topic Re: Securing Photos on Mobile phones in Privacy

Securing Photos on Mobile phones

GinGa — Tue, 04 Feb 2020 09:48:36 GMT

Hi All,

We have users that visit a lot of external locations and take photos of sensitive data, this is against the policy but makes their lives a million times easier so hard to enforce
Instead I would like to find a solution that ensures the photos are properly encrypted and not uploaded to the cloud and ideally a corporate solution

Does anyone have any recommendations?

Re: Securing Photos on Mobile phones

CraginS — Tue, 04 Feb 2020 13:19:10 GMT

@GinGa wrote:
Hi All,

We have users that visit a lot of external locations and take photos of sensitive data, this is against the policy but makes their lives a million times easier so hard to enforce
Instead I would like to find a solution that ensures the photos are properly encrypted and not uploaded to the cloud and ideally a corporate solution

Does anyone have any recommendations?

Alexander, as long as an enterprise "saves" money by using BYOD (Bring Your Own Device) policies to have employees use their personally owned mobile phones for work purposes, you are out of luck. If you belly up to the bar and provide enterprise-owned phones to those employees, and implement a full enterprise control system on those devices, you can reduce greatly (but probably not eliminate) these breaches of security policy.

SO, how about examining the current policy, and modify it, with meaningful and easy-to-use procedures, to help the employees work "a million times easier." Policies that interfere with a worker's primary duties guarantee work-arounds and subversion.

I addressed this reality a few years ago in Maybe it's the Boss's Fault!

Craig

Re: Securing Photos on Mobile phones

CISOScott — Tue, 04 Feb 2020 15:05:45 GMT

We ran into a similar issue with Office 365. We were having users showing up with dual concurrent successful logins on both sides of the USA, 1 East Coast city and one West Coast city. Impossible to be in 2 places at once. We wondered if their account had been compromised. Upon investigation we discovered that they had installed the O365 app on their personal phone and accessing their corporate account and were using a VPN obfuscation service (Hide my IP) on their personal phone. Where did this IP obfuscation service reside? On the West Coast. Problem identified. Now we realized we had to fix our BYOD and Appropriate use policies.

My stance has always been, if the company wants you to access the company's IT stuff on a phone, we will give you a phone (or other mobile device) (or should be providing it). Just because you are able to do something does not always mean it is approved. We had to politely ask people not to access their corporate accounts on their personal devices, to include home computers.

Re: Securing Photos on Mobile phones

Caute_cautim — Tue, 04 Feb 2020 18:12:49 GMT

@GinGa Does you organisation have a corporate security policy which extends to allowing personal mobile phones on site, as long as you apply the corporate Mobile Device Management (MDM), if not in our case, you would not be permitted on the corporate network or even the guest internet via WiFi. By default the corporate MDM encrypts all data including photographs on the mobile phone and of course, if you loose it, it will by instruction locate and remove everything from the system entirely - albeit it still has power.

In terms of not loading up to the cloud, it really depends on whether the users are using your organisational infrastructure, if so, then a Cloud Access Security Broker (CASB), will do a great job of enforcing the corporate policy and detecting illicit attempts to send the photographs unauthorised places.

NATO examples are shown below:

https://communications.sectra.com/news-press-releases/news-item/70A469AC6C3BAD76/

https://tutus.se/en/products/secure-smartphone

I think, all employees will have had to sign up to the Corporate Security Policies, and be part of the Mobile Device Management scheme or they would not be permitted to use their own devices unless they then apply the corporate MDM to those devices.

https://smartphones.gadgethacks.com/how-to/5-best-phones-for-privacy-security-0176106/

Otherwise, you will simply not be able to manage the BYOD into the corporate environment. You could of course invoke the Mobile phone blocking technology, adopted in many education establishments and prisons.

An interesting discussion.

Regards

Caute_cautim

Re: Securing Photos on Mobile phones

rslade — Tue, 04 Feb 2020 19:21:24 GMT

> GinGa (Viewer) posted a new topic in Privacy on 02-04-2020 04:48 AM in the

> Does anyone have any recommendations?

Be realistic and specific in writing policy? If your policy has a stupid provision,
and people have to do things to get around it, they will get used to circumventing
policy as a matter of course.

(I recall going in to one venue to teach. The security guard was a fussy little twit
with all kinds of requirements. He was sitting beside a sign that said "No cameras
or recording devices of any kind!" I did *not* point out that I was carrying two
laptops, both equipped with Webcams, and (for some reason that I can't recall)
also two smartphones, all of which I needed for the seminar ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Just because I have a short attention span doesn't mean I
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Securing Photos on Mobile phones

GinGa — Wed, 05 Feb 2020 08:17:18 GMT

Thanks all for your replies

I fully agree that if a policy is to strict that people will stop following it and do their own thing but I also cannot just change the policy so that everything the users want or need to do is allowed

In this case I was looking for a technical solution where the users can work efficiently while our data is safeguarded

I am looking into a MDM solution in combination with a scanner type of app for now

Re: Securing Photos on Mobile phones

Caute_cautim — Thu, 06 Feb 2020 06:44:55 GMT

Remember People, Processes and Technology at all times - everything involves all three.

Regards

Caute_cautim

Re: Securing Photos on Mobile phones

CraginS — Thu, 06 Feb 2020 17:49:46 GMT

@Caute_cautim wrote:
Remember People, Processes and Technology at all times - everything involves all three.

John,

You are spot-on with reminding of the three components of a system.

I generally use People, Processes, and Tools, because many tools are not what some would think of as Technology: paper records, pencil and notebook, Post-It notes, Hammer, wrench, etc.

Craig

Re: Securing Photos on Mobile phones

denbesten — Thu, 06 Feb 2020 22:03:27 GMT

@Caute_cautim writes:
You could of course invoke the Mobile phone blocking technology, adopted in many education establishments and prisons.

Jamming is is illegal in many parts of the world.

Re: Securing Photos on Mobile phones

Caute_cautim — Thu, 06 Feb 2020 22:19:18 GMT

@denbestenAbsolutely, correct, but given the majority of education establishments are Government funded or linked directly to Government entities - definitely when it comes to examination time - they do certainly put in place mobile blocking technology or in places of correction. This may include Bluetooth, wireless WiFi and other such technologies given the capabilities of modern students to work around the system. Given that IoT devices, have unregistered wireless protocols in proprietary devices.

The establishments would most certainly have authority to put such devices in place, and in recently I have seen even moves to even block Shadow IT via Cloud Access Security Brokers (CASBs), given the extent of the ingenuity of the potential perpetrators. Due to data leakage and the bypassing of controls, as we have witnessed via the cloud.

Regards

Caute_cautim

Re: Securing Photos on Mobile phones

CISOScott — Fri, 07 Feb 2020 14:23:23 GMT

@denbesten wrote:
@Caute_cautim writes:
You could of course invoke the Mobile phone blocking technology, adopted in many education establishments and prisons.
Jamming is is illegal in many parts of the world.

Also think of the human and legal ramifications of jamming if a bad event were to happen, i.e. mass shooting, terrorist attack, etc., and an entity was jamming cell signals and people were unable to call for emergency services or help. When thinking of solutions ensure you think through emergency scenarios as well.

Re: Securing Photos on Mobile phones

Caute_cautim — Fri, 07 Feb 2020 23:55:24 GMT

@CISOScott However, there are circumstances where it is legal to do i.e. Places of Correction, during examination periods, if authorised, by the authorities themselves to contain and control messages during a Terrorism situations, during a Civil Emergency situation, whereby the public go potty using attempting to jam up the mobile phone system, and then drain the 24 hour battery capability of the mobile tower itself. During a Civil Defense situation, the authority have the power to do a lot of things to protect the safety of lives. Hence many emergency systems use P25 radio systems, these expensive devices have multiple capability, VHF, UHF, Emergency Channels and Mobile phone capabilities, and in some cases even Satellite phone capabilities.

I think it comes down to the situation at the moment, and also who is the controlling entity.

I agree and respect both @denbesten and @CISOScott your respective perspectives, but there are circumstances whereby there is no other choice, but to jam the mobile phone cells, are specific network for a reason - whether it is for emergency or security reasons. Or potentially whereby a decoy mobile tower has been erected for dupe people or for investigation purposes.

Nothing in this world is black and white, it comes with shades of gray, and white, and there always overriding circumstances, whereby authorities have the power to veto or engage in certain circumstances. "lex est lex."

Regards

Caute_cautim