Risk considerations for bring your own device in the business environment
Written by Sean Mancini
The trend
In the last 5 years the mobile computing industry has boomed. We have more power at our fingertips than ever before thanks to the smartphone era, yet only now have corporations and businesses started to adopt the trend of BYOD, or bring your own device. This trend makes a lot of economic sense to the business. For example, instead of purchasing new BlackBerrys for the entire sales force and in turn having to run an infrastructure to support them, such as BES (BlackBerry Enterprise Server), a company can now run a Microsoft Exchange environment, which it most likely already utilizes, and have the sales force use their own personal devices to connect to the Exchange server. They now have corporate email on their personal devices, which in turn frees up funds for the company because the devices did not have to be purchased.
The problem for I.T Support
While the company's board of directors may want to jump at the idea of this trend, the I.T. administrators are hitting their heads on their desks.
Questions will have to be answered at the I.T. level. For example, when all of the devices were purchased for company employees, they most likely ran the same operating system, e.g. BlackBerry OS, so when users had problems accessing email they contacted I.T. support, who were trained to support that operating system. If there are now many different devices, how will your I.T. department be ready to support them? Additional training will have to be done, which comes at a cost, and that cost should be part of the process of considering the adoption of this trend.
Software Governance
Another variable that companies should take into consideration is the software being installed on users' phones. For example, if a user installs an application that is licensed for non-commercial use but uses it for work purposes, this can lead to legal problems for the company.
Network Security
From a network security standpoint, bring your own device, if not prepared for properly, can lead to a disastrous outcome. Remember that in the business networks we have run traditionally, network and security administrators were tasked with the responsibility of keeping the systems secure based on policies that were developed. For example, system patches are announced by the operating system developers, the I.T. department analyzes the effect of each of these patches in a test environment, and when the outcome is satisfactory the patches and fixes are deployed to the production environment. Now we are relinquishing this control. How many end users have an antivirus on their mobile phones? How many end users have a password-protected phone? Recent studies suggest that the share of users who take advantage of these security basics, which we consider standard on our corporate devices, is in the single-digit percentages. If you look at today's mobile security practices, when the business has control of the devices we can make it mandatory to have a password-locked phone via policies on the network, or we can lock down certain features on the phone, such as web browsing or the installation of applications. By allowing employees to use their own devices we lose this control. As such, security practices will need to be adapted to accommodate these new variables, which are not as much in the control of the administrators as they previously were.
A mobile attack scenario
I have come up with a feasible mobile attack scenario, one that I think may very well be an attack we will see in the wild sooner rather than later.
Scenario:
The Target
ABC Company is a medium-size company that is on the verge of becoming a large company. The owners project that in the next 4 years they will have 20% more employees, bringing the total number of employees to just under 800.
The company has recently sent out a communication to its employees that they are now welcome to use their own cell phones instead of company-issued phones.
The adoption rate is an amazing 70 percent, which means around 560 employees are now using devices they own rather than the company's.
A survey is done by the I.T. department of ABC Company to see which operating systems they should create documentation for. They find 70% of devices are running Android, 20% are Apple iOS devices and 10% are BlackBerry devices; these numbers can be supported by trends in the market. All users who use their own devices will need to connect to the company Exchange server so they can receive emails when around the office or on the road.
The Attack
It's Monday morning around 8:30 am when an email comes in from an attacker, spoofed to look like it's from the I.T. department. The subject line is "please update your email application ASAP", and it carries an attachment, in this case specifically for an Android phone, telling the user to click the attachment and install the "update".
The users do so, the application installs and the users carry on. Each user has unknowingly installed an IRC client on his or her phone. Out of the 560 employees, 400 fall for the social engineering attack and install the malware on their phones. The malware forms a mesh and is programmed to have all the phones connect to an IRC server out on the internet, and since the phones are not on a VPN they are not subject to the company's internal network security policy, so the traffic reaches its destination without hassle. The IRC server sends a message back to the phones to select the phone with the highest MAC id to become a secondary IRC server and also selects 2 more phones to become IRC servers. It then instructs the other infected phones to attach to the primary IRC server located on one of the affected phones and to use the others as secondary servers. All of the other phones become zombie devices. The attacker now has access to 396 zombie phones, each of which has about as much system resources as a home desktop PC, and so has a "walking botnet" of mobile phones at his or her disposal which can now be used to attack ABC Company's infrastructure. With the power of almost 400 devices the attacker can wreak havoc on a network, especially when the traffic is coming from the company's own devices. The attacker can use the botnet, for example, to attack the Exchange server, since the information for the server was accessible via a compromised phone, and use the users' credentials to send out spam mail via the phones' mail application which can damage ABC company’s
Aftermath:
The attacker used the phones at their disposal to send spam messages containing malware to all of ABC Company's clients. Clients have started to complain about the malware they received and are starting to distrust working with ABC Company over web services such as email, as they are concerned for their internet safety.
The company's I.T. department is scrambling to get the infection under control, but since they don't have access to all devices this is a daunting and time-consuming task that is costly to the company. Where we would normally be able to initiate a remote wipe of the phones connected to our network, we have lost this ability.
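The delivery step of this scenario, an e-mail that claims to come from I.T. and carries an Android package, can be caught at the mail gateway. The following is an added example, not part of the original paper: a Python check that flags both traits, where the domain abc-company.example, the sample message and the function name inspect_message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "abc-company.example"  # assumption: placeholder internal mail domain
APK_MIME = "application/vnd.android.package-archive"

def inspect_message(raw, corp_domain=CORP_DOMAIN):
    """Return reasons to quarantine a message; an empty list means deliver."""
    msg = message_from_string(raw)
    reasons = []
    # Rule 1: the sender claims an internal address but DMARC did not pass.
    # Assumes Authentication-Results is stamped by our own gateway and any
    # copy supplied by the sender has been stripped.
    _, addr = parseaddr(msg.get("From", ""))
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if addr.lower().endswith("@" + corp_domain) and "dmarc=pass" not in auth:
        reasons.append("internal sender not authenticated")
    # Rule 2: any part that is an Android package, by MIME type or file name.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == APK_MIME or name.endswith(".apk"):
            reasons.append("android package attachment: " + (name or "unnamed"))
    return reasons

# Constructed sample modelled on the scenario's spoofed "I.T." e-mail.
SAMPLE = """\
From: IT Department <it@abc-company.example>
To: user@abc-company.example
Subject: please update your email application ASAP
Authentication-Results: mx.abc-company.example; spf=fail; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Click the attachment and install the update.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="MailUpdate.apk"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

if __name__ == "__main__":
    for reason in inspect_message(SAMPLE):
        print("QUARANTINE:", reason)
```

The file-name test matters because the sample declares the attachment as application/octet-stream, so a check on the MIME type alone would miss it.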
Solution and prevention
The solution to the issues with BYOD would be to adopt a strict policy for the use of personal devices on corporate networks, for example:
All users should be required to have antivirus software on their phones.
All users must have password protection on the phone.
The phone must not be rooted or jailbroken.
The user must not use applications that are for personal use only.
The user must report lost or stolen phones immediately.
The phone's MAC address should be recorded; this will allow administrators to ban the device from getting access to the LAN in the event of a security issue.
The phones should not be able to communicate with local resources unless connected through encrypted channels such as a VPN.
Phones should be checked periodically for mobile security policy breaches, and a user who breaches the security policy should lose the privilege of using their personal device for work purposes.
In conclusion
The conclusion from the above is that BYOD can be implemented in the workplace, but companies will need to consider all variables, construct strict security policies and invest in a sufficient security infrastructure in order for it to be successful. Companies' technical departments will have to evolve, as there are new security vectors that may not have been an issue before. As the malware trend is now on the incline for mobile operating systems, the malware landscape is becoming more vast and new challenges are being faced.
Paper written by Sean Mancini
March 2013
www.seanmancini.com