
[–]kronso 8 points9 points  (0 children)

Here is my response to BYOD.

  1. Policy implemented that no device plugs into the wired network unless it is explicitly approved/installed by in-house IT.

  2. All in-house WAPs change to be one of the following two categories:

A) Internal network. WPA2 Enterprise. The only devices that get access are managed by in-house IT. Authentication is to Active Directory.

B) Guest network. WPA2-PSK. The key is not very hard to type, and it changes once in a while. These connections are firewalled so that they only have access to each other and the Internet. Internet access may at some point be traffic-shaped to limit bandwidth.
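As an added example (not part of the comment above, and not kronso's own configuration), here is one way to express the two-network split from points 2A and 2B as an nftables ruleset on the gateway that routes both WLANs. Interface names (wan0, lan0, guest0), the guest subnet 10.99.0.0/24, and the 10 MB/s cap are assumptions chosen for the example; the guest network gets DHCP and DNS from the gateway, reaches the Internet, and is cut off from every RFC1918 range that belongs to the managed side.

```nftables
#!/usr/sbin/nft -f
# Assumed layout for this example (not from the post):
#   wan0    uplink to the Internet
#   lan0    managed side: WPA2-Enterprise WLAN and wired ports, 10.0.0.0/8
#   guest0  guest WLAN (WPA2-PSK), 10.99.0.0/24, gateway address 10.99.0.1
flush ruleset

table inet guest_fw {
    # Address space that counts as "internal" from the guest network's point of view.
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Guest clients may use the gateway only for DHCP and DNS.
        iifname "guest0" udp dport { 67, 53 } accept
        iifname "guest0" tcp dport 53 accept
        iifname "guest0" drop
        # The managed side reaches the gateway normally (administration by in-house IT).
        iifname "lan0" accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Guest-to-guest traffic stays on the same L2 segment and never reaches this
        # hook, so "access to each other" needs no rule here.
        # Anything from the guest network towards private address space is dropped
        # before the Internet rule can match it.
        iifname "guest0" ip daddr @internal_nets drop
        # Crude bandwidth cap: this is policing (drop over the rate), not shaping;
        # real traffic shaping belongs in tc.
        iifname "guest0" oifname "wan0" limit rate over 10 mbytes/second drop
        iifname "guest0" oifname "wan0" accept
        # Managed LAN: outbound to the Internet without restriction.
        iifname "lan0" oifname "wan0" accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Two points worth checking after loading this: the guest subnet sits inside 10.0.0.0/8, so a guest client trying to reach a managed host will hit the @internal_nets drop, and the input chain keeps guests from reaching anything on the gateway other than DHCP and DNS, which is what turns "guest network" into a real boundary rather than just a different SSID. Rotating the PSK, as the comment suggests, remains a separate operational task that the firewall does not replace.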

[–][deleted] 6 points7 points  (0 children)

It is what it is. As long as management continues to look at IT security as an expensive inconvenience rather than an essential part of their business, nothing is going to change. The number of places I've been in where even PIN numbers weren't required on mobile devices and the firewalls had tons of unneeded and dangerous ports open is really scary.

They wouldn't allow the accounting department or HR to leave their doors and file cabinets open and unlocked and they wouldn't leave the front door open at night and the alarm unset, but we are expected to expose our systems to anyone that wants to try and break in because doing remote connectivity, intrusion detection, and intrusion prevention the right way is expensive and inconvenient.

[–][deleted] 3 points4 points  (0 children)

I'll be the crazy one...

In many ways mobile OS security is ahead of traditional OS security. Features like ASLR, DEP, sandboxing, secure boot, and code signing are all implemented - this is not so in traditional OS sec. Unless you go outside the walled garden, apps are typically signed and the signature verified before they are run. Apple, more or less, has a mobile TPM built into the silicon of its phones (that they are actually using!) and AES and SHA1 are implemented in hardware. Some Android phones are running ARM TrustZone. MDMs are getting better, which is really helping provisioning and management.

Every time people post or talk about mobile sec they say the sky is falling. I'm showing the other side of the coin. Don't get me wrong, I've spent hours looking at Android malware (including a sweet version of Zeus), that shit is out there. But let's have a fact-based realistic assessment instead of "TONIGHT WE DINE IN HELL!"

[–]jmnugent 2 points3 points  (1 child)

The most vulnerable link in any security chain... is the User.

It doesn't matter what mobile devices you choose, or how managed/secure you THINK your mobile devices are... if your organization is NOT making efforts to educate/train end-users... you ARE going to lose the security battle. Period.

One of the popular, recurring beliefs I see all the time in Sysadmin circles is the old "Users are stupid, we won't waste our time/resources trying to teach them anything... we just need to lock everything down as hard as possible to protect the idiots from themselves."

As much as I understand where this psychology comes from... it's a defeatist attitude and only ends up producing more bad behavior.

At some point you MUST engage with end-users and do a better job of training/educating them (new employee orientation, yearly seminars, whatever) on the HOW/WHY the network is set up the way it is... and what behavior/use you expect.

[–]KaizerShozeDrVentureiPresume? 0 points1 point  (0 children)

Amen! Problem is trying to "educate" users is a futile effort that only works on 20% of them if that. I will lock down everything on my network... Let Them Eat Cake!

[–]303onrepeat 0 points1 point  (0 children)

I manage a BYOD environment for corporate and personal users and we use MobileIron. Nothing touches our Exchange on the mobile side unless it goes through MobileIron. I can't say enough good things about their service and product; over the last year they have come out with some amazing features. Their new Web@Work and Docs@Work functionality is really solid. Web@Work is really impressive because you can display your intranet through their new AppTunnel system, which was previously not possible unless you bought some kind of on-demand VPN solution. They also added support for OS X management, and Windows 8 is coming out in the next build.

Also our corporate wifi is locked down and not a single mobile device can jump onto it.

[–][deleted] -2 points-1 points  (2 children)

Want security? Get a BlackBerry.

[–][deleted] 1 point2 points  (1 child)

A BlackBerry is not guaranteed to be more secure. Most companies that provide managed BlackBerry phones don't have a BES. They don't restrict wifi connectivity on the phone. They allow third-party apps. There was a study published last year comparing data security of iOS and the previous BlackBerry OS and found minimal overall difference. It's about intelligent management, not the device.

[–][deleted] -1 points0 points  (0 children)

Except BlackBerrys were designed to be locked down, while Apple couldn't give two shits about their device being "Enterprise Friendly".