The Enterprise Mobility Roundup

Insights into Mobile Device Security Threats for Frontline Workers

BlueFletch Season 3 Episode 261

Discover cutting-edge strategies to defend against mobile device security threats facing frontline workers in 2024 in this engaging discussion with Brett Cooper and special guest Richard Makerson. We promise you'll walk away equipped with the knowledge to track lost devices, lock them down, and protect sensitive data from unauthorized access. Richard shares his expertise on zero-touch enrollment and the risks of open settings, such as unsecured public Wi-Fi and Bluetooth. Learn how to shield your enterprise from these vulnerabilities while maintaining seamless and secure operations for your team.

Explore the critical components required to ensure device security, access control, and compliance in the modern workplace. Brett and Richard emphasize the importance of application whitelisting, role-based access control, and the dangers of outdated operating systems. Delve into the intricacies of GDPR and CCPA compliance, with real-world examples like Amazon's data misuse fine highlighting the significance of these regulations. Gain insights into managing insider threats and the essentials of password hygiene, including the promising future of passwordless solutions like FIDO2. Don't miss this informative episode packed with practical advice to keep your enterprise secure and compliant.

Speaker 1:

Hello, welcome to another episode of the BlueFletch Enterprise Mobility Roundup Podcast.

Speaker 1:

I'm Brett Cooper, today joined by Richard Makerson, and we're going to be talking about the top security threats for mobile devices for frontline workers in 2024.

Speaker 1:

A lot of these are things we've seen in the last couple of years. I'm going to cover what they are, and then Richard's going to talk about some remediation factors or ways to prevent them from happening for your devices or your employees. So, Richard, the first item we talked about, which is still very, very common, is lost or stolen devices, and this is a device that gets lost. Yeah, it's a lot of money that gets lost. A lot of times they get put on a shelf and nobody can find them anymore, but sometimes they get left out, they get stolen and go on eBay, or they get stolen by somebody who's malicious, and then you have all sorts of other issues where they could put malware or other pieces on it. From a consideration standpoint, what are the things you guide clients on in regards to how to deal with lost or stolen devices, or reduce or prevent it?

Speaker 2:

Well, the first thing is that, statistically, there'll be some device that's at risk of becoming lost or stolen. So what can you do before it becomes lost or stolen? Meaning, are you tracking devices? Do you know where they're at? Who's using a device? So that, when a device becomes lost or stolen, or at risk of becoming lost or stolen, you can see where the device connected last and who was the last user who logged into the device, to quickly understand: was it truly stolen? Did we leave it on a shelf? Did we accidentally ship it to a customer? We've seen all those things.

Speaker 2:

And then, once it becomes lost or potentially stolen, do you have the safeguards in place to protect your sensitive data? Do you have tools in place that lock down the device when it's not in a safe location? If it's not in a safe location for an extended period of time, being able to wipe the device to make sure none of your data gets access to the outside world also prevents bad actors from putting malicious applications on the device and then returning it back into your ecosystem. And then leveraging tools like zero-touch enrollment from Google to make sure that, even if the device is wiped, no one else could register or use that device again because it's been flagged within the larger Google and Play system. And these are for devices that have GMS. AOSP devices wouldn't count, but those are the ways to keep your devices safe, but also your information from potentially getting out there. Awesome.

Speaker 1:

The second area we talked about was open settings on devices, and this is, I think, three key things we called out. The first one was around Wi-Fi. So if you can just get to Wi-Fi, they can hop on public Wi-Fi, or if somebody created a rogue hotspot, they can get on there and capture data.

Speaker 1:

The second one we talked about is the communication settings, so Bluetooth and NFC. Most of these devices now have Bluetooth and NFC on them, so how do you control or restrict users from connecting those to devices that shouldn't be on Bluetooth, or tapping NFC tags that may have malicious data on them? And the third one was around USB slash ADB, and ADB is the Android Debug Bridge, so it's a tool that allows users to connect and install applications or remove applications on devices. But USB in general should also be restricted because, out of the box, Android comes with the ability to connect via USB and pull files on and off. Even with iOS, they have that as well. So, for that threat, or the settings threat, what are the things you typically see, or see companies do, to help prevent that or restrict that?

Speaker 2:

Yeah, there have been some times, and I know, like, for our solution, we can enable settings at a granular level because, you know, some companies do have a need to get to a specific setting. But that's access to a very specific setting that aligns with how a company operates. But usually settings should not be available, simply because frontline devices are shared. So you want the device to be in a consistent state. You don't want someone to be able to get to Wi-Fi settings, jump on another Wi-Fi network because maybe they think it's faster or whatever their reason is, and then they leave it in that state and now a user who might pick up that device can't use it anymore.

Speaker 2:

Or, to your point, you get into a bad network and now you have a man in the middle who's watching your data go by. Bluetooth and NFC, you know, have it locked down where, you know, it's turned on only when needed. And even in some of those cases, like with Bluetooth, being able to filter to specific Bluetooth devices, right. So if you have printers, maybe even payment terminals, you know, you want to have it where you have a narrow focus, right. So really reduce that risk window. And then with USB and ADB, no device in production should have USB and ADB enabled. I haven't seen a great use case yet where you need that. You know, ADB should just not be enabled. That is just a recipe for trouble; you just set yourself up for it.

Speaker 1:

Yeah, the settings story reminds me of one. There was a retailer, it was one of our clients, but I think I saw it on Reddit. There was somebody on their last day. They got let go and they went to all the devices in the store and found they could change the wallpaper. So they changed the wallpaper to a picture of them. Yeah, so it wasn't super malicious, but definitely very distracting to other employees, and then it goes back to data as well.

Speaker 2:

Right, can you monitor when devices change? Do I have an outlier of a device that has a configuration or a settings change that's different from any other device?

Speaker 1:

Yeah, if you have 10,000 devices and only one of them in production has a certain setting, you probably have a device that's compromised. Yes, so this is a good segue. The next thing is malware attacks, which is a little bit generic, but malware is anything that gets put on a device to either steal data, do something malicious, or do something that the device is not supposed to do. A lot of times, malware will be injected in a device. It'll sit there for a long time, used as a backdoor by nefarious actors. I think for Android devices there's definitely been, as more and more devices are out there, more and more malware associated with it. Google's done a really good job of helping prevent this, but from a standpoint of malware getting on the device, so now you talk about settings, what else do you recommend for customers and companies to help reduce the amount of malware, prevent malware from getting on their devices?

Speaker 2:

Yeah, the first recommendation is locking down the device. So we talked about that previously. So if I don't have USB and ADB turned on, I can't sideload applications. Very similar to Bluetooth and NFC. The other piece is just not having an open web browser on a device, meaning I can open it, type in my URL and get to any link that I need. So locking down a device reduces any open doors or any possibilities for someone to sideload or download or somehow get applications on the device outside of your MDM or EMM. The second piece is just to leverage an endpoint protection platform like CrowdStrike. So have something that's constantly monitoring what's on the device, the flow of traffic.

Speaker 2:

Going back to that data piece. The third one is Google Protect. So when Android was first released, there was a lot of just bashing Android, just saying it wasn't secure, it's not ready for the enterprise, and Google has done a lot over the last years to make up for that and to show that Android can be flexible, can be robust, but also be just as secure as iOS. So leverage, you know, Google to run those scans and leverage that at scale as well, right? So not only are they scanning the applications that are on your device, if they see something that looks malicious, have they scanned it and seen it somewhere else where they can flag it and bring it to your attention?

Speaker 2:

And the last thing, going back to the data, you know set baselines of reporting right, always understand what's going out there, look at the data and, when something looks different, understand where did that change come from. Was it something internally? Was it, you know, a team doing some testing and they were just moving fast and loose? Or do you actually have a bad actor out there, you know, trying to compromise your devices and get access to your data?

Speaker 1:

Yeah, so, speaking of data, I think that item four, issue four we've seen is data leakage, and data leakage can be sensitive data coming off the devices. It could be unsecured data going through messaging channels. I think Richard mentioned web browsers. Data can get off your devices pretty easily if the web browser is opened up, or if you don't have proper controls on your network or endpoints. And I think, you know, whether it's attachments, whether it's pictures, whether it's sensitive database files getting out, there's always a risk around that. So I think, you know, there's a couple of recommendations you talked about, which I think align a lot to the previous items you just called out.

Speaker 2:

Yeah. So going back to locking down the device, I can say it another way. You know, whitelist the applications that are on the device. You can see a consistent theme here: being able to restrict users from getting sensitive data, right. So maybe, you know, not everybody needs the same level of access. I know those are controls that we've put in place with our launcher.

Speaker 2:

With role-based access, you might not need access to everything in an application and some things may require manager approval or certain roles to actually get to that sensitive data, being able to clean up your sessions properly.

Speaker 2:

So when you log out, you don't want someone to log in and have a carryover from a manager, permission or access to a system that that employee doesn't have, shouldn't have, access to.

Speaker 2:

I would argue that that data might actually be more interesting than the task at hand, and so that would lead to trouble. And then having proper troubleshooting tools when things do go wrong. So things will go wrong out in the field, and so do your associates or end users have access where they can be on the phone with help desk or troubleshooting with someone to understand what's going on? Because, you know, folks will turn into MacGyver and start to take screenshots or copy-paste data or screenshots to other systems, and, you know, now you're really going, you know, off the farm and going down a path that's, you know, really risky. And so by having proper tools on the device, and that's one of the reasons why the genesis of our support application, right, being able to have safe access to that information that could be important in those tools that will be important to troubleshooting, while keeping the device locked down and secure.

Speaker 1:

I think another point you touched on this. Google has done a lot in the last, I think, four or five Android versions around scoped storage, where applications can't read data from other applications, which has helped a lot. But there's still apps that will write to SD card, and you got to be careful, I think, to Richard's point, make sure you clean up that data at the end of sessions and there's nothing residual or sensitive sitting on the device at the end of session.

Speaker 1:

The next item, item five, is compliance issues, and this aligns really closely to data, but more so data for end users. So with the introduction of things like GDPR in Europe or CCPA in California, you have the risk of lawsuits or legal actions if there is personal employee data or personal customer data that's on devices and shared with somebody who it shouldn't be shared with. And with those, I know, like, an example was, I think in Europe, Amazon got fined, I think it was like 30 or 40 million euros, in their logistics group because they had data that was being monitored inappropriately between devices, and that's just one of 50 or 60 multimillion-dollar lawsuits that companies have, I guess, been sued by either the EU or someone else in regards to data privacy. But for you, when you think about that security risk, what are the recommendations you give clients?

Speaker 2:

Yeah, I know, for our BlueFletch Enterprise solution, customers, especially customers in the UK and Europe, love it because not only do we provide quick access and single sign-on access, but when you end that user session, to be able to remove all of that session data without having to, you know, do something funky like an enterprise reset and rebuild the device. So it's very clean, it's targeted, and, you know, our customers over there really like that. The other piece that they like about our tool is the ability to anonymize user data, to make sure that, you know, data is coming up that you could operationalize and you understand what's going on, but in those countries, to make sure that, you know, identifiable data is anonymized so that you don't run into these compliance issues.

Speaker 1:

Yeah, it's definitely. We've gotten a lot of traction on our products specifically around things like Microsoft, so Microsoft is very popular, Microsoft Teams. If Richard logs in and then I pick up the device in my next shift and he's still logged in, it is a violation of GDPR in a lot of countries. So I think that's something that we've been getting a lot of traction for with tools like the BlueFletch Launcher and BlueFletch Enterprise Toolset. The next item, and you touched on this earlier, was outdated operating systems and outdated applications, and this may not sound like that big of a deal, I think, for me.

Speaker 1:

I love stability, I love the ability to have a single operating system that we support across all the devices, whether it's 10,000 or 20,000 devices in a client environment. But I think there's also, you need to make sure you have processes to go update or patch operating systems. And then same thing on apps. You need to know, if you have an app, is it supported, does it have any vulnerabilities, does it use an old SSL version? You need to be able to update those and support those. And I guess from this the biggest example I could think of in the last couple of years is the WPA2 KRACK attack, which was, there was a patch that Google put out or Android put out and a lot of people didn't have that patched, and I would see it where they'd have older versions of operating systems and it just, it makes me super nervous. But I guess for you, are there other things? Do you have recommendations or guidance around how to deal with patching or updating applications?

Speaker 2:

Yeah, it's really getting in a good habit of understanding what OS updates are available and security patches they are currently on, but it's not really a great practice going forward, especially with a lot of these frontline workers having high turnover, especially in retail environments where you have a mix of frontline workers and customers.

Speaker 2:

That's a really tricky environment.

Speaker 2:

And although germane to this, but not necessarily germane, I would say for iOS or iPhone users, you'll probably notice over the last year you get a constant stream of updates, and if you're in tune with tech news, they always come probably a day or two after you read about some vulnerability that someone discovered or someone's trying to hack iPhones.

Speaker 2:

But, you know, whereas you might personally update your phone once, maybe twice a year, you're probably getting updates monthly, and so, you know, your enterprise devices need to be protected just as much. And then, going back to data, you need to track and report on what's out there in the field, right? What versions of your applications, what versions of your OSes, versions of your security patches. You know, having data and knowing what's out there is key, and then just being in tune with the news, so understanding what vulnerabilities are out there, what, you know, malicious hacking team from Russia or China may be doing to our devices here in the United States. For, you know, any given point in time or any given season, you know, will affect you. You know, don't think that, you know, just because you have, you know, tight security controls, you're, you know, some distribution center in the middle of nowhere, that, you know, your devices can't get touched. They can and they will.

Speaker 1:

Yeah, and I think one of the other things too, on knowing and monitoring, is actually also looking forward at what Google or Apple is pushing out, and, you know, there's certain situations where the patches or OS updates will break your enterprise application. So, having a team that is constantly looking forward: if you're on Android 14, understand what's coming in 15, be able to regression test your apps, and have that process that Richard talked about, where you're able to push out your patches, control that, and really have that reporting across your enterprise. The next item, item seven, we talked about was bad password hygiene, or unsecured password apps, or apps that don't have security on them, and I think a lot of this, you know, when I think of hygiene, it comes down to, you know, do you have, you know, passwords that are shared across users? Do you have users with sticky notes? Do you have, you know, weak password requirements where you're not actually enforcing those? And then, you know, a lot of this just comes down to, you know.

Speaker 1:

I think you talked about this when we were talking about this topic earlier. If you can go on Reddit and find the PIN for a device, it's not a secure PIN. I think we had a customer that had 100,000-plus devices. You went on there and the PIN for all the devices was on Reddit. You're almost better off not even having a PIN on the devices. Definitely don't let yourself be lulled into a false sense of security with bad password hygiene. But on this topic, what are the other things or controls you've seen around passwords and user authentication on devices?

Speaker 2:

Yeah, you need a good identity strategy, right, where you have a single source of truth and, if you have multiple IDPs, federation between those. It keeps it where I only have to remember one username and one password, because I think once you add multiple ones it gets tricky and folks start saving it somewhere in plain text, whether it's in Notes or Evernote or, to your point, sticky notes. And those systems will help create, will help enforce complex passwords, and you can do things like having passwords, you know, rotate, meaning like every 90 days or every quarter I have to change my password. So, you know, I am a constantly moving target across my fleet of devices. You know, leverage a solution like BlueFletch Enterprise with SSO, right, where we tie directly into the IDP, something that's time intensive or working with the customer, and then consider or research or just be in tune with some of the passwordless options out there, like FIDO2. I know we internally have been talking about FIDO2 keys, and we have been supporting FIDO2, I think, for the last two years and talking about those keys and even some of the government PIV cards for the last three-plus years.

Speaker 2:

But, you know, you could have, you know, very high security, but it comes with a little bit of cost. And so, you know, what's worse? You know, paying $25 for a key fob, or, you know, 32 million euros for Amazon France because of, you know, a breach or a noncompliance issue.

Speaker 1:

Yeah, I think on that, whether it's cards or tokens, looking at 2FA is another one too. Things like Okta and Microsoft Entra ID have good integration with 2FA, and I know we have a number of customers that are using it with BlueFletch Enterprise to do SSO with 2FA across all their devices.

Speaker 1:

It does create a much more secure experience because a password can be shared. It can be written down, even if it is complex or rotated, but a password plus a token definitely is a lot more secure. The last item we talked about in regards to security threats we see for frontline worker devices is what we categorize as the insider threat, and this is a disgruntled employee, somebody who is wanting to act maliciously, or is just even just goofing off and doing something silly that they shouldn't be doing, and I think a lot of that results in either system outages or data breaches and can get really expensive really, really fast. But for you, when you think of the insider threats, or Tom in the paint department likes to goof off, what are the things you think about around controls or protections that companies should be thinking through?

Speaker 2:

Yeah. So, going back to the earlier points around SSO and IDPs, those also allow you to quickly invalidate sessions and user accounts, and if it's a single source of truth, it's going to work across everything. And so, if you do have a bad actor, if you are letting someone go who's, you know, disgruntled, being able to, you know, with a few clicks, make sure that they don't have access to those systems and, in the heat of passion, they couldn't do something that could be harmful to your organization. One that I had just thought about, I'll come back to it. But also, you know, corporate monitoring, right? So not only monitoring the flow of data and what's happening, like, internally, can we look at the dark web or look at the web to see is our data getting out, whether it's sensitive data, corporate data, to prevent insider threats? I want to keep my data or my secrets away from my competitors. And then, lastly, just avoid sharing passwords at all costs, and then just one for fun, you know.

Speaker 2:

Going back to, you know, locking down that device. I don't want a device to be put in a bad state, or a state where it's not even usable anymore, because if I'm at a location where I have just enough devices and now I lose a device, that's productivity that I'm losing. That's costing me time. That's costing me. That's an opportunity lost as well, and so that's almost as big of a threat as a leak or a breach or something malicious happening: now I can't operate my business.

Speaker 1:

Operational availability. Huge. Awesome, Richard. Thank you for covering these topics with me today. If you have additional questions, feel free to reach out to us at info@bluefletch.com and, as always, feel free to like or subscribe if you follow along on YouTube or your podcast channel somewhere. And thank you, thank you.