
BYOD - convenience versus security





The widespread use of the Bring Your Own Device strategy (BYOD, the use of personal devices for business purposes) in all areas of activity speeds up business processes, gives almost instant access to current information and simplifies communication with colleagues. Alongside this apparent convenience and employee mobility come many information security problems and risks, which are discussed in this article.



Many modern companies need to find a balance between employee mobility and the information security of the business, which means solving a number of new tasks: managing personal devices efficiently and ensuring that they are used safely.


Personal laptops



Using personal laptops for business purposes, or as an auxiliary device, is a fairly common practice. Nevertheless, it is one of the main headaches of IT and information security departments: the device may contain critical data or access credentials for corporate network resources, e-mail and so on. For obvious reasons, it is extremely difficult to control the contents of such devices and ensure their full protection; any such control is advisory in nature at best. There are companies whose security policy strictly prescribes the rules for using personal equipment, or bans its use outright, yet for the sake of convenience many employees ignore these rules despite administrative or other measures. Personal devices may be the most vulnerable to targeted attacks. It is much easier for attackers to go after a “lonely” laptop, using one attack or method of influence or another, than a device that is under the control of specialists and is set up and maintained with proper security measures.



Another problem with “home” devices is that in most cases their users work with local administrator rights, which makes it easier to deliver malicious code to these devices, for example through social engineering attacks.



Everyone has heard about regular data backups, but in practice the picture is rather sad: if there is no standard or regulation governing these processes, the device user thinks about backups very rarely, and makes them even less often.



A typical IT nightmare is unprotected information stored on a personal laptop that can be lost at the airport or in a taxi. Many people believe that a login password provides adequate protection, and regard data encryption as something out of spy movies.



Smartphones



Modern smartphones and tablets differ less and less from PCs in terms of the corporate data stored on them. Access to e-mail, corporate documents, specialized services, business contacts and calendars, notes, plans and schedules: an attacker can obtain all this and much more by taking possession of such a device, or by gaining access to it.



A huge risk factor in the event of loss or theft of a device is the inability to instantly notify those responsible, or block access to the device.



Smartphones and tablets are also more susceptible to Man-in-the-Middle attacks, since it is very difficult to control the radio environment along the route of the smartphone owner, and it is quite easy to get a mobile device to connect to a “known” access point. Once the device has connected to such an access point, in most cases without the owner's knowledge or consent, traffic can be intercepted and altered, or the device itself attacked directly (in the case of Android, special Metasploit Framework modules exist for this).



In the case of Android devices, there is also a high probability of infection by one piece of malware or another. This is due not only to the fact that such devices are the most widely used, but also to the alarming growth in the number of vulnerabilities in devices running this OS.



In the case of rooted / jailbroken devices, the risk of data loss or theft is higher still: applications are installed from unknown sources and run with unlimited, poorly controlled rights, while most users do not read the warnings and approve almost any request from an application.



Cloud storage



Cloud technologies offer more features and convenience for accessing corporate data, but at the same time they increase the risk of data leakage or theft.



This is due to unregulated network access, the rather weak password practices of most users, and poor preparedness for targeted attacks that use social engineering vectors.



Moreover, the native cloud storage services of personal mobile devices (Gmail, iCloud, OneDrive, etc.) are outside the control of IT and information security departments and can, with high probability, be compromised by attackers.



Security Solutions



If you can’t stop using personal mobile devices, you must include these devices in the company's security policies:



MDM implementation



If a portable device belongs to the company, it is easier and more efficient to protect it using the generally accepted global BYOD protection practices. On corporate mobile devices, personal and professional data are mixed only to a small degree; therefore, some restrictions on the user's freedom of action are justified and appropriate. In this case, the balance is shifted towards data protection rather than ease of use. For these purposes, you can use both specialized devices (BlackBerry) and dedicated preventive measures against leaks.



A device safety plan is required, including the following steps:



All of the above measures can be applied using Mobile Device Management (MDM) class systems that allow you to remotely (centrally) manage multiple mobile devices, whether they are devices provided to employees by a company or employees' own devices. Mobile device management typically includes features such as remotely updating security policies (without connecting to the corporate network), distributing applications and data, and configuration management to provide all devices with the necessary resources. MDM solutions are one of the means of implementing an organization’s information security policy and, like any other tool, are effective when used as intended and properly configured.



However, this solution is not a panacea for all threats. Because a device can be controlled remotely only while it has a network connection, devices remain vulnerable to physical attacks (with the data network disconnected, or by copying memory) that clone the data for analysis in specialized environments or extract and possibly decrypt it. Therefore, only strict control over access and over what data is held on a portable device can reduce the risk of leakage or theft of critical data, or of access to it.
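The risk factors named in this article, applied as an MDM-style posture check over device inventory records (an added example, not part of the original article; the field names, thresholds, blocking rules and sample records are all constructed assumptions):

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy values (assumptions, not taken from the article).
MAX_BACKUP_AGE = timedelta(days=7)
MAX_CHECKIN_AGE = timedelta(hours=24)
BLOCKING = {"NO_ENCRYPTION", "ROOTED", "STALE_CHECKIN"}

def posture_findings(dev, now):
    """Return finding codes for one inventory record (hypothetical schema)."""
    found = []
    if not dev["storage_encrypted"]:        # login password alone is not enough
        found.append("NO_ENCRYPTION")
    if dev["user_is_local_admin"]:          # eases delivery of malicious code
        found.append("LOCAL_ADMIN")
    if dev["rooted_or_jailbroken"]:
        found.append("ROOTED")
    if dev["unknown_sources_enabled"]:
        found.append("UNKNOWN_SOURCES")
    if dev["last_backup"] is None or now - dev["last_backup"] > MAX_BACKUP_AGE:
        found.append("STALE_BACKUP")
    # MDM caveat: remote lock or wipe only reaches a device that is online.
    if now - dev["last_checkin"] > MAX_CHECKIN_AGE:
        found.append("STALE_CHECKIN")
    return found

def access_decision(dev, now):
    """Map findings to allow / remediate / block for corporate resources."""
    found = posture_findings(dev, now)
    if not found:
        return "allow", found
    return ("block" if BLOCKING & set(found) else "remediate"), found

def record(dev_id, enc, admin, rooted, unknown, backup_age, checkin_age, now):
    """Build one constructed sample record."""
    return {"id": dev_id, "storage_encrypted": enc, "user_is_local_admin": admin,
            "rooted_or_jailbroken": rooted, "unknown_sources_enabled": unknown,
            "last_backup": None if backup_age is None else now - backup_age,
            "last_checkin": now - checkin_age}

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed for repeatability
INVENTORY = [  # constructed sample data
    record("laptop-01", True, True, False, False, timedelta(days=2), timedelta(hours=1), NOW),
    record("phone-02", True, False, True, True, timedelta(days=1), timedelta(hours=2), NOW),
    record("phone-03", True, False, False, False, timedelta(days=1), timedelta(days=5), NOW),
    record("laptop-04", True, False, False, False, timedelta(days=1), timedelta(hours=3), NOW),
    record("laptop-05", False, False, False, False, None, timedelta(hours=1), NOW),
]

def evaluate(inventory, now):
    return {dev["id"]: access_decision(dev, now) for dev in inventory}
```

A device that has not checked in recently is blocked rather than trusted, since a lock or wipe command queued for it may never arrive.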

Source: https://habr.com/ru/post/281463/


