Owning the Platform

At AusCERT last week one of the speakers mentioned the regular autumn spike in malicious traffic from malware-infested student laptops joining the university network. Apparently this university supports the variety of equipment students inevitably bring to school, because they require or at least expect students to possess computing hardware. The university owns the infrastructure, but the students own the platform. This has been the norm at universities for years.

A week earlier I attended a different session where the "consumerization" of information technology was the subject. I got to meet Greg Shipley from Neohapsis, incidentally -- great guy. This question was asked: if companies don't provide cellphones for employees, why do companies provide laptops? Extend this issue a few years into the future and you see that many of our cellphones will be as powerful as our laptops are now. If you consider the possibility of server-centric, thin client computing, most of the horsepower will need to be elsewhere anyway. Several large companies are already considering the "no company laptop" approach, so what does that mean for digital security?

You must now see the connection. University students are the corporate employees of the near future. If we want to learn some tricks for dealing with employee-owned hardware on company-owned infrastructure manipulating mixed-ownership data (business and personal), consider going back to college. I think we're going to have to focus on Enterprise Rights Management, which is a popular topic. That still won't make a difference if the employee smartphone is 0wned by an intruder who is taking screen captures, unless some form of hardware-enforced Digital Rights Management frustrates this attack. Regardless, I think the next corporate laptop you receive might be your last.

Comments

Anonymous said…
Gartner is a fan of the "no company laptop" idea which is why I discount it. And Mr. Shipley is wrong. With few exceptions all the companies I've worked for (some dozen) - we did buy cell phones for employees and set up processes and procedures to manage it. And you don't have to way a few years - we are already replacing laptops with smartphones.

And your point about university students is not valid. While its useful information on know how university's tackle this threat - the acadamic environment is not the real world. Never has - never will be. Completely different model than your everyday corporation.
6:03 PM
Anonymous said…
my phone has had a faster processor than my laptop for almost two years now (july). i have an old thinkpad and my phone is a samsung i730.

i would never buy another laptop - maybe a umpc, though. i think it's just the death of laptop, period. maybe companies will start to nix the desktops too and go thin client. maybe all applications will move to web 2.0 and we'll all use pdaphones to access them
7:28 PM
Anonymous said…
the difference is that a company has a profit motive that relies on devices to be achieved. As an employee you pursue cash for the business bottom line. As a student you pay cash to learn something. If you want me to pursue cash for you and your stockholders you had better provide a system that I can be successful with. Failing to do that means that I am a freelance operator and you had better pay more than others to keep me interested.

They are different beasts with different motives. Lets not confuse them because it is convenient.
11:19 PM
John Ward said…
I have to agree with Jason. If a company expects me to use my equipment for its purposes, it better not have any notion of ownership of any contents of that system. At a basic level (ignoring NDA's and other contracts for a moment), it means I can develop something for a company, and turn around and sell it to the highest bidder.

I've worked with companies in the past that had the "you pay to work" mentality, and turnover is high, which means cost goes up due to inflated training expenses.

I typically go with the mentality that if a company doesn't provide me with the equipment I need, I just simply wont work with them. If I'm held liable and out of pocket, its not worth my time.
12:27 AM
Anonymous said…
Hi, I'm a little late to this thread. kicking PC's off the network is moving on a pace. BP are doing that for 18,000 laptops. Plus more and more products are allowing applications to go to clients without the clients being part of the network. take a look at G/On at www.giritech.com. Nodeless computing means not owning the client. Businesses could save a fortune.
8:59 AM
Anonymous said…
This comment has been removed by a blog administrator.
7:09 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more