Protecting The Network From Bring-Your-Own Vulnerabilities

Companies that allow employees to use their own devices for work inherit their employees' vulnerabilities. How should companies secure networks in the age of BYOD?

The bring-your-own-device (BYOD) business model is here to stay, much to the chagrin of security professionals. The arguments for allowing employees to work with company data on their personal devices and bring those devices into the workplace are almost unassailable: increased productivity, flexible working hours, and a more agile business.


While some companies may still limit workers to a single device, or a small selection of devices and workstations, many firms are allowing employees to work from whatever device suits them. In many cases, that is a whole host of devices: Network security provider Bradford Networks, for example, has many higher education institutions among its customers, and some students use as many as 14 different devices to connect to the Internet.

"If companies think they are going to stop this, they really are not," says Frank Andrus, chief technology officer for the firm.

Yet companies should not allow employee devices onto the network or to store business data without some sort of security infrastructure in place to mitigate the vulnerabilities and compromises the devices may bring with them, Andrus says. In a presentation at the Interop conference in New York, he will stress that the human element is, initially at least, the most important aspect in implementing security controls on devices. Almost all employees are leery of giving corporate IT security any sort of control that could jeopardize their own data, he says.

"End users are really becoming part of the security model," he says. "The attacker is using them as a launching point into the network."

To eliminate the bring-your-own-vulnerabilities problem, mobile-security experts recommend three steps.

1. Survey the landscape
Companies should start by assessing the degree to which corporate assets are used by mobile workers.

Often a company does not have a lot of control over its IT infrastructure, and one employee who figures out how to connect to e-mail or a collaboration service will educate others, until the business has a rogue IT problem, says Chris Isbrecht, director of product management for Fiberlink, a mobile-security provider.

[Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth. See Is The Perimeter Really Dead?]

"In a lot of cases, we find that people have no visibility or understanding of how many people and how many devices are actually connecting," he says. "The first step is education and visibility."

Companies should use that asset discovery to build a list of devices and of the servers and services those devices use. After that, the firm can decide which approach works best to lock down its infrastructure and data, he says.
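As an added illustration of the asset-discovery step (example code written for this article, not a Bradford Networks or Fiberlink tool; the gateway log format, the corporate MAC register and the sanctioned-service list are constructed assumptions), the script below turns connection logs into a device-to-service inventory and flags unmanaged devices and the unsanctioned services behind a rogue IT problem:

```python
import re
from collections import defaultdict

# Constructed sample gateway log (not from the article): one line per connection,
# "<timestamp> user=<id> mac=<hw addr> agent=<device type> dest=<host>:<port>".
SAMPLE_LOG = """\
2013-09-25T08:01:12 user=alice mac=aa:bb:cc:00:00:01 agent=iPhone dest=mail.example.com:443
2013-09-25T08:02:40 user=alice mac=aa:bb:cc:00:00:02 agent=Windows dest=sharepoint.example.com:443
2013-09-25T08:05:03 user=bob mac=aa:bb:cc:00:00:03 agent=Android dest=mail.example.com:443
2013-09-25T08:06:17 user=bob mac=aa:bb:cc:00:00:03 agent=Android dest=files.dropbox.com:443
2013-09-25T08:09:55 user=carol mac=aa:bb:cc:00:00:04 agent=iPad dest=files.dropbox.com:443
"""
LINE_RE = re.compile(r"user=(\S+) mac=(\S+) agent=(\S+) dest=(\S+)")

# Assumed corporate asset register (MACs IT issued) and sanctioned services;
# any other device is BYOD, any other destination is potential rogue IT.
CORPORATE_MACS = {"aa:bb:cc:00:00:02"}
SANCTIONED_SERVICES = {"mail.example.com", "sharepoint.example.com"}


def build_inventory(log_text):
    """Map each (user, mac, agent) device to the set of hosts it connected to."""
    inventory = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the survey
        user, mac, agent, dest = m.groups()
        inventory[(user, mac, agent)].add(dest.rsplit(":", 1)[0])
    return inventory


def survey(log_text):
    """Per-device report: BYOD flag, services used, and unsanctioned services."""
    return [
        {
            "user": user, "mac": mac, "agent": agent,
            "byod": mac not in CORPORATE_MACS,
            "services": sorted(hosts),
            "unsanctioned": sorted(hosts - SANCTIONED_SERVICES),
        }
        for (user, mac, agent), hosts in sorted(build_inventory(log_text).items())
    ]


def rogue_services(report):
    """Unsanctioned services and the number of distinct devices using each."""
    counts = defaultdict(int)
    for rec in report:
        for host in rec["unsanctioned"]:
            counts[host] += 1
    return dict(counts)
```

Feeding the survey output into a decision about which services to sanction (or wrap in a managed app) is the "decide which approach works best" step the article describes.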

2. Win over the worker
Any strategy for protecting employee-owned devices must also win over the workers. Because the device belongs to the user, the company will not be able to manage it in the same way it could manage a corporate device. In some countries, the company may be extremely limited in what actions it is able to take: A blacklist could leak information on the apps the worker uses, and spam filtering could give the company insight into the worker's personal life.

For any security product or service, protecting both the business data and the user's privacy is a tricky line to walk, says Nicko van Someren, chief technology officer for Good Technology, a mobile-security provider.

"It's a two-way street," he says. "You have to be able to protect the employer's data against accidental loss or disclosure by the user, but you also have to protect the user against the employer in terms of [the fact that] this is not the employer's device."

3. Protect the right "D"
Finally, companies have to focus on what really matters: the data, not the device. Convincing workers to take better precautions and secure their devices is good, but the company should focus on protecting its data, says Good's van Someren. Many mobile device management products are focused on the wrong "D," he says.

"It is all about the data and not the device," van Someren says. "The businesses should not care about the device."

Because the worker's activity on the device centers on apps, a data-driven security approach has to focus on the apps as well, he says.

About the author: Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

User Rank: Apprentice
10/10/2013 | 3:18:41 AM
re: Protecting The Network From Bring-Your-Own Vulnerabilities
BYOD is a big security problem, but many companies are willing to deal with it because of the potential productivity gains. BYOD devices logging on to a network is simply going to be the reality of enterprise IT, but the most important thing is to secure the data, and not just on the network but with the various ways devices now communicate. Our hospital put a BYOD policy in place to use Tigertext (www.tigertext.com) for HIPAA compliant text messaging, mostly to deal with the reality that the doctors were sending patient data over regular SMS which is not HIPAA compliant. The reality was that the doctors were doing this because it was more efficient for them. Now we have the doctors using HIPAA compliant Tigertext and the patient processing productivity doubled in the last quarter - a significant business advantage. Yes, BYOD is a big security issue, and yes there are real productivity gains to be had, but IT is going to have to be creative to get them and maintain security.
User Rank: Apprentice
9/26/2013 | 3:21:15 PM
re: Protecting The Network From Bring-Your-Own Vulnerabilities
Excellent points, can I get some more "how to suggestions" though?
For example, you quoted that business should care about the data and not the device. This is done in part by encrypting the data, but if the device is compromised, then encryption doesn't do a whole lot - assuming unlocking the device unlocks the encryption.
Am I off base?