CTEM-INF-5 - Infected Customer Owned Device
Documentation has not been completed. This page is a placeholder for future documentation.
An Infected Customer-Owned Device is a compromised host that belongs to a customer of your organization. This type of infection occurs when a customer's device, which is used to interact with your services or access resources, has been compromised by an attacker. For example, if your organization provides a website where customers can create accounts and access resources, an infected customer-owned device refers to the device the customer is using that has been compromised.
Characteristics of an Infected Customer-Owned Device
- Customer Ownership: The device is owned and managed by the customer, meaning that the organization's control over the device's security is extremely limited.
- Interaction with Corporate Services: The device is used by the customer to interact with the organization's systems, such as accessing a web portal, creating accounts, or using other services provided by the organization.
- Established Persistence: Attackers have gained control of the customer's device, potentially using methods like malware, trojans, or other forms of malicious software to establish persistence.
Common Methods of Discovery
Infected customer-owned devices are typically detected through various indicators, including:
- Customer Complaints: Customers may report suspicious activity, such as unauthorized transactions, indicating that their device has been compromised.
- Suspicious Account Behavior: Unusual activity patterns may be detected in customer accounts, suggesting that their device has been compromised and is being used maliciously.
- Third-Party Intelligence: Reports from third-party security services or information from cybercrime forums may indicate that customer devices are compromised.
Risks and Impact
The compromise of a customer-owned device presents several significant risks, primarily related to the confidentiality and integrity of customer data:
- Loss of Customer Confidentiality: Sensitive customer data, including personally identifiable information (PII), may be exposed due to the compromise, leading to privacy violations and potential legal consequences.
- Data Integrity Issues: The integrity of data accessed or provided by the customer may be compromised. Attackers may alter or misuse customer data, affecting the accuracy and reliability of information stored by the organization.
- Reputation Damage: The compromise of customer-owned devices can damage the organization's reputation, as customers may hold the organization responsible for not adequately protecting their interactions and data.
Key Considerations for Threat Exposure Management
Managing infected customer-owned devices requires a strategy that emphasizes customer awareness, proactive detection, and mitigation of risks:
- Customer Education: Educate customers on the importance of securing their devices and provide guidelines for maintaining good cybersecurity hygiene, such as using antivirus software and keeping systems up to date.
- Account Monitoring: Implement monitoring for unusual activity patterns in customer accounts that may indicate a compromised device. Establish alerting mechanisms to detect and respond to suspicious behavior.
- Incident Response and Support: Provide clear guidance and support for customers when a compromised device is identified. This includes steps for securing their device, resetting passwords, and protecting their data.
- Data Integrity Verification: When an infected device is detected, verify the integrity of data related to that customer to ensure no unauthorized modifications have occurred.
Infected customer-owned devices represent a unique challenge, as organizations have limited control over customer assets. Effective threat exposure management in these situations should focus on proactive customer education, monitoring for suspicious activity, and swift response to identified compromises to protect customer data and maintain trust.