [of stolen data] or a collection spot for other credentials that then you can use to compromise [other] systems.
The other end of the spectrum are those looking to do theft of intellectual property for economic gain. Companies in particular have to understand that while they may think their intellectual property is useful only to them, they must recognise that people out there will steal it, and turn it into a product before a company puts the necessary steps in place to protect it.
Is state-sponsored espionage something all companies should be aware of, or is it only relevant to companies working in, say, defence?
Any company has to be cognisant of that. When you start looking at intellectual property — that's the crown jewels for businesses. It needs to be protected. It needs to be recognised that, irrespective of where it comes from, there is someone out there who would like to take that, either to turn to their own advantage, or keep you from being able to do something with it already. Any company, any size, has to be cognisant of that.
Is it possible to find out where those threats are coming from?
Attribution is very difficult. We see this...
...all the time, and we've seen this over the years, where it appears the last hop [for stolen data] is within a specific country, or in one case, a specific home, and in reality, it was a compromised computer that somebody was controlling from another country completely. In some cases we've seen successful prosecutions, but for the most part, if somebody is very sophisticated, attribution is tremendously difficult.
Intellectual property — that's the crown jewels for businesses. It needs to be protected.
Surely the NSA or other government agencies have a good idea about attribution of attacks? But businesses are in a different position.
I wouldn't necessarily say that. I know one company in particular where the CEO and many of the staff used to work for me when I was in defence. They have the same mentality. They use very much the same tools, and have the same capability to see very similar things [to the government]. As a matter of fact, oftentimes, some of these companies are the ones that identify [attacks] for a client, and provide information to the government. There are some great technical capabilities, some a little bit better than ours.
How does government continuous monitoring hook into public and private partnerships for data-sharing?
The context of continuous monitoring on government systems is that we are looking to view the dot-gov environment as a single enterprise, as the dot-mil environment for a long time has been a single enterprise. Three parts of that are: strong authentication, trusted internet connections, and continuous monitoring.
Continuous monitoring means, effectively, it's not a matter of reviewing logs six months down the road when you found out you had a problem. It's having a system in place so that when something does happen, a) you're alerted, and b) you can remediate, and get back to business.
Some businesses feel some parts of law enforcement and the private sector share information, but that certain areas of government remain closed. Is it always going to be a one-way street?
No. As a matter of fact, we've proposed legislation that we think is vitally important to helping the private sector do more to protect critical infrastructure. One part of that is the information-sharing piece. We're looking for specific authority to share information with the private sector, to make sure it has better protection in place so when they share with each other there's less concern about anti-competitiveness and antitrust.
But also, [businesses need] the ability to share with the government without putting their proprietary information in jeopardy. So, it's not a total one-way street, but we're trying to make sure it's more of a two-way street. You'll probably hear from the [FBI] director talking about the FBI's effort with the Secret Service to share information very proactively, and actionable information with the private sector.
We're also moving very similarly in the intelligence community, which traditionally has been very close hold for very proper reasons. You have GCHQ — you name the intelligence agency — which says, "We, to help better protect critical infrastructure, have to develop and devise a mechanism by which we can protect the source and methods, protect the pieces that make us successful. But what we do, we give private sector, say, [information about] a piece of malware so they can go and stop that from infecting their system."
Any ideas how that would work?
The mechanics of it, I do. But it's probably not something I would talk about publicly.
There are some privacy concerns about increased data-sharing. How are you going to get over those concerns?
In our proposed legislation we have very specific language protecting privacy. For example, in information-sharing, if a private-sector company in critical infrastructure is sharing information with the government, there're specific rules on stripping out all personally identifiable information, and only providing information on the malware or the cyberthreats.
There's very specific language in the proposal we put forward to Congress in a whole breadth of areas including privacy impact assessments on things that we're doing. Working with privacy advocates, those are the things to make sure we've got the right language in there, the right aspect, to protect privacy while enhancing security.
Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.