The “Rabbott” and I have been talking about the subject of BYOD so I thought I would share here. I am not sure why everyone is calling this a new problem – it has been around for years – even before mobile phones. How many of you are old enough to remember when floppies became “standard”? I am. How many of you remember the introduction of USB Drives? I am. I could go on and on and on – boy do I feel old.
What did each new technology have in common? They introduced new risks into the threat landscape. We now had to worry about loss of data (being copied) and the introduction of malware via the device. They have all become commonplace, and technical solutions (encryption, DLP, write blocking, etc.) are available if a company chooses to implement them. My slant on this is that if you protect the data it doesn’t matter where it lives – hard drive, USB, etc. If it is encrypted it can be stored anywhere.
That is a fine solution for storage-only devices, but with phones/tablets it’s a little different because they offer so much more than just data storage – they are, as the name implies, getting smarter with each new release. Furthermore, they have more than one network path at the same time, cellular (3G/4G) as well as Wi-Fi, and any combination thereof, so data can leave over a channel the company does not control or inspect, the same problem we frown on as split tunneling in VPN setups. Not to mention, the marketplace is very fragmented, with several versions of each of the popular platforms (Android, iOS, BlackBerry), which makes the question of what should be allowed even more complicated. As seen while attending DerbyCon (great conference), these devices are at times (depending on what is installed, the version running, etc.) very easy to “hack” and allow a remote attacker to become root on the device. Once rooted, it is harder to trust any application/data stored on the phone/tablet, as everything has the potential to be compromised at that point. For those security items that can’t be directly compromised (like the third-party apps used to protect corporate email), it would be easy for a root user to install a keylogger and steal the credentials. So this muddies the waters a bit when we, as security practitioners, are asked to support them.
As with any other item that introduces risk into the equation, we have to weigh the risk against the reward. Being mobile is a very big reward. Personally, I am on the fence about the subject when you start including phones/tablets in the BYOD mix. On one hand I worry about the security, but on the other hand I really like the freedom of not being chained to my computer. Things I think help minimize the risk (you should do them even if your company doesn’t):
1. Encrypt the phone/tablet
2. Use a strong password to log into the phone/tablet (not a PIN and not a pattern). Lock it any time you aren’t using it.
3. Turn off any/all debugging (USB debugging and developer options on Android, for example); a debug bridge left on is a way around the lock screen for anyone who gets physical access.
4. Install an application that will scan apps as they are installed (not the best but better than nothing)
5. Implement a “find my phone” option.
6. Implement a remote wipe command – for both the device and the app.
7. Use a password-protected sandbox for work email.
8. Limit corporate assets on mobile devices to email. Encrypt sensitive emails (even if that means they can’t be read on the mobile device).
9. Only install apps from trusted sources (even that is not 100%) and be intelligent about what you allow the apps to do (permissions).
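Several items on that list (encryption, debugging off, app scanning, trusted sources only) can be checked on an Android device from a laptop over adb. The script below is an added example written for this page, not something from the original post. It assumes adb is installed, a device is attached, and that the Android property and setting names it reads (ro.crypto.state, adb_enabled, development_settings_enabled, install_non_market_apps, package_verifier_enable) are present on the build; which ones exist varies by OS version, so a setting that reads back as null is reported UNKNOWN rather than assumed safe. The --sample mode runs the same verdict logic over constructed readings so it can be tried without a phone.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Android device over
# adb against the BYOD list above. Assumes adb is on PATH and one device is
# attached. Setting names are real Android keys but not all exist on every
# build, so "null" readings become UNKNOWN rather than PASS.

# Map one (key, value) reading to a verdict: PASS, FAIL or UNKNOWN.
# Kept free of adb calls so the logic can be exercised offline.
judge() {
    key=$1; value=$2
    case "$key" in
        ro.crypto.state)                    # getprop: device encryption state
            case "$value" in
                encrypted)   echo PASS ;;
                unencrypted) echo FAIL ;;
                *)           echo UNKNOWN ;;
            esac ;;
        adb_enabled|development_settings_enabled|install_non_market_apps)
            # 1 means the risky feature (debugging, dev options, sideloading) is on
            case "$value" in
                0) echo PASS ;;
                1) echo FAIL ;;
                *) echo UNKNOWN ;;
            esac ;;
        package_verifier_enable)            # 1 means app verification is on
            case "$value" in
                1) echo PASS ;;
                0) echo FAIL ;;
                *) echo UNKNOWN ;;
            esac ;;
        *) echo UNKNOWN ;;
    esac
}

# Read values from the attached device; adb output may carry a trailing CR.
read_prop()    { adb shell getprop "$1" | tr -d '\r'; }
read_setting() { adb shell settings get "$1" "$2" | tr -d '\r'; }

# Judge each "key=value" argument, print one line per item on stderr,
# and print the number of FAIL verdicts on stdout.
count_fails() {
    fails=0
    for pair in "$@"; do
        key=${pair%%=*}; value=${pair#*=}
        verdict=$(judge "$key" "$value")
        printf '%-8s %-30s %s\n' "$verdict" "$key" "$value" >&2
        if [ "$verdict" = FAIL ]; then fails=$((fails + 1)); fi
    done
    echo "$fails"
}

# Live audit of the attached device.
audit_device() {
    count_fails \
        "ro.crypto.state=$(read_prop ro.crypto.state)" \
        "adb_enabled=$(read_setting global adb_enabled)" \
        "development_settings_enabled=$(read_setting global development_settings_enabled)" \
        "install_non_market_apps=$(read_setting secure install_non_market_apps)" \
        "package_verifier_enable=$(read_setting global package_verifier_enable)"
}

# Constructed sample readings (not from a real device): encrypted, but USB
# debugging and developer options left on, and no verifier setting present.
audit_sample() {
    count_fails \
        "ro.crypto.state=encrypted" \
        "adb_enabled=1" \
        "development_settings_enabled=1" \
        "install_non_market_apps=0" \
        "package_verifier_enable=null"
}

case "${1:-}" in
    --live)   audit_device ;;
    --sample) audit_sample ;;
esac
```

Run it as `sh byod-audit.sh --live` with the device attached (adb can only talk to the device while USB debugging is on, so turn it back off when the audit is done, per item 3), or `sh byod-audit.sh --sample` to see the verdicts on the constructed readings; the sample reports two FAILs. The per-item lines go to stderr and the FAIL count to stdout, so the count can be consumed by whatever wraps the script.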