Saturday, February 13, 2016

Cell phone cameras create unexpected privacy problems

To regular readers, my apologies for a couple of light blogging weeks.  I've been busy and sick (a combination I don't recommend to anyone).  I'm just now getting back on my feet and will try to get back to a more regular tempo.

Cameras - they're everywhere
Everyone these days has a cell phone camera.  Everyone that is except for maybe my grandmother.  And it turns out, that might be a problem for her.

According to ProPublica, there have been at least 35 cases of nursing home workers sharing surreptitiously obtained photos of seniors under their care on social media platforms.  Apparently 16 of these involved Snapchat.

A knee-jerk reaction to this news might be to restrict cell phones in the workplace.  I worked for years in environments where I couldn't ever take my cell phone, let alone any photographic equipment. I know what it's like to live like that and I don't think that employers should encourage that either.  Your employees will probably quit if you try.

But it is a problem, and not just for nursing homes.  During OSINT audits of our clients at Rendition Infosec, we regularly find photos of sensitive data posted to social media.  These range from photos identifying equipment in the workplace to sensitive documents captured in the background of some photos.  Not something to be taken lightly.

So what's the right BYOD strategy?
My recommendation is that organizations embrace BYOD. Usually when we talk about BYOD in infosec, we're talking about keeping those devices from accessing the network insecurely.  But there's way more to BYOD.  Two BYOD issues we frequently advise Rendition clients on are workplace photos and charging devices on work computers.

Rendition generally recommends making the workplace a "no-photo zone."  This takes away any potential issues of an employee making the wrong judgment call when deciding whether to post a photo.  HR and legal will probably like this too, since it nearly eliminates the possibility of harassment complaints where one party says "I didn't think I was doing anything wrong."  If the workplace is a no-photo zone, it doesn't matter what's in the photo, and employees are no longer left open to bad judgment calls.

When it comes to charging phones from the USB ports of work computers, this is a full-on no-go.  Don't even think about it.  There are many reasons for this, but one of the biggest is that DLP systems have only recently started treating some phones as removable storage. Previously, many DLP systems treated anything that enumerates as an MTP device as "not removable storage."  The reason is that an MTP phone is presented to the operating system as a portable device rather than as a mass-storage volume: it never gets a drive letter, so a DLP rule that fires on "file copied to a removable drive" never sees the copy.  This had disastrous consequences for DLP rules which treat copying sensitive files to removable storage differently from copying them to an internal drive.  There are also infection issues to deal with when mobile devices are plugged into corporate machines; remember that a USB device can present itself as a keyboard or a network adapter, not just as storage.
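To make that DLP blind spot concrete, here is an added example of my own (not code from the post, and not any DLP product's rule engine) that models a removable-storage rule over a constructed Windows device inventory. The setup class names (DiskDrive, WPD, HIDClass) are real Windows classes, but the instance IDs, VID/PID values, descriptions and the rule names `legacy_is_removable` and `is_removable` are assumptions made up for the illustration.

```python
"""Model of a DLP "removable storage" rule and the MTP blind spot.

Added example; not from the original post and not a real DLP product.
The device records are constructed to look like Windows PnP entries
(setup class plus device instance ID). Instance IDs and VID/PID values
are illustrative, not taken from any real inventory.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PnpDevice:
    device_class: str   # Windows setup class: DiskDrive, WPD, HIDClass, ...
    instance_id: str    # device instance path as Device Manager shows it
    description: str


# Constructed inventory: internal SSD, USB thumb drive, phone in MTP mode,
# and a second interface of the same phone that enumerates as a keyboard.
INVENTORY: List[PnpDevice] = [
    PnpDevice("DiskDrive",
              r"SCSI\DISK&VEN_SAMSUNG&PROD_SSD_850\4&1A2B3C4D&0&000000",
              "Samsung SSD 850 (internal)"),
    PnpDevice("DiskDrive",
              r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\4C530001230507112345&0",
              "SanDisk Cruzer USB Device"),
    PnpDevice("WPD",
              r"USB\VID_18D1&PID_4EE1\0123456789ABCDEF",
              "Nexus 5 (MTP)"),
    PnpDevice("HIDClass",
              r"USB\VID_18D1&PID_4EE1&MI_01\7&2F3E4D5C&0&0001",
              "USB Input Device"),
]

_VID_PID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})")


def legacy_is_removable(dev: PnpDevice) -> bool:
    """Old-style rule (hypothetical): removable storage means a disk that
    arrived over USB mass storage, i.e. something that got a drive letter."""
    return (dev.device_class == "DiskDrive"
            and dev.instance_id.upper().startswith("USBSTOR\\"))


def is_removable(dev: PnpDevice) -> bool:
    """Corrected rule (hypothetical): USB mass storage *or* a Windows
    Portable Device, which is how an MTP/PTP phone enumerates."""
    return legacy_is_removable(dev) or dev.device_class == "WPD"


def dlp_gap(devices: Iterable[PnpDevice]) -> List[PnpDevice]:
    """Devices that can receive files but the legacy rule never flags."""
    return [d for d in devices if is_removable(d) and not legacy_is_removable(d)]


def non_storage_usb(devices: Iterable[PnpDevice]) -> List[PnpDevice]:
    """USB devices that are neither disks nor WPD: keyboards, NICs, etc.
    These are the 'it's only charging' devices that still deserve a policy."""
    return [d for d in devices
            if d.instance_id.upper().startswith("USB\\")
            and d.device_class not in ("DiskDrive", "WPD")]


def usb_vid_pid(dev: PnpDevice) -> Optional[Tuple[str, str]]:
    """Pull vendor/product IDs out of the instance path for allow-listing.
    Returns None for devices that did not enumerate with a VID/PID."""
    m = _VID_PID.search(dev.instance_id.upper())
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.description:30} legacy={legacy_is_removable(d)!s:5} "
              f"fixed={is_removable(d)!s:5} vidpid={usb_vid_pid(d)}")
    print("missed by legacy rule:", [d.description for d in dlp_gap(INVENTORY)])
    print("non-storage USB:", [d.description for d in non_storage_usb(INVENTORY)])
```

The thumb drive is caught by both rules, the internal disk by neither, and the phone only by the corrected one; the keyboard interface on the same phone is not storage at all, which is why the post's "don't even think about it" covers more than file copies.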

Overall, a good BYOD strategy should help secure your overall working environment - not just the network.