Stethoscope spurs employees to implement better security practices
Every now and then, Netflix open sources some of the security tools created by its coders. The latest example of this is Stethoscope, a web application that collects information about users’ devices and provides them with specific recommendations for securing them.
At the moment, it checks whether users have disk encryption, a firewall, and a screen saver lock/password enabled; whether their operating system and software are up to date and whether auto-updating is turned on; whether their device has been jailbroken or rooted; and whether security tools are installed and functioning.
“Stethoscope is powered by a Python backend and a React front end. The web application doesn’t have its own data store, but directly queries various data sources for device information, then merges that data for display,” the developers explained.
“The various data sources are implemented as plugins, so it should be relatively straightforward to add new inputs. We currently support LANDESK (for Windows), JAMF (for Macs), and Google MDM (for mobile devices – Android, Chrome OS, and iOS).”
Support for OSquery (for Linux) is in the works.
The tool has been open sourced under the Apache 2.0 license, and the developers are eager to work with other organizations to extend the data sources (i.e. add new plugins).
In addition to all this, the tool provides a responsive, mobile-friendly interface for viewing and responding to notifications. Plugins provide the mechanisms to both retrieve notifications from and write feedback to external data sources.
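To make the architecture described above concrete, here is an added example (not Stethoscope's own code, and not its real plugin API) of the two ideas the developers describe: data-source plugins that are queried directly and merged per device, and a set of device checks that turn the merged data into "pass/fail" status plus a recommendation. The plugin names, device records and attribute keys are all constructed for the example; a practitioner-relevant detail it adds is that an attribute no source reports is shown as "unknown" rather than being silently counted as a pass.

```python
from dataclasses import dataclass, field
from typing import Callable, Protocol


@dataclass
class DeviceRecord:
    """One device as reported by one data source (constructed, not real inventory data)."""
    device_id: str
    sources: list[str] = field(default_factory=list)
    attributes: dict = field(default_factory=dict)


class DataSourcePlugin(Protocol):
    """Hypothetical plugin interface: each source returns the records it has for an owner."""
    name: str

    def fetch(self, owner: str) -> list[DeviceRecord]: ...


class LaptopInventory:
    """Constructed stand-in for a laptop MDM feed (the role a JAMF-style source would play)."""
    name = "laptop_mdm"

    def fetch(self, owner: str) -> list[DeviceRecord]:
        if owner != "alice":
            return []
        return [DeviceRecord("laptop-001", [self.name], {
            "platform": "macOS", "disk_encryption": True, "firewall": False,
            "screen_lock": True, "os_up_to_date": False, "auto_update": True,
        })]


class SecurityAgentInventory:
    """Constructed stand-in for an endpoint-agent feed that only knows agent health and a phone."""
    name = "endpoint_agent"

    def fetch(self, owner: str) -> list[DeviceRecord]:
        if owner != "alice":
            return []
        return [
            DeviceRecord("laptop-001", [self.name], {"security_agent_running": True}),
            DeviceRecord("phone-007", [self.name], {"platform": "Android",
                                                    "jailbroken": True, "screen_lock": False}),
        ]


# Each check: the attribute it needs, a predicate on that attribute, and the advice shown on failure.
CHECKS: dict[str, tuple[str, Callable[[object], bool], str]] = {
    "disk_encryption": ("disk_encryption", lambda v: v is True, "Turn on full-disk encryption."),
    "firewall": ("firewall", lambda v: v is True, "Enable the built-in firewall."),
    "screen_lock": ("screen_lock", lambda v: v is True, "Require a password or PIN after the screen locks."),
    "os_up_to_date": ("os_up_to_date", lambda v: v is True, "Install pending OS updates."),
    "auto_update": ("auto_update", lambda v: v is True, "Turn on automatic updates."),
    "not_jailbroken": ("jailbroken", lambda v: v is False, "Restore the device to a non-rooted/non-jailbroken state."),
    "security_agent": ("security_agent_running", lambda v: v is True, "Install or repair the security agent."),
}


def merge_device_data(plugins: list[DataSourcePlugin], owner: str) -> dict[str, DeviceRecord]:
    """Query every plugin and merge its records by device_id; later plugins fill in or override attributes."""
    merged: dict[str, DeviceRecord] = {}
    for plugin in plugins:
        for rec in plugin.fetch(owner):
            target = merged.setdefault(rec.device_id, DeviceRecord(rec.device_id))
            target.sources.extend(rec.sources)
            target.attributes.update(rec.attributes)
    return merged


def evaluate(record: DeviceRecord) -> dict[str, dict]:
    """Run every check; an attribute no source reported yields 'unknown', never a silent pass."""
    results = {}
    for check, (attr, ok, advice) in CHECKS.items():
        if attr not in record.attributes:
            results[check] = {"status": "unknown", "advice": "No data source reports this; verify manually."}
        elif ok(record.attributes[attr]):
            results[check] = {"status": "pass", "advice": ""}
        else:
            results[check] = {"status": "fail", "advice": advice}
    return results


def report(plugins: list[DataSourcePlugin], owner: str) -> dict[str, dict[str, dict]]:
    """Per-device status map, e.g. {'laptop-001': {'disk_encryption': {'status': 'pass', ...}, ...}}."""
    return {dev_id: evaluate(rec) for dev_id, rec in merge_device_data(plugins, owner).items()}


def failing_checks(results: dict[str, dict]) -> list[str]:
    """Names of the checks a user would need to fix to 'make it turn green'."""
    return sorted(c for c, r in results.items() if r["status"] == "fail")


if __name__ == "__main__":
    for dev_id, checks in report([LaptopInventory(), SecurityAgentInventory()], "alice").items():
        print(dev_id)
        for check, r in checks.items():
            print(f"  {check:16} {r['status']:8} {r['advice']}")
```

Adding a new data source means writing one more class with a `fetch` method and appending it to the plugin list; the merge and the checks do not change, which is the property the developers are aiming for when they describe their data sources as plugins.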
Who should use it?
Stethoscope is meant to be deployed by organizations that want to push their employees towards better security choices on their own devices.
“It’s important to us that people understand what simple steps they can take to improve the security state of their devices, because personal devices–which we don’t control–may very well be the first target of attack for phishing, malware, and other exploits,” Jesse Kriss and Andrew White, the tool’s creators, pointed out.
A successful attack against personal devices may be the first step in an attack on an organization’s corporate systems and networks.
The idea behind the tool is not to force users, but simply to provide them with actionable information on how to bring their devices into a more secure state. Whether or when they act on that information is up to them, but the developers believe that if the process is made as frictionless as possible, users will choose to secure their devices both for their own sake and for that of the organization that employs them.
As noted by the developers, this approach has proven rather successful. As it turns out, the “make it turn green” stimulus works well for many people.