Why Personal Devices Compromise Security
I previously wrote about one of several recent attacks on LastPass. Now we are learning more about how it happened, and this should be a warning to companies that allow BYOD, or bring your own device. Note that this is not a Windows or Mac issue, nor is it a computer vs. phone issue. In fact, all of the above are problematic.
The LastPass situation started with an engineer taking work home. This is far from unusual and the employee was just trying to get work done.
But here is the problem. At home, the employee used his personally owned computer. This is one that the company had no control over: no ability to monitor it, no ability to know what software was installed on it, and no visibility into the machine at all.
In this case, the employee had Plex software on his computer. The software is not bad and, in fact, it is pretty popular. Unfortunately, the version he was running had a vulnerability in it that an attacker was able to exploit and the rest is history.
But what is coming out now is that Plex released a patch for this bug in May of 2020. That is two years before the bug was exploited by the attacker.
Managers should understand that high-visibility bugs are weaponized in a matter of 1-3 days. This patch was 24 months old.
Even scarier, Plex has released 75 versions since that date. No, this is not a typo. SEVENTY FIVE.
But since the company had no visibility into the employee’s personally owned computer, it did not know that the software was not being patched, and it did not know that the bug had been exploited.
Likely you don’t prohibit personally owned or BYOD devices – especially phones.
But you are potentially putting all of your data at risk by allowing this. If ransomware gets into your corporate network this way, you are putting your company’s very survival on the line.
You can reduce the risk, and at a minimum you need to put some controls in place. How strict you want to be is a function of how lucky you feel, or of what your risk tolerance is.
If you need help with this, please contact us.
Credit: The Hacker News