Organizations are very different now compared to the last five or 10 years. High-speed internet access and wireless devices has led to bring your own device (BYOD) acceptance becoming the norm. As a result, security organizations are faced with a unique issue they struggle to contain.
In this article, we’ll go over what devices infosec departments should have an eye on and how to tackle the challenge of BYOD head-on. For an expert’s perspective, we spoke to Georgia Weidman, founder of Shevirah, a mobile and IoT testing company.
The Problem With BYOD: Lack of Visibility
First, let’s identify the problem with BYOD. Because employees are connecting to an organization with owned laptops, mobile phones, and other wireless devices, security departments don’t have the kind of visibility they would with organization-owned devices.
However, Weidman notes that even with org-owned devices, the visibility problem associated with BYOD can still ring true. This is because devices can be issued with full permission and admin capabilities. Weidman explains that this allows employees to potentially install software that could be malicious or engage in risky behavior that could then compromise an organization’s network.
A recently exposed vulnerability of Sennheiser’s headset device highlights these potential risks. The headset required users to install a software that was discovered to be exploitable and could lead to Man-in-the-Middle (MITM) attacks. As headphones and headsets are a common office presence, it’s easy to see how this software vulnerability can impact an organization.
This isn’t an isolated incident - any device that connects through Wi-Fi, Bluetooth, or requires additional software presents a potential problem for an organization who doesn’t have a way to track that device or prevent unfettered access.
Devices Organizations Should Be Aware Of
Weidman highlights how issues with devices have always been a problem for security departments. She recalls how devices like printers were widely reported to have vulnerabilities, often without a patch or an update. Highlights of flaws among other popular devices are also a mainstay at major security events and conferences, turning attention to why visibility and device management is important.
As technology improved, the kinds of devices that security organizations should be aware of include:
- Mobile phones
- Employee-owned laptops
- Wireless accessories (keyboards, headsets)
- Bluetooth devices (such as smart watches, fitbits)
- Wireless speakers
- Voice-activated devices
- Webcams and conferencing devices
- IoT devices
Weidman mentions that any security considerations should also be extended to software and technology that’s in place on many of these devices. Not knowing whether an employee has unintentionally installed malicious software or apps on their phones or laptops is another example of poor visibility.
She also mentions that additional factors can make it difficult to take inventory effectively. Device details like device type, connection type, software version, operating system, installed apps, whether the device went to another country, and more are all considerations that can affect how a device may bring risk to an organization.
If these considerations feel overwhelming, that may be because you’re trying to tackle these problems on a case by case basis. When it comes to device management, Weidman encourages thinking long-term and from a big picture perspective.
“We don’t think about [security concerns] well enough or long enough. It’s about the next big thing.”
Rather than trying to face each device’s potential vulnerability head-on, it’s much more important to have the right security mindset to be well-equipped to handle potential problems as they arise.
How to Engage in Proper Device Management
There are a few fundamentals Weidman encourages for device management, detection, and risk mitigation.
Protect and Segment Your Network
Isolating devices from the main network is a good start in order to mitigate potential damage in case of a compromise. Otherwise, Weidman says that “if a device is hacked [on a flat network], it can start throwing exploits to other devices.” Network segmentation ensures both employees and new devices don’t have access to your organization’s most sensitive assets.
Awareness of your devices, whether employee or organization-owned can go a long way. If a new vulnerability is revealed or, worse, if your organization is exposed to an attack, just knowing what device is compromised (or can be compromised) can facilitate some quick action to minimize the damage to your organization.
For organization-owned devices given to employees, it’s important to ensure there are limits in place. Preventing admin access and limiting permissions are important to ensure employees aren’t installing problematic software or apps. As for employee-owned devices, mobile management software is available but employee adoption can be difficult. Here’s where awareness and security training can pay off.
By letting your employees know what the risks are, they may think twice before playing fast and loose on their devices and putting your organization at risk.
Proofing Your Organization for Device Risk
When it comes to device security, there are a lot of solutions, vendors, and software available. To make the decision that’s right for your organization. Weidman has some key tips.
Don’t Buy into the Marketing
Many vendors have large marketing budgets that overstate their offerings. Weidman points to the recent Starwood/Marriot hacks. “[These companies] have big security budgets but are still getting hacked. You have to take a step back when considering vendors. Just because they have a big marketing department doesn’t mean they’re effective.”
Know Your Needs
As is often the case, the best first step is to understand your risk profile to define what’s required from a new solution or vendor. As part of your due diligence, make sure it’s effective for your organization (and make sure it performs as advertised). For example, Weidman warns against mobile antivirus solutions. She explains that mobile apps are launched in sandboxed environments, so any scanning performed by a mobile antivirus is limited in its detection capabilities, making it largely ineffective.
Test, Test, Test
The best way to know whether something will work is to test it. Weidman encourages testing whenever possible and even encourages holding simulated bakeoffs, so vendors work on the same objective to obtain a contract. These test scenarios are especially important when trying to find the right solution for preventative measures against threats like social engineering.
Identify Your Priorities
Knowing how to secure an environment requires the right resource management. It’s easy to overspend on solutions and vendors that focus on a small issue that, if compromised, would cost less to fix. It’s also easy to overwhelm a department. Weidman notes how Neiman Marcus was famously hacked despite having a robust security environment in place. However, since it was understaffed, it succumbed to hackers.
When it comes to device and employee management, the right process is understanding your organization, your employees, and your needs. From there, you can engage in the right defense, and be prepared if the worst were to occur.
Looking to bolster your mobile security knowledge? The InfoSec World Conference & Expo has some great sessions covering the topic.