BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?

Dude, Where's My Phone?

Lost and stolen mobile devices that contain sensitive company data are the biggest threat that companies allowing BYOD face, even though media attention is often on relatively rare mobile malware. Easily misplaced, with capacious hard drives and a laundry list of Web-based applications, smartphones and tablets--just like laptops--quickly become repositories for all manner of sensitive business information, from email messages to presentations to login credentials.

Securing those devices requires encrypting their hard drives and setting up strong passwords. But most phones aren't centrally controlled, says Al Huger, VP of development at cybersecurity company Sourcefire. "You need to have encryption and to have a standardized policy for passwords and for phones, but it's hard to enforce it without putting software on the endpoint."

However, installing a remote management application can be a sensitive issue when the device is owned by the employee, Huger says. Not everyone is going to want remote management capabilities controlled by their employers on their personal devices.

Data Theft: There's An App For That

Mobile applications--both legitimate and fraudulent--are a huge cause for concern at risk-sensitive firms. Mobile devices that have malicious or even just poorly coded applications installed on them are sources of insecurity.

Systems running Lookout Mobile Security's software detected 30,000 unique mobile malware instances in June, up from around 3,000 six months earlier, the company says. Mobile malware is still relatively rare but growing rapidly, since it has become a profitable business for cybercrime syndicates. One fast-growing category of mobile malware is so-called toll fraud programs. These abuse premium SMS messaging services on compromised phones by surreptitiously sending SMS messages to numbers that charge premiums back to the phone's owner. Mobile threats are likely to increase in the future, Lookout says.

Sourcefire's analysts commonly find malicious mobile software, particularly on Google Android devices, that's "causing mischief" on corporate networks, Huger says. Infected mobile devices use Bluetooth and other means to scan corporate networks for data to steal and other devices to infect. Smartphones look different from laptops, but, under the hood, they're still just computers, he says. "A jailbroken iPhone is just a Unix host," says Huger, referring to the mobile operating system's roots in Apple's Unix-based OS X. "You can log in to it remotely over SSH [Secure Shell]. Once you're in, you can use it to scan the public IP network."

An even bigger threat to companies comes from legitimate, nonmalicious applications--many of them not work-related--that can subtly and unintentionally expose company data and resources to prying eyes.

Aaron Turner, a co-founder and principal at the security consulting company N4Struct, says audits of his customers' networks have revealed these sorts of dependency problems.

"Let's say that a company lets mobile devices' native contacts, email, and calendar be connected to the Exchange server," Turner posits. "Now suppose that the LinkedIn mobile app requests permissions to view and copy all of your contacts. Is the enterprise really OK with LinkedIn getting a full copy of its global address list? That's pretty much the problem space right now: rogue apps interacting with enterprise data in ways that not everyone understands."

Lookout CTO Kevin Mahaffey describes the BYOD risk as "unquantifiable" because mobile application use creates "downstream risk" that's hard to predict. "If someone uses a weak password for Windows, the company will care. But what if their Dropbox account has a weak password, too? Now, the strength of everyone's passwords is a corporate concern," he says. Mobile devices, coupled with fast broadband connections and cloud-based services, mean every password that employees use now matters to their employers--not just the ones used to access corporate assets.

One Policy To Rule Them All

Lost devices? Vulnerable software? Dodgy applications? What's a risk-conscious company to do? The experts we spoke with have some suggestions.

Ideally, consumer-owned mobile devices would be governed by the same policies that apply to other company assets, such as laptops, desktops, and servers. But there really isn't "one policy to rule them all," and each company has to craft its own BYOD security policy. There are four common approaches that will help make your company more secure.

1. Know your enemy (and your friend)

The bare fact is that IT security practices at many companies are already porous and prone to failure. Concern about the risk posed by consumer devices may heighten executives' anxiety about data loss and infections, and that might be a good thing.

"I see the debate about BYOD as a forcing function that's making corporations take their internal security seriously and take steps to reduce their attack surface," says Rapid7's Moore, creator of the Metasploit penetration testing tool. In a BYOD environment, that might entail a philosophical shift in the thinking about mobile devices.

"Pay attention to phones and tablets," Lookout's Mahaffey says. "They're valuable corporate assets that hold sensitive email and documents, as well as internal applications." If users were more aware of that vulnerability, they might treat phones with more care--more akin to a wallet than replaceable electronic gadgets, he says.

Companies need visibility in two ways: They need to know what devices employees have and how those devices affect their risk, says Matt Dean, chief operating officer at FireMon, a security management software company. "You want to manage and control the risk that you're exposed to, so if a mobile device shows up on your wireless network, you understand what risk it poses to your network," he says.

2. Reduce the attack surface

Another step in securing BYOD environments is reducing exposure to attack. Companies should pay less attention to niche mobile attack vectors and concentrate on the security of their office environment's Wi-Fi infrastructure, Rapid7's Moore says.

The office Wi-Fi networks that those bandwidth-hungry mobile devices are tapping into are the real security Achilles' heel at many companies, Moore says. "Forget about mobile devices. If you have some massive Wi-Fi leak with rogue access points on your network, an attacker can own your machine and other corporate assets without doing anything else," he says.

Companies might consider disabling Wi-Fi within the office--though that's not going to make employees happy or productive. More tolerable might be to isolate Wi-Fi networks that mobile devices use from the rest of the company network, and provide strict filtering and policy enforcement for devices connected to them. For example: Use Web filtering tools to block access to potentially dangerous or non-work-related websites, and intrusion-prevention software or mobile device management tools to block network access altogether for noncompliant devices.
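The two controls described above, the encryption and passcode requirements Huger mentions and the blocking of noncompliant devices suggested here, can be expressed as a single policy check that runs before a personal device is admitted to the isolated mobile segment. The following is an added example, not code from the article or from any of the vendors quoted; the thresholds, the segment names and the sample fleet are all constructed for illustration.

```python
"""Decide whether a personally owned device meets BYOD policy before it
joins the mobile Wi-Fi segment. All thresholds and device records below are
constructed for this example, not taken from any vendor's product."""
from dataclasses import dataclass

# Policy thresholds (assumed values; tune to your own BYOD policy).
MIN_PASSCODE_LENGTH = 6
MIN_OS_VERSION = {"ios": (6, 0), "android": (4, 1)}


@dataclass
class Device:
    device_id: str
    owner: str
    os_name: str          # "ios" or "android"
    os_version: str       # dotted version string, e.g. "6.0.1"
    encrypted: bool       # storage encryption enabled
    passcode_length: int  # 0 means no passcode set
    jailbroken: bool      # jailbroken (iOS) or rooted (Android)
    mdm_enrolled: bool    # remote-management agent installed and reporting


def parse_version(version: str) -> tuple:
    """Turn '4.0.4' into (4, 0, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device) -> dict:
    """Return the access decision for one device plus every policy violation found."""
    violations = []
    if not device.encrypted:
        violations.append("storage not encrypted")
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        violations.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")
    if device.jailbroken:
        violations.append("jailbroken or rooted")
    minimum = MIN_OS_VERSION.get(device.os_name)
    if minimum is None:
        violations.append(f"unsupported platform {device.os_name!r}")
    elif parse_version(device.os_version) < minimum:
        violations.append(f"{device.os_name} older than {'.'.join(map(str, minimum))}")
    if not device.mdm_enrolled:
        violations.append("not enrolled in mobile device management")

    # Noncompliant devices land in a quarantine segment (captive portal, no
    # access to internal resources) rather than the BYOD segment.
    decision = "block" if violations else "allow"
    segment = "byod-wifi" if decision == "allow" else "quarantine"
    return {"device_id": device.device_id, "decision": decision,
            "segment": segment, "violations": violations}


def audit(devices) -> list:
    """Evaluate a fleet and return results with blocked devices listed first."""
    results = [evaluate(d) for d in devices]
    return sorted(results, key=lambda r: (r["decision"] != "block", r["device_id"]))


# Constructed sample fleet: one compliant device and two that fail policy.
SAMPLE_FLEET = [
    Device("ipad-01", "alice", "ios", "6.0.1", True, 6, False, True),
    Device("droid-02", "bob", "android", "4.0.4", False, 4, False, True),
    Device("iphone-03", "carol", "ios", "5.1.1", True, 8, True, False),
]

if __name__ == "__main__":
    for result in audit(SAMPLE_FLEET):
        print(f"{result['device_id']:<10} {result['decision']:<6} -> {result['segment']}")
        for reason in result["violations"]:
            print(f"    - {reason}")
```

The evaluator reports every violation rather than stopping at the first, so the quarantine portal can tell the employee exactly what to fix; in a real deployment the `Device` records would come from the management agent's last check-in rather than a hard-coded list, and a device that has not checked in recently should be treated as noncompliant.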

Regular audits of your Wi-Fi infrastructure are a good idea to make sure employees or attackers haven't set up rogue access points and to spot suspicious wireless traffic in or out of the network.
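One concrete form such an audit can take is comparing a wireless site survey against the inventory of authorized access points, which surfaces rogue APs, evil twins that impersonate a corporate SSID, and authorized APs whose configuration has drifted. This is an added example, not code from the article or any product mentioned in it; the inventory, the survey records, the signal-strength threshold and the BSSIDs are constructed placeholders.

```python
"""Compare a wireless site survey against the authorized AP inventory to flag
rogue access points, evil twins and misconfigured APs. The inventory and the
scan records are constructed for this example; feed in your own survey data."""
from collections import namedtuple

ObservedAP = namedtuple("ObservedAP", "bssid ssid channel security rssi_dbm")

# Authorized AP inventory keyed by BSSID (constructed values).
INVENTORY = {
    "00:11:22:33:44:01": {"ssid": "CorpNet", "channel": 1, "security": "WPA2-Enterprise"},
    "00:11:22:33:44:06": {"ssid": "CorpNet", "channel": 6, "security": "WPA2-Enterprise"},
    "00:11:22:33:44:0b": {"ssid": "CorpMobile", "channel": 11, "security": "WPA2-PSK"},
}

# Signals stronger than this are assumed to originate inside the building.
ON_PREMISES_RSSI_DBM = -70


def audit_scan(observed, inventory=INVENTORY, rssi_threshold=ON_PREMISES_RSSI_DBM):
    """Return (kind, bssid, detail) findings for every anomaly in the survey."""
    corporate_ssids = {entry["ssid"] for entry in inventory.values()}
    findings = []
    seen = set()
    for ap in observed:
        bssid = ap.bssid.lower()
        seen.add(bssid)
        expected = inventory.get(bssid)
        if expected is None:
            # Unknown radio using one of our SSIDs: classic evil-twin setup.
            if ap.ssid in corporate_ssids:
                findings.append(("evil-twin", bssid,
                                 f"unauthorized AP advertising corporate SSID {ap.ssid!r}"))
            # Unknown radio that is clearly on premises: likely an employee-installed AP.
            elif ap.rssi_dbm > rssi_threshold:
                findings.append(("rogue-ap", bssid,
                                 f"unknown AP {ap.ssid!r} heard at {ap.rssi_dbm} dBm"))
            continue
        # Authorized radio whose advertised configuration drifted from inventory.
        for field in ("ssid", "channel", "security"):
            if getattr(ap, field) != expected[field]:
                findings.append(("misconfigured", bssid,
                                 f"{field} is {getattr(ap, field)!r}, expected {expected[field]!r}"))
    # Authorized radios that did not show up at all deserve a look too.
    for bssid in inventory:
        if bssid not in seen:
            findings.append(("missing", bssid, "authorized AP not seen in survey"))
    return findings


# Constructed survey: one healthy AP, one whose encryption was turned off, an
# evil twin, an employee hotspot, a weak neighbour signal; one AP is offline.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:33:44:01", "CorpNet", 1, "WPA2-Enterprise", -45),
    ObservedAP("00:11:22:33:44:06", "CorpNet", 6, "Open", -50),
    ObservedAP("AA:BB:CC:DD:EE:FF", "CorpNet", 11, "Open", -40),
    ObservedAP("DE:AD:BE:EF:00:01", "FreeWiFi", 3, "Open", -38),
    ObservedAP("12:34:56:78:9A:BC", "NeighborNet", 9, "WPA2-PSK", -85),
]

if __name__ == "__main__":
    for kind, bssid, detail in audit_scan(SAMPLE_SCAN):
        print(f"[{kind:<13}] {bssid}  {detail}")
```

The RSSI threshold is the weakest part of the heuristic: a neighbouring business's AP near a shared wall can read as "on premises", so treat rogue-AP findings as leads for a walk-through rather than proof, and run the survey from several points in the building so a low-power rogue is not missed.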

11/5/2012 | 7:56:43 PM
re: BYOD: Filling The Holes In Your Security Policy
82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work - this is the reality, but also it is a large security risk. The article makes important points about BYOD policy, and it is critical to have a good policy. Also important is education of that policy. We changed our BYOD to have all doctors use a HIPAA compliant text messaging app called TigerText to send patient info, but the adoption rate was very low, until we brought every doctor in, explained the policy, why we have it, and how to use the app. Now we have about a 97% use rate.