BYOD – Risks and Mitigations

Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. This attracts and helps keep employees happy. At the same time, it saves a few bucks to the company as they may not need to procure new hardware. But BYOD implies that an employee can use his own device to access and use corporate resources.

This brings security risks to an organisation:

  • People outside the company can get access.  Access by company outsiders can happen due to devices being stolen or by people leaving the company.
  • Devices leave the company environment.  Devices brought outside the company offices are still carrying important information and may be used to access insecure networks elsewhere.
  • Devices might not be updated with the latest security patches.  BYOD devices might not be protected as extensively as the devices that are under direct control by the companies IT department.

 To limit the downside and keep possible damage to a minimum, it helps to:

  • Have a clear policy and rules to enforce it.  A well thought out policy about BYOD allows an organisation to set rules that everyone understands including the reasoning behind them, that is why they are needed.
  • Have an active mobile device management solution.  Even if there are no mobile devices owned by the company itself, there needs to be mobile device management to keep the company-controlled data and applications separated from the private ones.
  • Use strong authentication and encryption methods.  Strong authentication enables an organisation to identify and hold accountable the owners of stolen devices. Encryption can also keep communications and data safe from prying eyes.

BYOD allows a more fluid and flexible working environment. At the same time, it pokes the perimeter of a company with new security risks. In mitigating these, a strong cybersecurity policy and clear security controls must be implemented as we touched on in this article.


IT Practices That Put Enterprises at Risk

Many IT organizations are leaving their enterprises vulnerable to cybersecurity attacks because they overlook a number of simple tasks. Although no single solution or approach will keep organizations completely protected, there are some things to avoid so that IT teams can shore up their security posture and ensure continual improvement to match the advancing threat.

1. Using Old Printers: Surprisingly, office printers present three threat vectors. First, printers store images of documents. In addition, IT staffers often miss updates or news of exploitable office vulnerabilities. Tracking firmware updates and doing routine update checks is a great idea. If you can’t keep up with multiple vendor patches, make sure that you at least isolate printers on a separate VLAN with access limited to core protocols for printing. Finally, third-party vendor access can cause issues. Managed providers often have VPN credentials for enterprises to allow them access to perform maintenance and inventory. This is another gateway into your environment and is a third-party exposure that must be monitored. Limit their access as much as possible and require that access be handled via least privileged means.

2. Disregarding Alerts: The average enterprise generates nearly 2.7 billion actions from its security tools per month, according to a recent study from the Cloud Security Alliance (CSA). A tiny fraction of these are actual threats — less than 1 in a 100. Too many incoming alerts are creating a general sense of overload for anyone in IT. Cybersecurity practitioners must implement a better means of filtering, prioritizing, and correlating incidents. Executives should have a single platform for collecting data, identifying cyber attacks and tracking the resolution. This is the concept of active response — not only identifying threats, but being able to immediately respond to them as well.

3. Giving Away Admin Rights: Administrative rights arm malware and other unwanted applications with the authority needed to inflict damage to an enterprise. Forcing users to provide administrator credentials to deploy new applications tremendously cuts down threat exposure. This also creates an audit trail that lets security analysts rapidly identify issues, especially those that present signs of intrusion. Any form of administrator rights must come with a degree of risk analysis on behalf of the IT department. IT executives should consider what damage is possible if a user account is compromised, and what ripple effect would administrative rights have on secondary systems. Administrator access should be the exception, not the norm.

4. Ignoring Employee Apps: Do you really know what cloud services are being actively used in your network? Many organizations look the other direction when employees use social media and cloud services on their own. But the potential for an IT crisis can be quietly brewing as internal business users create their own IT infrastructure without any adherence to corporate policy. Monitoring cloud application connections can create increased visibility into unapproved software-as-a-service use, and limit the potential for a loss of intellectual property or sensitive information. Cloud access security broker solutions proxy outbound traffic to cloud applications and offer a detailed view into user behaviors.

5. Being Unprepared for Device Loss: Road warriors often fall victim to theft or accidentally leave a laptop or smartphone in a taxi, never to be seen again. This can be a non-event if the device is remotely managed and encrypted, but a major threat if the device contains unsecured sensitive data. IT administrators need to understand what data is being stored where. If it is anything sensitive, they should ensure that devices are properly encrypted and that remote access tools such as VPNs are in use and disabled in the event of a loss. Documenting that devices are encrypted and properly locked down will go a long way in the event of a data leak as well.

As cyberthreats have evolved, so has incident management. What hasn’t changed, unfortunately, is the need to address the simple and often tedious IT practices that, when ignored, can threaten enterprise security. From forgetting to revoke administrative privileges to providing third-party access to printers, the common cybersecurity challenges that enterprises face can be fixed, putting enterprises in the best position to address the current and evolving cyberthreat.

Seven Cyberactions for States

Nuclear site hackings, ransomware, and wiper attacks, along with other cyberstories from 2017 like ongoing attacks against the power grid, there are definitely some wider messages for all of organizations regarding needed protective actions.  What lessons can the public and private sector learn from recent events and to prepare for the future? Most experts believe that the worst is yet to come in cyberspace, so after providing a brief recap of top stories, I want to focus on seven actions that state and local governments need to be addressing right now.

1) Back to Basics  The government reports on recent cyberattacks described hackers writing targeted email messages containing fake resumes for control engineering jobs and sent them to the senior industrial control engineers. The fake resumes were Microsoft Word documents that were laced with malicious code to steal credentials and access. Also, the hackers compromised legitimate websites that they knew their victims frequented with malware — called a watering hole attack. In other cases, they deployed what are known as man-in-the-middle attacks in which they redirected their victims’ Internet traffic through their own machines. Security needs to be back to basics of “security blocking and tackling” for many, and consider even traditional cyberthreats, attacks that have been occurring for many years.

2) Do Your Homework — After understanding what threats are happening in these high-profile online attacks like WannaCry and NotPetya, we should ask ourselves what network alert tools we have to tell us about ongoing attacks? What cybermetrics are we compiling ? Do we have a dashboard? Also, do we have contacts with law enforcement and the Information Sharing & Analysis Centers (ISACs) in your industry?

3) Re-examine Critical Infrastructure Is Protected — Many of the recent attacks are specifically going after critical infrastructure. Do we know what data is most critical? Are you working with private-sector partners in these areas? Many industrial control systems are vulnerable to targeted cyber attacks and cyber espionage campaigns. However, because the systems were not designed with security in mind, they are largely unequipped to deal with these attacks. The first step we need to take is to review one of the available ICS Cyber Security Frameworks, e.g. the, ‘NIST Guide to Industrial Control Systems (ICS) Security’ or ‘CPNI — Security for Industrial Control Systems Framework.’ to assist in better understanding the challenges, requirements and responsibilities with regards to Governance, Risk, Managing ICS Life Cycle, Education and Skills, etc.

4) Cyber Assessments and Audits — One good place to start is with current audit findings and known security vulnerabilities, especially in areas such as patching known cybervulnerabilities for critical systems. Instead of fighting the auditors to win points, it is suggested to focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make your case. The framework includes five core functions: identify, protect, detect , respond and recover.

5) Partnerships — The theme of partnerships, especially in gaining actionable threat intelligence, is a constant theme but has never been more important than now with foreign nation-state attacks and the need for help rising globally. One of the new priorities in 2017 is addressing vulnerabilities in voting machines and registration databases. We should ask who are our partners in the public and private sector? Have we practiced responding to incidents together in cybertabletops? Who can you rely on in federal, state and local governments — including law enforcement? What vendors do you rely on?

6) Prepare for Ransomware or Not? — Addressing ransomware needs to be a priority, and the same cyberdefense tactics that are general best practices can help with ransomware. These actions include ensuring backups are performed and tested and other good cyberhygiene is applied enterprisewide. You should ask: What is your incident management plan? Are you ready for ongoing attacks, with clear levels of response? Also, examine your current plans for cyberpriorities and potential federal funding .

7) Cybertraining — Health IT News highlighted the importance of end-user training again this week . New attacks keep popping up using legacy apps. One of these is exploiting Powershell, or .LNK files to run malicious code and serve up ransomware including Locky. Then there’s the newfound threat inherent to PowerPoint that may run malicious code merely by hovering over a malicious URL with one’s mouse pointer. End users may not be thinking about background checks for detecting insider threats during the hiring process or even checking for resumes that are infected with malware. However, updated training can help in these related areas. Keep in mind that phishing and other social media attacks are evolving, so improved end user awareness training is a quick win — like in Missouri.

Amid all of these ongoing cyberheadaches, I never cease to be amazed by companies and governments that still say, “It won’t happen to us.” Or “We’re all set, we have a cyberprogram.” Yes, there have been many calls to government action on cybersecurity over the past decade, but the first half of 2017 shows that those calls were definitely needed. We need to walk away saying that it is time to act now on cyber, whatever their role.