Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:55 PM

BYOD: Filling The Holes In Your Security Policy

Allowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?

Dude, Where's My Phone?

Lost and stolen mobile devices that contain sensitive company data are the biggest threat that companies allowing BYOD face, even though media attention is often on relatively rare mobile malware. Easily misplaced, with capacious hard drives and a laundry list of Web-based applications, smartphones and tablets--just like laptops--quickly become repositories for all manner of sensitive business information, from email messages to presentations to login credentials.

Securing those devices requires encrypting their hard drives and setting up strong passwords. But most phones aren't centrally controlled, says Al Huger, VP of development at cybersecurity company Sourcefire. "You need to have encryption and to have a standardized policy for passwords and for phones, but it's hard to enforce it without putting software on the endpoint."

However, installing a remote management application can be a sensitive issue when the device is owned by the employee, Huger says. Not everyone is going to want remote management capabilities controlled by their employers on their personal devices.

Data Theft: There's An App For That

Mobile applications--both legitimate and fraudulent--are a huge cause for concern at risk-sensitive firms. Mobile devices that have malicious or even just poorly coded applications installed on them are sources of insecurity.

Systems running Lookout Mobile Security's software detected 30,000 unique mobile malware instances in June, up from around 3,000 six months earlier, the company says. Mobile malware is still relatively rare but growing rapidly, since it has become a profitable business for cybercrime syndicates. One fast-growing category of mobile malware is so-called toll fraud programs. These abuse premium SMS messaging services on compromised phones by surreptitiously sending SMS messages to numbers that charge premiums back to the phone's owner. Mobile threats are likely to increase in the future, Lookout says.

Sourcefire's analysts commonly find malicious mobile software, particularly on Google Android devices, that's "causing mischief" on corporate networks, Huger says. Infected mobile devices use Bluetooth and other means to scan corporate networks for data to steal and other devices to infect. Smartphones look different from laptops, but, under the hood, they're still just computers, he says. "A jailbroken iPhone is just a Unix host," says Huger, referring to the mobile operating system's roots in Apple's Unix-based OS X. "You can log in to it remotely over SSH [Secure Shell]. Once you're in, you can use it to scan the public IP network."

An even bigger threat to companies comes from legitimate, nonmalicious applications--many of them not work-related--that can subtly and unintentionally expose company data and resources to prying eyes.

Aaron Turner, a co-founder and principal at the security consulting company N4Struct, says audits of his customers' networks have revealed these sorts of dependency problems.

"Let's say that a company lets mobile devices' native contacts, email, and calendar be connected to the Exchange server," Turner posits. "Now suppose that the LinkedIn mobile app requests permissions to view and copy all of your contacts. Is the enterprise really OK with LinkedIn getting a full copy of its global address list? That's pretty much the problem space right now: rogue apps interacting with enterprise data in ways that not everyone understands."

Lookout CTO Kevin Mahaffey describes the BYOD risk as "unquantifiable" because mobile application use creates "downstream risk" that's hard to predict. "If someone uses a weak password for Windows, the company will care. But what if their Dropbox account has a weak password, too? Now, the strength of everyone's passwords are a corporate concern," he says. Mobile devices, coupled with fast broadband connections and cloud-based services, mean every password that employees use now matters to their employers--not just the ones used to access corporate assets.

One Policy To Rule Them All

Lost devices? Vulnerable software? Dodgy applications? What's a risk-conscious company to do? The experts we spoke with have some suggestions.

Ideally, consumer-owned mobile devices would be governed by the same policies that apply to other company assets, such as laptops, desktops, and servers. But there really isn't "one policy to rule them all," and each company has to craft its own BYOD security policy. There are four common approaches that will help make your company more secure.

1. Know your enemy (and your friend)

The bare fact is that IT security practices at many companies are already porous and prone to failure. The anxiety about the risk caused by consumer devices may dial up executives' anxiety about data loss and infections, and that might be a good thing.

"I see the debate about BYOD as a forcing function that's making corporations take their internal security seriously and take steps to reduce their attack surface," says Rapid7's Moore, creator of the Metasploit penetration testing tool. In a BYOD environment, that might entail a philosophical shift in the thinking about mobile devices.

"Pay attention to phones and tablets," Lookout's Mahaffey says. "They're valuable corporate assets that hold sensitive email and documents, as well as internal applications." If users were more aware of that vulnerability, they might treat phones with more care--more akin to a wallet than replaceable electronic gadgets, he says.

Companies need visibility in two ways: They need to know what devices employees have and how those devices affect their risk, says Matt Dean, chief operating officer at FireMon, a security management software company. "You want to manage and control the risk that you're exposed to, so if a mobile device shows up on your wireless network, you understand what risk it poses to your network," he says.

2. Reduce the attack surface

Another step in securing BYOD environments is reducing exposure to attack. Companies should pay less attention to niche mobile attack vectors and concentrate on the security of their office environment's Wi-Fi infrastructure, Rapid7's Moore says.

The office Wi-Fi networks that those bandwidth-hungry mobile devices are tapping into are the real security Achilles' heel at many companies, Moore says. "Forget about mobile devices. If you have some massive Wi-Fi leak with rogue access points on your network, an attacker can own your machine and other corporate assets without doing anything else," he says.

Companies might consider disabling Wi-Fi within the office--though that's not going to make employees happy or productive. More tolerable might be to isolate Wi-Fi networks that mobile devices use from the rest of the company network, and provide strict filtering and policy enforcement for devices connected to them. For example: Use Web filtering tools to block access to potentially dangerous or non-work-related websites, and intrusion-prevention software or mobile device management tools to block network access altogether for noncompliant devices.

Regular audits of your Wi-Fi infrastructure are a good idea to make sure employees or attackers haven't set up rogue access points and to spot suspicious wireless traffic in or out of the network.

2 of 4
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/5/2012 | 7:56:43 PM
re: BYOD: Filling The Holes In Your Security Policy
82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work - this is the reality, but also it is a large security risk. The article makes important points about BYOD policy, and it is criticle to have a good policy. Also important is education of that policy. We changed our BYOD to have all doctors use a HIPAA compliant text messaging app called TIgertext to send patient info, but the adoption rate was very low, until we brought every docotr in, explained the policy, what we have it, and how to use the app. Now was have about a 97% use rate.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-04
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attac...
PUBLISHED: 2020-06-04
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
PUBLISHED: 2020-06-04
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
PUBLISHED: 2020-06-04
An unquoted service path vulnerability in the FortiSIEM Windows Agent component may allow an attacker to gain elevated privileges via the AoWinAgt executable service path.
PUBLISHED: 2020-06-04
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-coded ...