Infosec Guide: Dealing with Threats to a Bring Your Own Device (BYOD) Environment
Bring your own device (BYOD) adoption has risen greatly over the past few years as companies look to improve work efficiency and lower operational costs. While BYOD brings a number of advantages to both employees and the organizations they work for, they also have their own share of disadvantages in terms of security. This guide will tackle the primary threats organizations face when implementing BYOD programs, as well as best practices and solutions to mitigate these threats.
Malicious Mobile Applications
As mobile devices form a large portion of an organization’s BYOD ecosystem, organizations must be aware of the risks they face from malicious mobile apps downloaded by the users of these devices. Users who download through third party app stores and torrent repository websites often fail to check the authenticity of the apps they download, failing to realize that a large number of these applications are actually malicious in nature. Cyber criminals usually trick users by posing as legitimate downloads of new and popular applications such as last year’s Super Mario Run. What makes some of these apps particularly dangerous is that they appear to run like the actual applications, but deliver other malicious payloads such as unwanted advertisements or even malware.
Defending against malicious apps: For mobile devices, companies should consider providing endpoint security solutions that feature app reputation technology that can detect whether certain apps are safe to use. In addition, the organization’s enterprise solutions should include device management and application management features that allow IT professionals to manage the installation of applications from a single, centralized console.
While phishing is not just a BYOD problem, it becomes an especially significant threat in a BYOD ecosystem due to the tendency of organizations to focus on the security of the devices within their own network. Cybercriminals often start with the weakest link in the security chain—end users. Phishing attacks can be a very effective way to trick employees into thinking that a malicious email or message is actually a legitimate one.
While many companies implement security solutions that can effectively filter potential phishing attacks on their own machines, a much smaller number do the same for their employee’s devices. This opens them up to attacks that target their personal accounts, which could then affect their own personal devices.
Avoiding phishing attacks: Organizations should make user education a high priority. Employees should be taught to detect phishing attacks and briefed on what to do in case they receive suspicious messages or emails. As an extra security measure, companies should also look into installing solutions that can prevent or at least minimize the impact of phishing attacks on the devices of their employees. For mobile devices, this includes solutions that integrate tools such as integrated data loss prevention, application control, and web filtering.
Device loss or theft
A large number of BYOD devices are used to store, access, and process confidential company information. This poses a great risk if the device falls into the wrong hands. And the danger doesn't just come from malicious elements who are purposefully trying to steal data—simply leaving a device on public transportation can also expose sensitive data.
In many cases, there is a correlation between poor BYOD device implementation and data breaches. A 2015 study by Trend Micro noted that 46.5% of enterprises that allowed their employees to access their network via BYOD devices experienced some form of data breach, with device theft and loss being a major cause of data breaches.
Reducing the risks of device loss: Employees who are enrolled in BYOD programs should be required to use security solutions that can encrypt the data contained in their devices. Full disk encryption ensures that even if a device falls into the wrong hands, the data contained within is essentially unreadable to everyone except those who have access to the decryption tools.
Secure authentication is another important aspect of BYOD security. Many people place minimal authentication into their devices, thinking that they can never be lost or stolen. This means that important information stored on these devices can invariably be accessed with just a little tinkering. Organizations should also require any user who stores company information on their devices to enable multifactor authentication to ensure that any data stored in an employee’s device is not accessed easily.
Targeted attacks and vulnerabilities
Targeted attacks and exploiting vulnerabilities in BYOD devices are a key security issue for organizations. The DressCode malware family (detected by Trend Micro as ANDROIDOS_SOCKSBOT.A), which disguised itself as games and themes on mobile marketplaces, showed how perpetrators can infiltrate a company’s network environment to steal data. BYOD as an attack vector can be extremely dangerous because the company itself is at risk.
In addition to targeted attacks, users themselves can often place organizations at risk by neglecting to apply updates on their own personal devices. Unpatched or outdated software on these devices could have vulnerabilities that can be exploited for malicious purposes. Jailbroken or rooted mobile devices are usually slow, difficult, or outright impossible to patch, and while these tweaks can give users greater functionality and customizability, it might also compromise its security
Thwarting targeted attacks: For mobile devices, organizations can use mobile device management (MDM) software that can block malicious applications and programs before they can be installed. For other BYOD devices such as desktops and laptops, organizations should look into endpoint security solutions that can provide comprehensive features such as behavior monitoring, vulnerability and browser exploit protection, web reputation, and anti-malware features. Given the large number of possible attacks that leverage BYOD devices, organizations should invest in layered security solutions to help with mitigation.
While users should be encouraged to update their devices as soon as they are available, this does not guarantee that employees will actually update their devices. It may not be possible for companies to enforce hard rules requiring employees to use specific devices or operating system versions, but they can provide a list of supported devices and operating systems that is reasonable for both the organization and their employees. Older, unsupported devices and jailbroken or rooted phones should be discouraged from being enrolled in a company’s BYOD program.
Best practices for BYOD implementation
Implementing a successful BYOD program is an issue that is not only limited to IT departments and network administrators—it is an issue that should be tackled by the organization as a whole. As such, a comprehensive BYOD strategy is needed to ensure that the program is not only successful, but also secure. Here are some guidelines to help organizations with their BYOD implementation.
Implement a formal BYOD policy
Many organizations tend to implement “informal” BYOD policies—allowing employees to bring their own devices to work without any rules or even guidelines in place. There should be a formal onboarding or enrollment program before an employee’s device is allowed access to the company network and data. Corporate network settings should also be distributed to employees upon the successful enrollment of their devices to ensure consistency.
Restrict highly sensitive information to organizational devices only
While BYOD devices used in personal settings will invariably have company data stored in their devices, the most confidential files should be limited to devices that are only used within the company premises. If sensitive data must be stored in a BYOD device, organizations should ensure that the data is properly encrypted by security solutions.
Employees should only have access to the information they need
To minimize the impact of any potential security incident, companies should only provide employees access to the data they need. For example, the human resource department should not have files from the marketing department stored in their BYOD devices.
Organizations should look into ways to separate company and personal information
By using a Virtualized Mobile Infrastructure (VMI) system, organizations can allow their users to access company information on their mobile devices via a virtual mobile operating system running on a company server. This allows users to essentially separate their personal files, which are accessed through their devices' actual operating system, from their company files, which are accessed via the VMI.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.