Comments
Mobile-Only Employee Trend Could Break Security Models
Marilyn Cohodas
User Rank: Strategist
9/24/2014 | 4:32:26 PM
With flexibility comes responsibility
Does anybody agree with Ashok Sankar's statement that there's been a paradigm shift from the days when IT handed laptops to employees to a mobile era where people will want to use what they want, but take more responsibility for security? I think that's a pipe dream. Am I right?

RyanSepe
User Rank: Ninja
9/24/2014 | 2:41:14 PM
Re: Mobile Device Strategy MDM or EMM
App containers, I think, are a good method of reducing risk by allowing only approved apps to permeate your mobile environment. It's difficult to provide a completely comprehensive app container without a few things.

As you say, Android is difficult because many third parties are just starting to get into the security sector of Android as a device, and EMM/MDM is even further behind due to its open source properties.

Mobile devices are a daunting task as is. But if you are going to validate the apps before they go out you are going to need a team of developers and security specialists working together a majority of the time. They will need to be dedicated to this and many enterprises don't have the resources to do so.

I feel that it needs to be defined in policy what types of devices are allowed to connect to your network. By doing this, you can cut down on the quantity of apps your team would need to validate in an app container.
Stratustician
User Rank: Moderator
9/23/2014 | 2:49:56 PM
Re: Mobile Device Strategy MDM or EMM
I think one of the biggest issues is that the way the app containers themselves work means employees are more likely to go ahead and trust an application without considering that there is a risk of malware being integrated into it, especially on less-strict platforms like Android where there are lighter regulations on what apps can be made available in their stores. Unless your security policy is able to test these apps and limit their exposure to corporate data, there will always be an inherent risk in any app that is installed.
Dr.T
User Rank: Ninja
9/23/2014 | 12:02:28 PM
Re: Mobile Device Strategy MDM or EMM
I agree we can lock down the whole device to minimize exposure to the risks. MDM/EMM solutions can help to separate the personal and corporate worlds and ease down security policy on persons' personal data and apps.
Dr.T
User Rank: Ninja
9/23/2014 | 11:59:07 AM
Re: Mobile-Only Employee Trend Could Break Security Models
I agree, there is a bigger security challenge in mobility. Mobile devices are more exposed to security than other things we keep inside the network. Unless the companies have a good BYOD policy and implementation of it, they are basically exposed to the rest of the world to be hacked.
Dr.T
User Rank: Ninja
9/23/2014 | 11:54:01 AM
Confidentiality – integrity – availability trade-off
As is the case for all major systems we use, there is always a trade-off between confidentiality – integrity – availability. You cannot really lock everything down and say I am secure. That does not work from the end-user point of view; they should be able to do their daily tasks, otherwise doing business would not make sense.
GonzSTL
User Rank: Ninja
9/23/2014 | 11:29:59 AM
Re: Mobile-Only Employee Trend Could Break Security Models
That is a very good guess, and it is a huge issue, I admit. However, forging ahead while knowing that there are very big risks that have not been mitigated or even addressed is often a fatal mistake. Imagine a typical organization with a server farm, storage infrastructure, etc. Add to that the configuration of every connecting computer installed with every user having administrative rights, allowing those users to manage their own computers, and no anti-malware or group policy to protect it. Breaking into that infrastructure is almost child's play. Sure, everyone is instantly more productive, but at the same time, the vulnerability of the infrastructure has grown exponentially. Wouldn't it be better to put in place some sort of central management platform and policies that control the connecting computers before you deploy them? Implementing the management platform after deploying the devices sounds a lot like locking the barn door after the horses have escaped.
Marilyn Cohodas
User Rank: Strategist
9/23/2014 | 10:05:44 AM
Re: Mobile-Only Employee Trend Could Break Security Models
My guess is that it's not that anyone is taking mobile risks lightly. It's that the juggernaut of BYOD is so overwhelming that it's easier to stick your head in the sand and do nothing, than trying to figure out a solution to a constantly changing and difficult problem.
GonzSTL
User Rank: Ninja
9/22/2014 | 4:09:46 PM
Mobile-Only Employee Trend Could Break Security Models
"Approximately 52% of respondents reported that security practices on mobile devices have been sacrificed in order to improve employee productivity. The survey showed that 30% of organizations still have absolutely no security features in place to support mobility, and 74% of respondents say their security is inadequate to mitigate mobile threats." <-- Those statistics spell an Information Systems Security death wish! It is unfortunate that organizations take those high risks so lightly because it is so irresponsible! Did any of those organizations even perform a risk assessment? I just read the report, and I am almost at a loss for words. All I can do is shake my head in disbelief.
RyanSepe
User Rank: Ninja
9/22/2014 | 2:36:07 PM
Mobile Device Strategy MDM or EMM
My organization is in the process of refining the policies to incorporate MDM. People from organizations that do have an MDM or EMM, could you elaborate on how it is incorporated from an end user perspective and what specific security benefits are gained from your implementation? Thanks,