Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
Mobile-Only Employee Trend Could Break Security Models
Marilyn Cohodas,
User Rank: Strategist
9/24/2014 | 4:32:26 PM
With flexibility comes responsibility
Does anybody agree with Ashok Sankar's statement that there's been a paradigm shift from the days when IT handed laptops to employees to a mobile era where people will want to use what they want, but take more responsibility for security? I think that's a pipe dream. Am I right?
RyanSepe,
User Rank: Ninja
9/24/2014 | 2:41:14 PM
Re: Mobile Device Strategy MDM or EMM
App containers, I think, are a good method of reducing risk by allowing only approved apps to permeate your mobile environment. It's difficult to provide a completely comprehensive app container without a few things.

As you say, Android is difficult because many third parties are just starting to get into the security sector of Android as a device, and EMM/MDM is even further behind due to its open source properties.

Mobile devices are a daunting task as is. But if you are going to validate the apps before they go out you are going to need a team of developers and security specialists working together a majority of the time. They will need to be dedicated to this and many enterprises don't have the resources to do so.

I feel that it needs to be defined in policy what types of devices are allowed to connect to your network. By doing this, you can cut down on the quantity of apps your team would need to validate in an app container.
Stratustician,
User Rank: Moderator
9/23/2014 | 2:49:56 PM
Re: Mobile Device Strategy MDM or EMM
I think one of the biggest issues is that the way the app containers themselves work means employees are more likely to go ahead and trust an application without considering that there is a risk of malware being integrated into it, especially on less-strict platforms like Android where there are lighter regulations on what apps can be made available in their stores. Unless your security policy is able to test these apps and limit their exposure to corporate data, there will always be an inherent risk in any app that is installed.
Dr.T,
User Rank: Ninja
9/23/2014 | 12:02:28 PM
Re: Mobile Device Strategy MDM or EMM
I agree we can lock down the whole device to minimize exposure to the risks. MDM/EMM solutions can help to separate the personal and corporate worlds and ease the security policy on people's personal data and apps.
Dr.T,
User Rank: Ninja
9/23/2014 | 11:59:07 AM
Re: Mobile-Only Employee Trend Could Break Security Models
I agree, there is a bigger security challenge in mobility. Mobile devices are more exposed to security than other things we keep inside the network. Unless the companies have a good BYOD policy and implementation of it, they are basically exposed to the rest of the world to be hacked.
Dr.T,
User Rank: Ninja
9/23/2014 | 11:54:01 AM
confidentiality - integrity - availability trade-off
As is the case for all major systems we use, there is always a trade-off between confidentiality, integrity and availability. You cannot really lock everything down and say I am secure. That does not work from the end-user point of view; they should be able to do their daily tasks, otherwise doing business would not make sense.
GonzSTL,
User Rank: Ninja
9/23/2014 | 11:29:59 AM
Re: Mobile-Only Employee Trend Could Break Security Models
That is a very good guess, and it is a huge issue, I admit. However, forging ahead while knowing that there are very big risks that have not been mitigated or even addressed is often a fatal mistake. Imagine a typical organization with a server farm, storage infrastructure, etc. Add to that the configuration of every connecting computer installed with every user having administrative rights, allowing those users to manage their own computers, and no anti-malware or group policy to protect it. Breaking into that infrastructure is almost child's play. Sure, everyone is instantly more productive, but at the same time, the vulnerability of the infrastructure has grown exponentially. Wouldn't it be better to put in place some sort of central management platform and policies that control the connecting computers before you deploy them? Implementing the management platform after deploying the devices sounds a lot like locking the barn door after the horses have escaped.
Marilyn Cohodas,
User Rank: Strategist
9/23/2014 | 10:05:44 AM
Re: Mobile-Only Employee Trend Could Break Security Models
My guess is that it's not that anyone is taking mobile risks lightly. It's that the juggernaut of BYOD is so overwhelming that it's easier to stick your head in the sand and do nothing, than trying to figure out a solution to a constantly changing and difficult problem.
GonzSTL,
User Rank: Ninja
9/22/2014 | 4:09:46 PM
Mobile-Only Employee Trend Could Break Security Models
"Approximately 52% of respondents reported that security practices on mobile devices have been sacrificed in order to improve employee productivity. The survey showed that 30% of organizations still have absolutely no security features in place to support mobility, and 74% of respondents say their security is inadequate to mitigate mobile threats." <-- Those statistics spell an Information Systems Security death wish! It is unfortunate that organizations take those high risks so lightly because it is so irresponsible! Did any of those organizations even perform a risk assessment? I just read the report, and I am almost at a loss for words. All I can do is shake my head in disbelief.
RyanSepe,
User Rank: Ninja
9/22/2014 | 2:36:07 PM
Mobile Device Strategy MDM or EMM
My organization is in the process of refining the policies to incorporate MDM. People from organizations that do have an MDM or EMM, could you elaborate on how it is incorporated from an end user perspective and what specific security benefits are gained from your implementation? Thanks,

