May 6, 2013

Understanding the typical scope of BYOD Threats: Part Two


Continued from Part I

Smartphones and Tablets

Smartphones and tablets are no different from PCs in terms of the amount of corporate data stored on them. E-mail access, corporate documents, business contacts – it’s all there. The volume of threats for mobile devices is less than that of traditional computers, but it’s catching up quickly: every month in 2012 we detected more than 3,000 new malicious programs for Android. The situation for Apple iOS devices is different, since the platform’s closely controlled environment, for now, eliminates the threat of malware (except in cases where malware-like programs appear in the official App Store). But this does not mean that iPhones and iPads are the best option for a BYOD program, security-wise. All devices are prone to data loss as a result of device theft and/or inappropriate use of legal software such as cloud storage.

Given this, the problems of generic malware, dangerous legal software and device loss that we have discussed in relation to traditional laptops are relevant to mobile devices as well. Especially relevant is the device loss and theft problem, since there is a much greater chance of your smartphone being stolen than your laptop. In fact, anti-theft protection for smartphones is as important as anti-malware protection. Fortunately, for now there is a low chance of targeted attacks on smartphones: cybercrime is not yet ready to utilize exploits in Android or iOS devices to steal data. But Kaspersky Lab’s research shows that Android devices are now being targeted with social engineering techniques and malware. There are a few unique quirks in BYOD threats for mobile devices as well.

Rooted/jailbroken devices

Rooted Android smartphones or jailbroken iPhones or iPads are basically mobile computers with no limits: the owner may install, delete or modify any program or even a core part of the operating system. This means that all the controls and protections a company enforces as a condition of access to corporate data may be bypassed. If such a device gets infected, the malware will also get full access to all the device’s features and data. Therefore, rooted devices should not be allowed to access sensitive data at all.

Enhanced anti-theft protection

Since mobile devices are more prone to theft and loss, it is important to protect the data stored on them with additional methods. The first method is the same for all devices: encryption. All corporate data has to be encrypted, and therefore unreachable for thieves or spies. The second method provides the ability to remotely block or wipe the smartphone in case it has been lost or stolen. An employee has to notify the IT department as soon as possible that the device has been lost; after that, a special command will be sent to block it or delete all important data. It should also be possible to locate the lost device, keeping in mind that the implementation of anti-theft protection differs between platforms as well.

Conclusions and advice

The main idea behind proper BYOD security is that personal devices have to be treated in the same manner as company-owned devices. Likewise, laptops and smartphones being used outside of the company perimeter have to be protected just like those behind the firewalls and network protection solutions in the office. Some traditional methods are not applicable anymore, like, for example, web control enforced centrally for the corporate network only. An IT department has to keep in mind that in the modern environment employees will work with corporate data anywhere they want, on a variety of devices. What has to be done is proper control of software and apps, web and e-mail as well as protection from malware and loss/theft using modern methods. To recap, here is the list of solutions:

  • Automatically enforced security policy. Company rules are inefficient if they are just printed and signed by employees. A worker should not have to decide whether a certain app or website is appropriate, restricted or plain dangerous. He or she is usually not an expert in this. Automated control of software, devices and web is the only solution to prevent accidental loss of data.
  • Inventory. The IT department has to know exactly which devices are allowed certain privileges to access corporate data, and be able to revoke the access rights or block the device completely.
  • Beyond anti-malware. When talking about protection from threats, effective, industry-leading anti-malware protection is a must, but it alone cannot guarantee security. While a traditional anti-virus engine is fine with generic viruses and Trojans, targeted attacks require more sophisticated techniques. Among them are solutions designed to directly combat new and unknown exploits, vulnerability assessment tools and frameworks that will automatically install and control software and push updates for critically vulnerable applications.
  • Mobile Device Management. A security policy has to be enforced on all devices, regardless of platform, and traditional business security suites are not capable of applying the rules and security features for smartphones and tablets. Modern mobile platforms like Android and iOS do have to be supported, and managed centrally just like traditional laptops.
  • Further protection of data using encryption. It reduces the chance of sensitive data loss even in a case where a personal device was compromised or stolen.
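
As an added illustration (not code from the original article or from any Kaspersky product), the sketch below shows what an automatically enforced access decision could look like when it is driven by a device inventory. The field names, device IDs and action names are hypothetical, and the rooted and encryption flags are assumed to be reported by a management agent on the device.

```python
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    platform: str
    rooted: bool           # rooted (Android) or jailbroken (iOS)
    encrypted: bool        # corporate data on the device is encrypted
    reported_lost: bool    # employee has notified IT of loss or theft
    revoked: bool = False  # IT has revoked this device's access rights

# Constructed sample inventory; every record here is made up for the example.
INVENTORY = {d.device_id: d for d in [
    Device("and-001", "android", rooted=False, encrypted=True, reported_lost=False),
    Device("and-002", "android", rooted=True, encrypted=True, reported_lost=False),
    Device("ios-003", "ios", rooted=False, encrypted=True, reported_lost=True),
    Device("ios-004", "ios", rooted=False, encrypted=False, reported_lost=False),
]}

def evaluate(device_id, sensitive):
    """Return (decision, actions, reasons) for one access request.

    sensitive: True when the requested resource is sensitive corporate data.
    """
    dev = INVENTORY.get(device_id)
    if dev is None:
        # Inventory rule: only known devices get any privileges.
        return "deny", [], ["device not in inventory"]
    if dev.reported_lost:
        # Anti-theft rule: deny and queue the remote block/wipe commands.
        return "deny", ["remote_block", "remote_wipe"], ["reported lost or stolen"]
    reasons = []
    if dev.revoked:
        reasons.append("access revoked by IT")
    if not dev.encrypted:
        reasons.append("corporate data not encrypted")
    if dev.rooted and sensitive:
        # The article's rule: no sensitive data on rooted/jailbroken devices.
        reasons.append("rooted/jailbroken device requesting sensitive data")
    return ("deny" if reasons else "allow"), [], reasons

if __name__ == "__main__":
    for dev_id in ["and-001", "and-002", "ios-003", "ios-004", "unknown-9"]:
        print(dev_id, evaluate(dev_id, sensitive=True))
```

Allowing a rooted device to reach non-sensitive resources is a choice made for this example; the article only states that such devices must not access sensitive data.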
