April 30, 2013

Understanding Typical Scope of BYOD Threats


New technological business trends are almost always about investment. First you pay money and after that, if you get lucky, you make your employees happier, achieve tighter security of business data or streamline the IT life of your company in some way. Unlike these trends, Bring Your Own Device is something that has come to life mostly by itself. Of course, a large number of hardware and software vendors now capitalize on this trend, but the real problem – and advantage – is that people are bringing their own hardware to work. Whether companies like this trend or not – they have to deal with it. Benefits of BYOD are obvious – companies save on hardware purchases and employees are happier with the devices they want. In this article we will focus on something that we know best: the threats that come with personal smartphones, laptops and tablets in your office space.

The scope of the problem

To better understand how badly things can go with personal hardware at work, here’s an example. Recently one of our clients used the Application Control feature of Kaspersky Lab’s corporate product to analyze what software is being used by its several thousand employees, and shared this data with us. These were standard endpoints: managed centrally, rules applied and anti-virus protection enabled. Of course, the company had certain, very strict, guidelines for approved software.

The results were quite disappointing. Violations of the policy were detected on half of the computers. A number of them were comparatively harmless, like the use of an “illegal” instant messenger or a game (such software impedes productivity, not security, in most cases). But examples of serious security violations were also found. Cloud storage software automatically uploaded business documents to someone’s (poorly protected) user account. Remote management tools, used for personal convenience, could penetrate the protected network perimeter from the outside. Well, you get the idea.

This is, again, what was found in the controlled environment of company-owned endpoints. What happens when the hardware and software are owned by a user? It is even worse. Among many aspects of information security, BYOD endangers businesses the most when employees unintentionally do inappropriate things on their devices, either company-owned or personal. Given the fact that there are over 200,000 new malicious programs appearing every day, and the number of targeted attacks against companies is growing, businesses find themselves in a very dangerous situation. At the same time, the majority of companies are not planning (or find it impossible) to completely block personal devices from accessing corporate data. To further understand how BYOD may harm corporate security, we have to look at traditional computers and modern devices like smartphones and tablets separately.

Laptops

Generic malware

This one looks quite obvious: all computers accessing a corporate network have to be protected from common threats like malware. What is important is that the methods of protection have to be the same for both corporate-sponsored and personal devices. Running different security solutions on different network nodes is the most probable cause of problems. Even sticking with a pre-installed consumer protection solution on a BYOD laptop is not the best option. All devices, company-owned and personal, have to be protected with a unified security solution and managed centrally. This will help to eliminate common cases when a poorly protected personal computer constantly attacks the entire corporate network – a problem which is typically hard to trace because the devices cannot be effectively controlled and monitored.

Dangerous legal software

While the previous point referred to blacklisted programs – clearly malicious ones – this is about whitelisted, or legal, software. Such software has to be controlled and be known to an IT department, helping to eliminate dangerous security breaches. In the typical corporate environment, this is achieved by limiting employees’ ability to install any additional programs outside of the company-approved list. For personal laptops this is not always possible. Instead, software installation and usage have to be controlled with a set of rules, where each program is categorized by certain criteria. Such a strategy helps to eliminate cases when an employee sends all corporate documents to a personal cloud-based service, which, if compromised, will put sensitive information in danger.

Targeted attacks

Personal devices may be the most vulnerable to targeted attacks utilizing methods like spear-phishing – that’s when a criminal sends a specially crafted e-mail to an employee, luring him or her into opening an attached document that will exploit a vulnerability in a certain piece of software. To better combat this complex problem, a number of criteria have to be met.

  • Modern, fully-featured anti-malware protection.
  • Efficient web anti-virus to detect and block dangerous web pages. Limiting access to certain web resources, like online games, during working hours will also help to improve productivity.
  • Control over the installed and used software (see the previous section), which also monitors software vulnerabilities. Regular updates for critically vulnerable software have to be enforced by a company policy.
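
The category-based software rules from the “Dangerous legal software” section, combined with the update enforcement from the last item above, can be sketched as a small inventory audit. This is an added example, not code from Kaspersky Lab’s product; the categories, program names, host names and version numbers are all constructed for illustration.

```python
from collections import namedtuple

# Constructed policy: software category -> (action, impact of a violation).
POLICY = {
    "pdf_reader":        ("allow", None),
    "instant_messenger": ("block", "productivity"),
    "game":              ("block", "productivity"),
    "cloud_storage":     ("block", "security"),
    "remote_admin":      ("block", "security"),
}
UNKNOWN = ("review", "security")  # uncategorized software goes to IT for review

# Constructed catalog: program -> (category, minimum patched version or None).
CATALOG = {
    "ExamplePDF":    ("pdf_reader", (11, 0, 2)),
    "ExampleChat":   ("instant_messenger", None),
    "ExampleSync":   ("cloud_storage", None),
    "ExampleRemote": ("remote_admin", None),
}
Finding = namedtuple("Finding", "host program impact reason")

def audit(inventory):
    """Check (host, program, version) rows against the category policy."""
    findings = []
    for host, program, version in inventory:
        category, min_version = CATALOG.get(program, (None, None))
        action, impact = POLICY.get(category, UNKNOWN)
        if action != "allow":
            findings.append(Finding(host, program, impact, f"{action} ({category or 'uncategorized'})"))
        elif min_version and tuple(map(int, version.split("."))) < min_version:
            findings.append(Finding(host, program, "security", "update required"))
    # Security-relevant findings first, then by host and program for a stable report.
    return sorted(findings, key=lambda f: (f.impact != "security", f.host, f.program))

# Constructed inventory covering company-owned and personal laptops.
INVENTORY = [
    ("corp-017", "ExampleChat", "4.2"),
    ("byod-003", "ExampleSync", "2.0.8"),
    ("byod-003", "ExamplePDF", "11.0.1"),
    ("byod-009", "ExampleRemote", "8.1"),
    ("byod-009", "ExamplePDF", "11.0.2"),
    ("byod-009", "UnlistedTool", "1.0"),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.impact:12} {f.host:9} {f.program:14} {f.reason}")
```

The same rule set is applied to company-owned and personal machines, and software that is allowed but below its minimum patched version is reported alongside the blocked categories.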

Device loss and theft

Unprotected business data stored on a personal laptop that gets lost at the airport or in a taxi is a typical nightmare of an IT department. A number of companies solve this by allowing employees to work only in the office on the approved PCs, with highly limited abilities to send data and disabled use of USB flash drives. Such an approach, in fact, will not work in a BYOD-driven company. Workers are using their own computers for better flexibility, but this should not mean worse security. The perfect solution for the problem of device loss is full or partial encryption of corporate data, enforced by a policy. In this case, even if a laptop or a USB drive has been stolen, it would not be possible to access data without knowing the password.

In the second part: Mobile threats and advice… To be continued.