The hottest IT trend in the workplace right now is definitely BYOD: Bring Your Own Device. This is popular with employees who regard it as a convenient way to read private e-mail and to browse to (work-unrelated) sites at the office, and moreover as a way to work for their employer on a device they know really well. The BYOD trend is also welcomed by many employers as they think it saves them money on hardware, software, and on training to operate the device. The same trend can also be seen in schools: the call to use the latest hardware is easily accommodated by allowing students to bring their own devices into school and allowing these devices access to the network. But it’s far from clear whether these assumptions of increased convenience and/or financial advantage in terms of reduced costs are really justified.
According to a 2012 British Telecom Survey, 60% of employees say they are already allowed to connect their own devices to the company network, and the figure is expected to reach 82% within two years. In an ESET Harris survey of employed adults in the U.S. last year, 80% said they use some kind of personally-owned electronic device for work-related functions. While power users and employees in IT departments have led the trend, senior management and the Board have been following hard on their heels and are using their own devices on the corporate network, yet BT found only 25% of them are aware of the significant security risks of BYOD. Here are the stats by country:
Of course there are advantages to BYOD. In most cases the devices are small and lightweight, easy to transport, have a battery life normally lasting a full workday, and are much cheaper than a laptop to buy – especially if the initial outlay is funded by the employee rather than the company. The employees are likely to be more adept at using and working with their own devices, so they do not have to get used to a new device or environment and need little or no training.
But of course there are many disadvantages to this: it is difficult – if not impossible – to manage the content and configuration of the devices. Updating is typically done via the manufacturer, bypassing corporate QA and often relying on a third-party manufacturer to decide when and whether to apply updates and upgrades.
Devices are difficult to protect and outbound traffic is difficult – if not impossible – to monitor. Using different applications at the same time (multi-tasking) may be limited and many corporate-supported plug-ins (Flash, Silverlight, etc.) are often not supported. Furthermore, the applications for the different devices are not interchangeable, so that work created on one device may not be useable on, or even transferable to, another.
It is also very unlikely that VPN Client software will exist for all the different personal devices that might be used by employees within a single enterprise. Although corporate/sensitive data should never leave the corporate network, especially when no VPN software is available for the device, the risk of employees copying such data onto the device to have access to it while not in the office reveals the biggest disadvantage: risk of theft. As the devices are usually small, they are easily stolen (and easily lost). If the device contains corporate/sensitive data, it is a small step towards the information being stolen and misused.
And for the future, there is the question of how devices will handle IPv6 (if at all). IPv6 is coming fast, yet the number of devices that support IPv6 is still rather low.
The sheer range of different devices that can be brought into networks can bring about considerable complexity as regards the potential of the device for both functionality and compromise.
Some of the risks are more obvious than others. If we just look at smartphones for example, there are many features that can “assist” a user once the device is connected to a USB port of the desktop. The connected device can serve as:
Other devices have less obvious “features”. Some people like to take these kinds of devices into their working environment so as to make it feel more like home. Psychologically, a picture playing device may be useful… Or not…
Some picture-playing devices may have additional features, for example Sony’s Personal Internet Viewer can, besides displaying pictures stored in local memory, also display pictures and movies stored on mass-media that can be connected to or inserted into the mass-storage port.
These devices often have a small operating system using commonly available libraries. If these libraries contain potential security holes, it may be possible to take over control of the device using specially crafted pictures. As the device is on the network, the possibilities there are endless (and worrying). Traversing the network, it may try to find open shares with access to interesting data, it may set up a backdoor, or start to serve as a small C&C server, a spam center, and so on. And of course, as there is often no anti-malware available for the device, this may go unnoticed (although good network monitoring tools should catch this unauthorized activity on a corporate network).
Lots of applications connect to the Internet, most often for innocent purposes such as retrieving details of the weather or (pre)viewing e-mail in the inbox. These communications are usually carried as plain text, so tools like Wireshark are able to view all the details (including passwords), which opens the door to misuse of this information.
But devices that are able to connect to the Internet may also have the ability to run an application like Wireshark themselves, storing all (or selected) corporate communications on the device to be taken outside of the corporate perimeter.
Even if you have validated the device as being completely secure, and confirmed that there is no scope for wrongful or inappropriate actions to be taken on or by the device, there may be a firmware update or operating system that brings new (undesirable) features to the device.
These features can’t be foreseen but can be catastrophic in their implications for security. It is possible that mobile devices will start to use the now oh-so-popular public cloud. What if the device, for your convenience, is synchronizing all its data content automatically with the cloud? A nice feature if the device is broken or stolen and you want your replacement device to be identical and to have the same content as was present at the time the other device was lost or broken, but not so nice if the data is now accessible to a thief. Even if the device is PIN- or password-protected, some forensic software (and less legitimate code) is capable of gaining access in no time (by some form of jailbreaking, for example).
It is impossible for a corporate security team to know about all the new features introduced in all new operating systems, applications or firmware for all devices. From a security point of view, one is normally well-advised to make sure the latest updates, patches and firmware are installed, but this may not be feasible for devices where the corporate IT team (still more so a team to which corporate IT is outsourced) is not completely (or at all) familiar with the operation of the device and the software that runs on it.
A model to better facilitate the aims and goals of corporate IT (either internal or outsourced) is the CYOD (Choose Your Own Device) model. Employees that want to use a personal device on the corporate network or for corporate functions can choose their device from a set of devices which has been pre-selected by IT. These devices are by definition “known entities,” selected because they can be managed, the output of their applications is known to be compatible, patches and updates are available in a timely manner, and all corporate security standards and policies can be enforced.
Employees that do not want to use a device from a given set, or prefer to use their own device, will have to accept that they cannot get access to the corporate network or corporate functions from unapproved devices. At the same time, such employees should be educated on “Security at Work” guidelines and reminded that they do not own the corporate network. If there ever was a time that devices could be “safely” connected without any implications, it has now passed.
Another problem that falls under the BYOD model is that of employees without a company-managed laptop who, from time to time, work from home on their own computer or are on the road accessing the corporate network from an Internet café or a public Internet connection in an airport or hotel. The state of these systems is unknown and you cannot really trust the state of the operating system on them. It may well be that someone else has used the system to browse to an “interesting” site and ended up with a backdoor on the system, a backdoor that persists and is still present at the time the employee starts to use the computer in good faith.
Windows 8 includes a new feature called “Windows To Go” that allows corporate entities to create a full corporate environment including applications and utilities, booting from a USB drive. After the system has booted from the USB device, all corporate standards, policies and management tools are effective and enforced. This can make an employee’s device as safe as any corporate desktop PC.
Windows To Go also comes with a few security precautions. To prevent a potential data leakage, if the USB key is removed, running processes will be frozen. If the USB key is inserted again within 60 seconds, the system will continue to work; otherwise it will perform a shutdown of Windows To Go to prevent sensitive data remaining displayed on the screen or stored in the memory. A Windows To Go USB key can also be protected by BitLocker.
Does “Windows To Go” mean that you are running no risk when your employee’s personal device is booted from the USB device?
No, there still is a risk. Assuming that the Windows To Go environment has been set up correctly, so that a VPN is established to the office tunneling all communications, there is still the problem of the uncontrolled Internet itself. While the corporate network is protected by a firewall, the personal device can also be used in unsafe environments, introducing other risks of compromise and infection. But of course that is not different to the case of other corporate devices that leave the safe perimeter of the corporate network, such as a laptop that is connecting to the Internet in a hotel or at a hotspot.
For anyone thinking that BYOD is a problem for the (near) future rather than right now, here is your wake-up call: the future is already here, including all the attendant risks. It is almost impossible to prevent people from bringing all kinds of devices into the workplace, short of the physical measures associated with state security agency buildings. Even wristwatches with cell-phone functionality (including Internet access and a USB-port) already exist. It is time for organizations to take BYOD seriously and re-engineer corporate policies around it. Integrating Mobile Device Management (MDM) inside your corporate IT Management protocols is a must. Otherwise, sooner rather than later you will find your corporate data exposed and misused. By moving to a CYOD model, where the different devices that are allowed access on the corporate network can be managed by corporate IT, the risk can be minimized to acceptable levels while still offering employees a degree of flexibility over the devices they use.
Author Righard Zwienenberg, ESET