Minimizing BYOD Risks
Businesses that allow their employees to use mobile devices for work need to understand those devices' vulnerabilities and how they could infect the company network. If a company issues and enforces good security policies for its desktops and laptops, both are likely to be more secure than any tablet or mobile phone, because far fewer controls can be applied to a phone or tablet. Mobile phones are especially vulnerable because people download applications onto them, and most of those apps have never been vetted by security professionals. Many of the apps downloaded onto a phone can grab the user's address book and other data that most people don't want to share. Even if employees use their mobile devices to connect to no company server other than the email system, malware already on the phone could still spread to the network. With the right controls in place, however, there are ways employees can connect to company email securely.
Secure mobile applications are available that allow safe connections to the company email server. Employees download the application onto their mobile phones; once it is installed, they open the application and enter a password to connect to the company server. That lets them read all their email and send email to other people through the company email system. The application runs sandboxed inside the mobile phone, so if the phone itself were infected, the infection would not reach the network, because the only part of the device that connects to the company network is the sandboxed email application. But this type of application covers company email only and offers no protection for connecting to any other part of the company network. For example, it would not allow someone to safely connect to any company server other than the email server.
At the office, servers and desktop computers sit inside the trusted network, which in theory is secured by firewalls and an IDS/IPS. Ideally, the organization monitors its network 24x7. With a firewall and an IDS/IPS the company is protected from traffic coming from outside the organization. But a company-owned mobile computer (laptop or tablet), which is often taken offsite and sits outside the company network, is vulnerable if it connects to the Internet without using a Virtual Private Network (VPN). The VPN lets the mobile computer connect to the company network through a private tunnel. Once connected, it works as if it were sitting right inside the office, protected by the firewall and IDS/IPS.
So, as you can see, a company-owned laptop is, in theory, quite safe outside the office. That's because company-owned devices are usually patched, run up-to-date software, and probably carry some restrictions. For example, the company can block users from visiting websites known for spreading malware and from downloading applications that have known vulnerabilities or are malicious.
When personally owned computers connect to the company network either inside the office or through a VPN, users bypass security systems that protect the network from outside threats. So if an employee brings her own computer (which unbeknownst to her has malware on it) to the office and connects it to the network, the malware on her computer could migrate to the network. This is because network protections are typically configured to focus on preventing access from external computers and pay no attention to the traffic between computers already inside the network.
Personally owned devices are another story. Their owners may not have kept the operating system, applications and anti-virus software up to date, and may never have installed anti-virus software at all. These devices don't sit behind elaborate company firewalls or an IDS/IPS. Their owners may have unknowingly visited websites with infected links, or downloaded applications for personal use that carry malware. Without a fully patched environment and updated anti-virus software, computers are easily infected, often within minutes of connecting to the Internet. Once malware infects a user's computer, it can spread to anything that computer is connected to. And, as outlined above, if that device connects to the company network, either inside the office or from outside via a VPN, the device's malware can slide onto the network, bypassing all of the border security and ultimately giving a hacker access to company servers that house private data.
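The preceding paragraphs make the point that border controls watch traffic entering the network but not traffic between hosts already inside it. The following is an added example, not part of the original article, showing one way a defender can watch for that east-west pattern: it parses internal flow records and flags any internal host that fans out to an unusual number of other internal hosts. The flow-log format, the 10.0.0.0/8 address range and the sample records are all constructed for this example.

```python
"""
Added example: flag internal hosts that contact many other internal hosts,
the east-west spread a border firewall never sees. The flow-log format,
the address range and the sample records below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption (constructed): the corporate LAN is 10.0.0.0/8.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records: "time src_ip dst_ip dst_port".
# 10.0.5.23 reaches one external site, then six internal peers in quick
# succession; 10.0.7.40 shows ordinary behaviour.
SAMPLE_FLOWS = """\
09:00:01 10.0.5.23 203.0.113.10 443
09:00:02 10.0.5.23 10.0.1.7 445
09:00:02 10.0.5.23 10.0.1.8 445
09:00:03 10.0.5.23 10.0.1.9 445
09:00:03 10.0.5.23 10.0.1.10 445
09:00:04 10.0.5.23 10.0.1.11 445
09:00:04 10.0.5.23 10.0.1.12 445
09:00:05 10.0.7.40 10.0.1.7 445
09:00:05 10.0.7.40 10.0.1.8 445
09:00:06 10.0.7.40 203.0.113.10 443
not a valid line
"""


def parse_flows(text):
    """Parse flow lines into (src, dst, port) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src, dst, port = ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
        except ValueError:
            continue
        flows.append((src, dst, port))
    return flows


def lateral_fanout(flows):
    """Map each internal source to the number of distinct internal hosts it reached.

    External destinations are ignored on purpose: that is the traffic the
    border firewall already inspects.
    """
    peers = defaultdict(set)
    for src, dst, _port in flows:
        if src in INTERNAL and dst in INTERNAL:
            peers[src].add(dst)
    return {str(src): len(dsts) for src, dsts in peers.items()}


def flag_hosts(flows, threshold=5):
    """Return internal hosts whose internal fan-out reaches the threshold."""
    fanout = lateral_fanout(flows)
    return sorted(host for host, n in fanout.items() if n >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("internal fan-out per host:", lateral_fanout(flows))
    print("hosts to investigate:", flag_hosts(flows))
```

The threshold is deliberately a parameter: in a real deployment it would be tuned per subnet against a baseline, since file servers and management hosts legitimately talk to many peers, while a user laptop normally does not.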
A company that wants to protect its network should never allow the following:
- A personally owned computer (mobile phone, laptop, tablet) or USB stick to connect into a USB port on a company computer or company network cable.
- A personally owned computer to connect to the firm’s wireless network inside or outside the office. An exception can be made when that wireless network is not connected to the corporate network, such as Wi-Fi used solely to provide Internet access.
- A personally owned computer to connect to the company network through a VPN or any wireless channel.
Despite these cautions, BYOD can work safely. There are systems that let employees work with corporate applications and data from their personally owned computers without ever being directly connected to the company network. One such system is Virtual Desktop Infrastructure (VDI). When a company deploys VDI, the personally owned device acts only as the keyboard, monitor and mouse for a corporate-owned computer. The user runs applications and works with data that live on a company-controlled machine. The corporate server exchanges only mouse, keyboard and screen traffic with the user's computer, so the server cannot become infected. Another type of system places a containerized virtual "bubble machine," installed like an ordinary software application, on each employee's personally owned computer. When a lawyer needs to work on a document or an office application, she requests it from the server. The server sends an "instance," or copy of the document, directly to her containerized bubble, where it is stored so that she can disconnect from the Internet and work anywhere, such as on a plane, and make changes to the document. Because the bubble is containerized within the computer, it is protected from any malware on the computer. The next time the employee connects to the virtual system, the latest version of the document is uploaded back to the server. If her personally owned device is lost or stolen, or she leaves the firm, the containerized bubble on her computer can be remotely wiped.
It's usually impractical to expect your own organization to manage BYOD. Partnering with a mobile device management (MDM) vendor can help organizations deploy and support mobile devices and the corporate applications that run on them. Implementing an MDM solution is often less costly than managing BYOD in-house, because MDM outsourcing companies have the knowledge and staff to work with countless types of old and new devices and operating systems. MDM providers can manage multiple types of computer systems, enforce password policy, wipe devices remotely, monitor devices and their configuration settings in real time, and address the major requirements for giving users access to data and applications.
The Dangers Of Mobile Phones
If a user’s phone is lost or stolen, private data on the phone could be accessed by the new person holding the phone.
If an employee were to connect to the company network without a VPN or a mobile security application, the information exchanged could be intercepted over the air in transit.
Mobile phones have some security built into them, but when people break those built-in protections in order to download unauthorized applications, or take administrative control to make the phone do things it was not intended to do, they disable the security controls the phone relies on.
Some of the applications people buy on third-party websites and application stores contain vulnerabilities or malicious code that lets the app seller access your address book and other data. Such malware can also stealthily send text messages that spread malware further or run up your monthly phone bill.
Just as malware spreads on PCs when users click on malicious hyperlinks or open malicious email attachments, the same is true for mobile phones and tablets.
Botnets, networks of computers that have been infected with malware and are secretly controlled by an operator without their users' knowledge, are now being built in the mobile arena as well. Because mobile devices, especially smartphones, are always on and always connected, they are becoming attractive targets for bot masters, the people who control a botnet (the army of infected computers).
Approaching BYOD Security
There is a spectrum of approaches companies take to BYOD security and compliance. Companies that must meet industry compliance regulations (any company that accepts credit cards must at least be PCI DSS compliant) should enforce stricter rules on the ways employees can and cannot access the company network.
Mobile consultants at Dell SecureWorks see some companies that are extremely lenient with their mobile policies and others that are very strict. Some companies allow unfettered access to the company email system and let employees sync their phones or tablets to the company network via USB or Wi-Fi. Other organizations are far stricter in both their policies and their enforcement.
In order to comply with federal regulations (PCI DSS, HIPAA and others), some organizations must be able to show that they mitigate risks to sensitive or protected data. We find that most companies don't fully understand the compliance regulations. Many companies are also not fully aware of their mobile needs: which systems employees absolutely must be able to access, which systems they don't need to reach from mobile devices, and what the safest ways are to allow access to the relevant servers. That is why it's always best for a company to meet with a mobile security specialist to tailor a plan that fits its needs. There are different ways companies can let employees access company servers safely, and a consultant will help a company decide which best fits its needs and budget.
Companies should educate all employees on network security. Employees need to be aware that if their devices were lost or stolen, the data on them would be at risk. They also need to know that malware can infect their phones, tablets and laptops, that downloaded apps can steal private information, and that many apps people buy in the marketplace carry malware. Users need to know that there are fake marketplace sites, displayed in the browser, that imitate the real marketplace sites where they might buy an application. They need to know about phishing scams: spam emails sent to them with malicious links that lead to fake websites imitating real ones.
On a computer, when a user sees a link to a website, he can hover over the link and see the URL. But not all mobile phones show the URL when you hover over a link. A user could be sent a spam email with a link to a website that sells an application the user wants. Or the user could search the web for a site that sells mobile applications. The links that show up on the first page of Google results could lead to fake websites that look like an authentic Apple or Google app store, but if you look closely at the URL, it is different from the authentic store the user is searching for. And the apps found there, or even apps found at the authentic stores, may carry malware. If an employee's device were infected and he then connected it to the company network, the network, too, could become infected.
Security Cautions For Mobile Applications
Businesses and public organizations are using mobile-based applications in innovative and compelling ways to interact with their customers, employees and partners.
However, mobile devices and applications can increase an organization's security and compliance risks by enlarging the attack surface available to hackers or by inadvertently creating a risk of unauthorized access and data loss. The danger in applications is that they are often not built securely, leaving holes for hackers to exploit. For example, suppose your company offers a mobile application for customers. If the application has any holes in it, a hacker could enter your network through one of them. The simplest example is an application with an open input field, such as one for typing in a username. In that field, a hacker could type code rather than a name, and that code could reach the back end of your server where your private data sits. Some companies supply mobile applications only for employees, but those too could be riddled with holes that expose private data. As a result, many organizations are grappling with mobile app security and struggling to answer the difficult questions mobile apps raise.
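The "open field" the paragraph describes is the classic injection hole: a back end that pastes the field's contents into a query, so the text is executed as code rather than matched as a value. The following is an added example, not from the original article, that puts the vulnerable lookup beside its hardened form using an in-memory SQLite table constructed for the example. The table, rows and crafted test input are all constructed assumptions; the point is that the parameterized query returns no rows for the same crafted input that makes the concatenated query return every row.

```python
"""
Added example: a username lookup written two ways. The vulnerable version
builds SQL by string concatenation; the hardened version passes the value
as a bound parameter. Table contents are constructed for this example.
"""
import sqlite3


def make_db():
    """Create a throwaway in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """BAD: the field contents become part of the SQL text itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """GOOD: the value is bound separately, so it can only ever match as data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed test inputs: an ordinary name and the textbook "code in the
# name field" string that turns the WHERE clause into an always-true test.
NORMAL_INPUT = "alice"
CRAFTED_INPUT = "x' OR 'a'='a"


def compare(username):
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for label, value in (("normal", NORMAL_INPUT), ("crafted", CRAFTED_INPUT)):
        vulnerable, safe = compare(value)
        print(f"{label}: vulnerable -> {len(vulnerable)} rows, safe -> {len(safe)} rows")
```

Parameter binding is the fix to reach for first; input length limits and an allowlist of permitted characters for a username are a useful second layer, but they are not a substitute for it, because the binding is what removes the field's ability to change the query.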
For instance, “How can you safely enable your customers, employees and business partners?” “How can you maintain security, minimize risk and ensure compliance while using mobile applications to enable your business?” “How does your mobile app access and interact with your network?” “How do you ensure that your customer, employee and partner data is protected?”
Dell SecureWorks provides a Mobile Application Security Assessment (MASA) service that helps you determine the integrity of your mobile applications and the systems they interact with.
Any organization developing or deploying mobile applications, whether for internal employee use or for use by customers and business partners, can benefit from a MASA to ensure that systems, networks and data are protected and compliance requirements are met.
Our assessment examines the security and compliance risks of your entire solution: the app on the device, the back-end systems and network the app connects to, and the interactions and data flows between them.
For more information on Dell SecureWorks and mobile security, please visit www.secureworks.com.