Internet-connected Product Bans: How Do You Avoid Future Issues?

Recent actions by DHS signal a closer monitoring of technology being purchased by the U.S. government, especially technology created and or controlled by foreign governments. In some cases Internet-connected products controlled by foreign governments have already been banned, and there are indications more may be coming. For cybersecurity personnel the product bans will require a new approach to procurement policies (especially endpoint and BYOD policies).

2018 started with a ban of Kaspersky software and was quickly followed by Senator Rubio calling for a ban on Huawei and ZTE. Given the high political cost of banning a product the US Government typically only takes action if there is overwhelming evidence. Subsequently cybersecurity personnel should take such actions very seriously.

Internet-connected security software and mobile phones are problematic as they upload data as a normal part of their operation. For example, anti-virus programs upload any signature or group of packets they don’t understand to a cloud-based analytics engine. Similarly mobile phones upload usage data to improve coverage. For DHS to ban an Internet-connected product means there is evidence that data uploads go beyond the stated functions. In the case of Kaspersky it seems they were uploading the entire hard drive.

Company-owned computers on which banned security software is installed should be discarded. As security software operates at the kernel level simply de-installing software won’t do anything. Unless you’re an expert in re-flashing hardware don’t take the risk of using a tampered laptop. If you do decide to re-flash a laptop you should label the device so users are aware then you’re re-circulating a tampered system. Unfortunately for banned mobile devices there’s nothing you can do except remove the SIM card and discard the device.

BYOD presents a bigger cybersecurity challenge for enterprises. In many organizations cybersecurity personnel don’t even know what’s on the remote device. Moreover standard countermeasures such as encryption don’t help if the device itself is the attack vector. Thus enterprises will have to take the difficult step of approving BYOD purchases.

What To Do To Avoid Future Bans?

To avoid the cost of discarding a device here are five requirements for Internet-connected products you should consider before purchasing or recommending them:

Data Location Where is the data stored?  Additionally are there any remote analytics programs that have access to the data?

Internet Function What is the function of the Internet-connected service?  Is the functionality locked down?

Anonymization Process Are Internet-connected services implementing a one-way non-recoverable hash to ensure data is anonymized?

Data Security How is access to the data managed?  Additionally how is the network that transports the data protected?

System Verification What is the vendor doing to ensure all the things they promised are really happening.

Don’t wait for DHS to ban a product. Be proactive and avoid disaster.