Mobile and BYOD threats are exploding

Mobile devices, coupled with bring-your-own-device policies, create security challenges

The whole world, it seems, is going mobile. Smart phones, most of which are more powerful than the desktop and laptop computers of just a few years ago, are quickly becoming commonplace, and tablet PCs such as Apple’s iPad are the newest must-haves for business and government professionals.

And they have just as quickly become a security nightmare. For one thing, it seems many organizations don’t have a good idea of how many of these mobile devices are in the enterprise or where they are accessing the network.

When the SANS Institute did a recent survey of 500 IT professionals at various organizations, it found that only 9 percent of them felt they were completely aware of all the mobile devices that were accessing their enterprise infrastructure and applications. In total, less than half had a reasonable confidence about this.

Given that more than 60 percent of the organizations also said they allowed employees to bring their own devices to work and that these devices, applications, and their access are even harder to track and manage than company-owned devices, that makes for a scary scenario.

“Most people seem to have approached [bring your own device] with this idea that it’s going to save them a ton of money,” said Kevin Johnson, an industry security consultant, a senior instructor for SANS and author of the SANS Mobility/BYOD Security Survey report. “But no one’s actually sat down and asked what it means to them.”

Government agencies do have a lot more control of their own devices, he agreed, but with BYOD you have the scenario where someone has gotten a smart phone and then wants to use it in his or her workplace, but the controls are not in place to allow it.

“The focus just isn’t there yet,” Johnson said. “They just don’t take that stuff into account.”

Mobile policy best practices

• Think from a threat and controls perspective when establishing policies for your organization’s mobile environment.

• Assess the mobile devices already allowed and how they are managed.

• Identify the threats and vectors that might affect the security of the mobile device and the controls that are available to mitigate the risks.

• Use existing security policies as a guideline to help align mobile policies with the government-specific laws, regulations and standards with which your agency must comply.

• Research the capabilities of your mobile device and app environment, including all the controls that are available to manage security, permissions and risk.

• Determine the breadth and depth of the control settings, identify functions and features that are not enforceable, and address them with administrative policies and employee awareness.

• Consider how mobile policies can be tested and validated to ensure that they have been successfully implemented. If organizations permit the use of employee-owned devices, they typically do not have policies to address the issues regarding the lack of enforcement nor the capability to obtain the mobile device to perform forensics in the event of an investigation.

Source: SANS Mobility/BYOD Security Survey, March 2012

A large part of the problem with BYOD is not necessarily the speed with which it’s happened but that people can’t believe that organizations would allow it in the first place, said Daniel Nowak, lead security architect at Iron Bow Technologies.

The traditional response of the past two years is that policy won’t allow it, he said, “but reality trumps policy, and organizations are saving ridiculous amounts of money by allowing people to use their own devices, so the reality now is that BYOD is going forward.”

Technically, he pointed out, personal devices are just more endpoints on the network for security to deal with, but these devices are extremely immature. With other portable devices such as laptops, organizations have had a decade and more to deal with their security flaws and have enough mitigating controls in place to manage at least some of the risk.

But new devices such as Android smart phones and iPads are, in their natural state, completely untrustworthy and insecure devices, “yet they are nevertheless given access to the organization’s data,” Nowak said.

In the absence of a full mobile security policy, here are things that can be done to lessen the risks involved with mobility and BYOD, though none of them are ideal:

• Change the architecture of the network to better control access, perhaps by setting up a separate area that all these devices have to flow into and where enhanced security technologies such as deep packet inspection and flow control tools can be sited. That way, organizations will have a much better chance of detecting malware on BYOD systems.

• Use the Media Access Control address and system profile of the device to at least determine who is accessing the network. It doesn’t secure the device itself, but it does enable fairly close monitoring of who is accessing or trying to access the network.

• Assume zero trust of the devices and instead control their access to any applications that are internal to the organization. That can be a pain to set up and manage, but it gets around the notion of having to place any kind of trust in the mobile system itself.

Government has at least started trying to get a handle on the problems of mobile devices and BYOD. In May, the Defense Department set out its visions and main goals for using mobile devices, putting its focus on three areas: wireless infrastructure, the mobile device itself and mobile applications. It will all lead eventually to what Teri Takai, DOD’s CIO, called a common vision and approach for mobile IT.

The next step will be development of a plan for implementing the strategy laid out in the May document.

On the civilian side, in June, the Department of Homeland Security was reportedly reviewing versions of a mobile reference architecture that, when finalized, will focus more on securing the data that will be accessed by mobile devices rather than the device itself.

About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please email us at [email protected]