The Stryker data wiping attack via Intune and the attempted attack on the Polish National Centre for Nuclear Research (NCBJ) show that geopolitical affairs also play a big role in cyber security.
In the Stryker data wiping attack via Intune, which wiped “over 200,000 systems, servers, and mobile devices,” there are anonymous reports and rumours that employees’ own mobile devices, enrolled under a BYOD (Bring Your Own Device) initiative, were affected. Under that initiative an employee’s personal mobile device, such as a tablet or smartphone, can be enrolled via an Intune MDM profile. Wipe policies were supposedly applied to those devices and they were fully wiped to factory state, so personal data, apps, and pictures were unfortunately lost.
In a properly configured environment, an administrator would configure BYOD in Intune to use a segmented work partition, otherwise known as a Work Profile. A Work Profile is a separate, secured space for work‑related data and apps; the user’s personal data stays outside it and is inaccessible to the Work Profile. In the case of a remote wipe by either the company administrator or a malicious actor, only the Work Profile and its contents would be wiped, while the user’s personal data would remain intact.
To further secure your Intune environment against wiper attacks like the one that affected Stryker, there are two controls you can implement:
The first control I would recommend is to require the use of either PassKeys or YubiKeys for all highly privileged accounts that employees use to perform sensitive and critical tasks. Combine this with a policy that such accounts cannot sign in unless a PassKey or YubiKey is enrolled. This ensures that sensitive accounts remain compliant and helps prevent MFA phishing, since an attacker would need physical access to the smartphone or the YubiKey device.
While both PassKeys and YubiKeys accomplish the same goals, there are minor differences between them:
PassKeys do not require dedicated hardware and can be used entirely via the Microsoft Authenticator app. PassKeys also allow the authentication method to be synced between devices, so if one device is lost you can still authenticate from another. When an employee logs into a sensitive system, they are asked to authenticate via face recognition, fingerprint, or PIN and to scan a QR code to approve the login request, which uses Bluetooth and an internet connection.
YubiKeys require dedicated hardware, so the company has to purchase a physical key for each user. The private keys used for authentication are stored on the device itself in a dedicated, hardened chip that cannot be read by the user or a malicious actor. Because of how the private keys are stored and hardened, they cannot be synced or backed up; however, if a privileged user loses their key or it breaks, an administrator can reset the affected account’s authentication method to enrol a newly issued key. While this method comes at a cost and some inconvenience, it offers a higher level of security than other methods. When an employee logs into a sensitive system, they need to insert the YubiKey into a USB port, enter the YubiKey PIN, and physically touch the YubiKey to complete authentication.
The second control would be to require approval from another employee whenever a wipe command is issued. This would stop an attack in its tracks if a highly privileged account is compromised and the attacker attempts to wipe devices in the environment. However, if PassKeys or YubiKeys are used for account authentication, the likelihood of a privileged account compromise is already very low. To further lock down your environment, you can put the same type of approval in place for other similarly sensitive actions or commands.
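As an added example (not code from the original post), here is a defender-side check that complements the approval control: it scans Intune audit events for any actor issuing an unusually large number of wipe commands inside a short window, the pattern a compromised admin account produces. The event field names are an assumption loosely modelled on the Microsoft Graph deviceManagement/auditEvents resource, and the actors, device ids and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events. Field names are an assumption loosely
# modelled on Graph deviceManagement/auditEvents; values are invented.
SAMPLE_EVENTS = [
    {"activityDateTime": f"2025-06-01T02:00:{s:02d}Z", "activityType": "wipe ManagedDevice",
     "actor": "admin-a@contoso.example", "resource": f"device-{n:04d}"}
    for n, s in enumerate((5, 9, 14, 20, 27, 33), start=1)   # six wipes in 30 seconds
] + [
    # A single, routine wipe of a lost device by another admin: not alerted.
    {"activityDateTime": "2025-06-01T10:15:00Z", "activityType": "wipe ManagedDevice",
     "actor": "admin-b@contoso.example", "resource": "device-0142"},
    # A non-wipe change is ignored by the check.
    {"activityDateTime": "2025-06-01T10:16:00Z", "activityType": "assign DeviceConfiguration",
     "actor": "admin-b@contoso.example", "resource": "policy-0007"},
]

def _parse_time(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_bulk_wipes(events, threshold=5, window=timedelta(minutes=15)):
    """Return actors who issued at least `threshold` wipe commands inside any
    sliding `window`; each hit reports the densest window found for that actor."""
    wipes_by_actor = defaultdict(list)
    for event in events:
        if event["activityType"].lower().startswith("wipe"):
            wipes_by_actor[event["actor"]].append(_parse_time(event["activityDateTime"]))
    alerts = []
    for actor, times in wipes_by_actor.items():
        times.sort()
        best, start, span = 0, 0, None
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (times[start], t_end)
        if best >= threshold:
            alerts.append({"actor": actor, "count": best,
                           "first": span[0].isoformat(), "last": span[1].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT: {alert['actor']} issued {alert['count']} wipes between "
              f"{alert['first']} and {alert['last']}")
```

In a real deployment the events would be pulled from the audit log export or SIEM rather than the inline list, and the threshold tuned to the tenant's normal wipe volume.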
#Stryker #Intune #MDM #BYOD #Policy #Prevention #CyberPrevention #Cyber #CyberSecurity #CyberAttack