Security Considerations in a BYOD CultureThe 'bring your own device' movement has put security pros on high alert for a new breed of predator who is on the hunt to find ways to exploit the ever-expanding attack surface.
When employees started to bring their BlackBerrys and laptops to work more than a decade ago, CIOs had few security concerns. In large part, it was just the C-suite who found it easier to live in the mobile space rather than on a PC.
Once smartphones came along, though, it became clear that employees were intent on using their own devices to conduct work-related transactions. That marked the start of the bring-your-own-device (BYOD) movement – and a new breed of security predators on the hunt to find ways to exploit the ever-expanding attack surface.
"Incident detection such as lost devices versus breached device or actual versus suspected breach is also a problem. Confidential information is being sent or received over an unsecure channel," researchers wrote back in 2013, in a paper noting the security challenges that evolved from companies enabling BYOD. "Many mobile devices are always on and connected, so the vulnerability to malicious attacks increases through different communication channels."
These days, according to Akshay Bhargava, SVP of innovation at Malwarebytes, the number of devices per person (3.5) far exceeds the number of employees who need to be monitored, leaving security teams to pick up the vulnerability pieces. So what can security teams do to protect the increased attack surface from extensive endpoint expansion?
The Evolution of BYOD
Let's start with a look at the BYOD landscape. As it is with most things in technology, security wasn't the first factor considered when employees started using their personal devices for work purposes. The convenience of checking email on a personal device yielded greater productivity, and that was the main focus.
Security teams accepted this benefit, as well as employees' growing demand for more control over how and where they worked. This, in turn, enabled the proliferation of devices – what Justin Somaini, Malwarebytes board member and former CISO at SAP and Yahoo, calls the "interception of culture and technical use."
"Apple's iOS devices really pushed the needle. It started out as employees saying, 'I want to have one phone, not two,'" he says. "As the devices got smarter, access to those services became a lot more prevalent, which resulted in a downward adoption that really started from the top."
The Evolution of BYOD Risk
Privacy considerations and the potential that devices could be lost or stolen were some of the security concerns that emerged early on in the BYOD movement. Gradually those concerns grew to include users accessing and transferring corporate data over unsecured networks. Then data leakage and malicious apps raised alarms.
From an attack landscape perspective, these connected devices increasingly became (and remain) an attractive threat vector for attackers. Innovation has rapidly changed the ways we use technology, which has delivered us to a place where the devices themselves are more sophisticated and have greater access to corporate information and other highly valuable assets, according to Bhargava.
Now, the concerns of security professionals include phishing attacks, business email compromise, and ransomware attacks on mobile devices, according to research recently published by Agari.
"Increasingly, more emails are opened on devices, and criminals are aware of that rampant acceleration. They are betting on the fact that most employees will open email on a personal device," Bhargava says.
But malicious actors aren’t just rolling the dice. As with traditional attacks on the network, the BYOD attack life cycle begins with the first stages of reconnaissance and exploit. Once criminals are able to compromise a device, they can extract critical data and then move laterally.
"Cybercriminals are targeting phishing attacks accordingly, with email in particular, because the way it appears in Outlook on a desktop is very different from how it looks on a smartphone," Bhargava says. "They can optimize the subject line and to/from bars in a way that is easier to spoof."
How to secure devices has been one of the greatest challenges that came along with the widespread adoption of BYOD. The issue was not only securing devices, but securing them on par with all other technology within the entire ecosystem.
Security practitioners struggled to find answers to a variety of questions, according to Somaini. "What is that software control to allow or deny software on that device? How do we ensure the configuration is appropriate per what our policy is? How do we make sure that software updates are getting applied? That was a big hurdle for many years until we saw mobile device management [MDM] pieces come out," he says.
What stood in the way of finding clear-cut answers to those security questions was being able to identify where the company ended and the personal life began. "On one hand, the line between work and personal was getting blurred, but the productivity gains were phenomenal," Bhargava says. "Employees and the resources they needed were accessible on channels that let employees communicate and collaborate with colleagues."
The question then became, how do we meet in the middle? Over the course of a decade, organizations have been implementing different security strategies. Organizations, IT, and security have started taking BYOD more seriously and looking at solutions from the people, process, and technology perspectives, with more endpoint solutions serving as a first line of defense.
"The answer was really wrapped around the company's ability to get visibility and control of that device when they didn't own it and actually be refined enough to only apply that visibility and control to the services and capabilities that they wanted," Somaini says.
Succeeding at gaining that visibility and control, though, has been difficult to do with unmanaged devices. MDM software packages created that management and control plane, but Somaini says these solutions were followed by a shift into more of a services and API model, which lacked the necessary visibility and control.
The Future of BYOD Security
The need for both visibility and control has given rise to technologies that enable access to both the personal and work environments. The security capabilities at the core of each of these environments is essentially similar, Somaini says, but solutions that bridge the gap between the consumer and corporate environments provide a more holistic view.
The more mature, security-minded organizations are using a model that will likely be the direction many organizations take as they develop their BYOD policies. "These companies are driving security into the services that they are allowing for those consumer devices and providing free or corporate owned security capabilities on those devices," Somaini says.
In order to stay ahead of the adversary, organizations need the visibility that comes from the consumer products coupled with the intelligence afforded in the corporate environment.
"Now we have more mature solutions to be able to provide security on mobile devices or workstation laptops to make sure the company is not monitoring access to the personal data, while also making sure that malware isn't encroaching and that those workstations are patched," Somaini says. "I think we are getting a lot better."
(Image: Adobe Stock)
Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ... View Full Bio