Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Mobile-Only Employee Trend Could Break Security Models
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/24/2014 | 4:32:26 PM
With flexibility comes responsiblity
Does anybody agree with Ashok Sankar's statement that there's been a paradigm shift from the days when IT handed laptops to employees to a mobile era where people will want to use what they want, but take more responsibility for security. I think that's a pipe dream. Am I right?

 

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/24/2014 | 2:41:14 PM
Re: Mobile Device Strategy MDM or EMM
App containers, I think, are a good method of reducing risk by allowing only approved apps to permeate your mobile environment. Its difficult to provide a completely comprehensive app container without a few things. 

As you say Android is difficult because many third parties are just starting to get into the security sector of android as a device, and EMM/MDM is even further behind due to its open source properties.

Mobile devices are a daunting task as is. But if you are going to validate the apps before they go out you are going to need a team of developers and security specialists working together a majority of the time. They will need to be dedicated to this and many enterprises don't have the resources to do so.

I feel that it needs to be defined in policy what types of devices are allowed to connect to your network. By doing this, you can cut down on the quantity of apps your team would need to validate in an app container.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
9/23/2014 | 2:49:56 PM
Re: Mobile Device Strategy MDM or EMM
I think one of the biggest issues is that the way the app containers work themselves mean employees are more likely to go ahead and trust an application without considering that there is a risk of malware being integrated into it, especially on less-strict platforms like Android where there is lighter regulations on what apps can be made available in their stores.  Unless your security policy is able to test these apps and limit their exposure to corporate data, there will always be an inherent risk in any app that is installed.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 12:02:28 PM
Re: Mobile Device Strategy MDM or EMM
I agree we can lock down the whole device to minimize exposure to the risks,  MDM/EMM solutions can help to separate personal and corporate world and ease down security policy on persons' personal data and apps. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 11:59:07 AM
Re: Mobile-Only Employee Trend Could Break Security Models
I agree, there is a bigger security challenge in mobility. Mobile devices are more expose to security than other things we keep inside the network. Unless the companies have a good BYOD policy and implementation of it, they are basically exposed the rest of the world to be hacked.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 11:54:01 AM
confidentiality integrity - Availability trade-off
 

As it is the case for all major systems we use there is always trade-off between confidentiality– integrity – Availability. You can not really lock everything down and say I am secure. That does not work for end-user point of view, they should be ale to do their daily tasks otherwise doing business would not make sense. 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/23/2014 | 11:29:59 AM
Re: Mobile-Only Employee Trend Could Break Security Models
That is a very good guess, and it is a huge issue, I admit. However, forging ahead while knowing that there are very big risks that have not been mitigated or even addressed is often a fatal mistake. Imagine a typical organization with a server farm, storage infrastructure, etc. Add to that the configuration of every connecting computer installed with every user having administrative rights, allowing those users to manage their own computers, and no anti-malware or group policy to protect it. Breaking into that infrastructure is almost child's play. Sure, everyone is instantly more productive, but at the same time, the vulnerability of the infrastructure has grown exponentially. Wouldn't it be better to put in place some sort of central management platform and policies that control the connecting computers before you deploy them? Implementing the management platform after deploying the devices sounds a lot like locking the barn door after the horses have escaped.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/23/2014 | 10:05:44 AM
Re: Mobile-Only Employee Trend Could Break Security Models
My guess is that it's not that anyone is taking mobile risks lightly. It's that the juggernaut of BYOD is so overwhelming that it's easier to stick your head in the sand and do nothing, than trying to figure out a solution to a constantly changing and difficult problem.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/22/2014 | 4:09:46 PM
Mobile-Only Employee Trend Could Break Security Models
"Approximately 52% of respondents reported that security practices on mobile devices have been sacrificed in order to improve employee productivity. The survey showed that 30% of organizations still have absolutely no security features in place to support mobility, and 74% of respondents say their security is inadequate to mitigate mobile threats." <-- Those statistics spell an Information Systems Security death wish! It is unfortunate that organizations take those high risks so lightly because it is so irresponsible! Did any of those organizations even perform a risk assessment? I just read the report, and I am almost at a loss for words. All I can do is shake my head in disbelief.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/22/2014 | 2:36:07 PM
Mobile Device Strategy MDM or EMM
My organization is in the process of refining the policies to incorporate MDM. People from organziations that do have an MDM or EMM, could you elaborate on how it is incorporated from an end user perspective and what specific security benefits are gained from your implementation? Thanks,


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6564
PUBLISHED: 2020-09-21
Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
CVE-2020-6565
PUBLISHED: 2020-09-21
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2020-6566
PUBLISHED: 2020-09-21
Insufficient policy enforcement in media in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2020-6567
PUBLISHED: 2020-09-21
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CVE-2020-6568
PUBLISHED: 2020-09-21
Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.