September 9, 2024 • 25 mins

Discover cutting-edge strategies to defend against mobile device security threats facing frontline workers in 2024 in this engaging discussion with Brett Cooper and special guest Richard Makerson. We promise you'll walk away equipped with the knowledge to track lost devices, lock them down, and protect sensitive data from unauthorized access. Richard shares his expertise on zero-touch enrollment and the risks of open settings, such as unsecured public Wi-Fi and Bluetooth. Learn how to shield your enterprise from these vulnerabilities while maintaining seamless and secure operations for your team.

Explore the critical components required to ensure device security, access control, and compliance in the modern workplace. Brett and Richard emphasize the importance of application whitelisting, role-based access control, and the dangers of outdated operating systems. Delve into the intricacies of GDPR and CCPA compliance, with real-world examples like Amazon's data misuse fine highlighting the significance of these regulations. Gain insights into managing insider threats and the essentials of password hygiene, including the promising future of passwordless solutions like FIDO2. Don't miss this informative episode packed with practical advice to keep your enterprise secure and compliant.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
Hello, welcome to another episode of the BlueFletch
Enterprise Mobility Roundup Podcast.
I'm Brett Cooper, today joined by Richard Makerson, and we're
going to be talking about the top security threats for mobile
devices for frontline workers in 2024.
A lot of these are things we've seen in the last couple of years
and I'm going to cover what they are and then Richard's
going to talk about some remediation factors or ways to

(00:22):
prevent them from happening for your devices or your employees.
So, Richard, the first item we talked about, which is still
very, very common, is lost or stolen devices, and this is a
device that gets lost.
Yeah, it's a lot of money that gets.
A lot of times you put on a shelf and they can't find them
anymore, but also something sometimes they get left out,
they get stolen, go on eBay or get stolen by somebody's

(00:44):
malicious, and then you have all sorts of other issues where
they could put malware or other pieces on it.
From a consideration standpoint, what are the things you guide
clients on in regards to how to deal with lost or stolen devices
or reduce it or prevent it?

Speaker 2 (01:00):
Well, the first thing is that, statistically,
there'll be some device that's at risk of becoming lost or
stolen.
So what can you do before it becomes lost or stolen?
Meaning, are you tracking devices?
Do you know where they're at?
Who's using a device, so that, when a device becomes lost or
stolen, or at risk of becoming lost or stolen, you can see

(01:23):
where the device connected last.
Who was the last user who logged into the device to
quickly understand was it truly stolen?
Did we leave it on a shelf?
Did we accidentally ship it to a customer?
We've seen all those things.
And then, once it becomes lost or potentially stolen, do you
have the safeguards in place to protect your sensitive data?

(01:44):
Right, do you have the safeguards in place to protect
your sensitive data?
Do you have tools in place that lock down the device when it's
not in a safe location?
If it's not in a safe location for an extended period of time,
being able to wipe the device to make sure none of your data
gets access to the outside world also prevents bad actors from
putting malicious applications on the device and then returning

(02:06):
it back into your ecosystem and then leveraging tools like zero
touch enrollment from Google to make sure that, even if the
device is wiped, that no one else could register or use that
device again because it's been flagged within the larger Google
and Play system.
And these are for devices that have GMS.

(02:27):
AOSP devices wouldn't count, but those are the ways to keep
your devices safe, but also your information from potentially
getting out there, awesome.

Speaker 1 (02:39):
The second area we talked about was open settings
on devices, and this is I think there's three key things we
called out.
The first one was around Wi-Fi.
So if you just can get to Wi-Fi, they can hop on public Wi-Fi, or
if somebody created a rogue hotspot, they can get on there
and capture data.

(02:59):
The second one we talked about is the communication settings,
so Bluetooth and NFC.
Most of these devices now have Bluetooth and NFC on them, so
how do you control or restrict users from connecting those to
devices that shouldn't be at Bluetooth or tapping NFC tags
that may have malicious data on them?
And the third one was around USB slash ADB, and ADB is the

(03:20):
Android debugging bridge, so it's a tool that allows users to
connect and install applications, remove
applications on devices.
But USB in general should also be restricted because, out of
the box, Android comes with the ability to connect via USB, pull
files on and off.
Even with iOS, they have that as well.
So, for that thread, or the settings thread, what are the

(03:42):
things you typically see or see companies do to help prevent
that or restrict that?

Speaker 2 (03:46):
Yeah, there have been some times and I know, like,
for our solution, we can enable settings at a granular level
because you know some companies do have a need to get to a
specific setting.
But that's access to a very specific setting that aligns
with how a company operates.
But usually settings should not be available simply because

(04:12):
frontline devices are shared.
So you want the device to be in a consistent state.
You don't want someone to be able to get to Wi-Fi settings,
jump on another Wi-Fi network because maybe they think it's
faster or whatever their reason is, and then they leave it in
that state and now a user who might pick up that device can't
use it anymore.

(04:33):
Or, to your point, you get into a bad network and now you have a
man in the middle who's watching your data go by.
Bluetooth and NFC, you know, have it locked down where, you know,
it's turned on only when needed.
And even in some of those cases, like with Bluetooth, being
able to filter to specific Bluetooth devices, right.

(04:56):
So if you have printers, maybe even payment terminals, you know
you want to have it where you have a narrow focus, right.
So really reduce that risk window.
And then with USB and ADB, no device in production should have
USB and ADB enabled.
I haven't seen a great use case yet.

(05:17):
Where you need that, you know ADB should just not be enabled.
That is just a recipe you just set yourself up for trouble.

Speaker 1 (05:28):
Yeah, the settings the story reminds me of.
There was a retailer it was one of our clients, but I think I
saw it on Reddit.
There was somebody on their last day.
They got let go and they wanted all the devices in the store
and found they could change the wallpaper.
So they changed the wallpaper to a picture of them, yeah, so
it wasn't super malicious but definitely very distracting to
other employees, and then it goes back to data as well.

Speaker 2 (05:47):
Right, can you monitor when devices change?
Do I have an outlier of a device that has a configuration
or a settings change that's different from any other device?

Speaker 1 (05:59):
Yeah, if you have 10,000 devices and only one of
them in production has a certain setting, you probably have a
device that's compromised.
Yes, so this is a good segue.
The next thing is malware attacks, which is a little bit
generic, but malware is anything that gets put on a device to
either steal data, do something malicious or do something that
the device is not supposed to do.

(06:21):
A lot of times, malware will be injected in a device.
It'll sit there for a long time, used as a backdoor by
nefarious actors.
I think for Android devices there's definitely been.
As more and more devices are out there, there's more and more
malware associated with it.
Google's done a really good job of helping prevent this, but

(06:44):
from a standpoint of malware getting on the device.
So now you talk about settings.
What else do you recommend for customers and companies to help
reduce the amount of malware, prevent malware from getting on
their devices?

Speaker 2 (06:55):
Yeah, the first recommendation is locking down
the device.
So we talked about that previously.
So if I don't have USB and ADB turned on, I can't sideload
applications.
Very similar to Bluetooth and NFC.
The other piece is just not having an open web browser on a

(07:16):
device, meaning I can open it, type in my URL and get to any
link that I need.
So locking on a device reduce any open doors or any
possibilities for someone to sideload or download or somehow
get applications on the device outside of your MDM or EMM.

(07:37):
The second piece is just leverage an endpoint protection
platform like CrowdStrike.
So have something that's constantly monitoring what's on
the device, the flow of traffic.
Going back to that data piece.
The third one is Google Protect.
So when Android first was released, there was a lot of

(08:02):
just bashing Android, just saying it wasn't secure, it's
not ready for the enterprise, and Google has done a lot over
the last years to make up for that and to show that Android
can be flexible, can be robust, but also be just as secure as
iOS.
So leverage you know Google to run those scans and leverage

(08:26):
that at scale as well, right?
So not only are they scanning the applications that are on
your device if they see something that looks malicious.
Have they scanned it and seen it somewhere else where they can
flag it and bring it to your attention?
And the last thing, going back to the data, you know set
baselines of reporting right, always understand what's going

(08:46):
out there, look at the data and, when something looks different,
understand where did that change come from.
Was it something internally?
Was it, you know, a team doing some testing and they were just
moving fast and loose?
Or do you actually have a bad actor out there, you know,
trying to compromise your devices and get access to your
data?

Speaker 1 (09:05):
Yeah, so, speaking of data, I think that item four,
issue four we've seen is data leakage, and data leakage can be
sensitive data coming off the devices.
It could be unsecured data going through messaging channels.
I think Richard mentioned web browsers.
Data can get off your devices pretty easily if the web browser

(09:26):
is opened up or if you don't have proper controls on your
network or endpoints.
And I think the you know whether it's attachments,
whether it's pictures, whether it's sensitive database files
getting up, there's always a risk around that.
So I think the you know there's a couple of recommendations you
talked about which I think those align a lot to the
previous items you just called out.

Speaker 2 (09:47):
Yeah.
So going back to locking down the device, I can say it another
way.
You know, whitelist the applications that are on the
device.
You can see a consistent theme here being able to restrict
users from getting sensitive data right.
So maybe you know, not everybody needs the same level
of access.
I know those are controls that we've put in place with our

(10:09):
launcher.
With role-based access, you might not need access to
everything in an application and some things may require manager
approval or certain roles to actually get to that sensitive
data, being able to clean up your sessions properly.
So when you log out, you don't want someone to log in and have
a carryover from a manager, permission or access to a system

(10:31):
that that employee doesn't have, shouldn't have, access to.
I would argue that that data might actually be more
interesting than the task at hand, and so that would lead to
trouble and then having proper troubleshooting tools when
things do go wrong.
So things will go wrong out in the field, and so do your

(10:52):
associates or end users have access where they can be on the
phone with help desk or troubleshooting with someone to
understand what's going on, because you know folks will turn
into MacGyver and start to take screenshots or copy paste data
or screenshots to other systems and you know now you're really

(11:12):
going, you know, off the farm and going down a path that's,
you know, really risky.
And so by having proper tools on the device and that's one of
the reasons why the genesis of our support application right
being able to have safe access to that information that could
be important in those tools that will be important to

(11:32):
troubleshooting while keeping the device locked down and
secure.

Speaker 1 (11:36):
I think another point you touched on this Google has
done a lot in the last I think four or five Android versions
around scoped storage where applications can't read data
from other applications, which has helped a lot, but there's
still apps that will write to SD card and you got to be careful
I think to Richard's point make sure you clean up
that data at the end of sessions
and there's nothing residual or sensitive sitting on the device

(11:58):
at the end of session.
The next item, item five, is compliance issues, and this
aligns really closely to data, but more so data for end users.
So with the introduction of things like GDPR in Europe or
CCPA in California, you have the risk of lawsuits or legal
actions if there is personal employee data or personal

(12:20):
customer data that's on devices and shared with somebody who it
shouldn't be shared with and with those.
I know, like an example was, I think in Europe, Amazon got
fined I think it was like 30 or 40 million euros in their
logistics group because they had data that was being monitored
inappropriately between devices, and that's just one of 50 or 60

(12:42):
multimillion dollar lawsuits that companies have, I guess,
been sued by either the EU or someone else in regards to data
privacy.
But for you, when you think about that security risk, what
are the recommendations you give clients?

Speaker 2 (12:57):
Yeah, I know, for our BlueFletch Enterprise solution,
customers, especially customers in the UK and Europe, love it
because not only do we provide quick access and single sign-on
access but when you end that user session, to be able to
remove all of that session data without having to, you know, do

(13:17):
something funky like enterprise reset and rebuild the device.
So it's very clean, it's targeted and you know our
customers over there really like that.
The other piece that they like about our tool is the ability to
anonymize user data to make sure that it's you know data is
coming up that you could operationalize and you

(13:40):
understand what's going on but in those countries, to make sure
that you know identifiable data is anonymized so that you don't
run into these compliance issues.

Speaker 1 (13:56):
Yeah, it's definitely.
We've gotten a lot of traction on our products specifically
around things like Microsoft, so Microsoft is very popular
Microsoft Teams.
If Richard logs in and then I pick up the device in my next
shift and he's still logged in, it is a violation of GDPR in a
lot of countries.
So I think that's something that we've been getting a lot of
traction for tools like the BlueFletch Launcher and
BlueFletch Enterprise Toolset.
For the next item and you touched on this earlier but was

(14:20):
outdated operating systems and outdated applications, and this
may not sound like that big of a deal, I think for me.
I love stability, I love the ability to have a single
operating system that we support across all the devices, whether
it's 10,000 or 20,000 devices in a client environment.
But I think there's also you need to make sure you have

(14:40):
processes to go update or patch operating systems.
And then same thing on apps.
You need to know if you have an app, is it supported, does it
have any vulnerabilities, does it use an old SSL version?
You need to be able to update those and support those.
And I guess from this the biggest example I could think of
in the last couple of years is the WPA2 KRACK attack,

(15:01):
which was there was a patch that Google put out or Android put
out and a lot of people didn't have that patched and I would
see it where they'd have older versions of operating systems
and it just it makes me super nervous.
But I guess for you are there other things.
You have recommendations or guidance around how to deal with
patching or updating applications.

Speaker 2 (15:20):
Yeah, it's really getting in a good habit of
understanding what um, uh, OS updates are available and
security patches they are currently on, but it's not

(15:56):
really a great practice going forward, especially with a lot
of these frontline workers having high turnover, especially
in retail environments where you have a mix of frontline
workers and customers.
That's a really tricky environment.
And although germane to this, but not necessarily germane, I
would say for iOS or iPhone users, you'll probably notice

(16:21):
over the last year, you get a constant stream of updates and
if you're in tune with tech news, they always come probably a
day or two after you read about some vulnerability that someone
discovered or someone's trying to hack iPhones.
But you know, whereas you might personally update your phone
once, maybe twice a year, you're probably getting updates

(16:44):
monthly and so you know your enterprise devices need to be
protected just as, just as much.
And then, going back to data, you need to track and report on
what's out there in the field, right, what versions of your
applications, what versions of your OS's, versions of your
security patches.
You know, having data and knowing what's out there is key

(17:09):
and then just being in tune with the news, so understanding what
vulnerabilities are out there, what you know malicious hacking
team from Russia or China may be doing to our devices here in
the United States.
For you know, any given point in time or any given season you
know will affect you.

(17:30):
You know, don't think that you know, just because you have, you
know, tight security controls, you're, you know, some
distribution center in the middle of nowhere that you know
your devices can't get touched.
They can and they will.

Speaker 1 (17:44):
Yeah, and I think one of the other things too, on
knowing and monitoring is actually also looking forward at
what Google or Apple is pushing out, and you know there's
certain situations where the patches or OS updates will break
your enterprise application.
So, having a team that is constantly looking forward, if
you're on Android 14, understand what's coming in 15, be able to

(18:07):
regression test your apps and have that process that Richard
talked about, where you're able to push out your patches,
control that and really have that reporting across your
enterprise.
The next item seven we talked about was bad password hygiene
or unsecured password apps or apps that don't have security on

(18:27):
them, and I think a lot of this you know.
When I think of hygiene, it comes down to you know.
Do you have, you know passwords that are shared across users?
Do you have users with sticky notes?
Do you have you know weak password requirements where
you're not actually enforcing those, and then you know a lot
of this just comes down to you know.
I think you talked about this when we were talking about this
(18:49):
topic earlier.
If you can go on Reddit andfind the pin for a device, it's
not a secure pin.
I think we had a customer thathad 100,000 plus devices.
You went on there and they hadthe pin for all the devices is
on Reddit.
You're almost better off noteven having a pin on the devices
.
Definitely don't let yourselfbe lulled into a false sense of

(19:10):
security with bad password hygiene.
But on this topic, what are the other things or controls you've
seen around passwords and user authentication on devices?

Speaker 2 (19:20):
Yeah, you need a good identity strategy right where
you have a single source of truth and if you have multiple
IDPs, federation between those, it
keeps it where I only have to remember one username and one
password, because I think once you add multiple ones it gets
tricky and folks start saving it somewhere in plain text whether

(19:48):
it's in Notes or Evernote or, to your point, sticky notes and
those systems will help create, will help enforce complex
passwords and you can do things like having passwords, you know,
rotate, meaning like every 90 days or every quarter I have to
change my password.
So you know I am a constantly moving target across my fleet of
devices.
You know, leverage a solution like BlueFletch Enterprise

(20:35):
with SSO right where we tie directly into the IDP something
that's time intensive or working with the customer, and then
consider or research or just be in tune with some of the
passwordless options out there, like FIDO2.
I know we internally have been talking about FIDO2 keys and we
have been supporting FIDO2, I think, for the last two years

(20:56):
and talking about those keys and even some of the government PIV
cards for the last three plus years.
But you know you could have, you know, very high security, but
it comes with a little bit of cost.
And so you know what's worse.
You know paying $25 for a key fob, or you know 32 million

(21:20):
euros for Amazon France because of, you know, a breach or a
noncompliance issue, compliance issue.

Speaker 1 (21:28):
Yeah, I think on the that that, whether it's cards or
tokens looking at 2FA is another one too, like things
like Okta, Microsoft Entra ID have good integration with 2FA
and I know we have a number of customers that are using it with
BlueFletch Enterprise to do SSO with 2FA across all their
devices and it.
It does create a much more secure experience because a

(21:50):
password can be shared.
It can be written down, even if it is complex or rotated, but a
password plus a token definitely is a lot more secure.
The last item we talked about in regards to security threats
we see for frontline worker devices is what we categorize as
the insider threat, and this is a disgruntled employee,

(22:11):
somebody who is wanting to act maliciously or is just even just
goofing off and doing something silly that they shouldn't be
doing, and I think a lot of that results in either system
outages or data breaches and can get really expensive really,
really fast.
But for you, when you think of the insider threats or Tom in

(22:36):
the paint department likes to goof off what are the things you
think about around controls or protections that companies
should be thinking through?

Speaker 2 (22:42):
Yeah.
So, going back to the earlier points around SSO and IDPs,
those also allow you to quickly invalidate sessions and user
accounts, and if it's a single source of truth, it's going to
work across everything.
And so, if you do have a bad actor, if you do letting someone
go who's you know is disgruntled, being able to, you

(23:04):
know, with a few clicks, make sure that they don't have access
to those systems and, in the heat of passion, they couldn't
do something that could be harmful to your organization,
one that I had just thought about, I'll come back to it.
But also, you know, corporate monitoring, right?
So not only monitoring the flow of data and what's happening,

(23:27):
like internally, can we look at the dark web or look at the web
to see is our data getting out, whether it's sensitive data,
corporate data, to prevent insider training threats?
I want to keep my data or my secrets away from my competitors.
And then, lastly, just avoid sharing passwords at all costs,

(23:51):
and then just one for fun, you know.
Going back to, you know, locking down that device.
I don't want a device to be put in a bad state or a state where
it's not even usable anymore, because if I'm at a location
where I have just enough devices, and now I lose a device.
That's productivity that I'm losing.
That's costing me time.
That's costing me.
That's an opportunity lost as well, and so that's almost as

(24:16):
big of a threat as a leak or a breach or something malicious
happening, is now I can't operate my business.

Speaker 1 (24:25):
Operational availability.
Huge, awesome, Richard.
Thank you for covering these topics with me today.
If you have additional questions, feel free to reach
out to us at info at bluefletch.com and, as always,
feel free to like or subscribe if you follow along on YouTube
or your podcast channel somewhere.
And thank you, thank you.