Well said, James. Well said.

I think we are going to have to approach BYOD from a lot of angles; the two I 
think of are Privacy and Security, which will rule the roost for the time to 
come.

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081


This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.


From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Tuesday, April 16, 2013 10:54 AM
To: NT System Admin Issues
Subject: Re: Dropsmack Malware C&C via Dropbox

Whitelisting can be a lot of work, if you haven't got a flexible technology. 
There are various vendors in the space and some of them take a lot of the 
donkey-work out of it for you, whilst still maintaining (as far as I've seen) 
decent security. But I totally agree that it's still at the whim of the person 
with their fingers on the controls - if the admin allows a bad executable, then 
you're in trouble.

That can only be mitigated by belt-and-braces approaches, really, relying on 
old-style reactive AV or IDS/IPS or whatever to catch the bad executable that's 
somehow bypassed your processes and controls.

There is another load of tech springing up around MDM, MIM, MAM or whatever TLA 
you choose to describe it. It's another big set of challenges though. At the 
moment I am concentrating on extending the agents I have to MacOS devices 
rather than worrying about tablets and mobiles yet. I can avoid some of the 
pain at the moment by deploying Windows apps and desktops via Citrix to the 
mobile devices rather than letting users manipulate corporate data directly, 
but it's something I will no doubt get asked to get involved in sometime in the 
future :-)

But it's all so fun keeping up with user trends, isn't it? Maybe if we try 
really hard to get on top of the possibilities right now we can approach BYOD 
from a security perspective rather than just getting bullied into making it 
happen too quickly and having to catch all the security issues while 
firefighting :-)

Cheers,



JR
On 16 April 2013 15:36, Ziots, Edward <ezi...@lifespan.org> wrote:
James,

I agree on the application whitelisting front. But it's a lot of work and it's 
still based on trust (if you trust something bad, then you have still let the 
determined attacker in the door), but the caveat is if you control the code 
execution on your endpoints, then you change the game in your favor.

Other aspects to think of:

Will application whitelisting work for mobile devices (iPhone, Android, 
tablets), all of which can act like storage devices in a way?

Questions to be answered:

Which devices do you allow to be attached to your systems to transfer data? 
(Policies, procedures, enforcement with technical controls and auditing, and 
follow-up with administrative controls for compliance.) Do we allow the Apple 
devices but not the Android, or do we allow just IronKey devices, and who 
should have them and what data should they be able to take (DLP/DRM etc.)?

And we all should know by now that AV is next to worthless against current 
malware trends, so why do the compliance regulations still require this 
(PCI-DSS especially)?

Working on app whitelisting right now; it's been interesting and complex at 
times, but in the end I feel it will be worth it.

Z


Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081




From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Tuesday, April 16, 2013 10:21 AM
To: NT System Admin Issues
Subject: Re: Dropsmack Malware C&C via Dropbox

Way to beat that nasty...whitelisting.

I guess that vector would work for a lot of these synchronization clients, so I 
guess good whitelisting is the only way. Luckily, as I've started using AppSense 
DataNow instead of Dropbox for mine, I get AppSense Application Manager along 
with it, which is probably the best whitelisting product I've seen.

Very interesting read though, just shows that traditional AV can't really fend 
off a determined hacker.

Cheers,


JR
On 16 April 2013 15:07, Ziots, Edward <ezi...@lifespan.org> wrote:
Here is the slide deck on this:
https://media.blackhat.com/eu-13/briefings/Williams/bh-eu-13-dropsmack-jwilliams-slides.pdf

Good reading, scary thought but a lot are using Dropbox and not thinking about 
the consequences....
http://www.techrepublic.com/blog/security/dropsmack-using-dropbox-to-steal-files-and-deliver-malware/9332?tag=nl.e036&s_cid=e036&ttag=e036

Food for thought, especially from regulatory compliance standpoint.

Z


Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



--
James Rankin
Technical Consultant (ACA, CCA, MCTS)
http://appsensebigot.blogspot.co.uk
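Since whitelisting comes up in every reply above as the answer to a sync client dropping an executable onto the box, here is what that dry run looks like with the AppLocker cmdlets that ship with Windows 7 / Server 2008 R2 and later. This is an added example, not code from any message in this thread and not AppSense's product; the reference directories, the Dropbox folder path and the output file are assumptions, and the script only builds and tests a policy, it does not enforce anything.

```powershell
# Added example (not from any poster in this thread): build an AppLocker policy
# from a trusted reference install, then test what a sync folder would be allowed
# to run. Assumes Windows 7/2008 R2+, the AppLocker module, and an elevated session.
# All paths below are assumptions; adjust them to your estate.
Import-Module AppLocker

$ReferenceDirs = @("$env:ProgramFiles", "$env:SystemRoot\System32")  # assumed "known good" build
$SyncFolder    = Join-Path $env:USERPROFILE 'Dropbox'                  # assumed sync client folder
$PolicyXml     = Join-Path $env:TEMP 'whitelist.xml'

# 1. Inventory executable content on the reference machine.
#    Caveat raised in the thread: whatever is already on this box becomes "trusted",
#    so inventory a clean build image, not somebody's laptop.
$refInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll
}

# 2. Prefer publisher (Authenticode) rules so patched binaries stay allowed, and
#    fall back to hash rules for unsigned files. -Optimize collapses rules that
#    share a publisher. The result is policy XML with EnforcementMode NotConfigured.
New-AppLockerPolicy -FileInformation $refInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File -Encoding UTF8 $PolicyXml

# 3. Dry run: what in the sync folder would this policy let execute?
#    Test-AppLockerPolicy evaluates without applying; Set-AppLockerPolicy is the
#    step that actually enforces, and is deliberately not run here.
$candidates = Get-ChildItem -Path $SyncFolder -Recurse -Include *.exe, *.dll -File `
    -ErrorAction SilentlyContinue
if ($candidates) {
    $results = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $candidates.FullName -User Everyone
    $results | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

    # Anything the reference build never shipped (an exe that arrived via sync)
    # ends up here. Review it before writing a rule for it: blindly allowing it is
    # the "trust something bad" failure the thread describes.
    $results | Where-Object { $_.PolicyDecision -ne 'Allowed' } |
        ForEach-Object { Write-Warning "Would be blocked: $($_.FilePath)" }
}

# 4. When you do roll it out, set EnforcementMode="AuditOnly" on the rule
#    collections first and watch the 'Microsoft-Windows-AppLocker/EXE and DLL'
#    log (event 8003 = would have been blocked) before switching to enforce, e.g.
#    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
```

The point of testing against the sync folder specifically is that it is the path a Dropbox-style delivery lands on, so it is the cheapest place to see whether the policy you built from the reference machine actually closes that vector before you turn enforcement on.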

