Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

9/25/2013
04:57 PM
50%
50%

Protecting The Network From Bring-Your-Own Vulnerabilities

Companies that allow employees to use their own devices for work inherit their employees' vulnerabilities. How should companies secure networks in the age of BYOD?

The bring-your-own-device (BYOD) business model is here to stay, much to the chagrin of security professionals. The arguments for allowing employees to work with company data on their personal devices and bring those devices into the workplace are almost unassailable: increased productivity, flexible working hours, and a more agile business.

Click here for more articles from Dark Reading.
Click here to register to attend Interop.

While some companies may still limit workers to a single, or small selection, of devices and workstations, many firms are allowing employees to work from whatever device suits them. In many cases, that's a whole host of devices: Network security provider Bradford Networks, for example, has many higher education institutions among its customers, and some students use as many as 14 different devices to connect to the Internet.

"If companies think they are going to stop this, they really are not," says Frank Andrus, chief technology officer for the firm.

Yet companies should not allow employee devices onto the network or to store business data without some sort of security infrastructure in place to mitigate the vulnerabilities and compromises the devices may bring with them, Andrus says. In a presentation at the Interop conference in New York, he will stress that the human element is, initially at least, the most important aspect in implementing security controls on devices. Almost all employees are leery of giving corporate IT security any sort of control that could jeopardize their own data, he says.

"End users are really becoming part of the security model," he says. "The attacker is using them as a launching point into the network."

To eliminate the bring-your-own-vulnerabilities problem, mobile-security expert recommend three steps.

1. Survey the landscape
Companies should start by assessing the degree to which corporate assets are used by mobile workers.

Often a company does not have a lot of control over its IT infrastructure, and one employee who figures out how to connect to the e-mail or a collaboration service will educate others, until the business has a rogue IT problem, says Chris Isbrecht, director of product management for Fiberlink, a mobile-security provider.

[Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth. See Is The Perimeter Really Dead?.]

"In a lot of cases, we find that people have no visibility or understand how many people and how many devices are actually connecting," he says. "The first step is education and visibility."

Companies should use the asset discovery to come up with a list of devices and what servers and services those devices are using. After that, the firm can decide which approach best works to locking down their infrastructure and data, he says.

2. Win over the worker
Any strategy for implementing protection for employee-owned devices must also win over the workers. Because the device belongs to the user, the company will not be able to manage it in the same way that the firm could manage a corporate device. In some countries, the company may be extremely limited in what actions they are able to take: A blacklist could be leaking information on the apps that the worker uses, and spam filtering could give the company insight into the worker's personal life.

For any security product or service, protecting both the business data and the user's privacy is a tricky line to walk, says Nicko van Someren, chief technology officer for Good Technology, a mobile-security provider.

"It's a two-way street," he says. "You have to be able to protect the employer's data against accidental loss or disclosure by the user, but you also have to protect the user against the employer in terms of [the fact that] this is not the employer's device."

3. Protect the right "D"
Finally, companies have to focus on what really matters: the data, not the device. Convincing workers to take better precautions and secure their devices is good, but the company should focus on protecting its data, says Good's van Someren. Many mobile device management products are focused on the wrong "D," he says.

"It is all about the data and not the device," van Someren says. "The businesses should not care about the device."

Because the worker's habits on the device focus on using apps, a data-driven security approach also has to focus on the apps as well, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hudson.josh
50%
50%
hudson.josh,
User Rank: Apprentice
10/10/2013 | 3:18:41 AM
re: Protecting The Network From Bring-Your-Own Vulnerabilities
BYOD is a big security problem, but many companies are willing to deal with it because of the potential productivity gains. BYOD devices login on to a network is simply going to be the reality of enterprise IT, but the most important thing is to secure the data and not just on the network but with the various ways device now communicate. Our hospital put a BYOD policy in place to use Tigertext (www.tigertext.com) for HIPAA complient text messaging, mostly to deal with the reality that the doctors were sending patient data over regular SMS which is not HIPAA compliant. The reality was that the doctors were doing this because it was more efficient for them. Now we have the doctor using HIPAA compliant tigertext and the patient processing productivity doubled in the last quarter - a significent business advantage. Yes, BYOD is a big security issue, and yes their are real productivity gain to be had, but IT is going to have to be creative to get them and maintain security.
Snyper82
50%
50%
Snyper82,
User Rank: Apprentice
9/26/2013 | 3:21:15 PM
re: Protecting The Network From Bring-Your-Own Vulnerabilities
Excellent points, can I get some more "how to suggestions" though?
For example, you quoted that business should care about the data and not the device. This is done in part by encrypting the data, but if the device is compromised, then encryption doesn't do a whole lot - assuming unlocking the device unlocks the encryption.
Am I off base?
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Microsoft Patches Windows Vuln Discovered by the NSA
Kelly Sheridan, Staff Editor, Dark Reading,  1/14/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5397
PUBLISHED: 2020-01-17
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not incl...
CVE-2019-17635
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted inde...
CVE-2019-19339
PUBLISHED: 2020-01-17
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries...
CVE-2007-6070
PUBLISHED: 2020-01-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2019-17634
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could...