Wayne Wilson

At work we use a VDI to do anything work related. Even if we bring a our own device, we still need to login to the VDI using our RSA tokens. Obvoiusly the VDI isn’t as great performance wise, it solves a lot of the security issues with having to do work on your own device.

I work at a school district. We opened up BYOD 4 years ago. We had many decisions to make. Would we enforce things like Anti-Virus on the machines, updated patches for operating systems, etc. After looking at all the possibilities, we decided our best defense was NO defense. It would be impossible for us to try to enforce those things, even with all the software and appliances out there that check for these types of things. It would merely frustrate the users and stunt the use of BYOD for learning.

What we did decide to do: use 802,1x so that each user authenticates to the Wifi. BYOD users were assigned to an IP scope that had no access to any other resources on the network except a server for authentication and Internet access. To further limit issues, each graduation class had their own IP subnet, so if you did start to poke around, you could only see a limited number of devices. And we did encourage users to install AV and keep up to date, but we didn’t check/enforce it. We couldn’t!!!

Wayne,

Great point, Allowing users to BYOD in a workplace is tricky. Having standard workstations allows standardized support and patches to be issued organization wide. Many people who would BYOD also risk of having old hardware requiring more support. Also, since devices might be older they might not be able to even run the standardized antivirus that we might need to implement on the system.

I can definitely see how BYOD would be a cost saver for businesses as long as the opportunity cost associated with increased vulnerability to your network is not too high. The more sensitive information the user is requesting access to, the more tricky the situation when handling BYOD. Restricting access to a specific subnet, and limiting access to resources works fine, but what happens if the user is in a position who handles sensitive data such as finance or legal? I think it is important to have some kind of NAC that ensures a device is hardened to a particular point before access is granted into the network. I’ve seen several articles with a quick google search that states the increased popularity of BYOD in the workforce is fueling a comeback of NAC to secure networks.

Thanks for this post Wayne. Like you I was a little blown away from the article. I learned two things from this article; what an air-gap network/computer is and how they can be compromised. I guess that completely isolating your computer from unsecured networks and internet doesn’t mean it is completely secured. I knew that components on your computer emits heat and radio signals but being able to collect, analyze, and decode that information with cheap tools and devices is news to me.

Thanks for sharing Wayne. I liked the youtube video that was referenced in the article (and some of the comments from the youtube). A lot of folks felt that the BitWhisper proof of concept was impractical because it assumes that the attacker gained physical access, installed software on both computers, knowledge of thermal properties, etc.

However, I do agree that the threat is real. It is so real that Tempest standards are published by the NSA and certifications are provided by NATO on information systems spying methods and protections. These include the use of Faraday cages to block electrical emissions and prevent them from being intercepted.

A Faraday cage is a more sophisticated method of preventing interception of emissions, but there are many other practical physical and logical access controls that can be implemented to reduce the risk of an attack like this. The level of investment all depends on the classification and the risk associated with the data you are trying to protect.

Some of this stuff goes back forty plus years. If you look up “tempest” you will see the military was worried about leakage from electronic systems for a very long time.

This article makes me want to keep all critical servers either in space or deep in the ocean. That seems like only safe method to defend against this style of vulnerability. I do remember reading that Microsoft was working on underwater servers called Natick. These can be deployed just off the coast and last for years ideally. The hacker would probably have to learn how to SCUBA but I doubt their devices would work down there with them.