© Copyright AAMI 2014. Single user license only. Copying, networking, and distribution prohibited.

Interview

An IT CEO Talks about The BYOD Trend

About the Interviewee

Kevin Johnson is chief executive officer at Secure Ideas in Orange Park, FL. E-mail: kevin@secureideas.com

Kevin Johnson’s more-than-20-year history in the information technology (IT) field has included work in system administration, network architecture, and application development. He has had experience with building security solutions for large organizations, developing incident-response and forensic teams, and “penetration testing” of Fortune 100 companies and government agencies. Johnson also speaks at conventions, offers instructions, and is an author and blogger.

Horizons Spring 2014

Tell us about your background in this field.

I’ve been involved with IT for going on 23 years now, and I’ve been fascinated by all things technology, and so as things grow and expand and new things come out, I’m that guy who buys every gadget. But also, in my work with Secure Ideas, supporting people with whom we’re working on an enterprise is critical. We have to be ready to ensure that we can manage and support whatever problem comes our way, and we need to be able to provide the proper level of access. About seven years ago, I became a full-time consultant. Before then, security had been part of my job. We started to see this explosion in mobile devices and tablets and the business has skyrocketed. I have laughed and joked around about “bring your own device” (BYOD)—that it’s a horrible idea to implement. In the last seven years, I’ve switched almost entirely to what’s considered the “red team” at Secure Ideas. I’m responsible for testing the security of a system as the “bad guy” and providing recommendations. But in the BYOD world of mobile devices and tablets, the users are doing my job for me. They are weakening the controls, and people are rushing down this path toward breached security. We have to provide valid recommendations. It’s not enough to say, “Hey, I hacked into your tablet.” We have to be able to say, “I hacked in, and here is how you could have stopped me.” I get to do lots of things that would put me in jail, except that I have permission to do them.

How bad can things get with BYOD?

BYOD can go wrong in a number of places. As a security person, I will tell you not to use BYOD, but we’ve come to the realization that companies are going to use it regardless. And one of the main reasons that they do use it is the supposed cost savings. If your organization does not provide you with a phone, and you use your personal phone, that’s a cost savings. But it comes with a price: data loss. People lose their phones, give their phones away. I gave my daughter a hand-me-down phone. The problem is, any bit of corporate data that was on it is probably now sitting on my 11-year-old’s phone. People don’t think about it. Most of the time people don’t report a loss or that they gave their phone away. When they tell their boss they got a new phone, and the boss asks what happened to the old phone, they might say that they destroyed it. But they did not destroy it. Myself and other people I know regularly buy old phones on eBay or Craigslist or other sources selling refurbished items, and we regularly pull sensitive data from these phones.

The second biggest problem companies are having with BYOD is that it’s not their phone. It’s the employee’s, and so can you really tell that employee that they can’t install the latest flashlight app or whatever game they want to play? Recently, an Android flashlight app turned out to be malware, and it stole data off the phone. But most people get e-mail on their phone, with full contact lists, and review data and documents, so malware can steal corporate data or enterprise data or gain access to your work’s internal network. We regularly use phones as what we call “pivot points,” where we get access to the internal corporate network, then pivot through onto the corporate servers.

A third major problem is liability. If your personal phone is infected with malware, or the company suspects that your phone was used as part of an incident, and they take it from you, have they given you a replacement for it? How do they ensure that the irreplaceable photos you took are not lost? And what if they access your online banking information during a forensic examination and transfer all the money out of your bank account? The sad part is that these things have happened. There is a huge amount of up-front work that most organizations don’t do. They focus on saving money but don’t think about privacy concerns, security concerns, or how to handle these types of events.

How common are these problems in hospitals?

It’s a massive problem. Sadly, for many organizations that I deal with, including hospitals and doctors’ offices, security isn’t a focus. Frequently, after we’ve assessed a situation, we find that the security is just horrific. Many hospitals have to deal with the fact that many of the doctors they let in aren’t their employees—they have a contract with them—and these doctors have privileges to access data via BYOD. Very often, we find that their wireless network is wide open and that we can get to their EHR (electronic health record) system from the wireless network. We ask them why this is, and they say because the doctors demand access to it. Then, we may suggest putting the EHR system behind a VPN (virtual private network) or firewall, but they may be resistant to the idea because the doctors don’t want to go through those steps or because they lack funding. They may choose to buy a new life-saving machine rather than protect the EHR system. We deal a lot with organizations that have to get by with low budgets and/or little or no support from upper management. Or, in the case of hospitals where upper management provides total support, they risk losing contracted doctors who might say, “Fine. I will go to the other hospital down the street.” The hospital therefore is compelled to allow BYOD. It’s a catch-22.

In addition to cellphones, we’re moving more toward medical devices that are Internet connected. For every device that I’ve tested—and I’ve tested a number of them—I can fake the data. The data are unencrypted, and they are being sent across the Internet in plain text many times. Somebody can intercept and see the data, or they can modify the data. For example, I was able to trick one device into accepting that I had walked 50,000 miles in one day. That means there’s no checksumming—no validations. As far as the system knows, those data are accurate. Well, what happens if I have one of these monitors in place for serious medications and the data get corrupted, but they’re corrupted in such a way that they still look right?
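As an added example (not the interviewee's or Secure Ideas' code) of the gap described in the answer above: a receiver that trusts plaintext records with no checksum accepts a forged 50,000-mile day unchanged, while a keyed MAC plus a plausibility bound on the receiving side rejects it. The per-device key, the record fields and the 100-miles-per-day bound are assumptions made for the illustration.

```python
import hmac
import hashlib
import json

# Constructed values for the example; a real deployment would provision a
# distinct secret per device at enrollment and derive the bound from the
# sensor's physical limits.
DEVICE_KEY = b"per-device-secret-provisioned-at-enrollment"
MAX_MILES_PER_DAY = 100.0  # assumed plausibility bound for a step counter


def unprotected_parse(body: str) -> dict:
    """Mimics the receiver the interview describes: no checksum, no validation."""
    return json.loads(body)


def sign_record(payload: dict, key: bytes) -> str:
    """Canonical JSON body followed by an HMAC-SHA256 tag over that body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


def verify_record(wire: str, key: bytes) -> dict:
    """Return the payload only if the tag verifies and the value is plausible."""
    body, _, tag = wire.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    payload = json.loads(body)
    miles = payload["miles_walked"]
    if not 0 <= miles <= MAX_MILES_PER_DAY:
        raise ValueError(f"implausible value: {miles}")
    return payload


def tamper(wire: str, new_miles: float) -> str:
    """Simulate an on-path edit of the plaintext value; the tag is left as-is."""
    body, sep, tag = wire.rpartition("|")
    payload = json.loads(body)
    payload["miles_walked"] = new_miles
    return json.dumps(payload, sort_keys=True, separators=(",", ":")) + sep + tag


def demo() -> tuple:
    genuine = {"device_id": "monitor-0001", "day": "2014-03-01", "miles_walked": 3.2}
    forged = tamper(sign_record(genuine, DEVICE_KEY), 50000.0)
    naive = unprotected_parse(forged.rpartition("|")[0])["miles_walked"]
    try:
        verify_record(forged, DEVICE_KEY)
        protected = "accepted"
    except ValueError as err:
        protected = str(err)
    return naive, protected  # (50000.0, "integrity check failed")
```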

What do you recommend that organizations do?

Well, our first recommendation is don’t allow BYOD, but of course, we know that that won’t happen. So the reality is that we tell people to treat these devices—tablets, phones, medical devices—as foreign entities to your network. Most organizations have some means for an extranet or an external network that is locked down. They’re very well monitored, and the resources are approved and vetted. We recommend that if you’re going to allow BYOD, treat these devices as external entities that go through a control process, such as a VPN or terminal services. That way, you can control access to critical data, through this segmentation process.


We also recommend using some type of containerization approach on these devices. This involves installing software that includes a container with all the enterprise data. This container, which is encrypted, can access your hospital network, e-mail, intranet, etc., while the rest of the phone cannot access those areas. Therefore, if, for example, a phone is lost, because the container is encrypted, it can be locked or destroyed remotely by the hospital without causing any problems for the person’s phone, such as losing pictures or contacts. In addition, the container is backed up to the corporate network. So, when I find the lost phone under my couch cushion or get a replacement phone, the container data can be restored.

In many cases, we see organizations buying silver bullets without really understanding if they’re being aimed at the right thing. When we go in and do what we call an “architecture review,” we find that organizations have not looked at their system from an adversarial perspective, or what we call the “professionally evil” perspective. They look at questions such as: How do I ensure that the system is up and running? How do I make sure the data are valid? Many times, they may have spent a lot of money on a solution but have not implemented it completely. It’s just something a vendor told them they needed, and so they bought it. And then they bought another solution, and then they bought a different one, and then they bought something else. I’ve literally gone into places that have had 10 to 15 different pieces of software that all do the same thing, but it depends on which part of the hospital you’re in and it ties in to budgetary factors. We find that often people know what they need to fix, but they don’t know why they need to fix it. And the “why” is very important.
