Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Mobile-Only Employee Trend Could Break Security Models
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/22/2014 | 2:36:07 PM
Mobile Device Strategy MDM or EMM
My organization is in the process of refining the policies to incorporate MDM. People from organziations that do have an MDM or EMM, could you elaborate on how it is incorporated from an end user perspective and what specific security benefits are gained from your implementation? Thanks,
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/22/2014 | 4:09:46 PM
Mobile-Only Employee Trend Could Break Security Models
"Approximately 52% of respondents reported that security practices on mobile devices have been sacrificed in order to improve employee productivity. The survey showed that 30% of organizations still have absolutely no security features in place to support mobility, and 74% of respondents say their security is inadequate to mitigate mobile threats." <-- Those statistics spell an Information Systems Security death wish! It is unfortunate that organizations take those high risks so lightly because it is so irresponsible! Did any of those organizations even perform a risk assessment? I just read the report, and I am almost at a loss for words. All I can do is shake my head in disbelief.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/23/2014 | 10:05:44 AM
Re: Mobile-Only Employee Trend Could Break Security Models
My guess is that it's not that anyone is taking mobile risks lightly. It's that the juggernaut of BYOD is so overwhelming that it's easier to stick your head in the sand and do nothing, than trying to figure out a solution to a constantly changing and difficult problem.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/23/2014 | 11:29:59 AM
Re: Mobile-Only Employee Trend Could Break Security Models
That is a very good guess, and it is a huge issue, I admit. However, forging ahead while knowing that there are very big risks that have not been mitigated or even addressed is often a fatal mistake. Imagine a typical organization with a server farm, storage infrastructure, etc. Add to that the configuration of every connecting computer installed with every user having administrative rights, allowing those users to manage their own computers, and no anti-malware or group policy to protect it. Breaking into that infrastructure is almost child's play. Sure, everyone is instantly more productive, but at the same time, the vulnerability of the infrastructure has grown exponentially. Wouldn't it be better to put in place some sort of central management platform and policies that control the connecting computers before you deploy them? Implementing the management platform after deploying the devices sounds a lot like locking the barn door after the horses have escaped.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 11:54:01 AM
confidentiality integrity - Availability trade-off
 

As it is the case for all major systems we use there is always trade-off between confidentiality– integrity – Availability. You can not really lock everything down and say I am secure. That does not work for end-user point of view, they should be ale to do their daily tasks otherwise doing business would not make sense. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 11:59:07 AM
Re: Mobile-Only Employee Trend Could Break Security Models
I agree, there is a bigger security challenge in mobility. Mobile devices are more expose to security than other things we keep inside the network. Unless the companies have a good BYOD policy and implementation of it, they are basically exposed the rest of the world to be hacked.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 12:02:28 PM
Re: Mobile Device Strategy MDM or EMM
I agree we can lock down the whole device to minimize exposure to the risks,  MDM/EMM solutions can help to separate personal and corporate world and ease down security policy on persons' personal data and apps. 
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
9/23/2014 | 2:49:56 PM
Re: Mobile Device Strategy MDM or EMM
I think one of the biggest issues is that the way the app containers work themselves mean employees are more likely to go ahead and trust an application without considering that there is a risk of malware being integrated into it, especially on less-strict platforms like Android where there is lighter regulations on what apps can be made available in their stores.  Unless your security policy is able to test these apps and limit their exposure to corporate data, there will always be an inherent risk in any app that is installed.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/24/2014 | 2:41:14 PM
Re: Mobile Device Strategy MDM or EMM
App containers, I think, are a good method of reducing risk by allowing only approved apps to permeate your mobile environment. Its difficult to provide a completely comprehensive app container without a few things. 

As you say Android is difficult because many third parties are just starting to get into the security sector of android as a device, and EMM/MDM is even further behind due to its open source properties.

Mobile devices are a daunting task as is. But if you are going to validate the apps before they go out you are going to need a team of developers and security specialists working together a majority of the time. They will need to be dedicated to this and many enterprises don't have the resources to do so.

I feel that it needs to be defined in policy what types of devices are allowed to connect to your network. By doing this, you can cut down on the quantity of apps your team would need to validate in an app container.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/24/2014 | 4:32:26 PM
With flexibility comes responsiblity
Does anybody agree with Ashok Sankar's statement that there's been a paradigm shift from the days when IT handed laptops to employees to a mobile era where people will want to use what they want, but take more responsibility for security. I think that's a pipe dream. Am I right?

 

 


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-40526
PUBLISHED: 2021-10-25
Incorrect calculation of buffer size vulnerability in Peleton TTR01 up to and including PTV55G allows a remote attacker to trigger a Denial of Service attack through the GymKit daemon process by exploiting a heap overflow in the network server handling the Apple GymKit communication. This can lead t...
CVE-2021-40527
PUBLISHED: 2021-10-25
Exposure of senstive information to an unauthorised actor in the &quot;com.onepeloton.erlich&quot; mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile applic...
CVE-2021-40371
PUBLISHED: 2021-10-25
Gridpro Request Management for Windows Azure Pack before 2.0.7912 allows Directory Traversal for remote code execution, as demonstrated by ..\\ in a scriptName JSON value to ServiceManagerTenant/GetVisibilityMap.
CVE-2021-21703
PUBLISHED: 2021-10-25
In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the ma...
CVE-2021-42258
PUBLISHED: 2021-10-22
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include ...