BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?

Dude, Where's My Phone?

Lost and stolen mobile devices that contain sensitive company data are the biggest threat faced by companies that allow BYOD, even though media attention tends to focus on relatively rare mobile malware. Easily misplaced, with capacious storage and a laundry list of Web-based applications, smartphones and tablets, just like laptops, quickly become repositories for all manner of sensitive business information, from email messages to presentations to login credentials.

Securing those devices requires encrypting their storage and enforcing strong passcodes. But most phones aren't centrally managed, says Al Huger, VP of development at security company Sourcefire. "You need to have encryption and to have a standardized policy for passwords and for phones, but it's hard to enforce it without putting software on the endpoint."

However, installing a remote management application can be a sensitive issue when the device is owned by the employee, Huger says. Not everyone is going to want remote management capabilities controlled by their employers on their personal devices.

Data Theft: There's An App For That

Mobile applications, both legitimate and fraudulent, are a major concern at risk-sensitive firms. A device running malicious, or merely poorly coded, applications is a source of insecurity.

Systems running Lookout Mobile Security's software detected 30,000 unique mobile malware instances in June, up from around 3,000 six months earlier, the company says. Mobile malware is still relatively rare but growing rapidly, since it has become a profitable business for cybercrime syndicates. One fast-growing category is so-called toll fraud: programs that abuse premium-rate SMS services by surreptitiously sending messages from the compromised phone to numbers that bill the charges back to the phone's owner. Mobile threats are likely to keep increasing, Lookout says.

Sourcefire's analysts commonly find malicious mobile software, particularly on Android devices, that's "causing mischief" on corporate networks, Huger says. Infected devices use Bluetooth and other means to scan corporate networks for data to steal and for other devices to infect. Smartphones look different from laptops, but, under the hood, they're still just computers, he says. "A jailbroken iPhone is just a Unix host," says Huger, referring to the mobile operating system's roots in Apple's Unix-based OS X. "You can log in to it remotely over SSH [Secure Shell]. Once you're in, you can use it to scan the public IP network."

An even bigger threat to companies comes from legitimate, nonmalicious applications--many of them not work-related--that can subtly and unintentionally expose company data and resources to prying eyes.

Aaron Turner, a co-founder and principal at the security consulting company N4Struct, says audits of his customers' networks have revealed exactly this kind of transitive exposure: data that was granted to one trusted application flowing onward to another that was never vetted.

"Let's say that a company lets mobile devices' native contacts, email, and calendar be connected to the Exchange server," Turner posits. "Now suppose that the LinkedIn mobile app requests permissions to view and copy all of your contacts. Is the enterprise really OK with LinkedIn getting a full copy of its global address list? That's pretty much the problem space right now: rogue apps interacting with enterprise data in ways that not everyone understands."
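The permission review Turner describes can be done mechanically before an app is allowed on devices that sync the corporate address list. The following is an added example, not code from the article or from any of the vendors quoted: it parses an Android manifest, lists the permissions the app requests, and flags the ones that reach data the enterprise cares about (contacts, accounts, SMS, location). The permission strings are real Android permission names; the manifest, the package name `com.example.networkingapp`, and the sensitivity categories are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, mapped to the enterprise data or behaviour
# an app holding them can reach. The categories are this example's, not Google's.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts, including a synced global address list",
    "android.permission.WRITE_CONTACTS": "contacts, including a synced global address list",
    "android.permission.READ_CALENDAR": "calendar entries (meeting subjects, attendees)",
    "android.permission.GET_ACCOUNTS": "account identities configured on the device",
    "android.permission.READ_SMS": "SMS content, including one-time codes",
    "android.permission.RECEIVE_SMS": "SMS content, including one-time codes",
    "android.permission.SEND_SMS": "outbound SMS (the premium-number toll-fraud vector)",
    "android.permission.ACCESS_FINE_LOCATION": "precise device location",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed manifest for a hypothetical networking app; the package name is made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.networkingapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Example"/>
</manifest>
"""


def package_name(manifest_xml):
    """The package attribute of the <manifest> element."""
    return ET.fromstring(manifest_xml).get("package")


def requested_permissions(manifest_xml):
    """All <uses-permission android:name="..."/> values, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.findall("uses-permission"):
        # The element name is unqualified; only the attribute carries the android: namespace.
        name = element.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def audit(manifest_xml):
    """Return (package, {permission: why it matters}) for the sensitive permissions requested."""
    perms = requested_permissions(manifest_xml)
    findings = {p: SENSITIVE_PERMISSIONS[p] for p in perms if p in SENSITIVE_PERMISSIONS}
    return package_name(manifest_xml), findings


def can_copy_contacts_off_device(manifest_xml):
    """True when the app can both read contacts and talk to the network."""
    perms = set(requested_permissions(manifest_xml))
    return ("android.permission.READ_CONTACTS" in perms
            and "android.permission.INTERNET" in perms)


if __name__ == "__main__":
    pkg, findings = audit(SAMPLE_MANIFEST)
    print("package:", pkg)
    for perm, why in findings.items():
        print("  %-42s %s" % (perm, why))
    print("can copy contacts off the device:", can_copy_contacts_off_device(SAMPLE_MANIFEST))
```

The combination check at the end is the one that matters for Turner's scenario: READ_CONTACTS alone is a local read, but READ_CONTACTS plus INTERNET is a copy of the global address list leaving the device. A real review would extract the manifest from the APK first (for instance with aapt) and would also look at what the app's own privacy policy says it does with the data.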

Lookout CTO Kevin Mahaffey describes the BYOD risk as "unquantifiable" because mobile application use creates "downstream risk" that's hard to predict. "If someone uses a weak password for Windows, the company will care. But what if their Dropbox account has a weak password, too? Now, the strength of everyone's passwords is a corporate concern," he says. Mobile devices, coupled with fast broadband connections and cloud-based services, mean that every password an employee uses now matters to the employer, not just the ones used to reach corporate assets.

One Policy To Rule Them All

Lost devices? Vulnerable software? Dodgy applications? What's a risk-conscious company to do? The experts we spoke with have some suggestions.

Ideally, consumer-owned mobile devices would be governed by the same policies that apply to other company assets, such as laptops, desktops, and servers. But there really isn't "one policy to rule them all," and each company has to craft its own BYOD security policy. There are four common approaches that will help make your company more secure.

1. Know your enemy (and your friend)

The plain fact is that IT security practices at many companies are already porous and prone to failure. Worry about the risk introduced by consumer devices may heighten executives' concern about data loss and infections, and that might be a good thing.

"I see the debate about BYOD as a forcing function that's making corporations take their internal security seriously and take steps to reduce their attack surface," says Rapid7's HD Moore, creator of the Metasploit penetration testing framework. In a BYOD environment, that might entail a philosophical shift in how mobile devices are regarded.

"Pay attention to phones and tablets," Lookout's Mahaffey says. "They're valuable corporate assets that hold sensitive email and documents, as well as internal applications." If users were more aware of that value, they might treat phones with more care, more like a wallet than a replaceable gadget, he says.

Companies need visibility in two ways: They need to know what devices employees have and how those devices affect their risk, says Matt Dean, chief operating officer at FireMon, a security management software company. "You want to manage and control the risk that you're exposed to, so if a mobile device shows up on your wireless network, you understand what risk it poses to your network," he says.

2. Reduce the attack surface

Another step in securing BYOD environments is reducing exposure to attack. Companies should pay less attention to niche mobile attack vectors and concentrate on the security of their office environment's Wi-Fi infrastructure, Rapid7's Moore says.

The office Wi-Fi networks that those bandwidth-hungry mobile devices are tapping into are the real security Achilles' heel at many companies, Moore says. "Forget about mobile devices. If you have some massive Wi-Fi leak with rogue access points on your network, an attacker can own your machine and other corporate assets without doing anything else," he says.

Companies might consider disabling Wi-Fi in the office, though that won't make employees happy or productive. A more tolerable approach is to isolate the Wi-Fi networks that mobile devices use from the rest of the corporate network and to apply strict filtering and policy enforcement to the devices connected to them: use Web filtering to block potentially dangerous or non-work-related sites, and use network access control, intrusion-prevention, or mobile device management tools to deny network access altogether to devices that don't meet the policy.
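Denying access to "noncompliant" devices only works if compliance is defined concretely, and the definition is the encryption and passcode policy Huger called for earlier on this page. As an added example, not code from the article or from any MDM product, here is a policy evaluator that takes the attributes an MDM agent or Exchange ActiveSync typically reports (encryption state, passcode length, jailbreak state, OS version, last check-in) and maps each device to a network posture: full corporate access, an internet-only quarantine network, or denial. The `Policy` thresholds, the `Device` records and the device identifiers are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Baseline every enrolled device must meet. Thresholds here are illustrative."""
    require_encryption: bool = True
    min_passcode_length: int = 6
    allow_jailbroken: bool = False
    min_os_version: dict = field(default_factory=lambda: {"ios": (6, 0), "android": (4, 1)})
    max_days_since_checkin: int = 7


@dataclass
class Device:
    """Attributes a management agent reports; values below are constructed."""
    device_id: str
    platform: str
    os_version: tuple
    encrypted: bool
    passcode_length: int
    jailbroken: bool
    days_since_checkin: int


# Violations that mean the device cannot protect company data at all.
HARD_FAILURES = {"storage not encrypted", "jailbroken or rooted"}


def evaluate(device, policy):
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if policy.require_encryption and not device.encrypted:
        violations.append("storage not encrypted")
    if device.passcode_length < policy.min_passcode_length:
        violations.append("passcode shorter than %d" % policy.min_passcode_length)
    if device.jailbroken and not policy.allow_jailbroken:
        violations.append("jailbroken or rooted")
    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:
        violations.append("unsupported platform %s" % device.platform)
    elif device.os_version < minimum:  # tuple comparison handles 4.0.4 < 4.1 correctly
        violations.append("OS %s below minimum %s" % (
            ".".join(map(str, device.os_version)), ".".join(map(str, minimum))))
    if device.days_since_checkin > policy.max_days_since_checkin:
        violations.append("no management check-in for %d days" % device.days_since_checkin)
    return violations


def access_decision(device, policy):
    """Map violations to a posture: corporate, quarantine (internet only), or deny."""
    violations = evaluate(device, policy)
    if not violations:
        return "corporate", violations
    if any(v in HARD_FAILURES for v in violations):
        return "deny", violations
    return "quarantine", violations  # fixable on the device; keep it off internal resources until then


# Constructed inventory records for illustration.
INVENTORY = [
    Device("ipad-0417", "ios", (6, 0, 1), True, 6, False, 1),
    Device("gs3-0921", "android", (4, 0, 4), False, 4, False, 2),
    Device("iphone-1133", "ios", (6, 0), True, 4, False, 12),
    Device("iphone-2208", "ios", (6, 1), True, 8, True, 0),
]


def decisions(inventory, policy):
    """device_id -> (posture, violations) for every device in the inventory."""
    return {d.device_id: access_decision(d, policy) for d in inventory}


if __name__ == "__main__":
    for dev_id, (posture, why) in decisions(INVENTORY, Policy()).items():
        print("%-12s %-10s %s" % (dev_id, posture, "; ".join(why) or "compliant"))
```

The split between deny and quarantine is the design point: a missing passcode or a stale check-in can be fixed by the user in a minute, so pushing the device onto an internet-only network with a remediation page gets it compliant; an unencrypted or jailbroken device cannot be trusted with company data no matter what else it reports, so it is denied outright. The same function can drive the NAC or MDM rule that does the blocking.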

Audit your Wi-Fi infrastructure regularly to make sure neither employees nor attackers have set up rogue access points, and to spot suspicious wireless traffic into or out of the network.
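The audit Moore and the article recommend comes down to comparing what the air actually contains with what the WLAN controller says should be there. The following is an added example, not code from the article or from any wireless vendor: it parses a wireless survey, checks every observed beacon against an inventory of sanctioned access points, and labels the rest as evil twins (an unknown radio broadcasting a corporate SSID), lookalikes (an SSID built to resemble one), cloned or misconfigured sanctioned BSSIDs (the right BSSID advertising the wrong security), or simply unknown radios, ranked by signal strength so the strongest, and therefore probably the ones inside the building, are walked down first. The BSSIDs, SSIDs, the `SANCTIONED` inventory, the `-65` dBm proximity threshold and the survey lines are all constructed; the survey format is a simplified "bssid ssid channel security signal_dbm" record, not the output of any particular tool.

```python
# Inventory of sanctioned access points: BSSID -> (SSID, expected security).
# Constructed for illustration; real values come from the WLAN controller.
SANCTIONED = {
    "00:1a:2b:3c:4d:01": ("CorpWiFi", "WPA2-Enterprise"),
    "00:1a:2b:3c:4d:02": ("CorpWiFi", "WPA2-Enterprise"),
    "00:1a:2b:3c:4d:10": ("Corp-Guest", "WPA2-PSK"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in SANCTIONED.values()}

# Signal at or above this (dBm) usually means the radio is inside the building. Assumed value.
NEARBY_DBM = -65

# Constructed survey in a simplified "bssid ssid channel security signal_dbm" format.
SURVEY = """\
00:1a:2b:3c:4d:01 CorpWiFi 6 WPA2-Enterprise -41
00:1a:2b:3c:4d:02 CorpWiFi 11 WPA2-Enterprise -55
00:1a:2b:3c:4d:10 Corp-Guest 1 WPA2-PSK -60
de:ad:be:ef:00:01 CorpWiFi 6 Open -38
aa:bb:cc:dd:ee:ff linksys 1 Open -72
c0:ff:ee:00:00:02 CorpWifi-Free 11 WPA2-PSK -45
00:1a:2b:3c:4d:02 CorpWiFi 11 Open -52
"""


def normalize_ssid(ssid):
    """Lower-case alphanumerics only, so 'CorpWifi-Free' and 'CorpWiFi' compare on substance."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def parse_survey(text):
    """One dict per beacon line; malformed or header lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        bssid, ssid, channel, security, signal = parts
        records.append({"bssid": bssid.lower(), "ssid": ssid, "channel": int(channel),
                        "security": security, "signal": int(signal)})
    return records


def classify(rec):
    """Label one observed beacon against the sanctioned inventory."""
    known = SANCTIONED.get(rec["bssid"])
    if known is not None:
        ssid, security = known
        if rec["ssid"] == ssid and rec["security"] == security:
            return "sanctioned"
        # Our BSSID advertising another SSID or weaker security: cloned by an attacker, or misconfigured by us.
        return "cloned-or-misconfigured"
    if rec["ssid"] in CORPORATE_SSIDS:
        return "evil-twin"  # unknown radio impersonating a corporate SSID
    if any(normalize_ssid(s) in normalize_ssid(rec["ssid"]) for s in CORPORATE_SSIDS):
        return "lookalike"  # e.g. CorpWifi-Free, typically set up to harvest credentials
    return "unknown-nearby" if rec["signal"] >= NEARBY_DBM else "unknown-distant"


def audit_survey(text):
    """Non-sanctioned beacons as (bssid, ssid, label, dBm), strongest signal first."""
    findings = []
    for rec in parse_survey(text):
        label = classify(rec)
        if label != "sanctioned":
            findings.append((rec["bssid"], rec["ssid"], label, rec["signal"]))
    return sorted(findings, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    for bssid, ssid, label, dbm in audit_survey(SURVEY):
        print("%-18s %-14s %-24s %d dBm" % (bssid, ssid, label, dbm))
```

The "cloned-or-misconfigured" case is the one a BSSID allowlist alone would miss: an attacker who spoofs a sanctioned BSSID but runs it open will appear as a valid AP to a tool that only checks MAC addresses, so the comparison has to include the SSID and the security mode. Run the survey from more than one point in the building; a weak "unknown-distant" signal from one spot may be a strong one from another.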

11/5/2012 | 7:56:43 PM
re: BYOD: Filling The Holes In Your Security Policy
82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work - this is the reality, but also it is a large security risk. The article makes important points about BYOD policy, and it is critical to have a good policy. Also important is education of that policy. We changed our BYOD to have all doctors use a HIPAA compliant text messaging app called TigerText to send patient info, but the adoption rate was very low, until we brought every doctor in, explained the policy, why we have it, and how to use the app. Now we have about a 97% use rate.