BYOD security: Are agencies doomed to a permanent game of catch-up?

 


Cybersecurity pros are running to keep up with emerging threats to mobile devices, yet most observers fear government and industry will always lag behind.

With the growing popularity and usefulness of mobile devices, the era of Bring Your Own Device in the workplace is either imminent or already upon us, depending on whom you’re talking with.

“BYOD is here, and everyone is working to make sure we can deliver things” through that channel, said John Harrison, group manager at Symantec Security Response.

That does not mean that your personal smart phone or tablet automatically will become a trusted part of the enterprise, but it will be increasingly difficult for administrators to keep them out. In many cases, it already is too late to try.




“Some things you just can’t do,” said Gary Schluckbier, director of the secure products group at Motorola Solutions. “In some enterprises, banning personal mobile devices is one of them.” There always will be a risk trade-off in which usefulness must be balanced against threats, he said. “There are user cases where BYOD makes a lot of sense. In others, it doesn’t.”

The threats that make mobile devices a risk to the enterprise already are appearing. The amount of new malware being identified by security companies has shot up exponentially this year, and both government and industry are working to develop secure software and hardware for mobile devices. Despite these efforts, however, those in the industry offer little hope that they will be able to get out in front of this threat curve.

Security is historically reactive, said Anup Ghosh, CEO of the security company Invincea. The same trends that have kept us playing catch-up with desktop and laptop security will continue in the mobile world, he predicted. “We’re seeing the same movie run over and over again,” Ghosh said.

That does not mean the outlook necessarily is gloomy, however. “Security will always follow, but the process can be quick,” said Mark Cohn, chief technology officer of Unisys Federal Systems.



Whether it will be quick enough remains to be seen. The pace of change in the computing environment is accelerating. For decades the desktop dominated, and then it was joined by the laptop. But no sooner has the laptop become a full-fledged partner than it is being pushed out by the tablet and smart phone.

Cohn predicts that, within a year, the desktop, tablet and smart phone will be the triumvirate of enterprise computing, and within another year the desktop is likely to be eliminated as a dominant platform. Eventually, a smart phone enabled with a Bluetooth keyboard and cloud storage could reign alone.

This shifting and convergence has not gone unnoticed by the bad guys. Malicious code for mobile devices has grabbed headlines in the past year, and McAfee’s latest quarterly threat report showed a sharp spike in new mobile malware, from fewer than 500 samples in the last quarter of 2011 to more than 6,000 in the first three months of 2012.

Android’s double-edged sword

The Android operating system is far and away the largest target for malware, accounting for more than three-quarters of the samples identified. In most cases, the code comes from outside the official Google app store for Android, McAfee researchers said. What makes Android attractive to criminals is the same thing that makes it attractive to developers and consumers.

“The Android is a platform that other people can use to make a product,” said Adam Wosotowsky, messaging data architect and research analyst at McAfee. “It allows for more creativity. For that reason, it’s more flexible.” Security features can be disabled and third-party applications easily installed.

On the other hand, because Android is open it also can be hardened. The National Security Agency has released a hardened version, Security Enhanced Android based on SELinux, an open-source project to identify and close security gaps in Android. Operating system aside, mobile devices in general offer a target-rich environment for hackers, in part because of the compact form factor.

“The platform is highly integrated, changes all the time and has a lot more attack surface,” said Motorola’s Schluckbier. Because many functions that might be separated on a larger device are combined on a single chip for a handheld, “we’re just starting to scratch the surface on threats.”

With malware, as with teenagers, a sudden growth spurt does not equate with maturity, researchers said. “It’s still in its infancy,” Wosotowsky said of mobile malware. “The number of malware samples we see for PCs is explosively higher than we see for smart phones.”

“So far, the underground economy is still figuring out how to monetize mobile threats in the way they have monetized desktop and laptop threats,” said Symantec’s Harrison.



In the United States, use of smart phones for financial transactions is not yet widespread, and common money-making scams for PCs — such as downloading fake antivirus programs or video codecs — are not as successful on mobile devices because most users are not yet thinking of putting antivirus software on their handhelds, and nobody wants to pay for new applications for a smart phone anyway.

Malicious apps

Malicious applications are the most common means of delivering malware to a mobile device, particularly unvetted software offered through third-party Android marketplaces. These Trojanized apps usually are corruptions of legitimate applications rather than built from scratch, Harrison said.

“We have seen some built from scratch,” Harrison said. “But hackers are lazy. Why go to the trouble? Android apps are totally easy to reverse engineer, compromise and upload. People seem to flock to them.”

The most successful fraudulent money-makers for mobile devices to date — and they don’t make a lot of money — probably are click fraud and premium billing for text schemes. But the growth in malware development going on today means that more serious threats are likely to appear as users become more comfortable in a mobile online world and criminals gain experience in the arena, Harrison said. “Once they figure out what’s working, we will see wider use.”

“Your cell phone is a little computer,” Wosotowsky said. “It is not immune to the problems associated with big computers. Eventually, there won’t be much difference between your PC and your cell phone. At that time, it [the cell phone] will certainly be the top target” for malware writers.

How long do we have before this happens? “We are starting to see the inflection point right here,” Harrison said. “We’re in the early stages.” Optimal security for a mobile device would be embedded in hardware, and that is where Motorola, an equipment manufacturer, is focusing its security efforts.

“Where we start is low in the device,” Schluckbier said. The company also is hardening the operating systems, adding features to Android and Windows Mobile. It recently announced its Assured Mobile Environment in the AME 1000 Secure Mobile Telephony solution for Windows Mobile, which includes hardware-based cryptography and certificate management for voice.

The AME 1000 incorporates a crypto chip and Apriva Voice software and gateway, together with NSA Suite B voice encryption on its ES400 enterprise smart phone, which operates on both CDMA and GSM networks. Motorola plans to expand it to the Android OS as well.

One of the biggest physical threats to mobile data is the risk of losing the device. “You’re mobile, and the loss of data is only as far away as a thoughtless moment,” Schluckbier said.

Mobile military

The military recognizes the value of mobile devices, not only for use “behind the wire” in headquarters and garrison environments but also “outside the wire” in field deployments where they can provide constant communications with data and situational analysis both to commanders and to front-line troops. Fielding these devices in a combat environment entails considerable risk, especially since it often entails use of non-military carrier networks. The military and intelligence communities are countering this by hardening the Android operating system and developing their own secure apps.

Still, “most of the security has to do with loss-of-device scenarios,” said Invincea’s Ghosh.



Most of these protections fall within device management and range from simple controls, such as requiring password access and encrypting file systems, to more complex abilities, such as remotely wiping a device that is unrecoverable.

“Today they use enterprise-issued devices,” Ghosh said of military and civilian government use. This traditionally has meant the BlackBerry, but the balance is shifting to the Android. “The range of applications available for BlackBerry is more limited. The federal workforce is very similar to the commercial; they want the latest in technology and they want to be able to use apps.”

Although hardened devices and operating systems are beginning to appear for government use, the bulk of the devices being used for work are consumer-grade, off-the-shelf phones and tablets that lack these security enhancements. And without secure devices, the current focus on mobile security will have to be on securing the data, security experts say.

“We are in the early days of the mobile security solution,” said Symantec’s Harrison, and the immediate goal is to be able to secure data — or at least avoid endangering it — on the devices.

“We have to have trusted users, trusted services and trusted platforms,” to ensure the security of data, said Unisys’ Cohn. But so far trusted identities have not been extended to mobile devices. Authentication still is based on website functionality developed for PCs, and there is little strong authentication for the mobile device and the device user that would ensure that information is being shared with the proper people under the proper circumstances.

Federal cyber strategy

The Obama administration’s National Strategy for Trusted Identities in Cyberspace envisions an identity ecosystem of commercial tools that could be adopted by government to achieve this goal. The ecosystem could allow the reuse of a limited number of credentials for many purposes, enabling the kind of strong but convenient authentication required for secure, widespread use of mobile computing. This system of shared, federated and widely trusted credentials does not yet exist on a large scale.

In the meantime, one method of mitigating the threat of mobile malware is to segregate system elements and functions so that code is less able to cross boundaries. Segregation also allows effective management of a device and the enforcement of policy. The ability to functionally separate enterprise from personal apps on the same device could allow personal devices to be more securely used in the workplace. Encrypted tunnels could be required for trusted enterprise apps, and access to file systems could be restricted to applications that are tagged for enterprise use.

Whitelisting — allowing only the installation of trusted applications on a device — also can help ensure that devices are operating securely.

Absolute security is impossible, however, and no amount of hardening, segregating or authenticating will completely eliminate the risks of mobile computing, especially in an environment that is developing so rapidly.

But don’t expect development to slow down to wait for security to catch up.

“Every major innovation in computing has come through a progress that was not managed coherently but was the result of independent effort from multiple players,” Cohn said. It is expensive to develop hardware and software that goes beyond the security that is “good enough for consumers,” he said, and demand for security will not direct the investment stream in the future.

“Maybe that is the price we pay for the fact that we allow innovation to occur.”
