9/25/2013
04:57 PM
Protecting The Network From Bring-Your-Own Vulnerabilities

Companies that allow employees to use their own devices for work inherit their employees' vulnerabilities. How should companies secure networks in the age of BYOD?

The bring-your-own-device (BYOD) business model is here to stay, much to the chagrin of security professionals. The arguments for allowing employees to work with company data on their personal devices and bring those devices into the workplace are almost unassailable: increased productivity, flexible working hours, and a more agile business.


While some companies may still limit workers to a single, or small selection, of devices and workstations, many firms are allowing employees to work from whatever device suits them. In many cases, that's a whole host of devices: Network security provider Bradford Networks, for example, has many higher education institutions among its customers, and some students use as many as 14 different devices to connect to the Internet.

"If companies think they are going to stop this, they really are not," says Frank Andrus, chief technology officer for the firm.

Yet companies should not allow employee devices onto the network or to store business data without some sort of security infrastructure in place to mitigate the vulnerabilities and compromises the devices may bring with them, Andrus says. In a presentation at the Interop conference in New York, he will stress that the human element is, initially at least, the most important aspect in implementing security controls on devices. Almost all employees are leery of giving corporate IT security any sort of control that could jeopardize their own data, he says.

"End users are really becoming part of the security model," he says. "The attacker is using them as a launching point into the network."

To eliminate the bring-your-own-vulnerabilities problem, mobile-security experts recommend three steps.

1. Survey the landscape
Companies should start by assessing the degree to which corporate assets are used by mobile workers.

Often a company does not have a lot of control over its IT infrastructure, and one employee who figures out how to connect to e-mail or a collaboration service will educate others, until the business has a rogue IT problem, says Chris Isbrecht, director of product management for Fiberlink, a mobile-security provider.

[Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth. See Is The Perimeter Really Dead?.]

"In a lot of cases, we find that people have no visibility or understand how many people and how many devices are actually connecting," he says. "The first step is education and visibility."

Companies should use that asset discovery to come up with a list of devices and of the servers and services those devices are using. After that, the firm can decide which approach works best for locking down its infrastructure and data, he says.
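The inventory step above is easy to state and tedious to do by hand. The script below is an added example, not code from the article or from any vendor quoted in it: it takes constructed connection records in a hypothetical CSV-style export (timestamp, user, device id, device type, destination host, service), builds the "which user has which devices, and which services each device touches" view, and flags destinations outside an assumed list of sanctioned corporate hosts, which is the "rogue IT" signal Isbrecht describes. The sample records, the sanctioned-host list and the `-personal` naming convention for employee-owned devices are all assumptions made for the example.

```python
"""Build a device/service inventory from connection records (asset discovery)."""
from collections import defaultdict

# Constructed sample connection records in a hypothetical CSV-style export
# (timestamp,user,device_id,device_type,dest_host,service). Not real data.
SAMPLE_LOG = """\
2013-09-25T08:01:12Z,alice,aa:bb:cc:00:00:01,laptop-corp,mail.corp.example,imaps
2013-09-25T08:03:40Z,alice,aa:bb:cc:00:00:02,phone-personal,mail.corp.example,activesync
2013-09-25T08:05:02Z,alice,aa:bb:cc:00:00:02,phone-personal,share.cloudfiles.example,https
2013-09-25T08:10:55Z,bob,aa:bb:cc:00:00:03,tablet-personal,wiki.corp.example,https
2013-09-25T08:11:30Z,bob,aa:bb:cc:00:00:03,tablet-personal,share.cloudfiles.example,https
2013-09-25T08:12:00Z,bob,aa:bb:cc:00:00:04,laptop-corp,mail.corp.example,imaps
2013-09-25T08:15:27Z,carol,aa:bb:cc:00:00:05,phone-personal,chat.unknownsaas.example,https
this line is malformed and must be skipped rather than abort the inventory
"""

# Hosts the business has actually sanctioned (assumed list for the example).
SANCTIONED_HOSTS = {"mail.corp.example", "wiki.corp.example"}

FIELDS = ("timestamp", "user", "device_id", "device_type", "dest_host", "service")


def parse_log(text):
    """Parse CSV-style records; skip any line that lacks all six non-empty fields."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS) or not all(parts):
            continue  # malformed record: ignore it, discovery must keep going
        records.append(dict(zip(FIELDS, parts)))
    return records


def build_inventory(records, sanctioned_hosts=SANCTIONED_HOSTS):
    """Aggregate who uses which devices and which hosts each device reaches."""
    devices_per_user = defaultdict(set)
    hosts_per_device = defaultdict(set)
    device_types = {}
    for r in records:
        devices_per_user[r["user"]].add(r["device_id"])
        hosts_per_device[r["device_id"]].add(r["dest_host"])
        device_types[r["device_id"]] = r["device_type"]
    # Any host outside the sanctioned list, grouped by the devices reaching it,
    # is the starting point for a "rogue IT" conversation.
    unsanctioned = defaultdict(set)
    for device, hosts in hosts_per_device.items():
        for host in hosts - sanctioned_hosts:
            unsanctioned[host].add(device)
    return {
        "devices_per_user": {u: sorted(d) for u, d in devices_per_user.items()},
        "hosts_per_device": {d: sorted(h) for d, h in hosts_per_device.items()},
        "device_types": device_types,
        "unsanctioned_hosts": {h: sorted(d) for h, d in unsanctioned.items()},
    }


def personal_devices_touching_corp(inventory, sanctioned_hosts=SANCTIONED_HOSTS):
    """Employee-owned devices (type ending in '-personal') that reach sanctioned corporate hosts."""
    result = []
    for device, hosts in inventory["hosts_per_device"].items():
        is_personal = inventory["device_types"][device].endswith("-personal")
        if is_personal and set(hosts) & sanctioned_hosts:
            result.append(device)
    return sorted(result)


if __name__ == "__main__":
    inv = build_inventory(parse_log(SAMPLE_LOG))
    for user, devices in sorted(inv["devices_per_user"].items()):
        print(f"{user}: {len(devices)} device(s)")
    for host, devices in sorted(inv["unsanctioned_hosts"].items()):
        print(f"unsanctioned host {host} reached from {len(devices)} device(s)")
    print("personal devices on corporate services:", personal_devices_touching_corp(inv))
```

The two outputs map directly onto the article's advice: the per-user device list is the visibility Isbrecht says most firms lack, and the unsanctioned-host list is what the business has to decide about before it can choose a lock-down approach. In practice the records would come from a NAC, DHCP, proxy or firewall export rather than an inline string.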

2. Win over the worker
Any strategy for implementing protection for employee-owned devices must also win over the workers. Because the device belongs to the user, the company will not be able to manage it in the same way that it could manage a corporate device. In some countries, the company may be extremely limited in what actions it is able to take: A blacklist could leak information on the apps that the worker uses, and spam filtering could give the company insight into the worker's personal life.

For any security product or service, protecting both the business data and the user's privacy is a tricky line to walk, says Nicko van Someren, chief technology officer for Good Technology, a mobile-security provider.

"It's a two-way street," he says. "You have to be able to protect the employer's data against accidental loss or disclosure by the user, but you also have to protect the user against the employer in terms of [the fact that] this is not the employer's device."

3. Protect the right "D"
Finally, companies have to focus on what really matters: the data, not the device. Convincing workers to take better precautions and secure their devices is good, but the company should focus on protecting its data, says Good's van Someren. Many mobile device management products are focused on the wrong "D," he says.

"It is all about the data and not the device," van Someren says. "The businesses should not care about the device."

Because the worker's habits on the device center on using apps, a data-driven security approach also has to focus on the apps, he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
hudson.josh, User Rank: Apprentice
10/10/2013 | 3:18:41 AM
re: Protecting The Network From Bring-Your-Own Vulnerabilities
BYOD is a big security problem, but many companies are willing to deal with it because of the potential productivity gains. BYOD devices logging on to a network is simply going to be the reality of enterprise IT, but the most important thing is to secure the data, and not just on the network but with the various ways devices now communicate. Our hospital put a BYOD policy in place to use Tigertext (www.tigertext.com) for HIPAA compliant text messaging, mostly to deal with the reality that the doctors were sending patient data over regular SMS, which is not HIPAA compliant. The reality was that the doctors were doing this because it was more efficient for them. Now we have the doctors using HIPAA compliant Tigertext and the patient processing productivity doubled in the last quarter - a significant business advantage. Yes, BYOD is a big security issue, and yes there are real productivity gains to be had, but IT is going to have to be creative to get them and maintain security.
Snyper82, User Rank: Apprentice
9/26/2013 | 3:21:15 PM
re: Protecting The Network From Bring-Your-Own Vulnerabilities
Excellent points; can I get some more "how-to" suggestions, though?
For example, you quoted that businesses should care about the data and not the device. This is done in part by encrypting the data, but if the device is compromised, then encryption doesn't do a whole lot - assuming unlocking the device unlocks the encryption.
Am I off base?