Let's Ban BYOD: Redux

My recent post calling for a temporary ban on BYOD programs until we figure out how to control and manage them better caused a surprising [at least to me] uproar and aptly illustrates a serious problem in the cyber-security space right now.

There is tremendous cyber-risk to all businesses now, and a rapidly growing set of threats from an array of actors whose presence we hadn’t contemplated even as recently as last year. There are tons of vendors attacking each vector with a point solution that in theory makes sense and that holds tremendous appeal on the basis of its individual promise.

There are a lot of people who have been around the information security space for a while who are very concerned that we are losing our grip on any possibility of containing the threats, and a large group of people who have entered the space recently who actually believe the marketing promise for most of these new products. In addition, many of the same people think that all you need to do is implement the technology and the problem [whatever it might be] magically disappears.

There were over 400 product vendors at the most recent RSA conference, many of which had raised in aggregate over $60 billion over the last three years. In the third quarter of this year alone, there were 5 deals of $50M+, and 10 deals between $25M and $50M, with a total funding volume of $1.3B across 80 deals, a record number of deals and the second largest funding volume since 2010; fundraising volume this YTD has already exceeded all of 2015.

We have lots of money chasing a holy grail that doesn’t exist. With all of these start-up product technologies, we haven’t even come close to thwarting the majority of threats. Why? Because most of them start and end with people.

Even if we were to somehow be able to create a single solution that solved today’s big cyber-security problem, the attackers would not just decide to stop farting around, pack their things, admit defeat, throw down their weapons and go home. And even if we were able to achieve through technology a lasting success against the majority of threats, who would it be that would configure, implement, manage, tune, optimize, maintain, monitor for, respond to and remediate the minority of threats that became successful breaches?

Of the $1.3 billion invested this year, exactly zero was invested in service companies. So, no one.

That “Please, No More BYOD” post accumulated a few thousand views in 5 days and of those who commented, 80% had something positive to say in support of the basic premise and 85% forwarded the post to their networks. Interestingly, of the positive responses, the job titles were mostly people who had responsibility for the defense of the enterprise and ranged from lawyers, to safety managers, to IT managers, to CISOs, compliance people, security architects, HR officers, IT project managers, security analysts and engineers, etc.

Those who bothered posting negative comments came mostly from a service desk manager, a senior consultant on embedded platforms, a product manager at a software vendor, a lead systems engineer for a software vendor, a pre-sales engineer at a software vendor, a cloud advisor at a software vendor, etc. There is a pattern here.

Their arguments ran along the lines of

"Oh please, there are plenty of good mobile device security solutions out there. This is the sort of FUD that suggests antediluvian thinkers in the 'c' suite.", and

“ … all of the above technologies I speak of can be run on a BYOD device, WITHOUT the MDM. So you can close off the Enterprise from the user's device and still mitigate your risk without having to take over their device as a whole.”, to

“Not sure what your experience is with such technologies, but I can assure you that a managed iPhone is WAY safer than a Windows desktop, and much less vulnerable to malware.”, and

“An MDM with a secure internal lock box technology, like [product name], security is rock solid for mobile users. We can use up to 5 devices at [vendor name]. Mobile is here to stay!”

The majority of the argument theses ranged from a) I must be unaware of the vast panoply of cool technologies that can easily manage the mobile threat, b) I am an antediluvian thinker likened to counterparts in the [God-forbid] “C” suite, c) I live off the results of sowing Fear, Uncertainty and Doubt, and d) I have my head up my ass.

By the way, while (d) is probably true, if any one of the “cool technology” naysayers had bothered to check, they would have seen that we partner with some of the best MDM and Mobile device security product vendors on the market today.

This is one respected researcher’s view of Mobile security:

In 2015, Kaspersky detected almost 5.5 million pieces of malware on more than 3 million user devices. And as reported by IT Web, the number of new malware programs detected each day has reached over 430,000--many of which target mobile devices. I believe [for the record] that every company should be running some form of mobile device management software, but the technology's drawbacks make it an incomplete solution to IT's problems.

And because you asked, these are a few of the major threats from Mobile devices or a BYOD program:

Mobile apps are often the cause of unintentional data leakage. “Riskware” apps, for example, pose a real problem for mobile users, who generally grant them sweeping permissions but don’t always check their security. These are typically free apps found in official app stores that perform as advertised, but also send personal—and potentially corporate—data to a remote server, where it is mined by advertisers and even [gasp] cybercriminals.

Data leakage can also happen through hostile enterprise-signed mobile apps. In those cases, mobile malware uses distribution code native to popular mobile operating systems like iOS and Android to spread high-value data across corporate networks without raising red flags. The solution, as with most of these risks, is not some magic-bullet software package but adherence to permissions policies, a need that no software solution eliminates and that is very difficult to enforce.

Unsecured Wi-Fi presents a major threat because no one wants to burn through their personal data plan when wireless hotspots are available. This is yet another instance where software technologies cannot address user behaviors. The phones, after all, belong to the employee and not the company.

Study after study has shown that the security of free wireless networks is easily defeated by cyber-security experts, and that attackers have just as easily compromised users’ social media accounts, PayPal accounts and even VoIP conversations over them. Enforcing rules about never using free Wi-Fi on an employee’s personal device is difficult if not ultimately impossible, regardless of how cool the MDM software might be. And it has far-reaching, not yet adequately explored privacy-litigation implications that will haunt businesses in the future.

Can you imagine the plaintiff arguments based on their employer insisting on the use of personal iPhones for business applications because the company had rolled out a BYOD program and poor Marty, the A/P clerk was just trying to access his banking app when all of a sudden … ?

Network spoofing happens all the time where hackers set up fake access points (connections that look like Wi-Fi networks but are actually traps) in high-traffic public locations such as coffee shops, libraries and airports and then give the access points common names, like “Free Airport Wi-Fi” or “Coffeehouse,” which encourages users to connect.

In some cases, attackers require users to create an “account” to access these free services, complete with a password. Now some of you will say, “No one is that stupid”. To which I say, “Huh?” The cyber-thieves know that most users employ the same email and password combination for multiple services, allowing the hackers to compromise their email, e-commerce, and other secure information. Again, no MDM software is going to solve that problem.

In addition, some VPN implementations only make sure that part of a device's network communications are protected. The MDM [software] agents themselves are not sophisticated enough to fend off all attacks, because device and OS manufacturers don't provide MDM vendors with all the code necessary to completely manage the devices, and MDM providers have a tough time providing support for new operating systems as quickly as those OSes come out.

And since mobile devices are always powered on, they represent the front lines of the phishing wars: studies have shown that mobile users are the most vulnerable, the first to receive these legitimate-seeming emails and the first to take the bait. Why? Desktop users, who check their email only intermittently throughout the day, are often warned off by tech news sites or security bulletins before they click.

It’s not always malware that users should be worried about, but rather spyware installed by spouses, coworkers or employers to keep track of their whereabouts and usage patterns. While helpful, no endpoint antivirus program is able to detect all of today’s malware strains, and spyware is a heavily targeted category of threat.

Many mobile app developers use weak encryption algorithms, and even strong encryption can be useless if not properly implemented. Developers frequently use standard encryption algorithms that already have known vulnerabilities in order to speed up app development and reduce time to market. They also leave “back doors” open for specialized access, sometimes inadvertently and sometimes intentionally, which leaves the apps highly vulnerable to modification of high-level functions like sending or receiving text messages.

To facilitate ease of access for mobile device transactions, many apps make use of “tokens,” which allow users to perform multiple actions without being forced to re-authenticate their identity. Similar to passwords, they’re generated by apps as a way to identify devices. Secure apps generate a new token for each access attempt, or “session,” and keep those tokens confidential.

The problem occurs when an app unintentionally shares session tokens with malicious actors, allowing them to impersonate legitimate users. No MDM platform can manage improper session handling or know in real-time whether a session token belongs to Hillary or Sebastian.
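As an added illustration of the session handling described above (not code from the original post or from any MDM or app vendor), here is a small server-side session store that issues a fresh random token per session, binds it to the device it was issued to, expires it, and keeps only a digest of it. The 15-minute TTL, the device-binding rule and all names are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for this illustration, not from any product.
TOKEN_BYTES = 32            # 256 bits of OS-CSPRNG randomness per token
SESSION_TTL_SECONDS = 900   # idle limit after which a token is dead

@dataclass
class Session:
    user: str
    device_id: str      # the device the token was issued to
    expires_at: float

def _fingerprint(token):
    # Store only a digest server-side: a leaked session table then yields
    # nothing an attacker could present as a token.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    """Session table: fresh token per session, device-bound, time-limited, revocable."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so tests can expire tokens
        self._sessions = {}      # sha256(token) -> Session

    def start_session(self, user, device_id):
        # A new, unguessable token on every login, never derived from the
        # user or device, so knowing one says nothing about the next.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expires = self._now() + SESSION_TTL_SECONDS
        self._sessions[_fingerprint(token)] = Session(user, device_id, expires)
        return token

    def resolve(self, token, device_id):
        """Return the user for a token, or None if unknown, expired or device-mismatched."""
        sess = self._sessions.get(_fingerprint(token))
        if sess is None:
            return None
        if self._now() > sess.expires_at or sess.device_id != device_id:
            # Expired, or replayed from another device (evidently leaked):
            # refuse and revoke so the real holder has to re-authenticate.
            self.revoke(token)
            return None
        return sess.user

    def revoke(self, token):
        self._sessions.pop(_fingerprint(token), None)
```

Note that every check here lives in the app's own backend; this is exactly the layer an MDM agent on the handset never sees.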

In addition to those seven threats, and for those who complained that Windows desktops are more vulnerable than mobile devices: anything and everything connected to a mobile network, desktops and laptops included, is increasingly responsible for infecting smartphones and tablets, because their own flaws enable malware to travel from an infected Windows desktop over the mobile network and into an iPhone. It may not happen directly; instead, in an effort to bypass MDM controls, it often takes the form of embedded code in an enterprise mobile app.

With high-level access from personal mobile devices, smartphones and tablets effectively take the place of desktops, and while less vulnerable, Android simply doesn’t offer the same level of built-in security or control. I will leave the discussion of the impact of the future threat mega-multiplier known as IoT for a later post, but suffice it to say, we ain’t seen nothing yet.

Most CISOs and security professionals agree that mobile device security threats are both increasing in number and evolving in scope, and that we have only begun to fight a war against a small and evolving enemy that will soon be joined by the ranks of a large number of impossible-to-control IoT devices.

The choices are simple.

We must either halt these programs until we can figure out how to better protect and defend against the expanded threats, or ...

... we must be willing to take the risk that by relying on MDM and similar supplementary technologies to manage our mobile infrastructure, this act of deliberately increasing our threat surfaces will be offset by the gains in productivity, convenience and employee satisfaction.

More articles by Steve King, CISM, CISSP