Following the Wh1t3 Rabbit - Practical Enterprise Security
BYOD - Challenges of protecting data - Part 2
Fair warning! This post is a little ...lengthy, or as I like to think of it - "complete".
Welcome to part 2 of a 4-part series on Bring Your Own Device (BYOD). The previous post provided some background on the subject, and gave some setup for the series. In this second part of the series I will address one of the key points that proponents of BYOD use to make their case - employee productivity. Productivity appears as one of the focal points of many discussions around BYOD so in order to understand the implications we must first understand the full scope of the point.
Just last April CIO.com ran an article titled "Are BYOD Workers More Productive?" The author, Tom Kaneshige, comes to the conclusion that BYOD workers are indeed more productive: "The silver lining, though, is that BYOD really does lead to net worker productivity gains."
CIOs are a generally smart bunch, and won't just accept this as truth without some proof, as he goes on to elaborate: "But CIOs prefer quantitative metrics over qualitative hearsay, and clear-cut BYOD performance gains are somewhat elusive." Herein lies the rub, as they say. You see, there are some subtle things going on here that are only obvious if you've gone through one of these programs, or are in the process of bringing your own device into the office - with or without corporate IT's blessing.
After I wrote the previous post I had some fantastic reactions from folks who are either living this today, or have some other experience in the matter. One comment in particular caught my attention, from someone posting as "slightly anon". Read this comment and notice the touch on productivity... My reader uncovers a negative aspect of BYOD which is a little scary for some folks - the part where your device is compromised. Productivity is nice to talk about when you can sit at home and read your corporate email on your tablet or mobile phone - but what if that device is riddled with malware, or hijacked to be part of a botnet? There are very serious security and productivity implications there! Great point, let's expand on this just a bit.
So who supports this 'broken' BYOD device anyway?
Think about it, what happens when your user's laptop isn't quite working to spec today? Odds are the user calls IT support. As much as we all like to complain about how poor support is in many organizations, it's one of those things that we complain about until we have to do without. Your employees may think your IT support is the worst in the world, until they have to call the store they bought their mobile phone at, or the manufacturer, or worse some 3rd party - because their device isn't getting corporate email. When there is a clear ownership of the device (corporate owned device, corporate problem, right?) the support call is clear - but when the corporate email simply "won't work" on, say, an Android device - who gets the call? I can just hear the string of "well, that's an issue with your corporate email, call your provider" calls, and finger-pointing endlessly from carrier, to hardware provider, to corporate IT ... where does it end? Who ultimately takes responsibility for the support?
Making a clear distinction is hard, because if it's a personal device you can't expect your IT organization to support every mobile device out there, can you? It would be insane to think your corporate IT support people would handle Apple, Samsung, HTC, Motorola, LG and countless other devices, each with their own operating system, application quirks and potentially carrier issues. Yikes! Think about this when you talk about increased productivity gains... how fast can your corporate support team offer support for a thing they own end-to-end, versus having to share responsibility and potentially finger-point with other vendors' support organizations?
On the other hand ... this could be a very nice thing for your IT support organization. Not having to have a fully fledged support department that supports cell phone carriers, operating systems, applications, corporate connectivity and everything else lets you focus on the things that really matter to your company. Your corporate applications matter because you support those - why not outsource the support of everything else to the experts?
I think I have a "virus"
I can hear the support calls in the queue right now: "I think I have a virus - my BYOD laptop/tablet/handset isn't working right." Even if, and I'm not willing to take this as a given yet, productivity due to improved support is a reality as a result of BYOD, what happens when security issues start to get in the way? Productivity is hampered by malicious software (malware) and other unfortunate surprises all the time in corporate IT land. I know my laptop's been nuked a few times over the years, not because I browse the dark recesses of the Internet, but because I hit sites like BusinessWeek. If legitimate sites can't keep from being hit and spreading malware... what hope does the average business user have? Now ask yourself how careful you are with your "work" laptop versus your "home" computer... if you're honest I bet you're willing to click on, or go to, a lot more risky content from a computer you know corporate isn't monitoring, right?
So as the commenter brought up - there are serious roadblocks to productivity when your personal gadgets are malware-ridden! Oh, and let's not forget the liability issues now. Remember how when you went through new employee training they told you that surfing "questionable content" was something that could result in you being written up, or even losing your job? What happens when you bring your personal laptop into the office, infected with some piece of malware, and that laptop starts to open up pop-ups of a... shall we say... questionable taste when other co-workers are around? What does HR have to say about this whole mess? When your workstation was corporate-managed you could just blame it on corporate IT's inability to keep malware off your system... but now that responsibility is yours, right?
What if your machine attacks another organization from within the corporate perimeter, as part of a BYOD-approved work agreement? Who's liable for the attack? Is it you, the individual, or the employer that gets the suit filed against them? I'm not trying to be funny here, this is serious business. I suspect most folks who think about BYOD and start thinking about all the money they're going to save on devices rarely think about the liability they're accepting, or pushing off on their users... are we going to get a piece of paper to sign that transfers liability to the user from the corporation? I wouldn't sign it... would you?
It's not all that gloomy
OK, I admit, for someone who's generally upbeat about bringing your own device into the corporate environment, this post has turned particularly negative. Looking deeper into the issue is troubling, and I definitely think there are serious challenges. However, all is not lost.
Where corporate IT had the ability to push those 10 "agents" to all of your corporate-owned laptops before - you know... full-disk encryption, anti-virus, anti-malware, identity-control, personal firewall, personal IPS, policy-enforcement - now you don't have that ability. Well, maybe...
There are two camps of thinking out there - some organizations make provisions to push items out to their clients, while others simply monitor for the presence of such items. I can tell you that at my old job we allowed people to plug non-corporate-owned assets into the network, with a few conditions. When you popped your system onto the network you would eventually be presented with the 'captive portal', which told you all the rules and regulations of being on the network. You could choose to simply have Internet access (via a GRE tunnel to the outside of the corporate firewall) or you could install the corporate package to bring your machine up to compliance with standards, if it wasn't already. These standards included things like a complete, managed anti-virus package and personal firewall, along with an identity management agent... and the ability to poll your machine to enumerate running applications and determine the general health of your PC. Once you passed the 'check', you would be allowed onto the network and have access to corporate resources.
How many of us today would be comfortable with this? Maybe you are OK with it, maybe you're not - but to maintain the security of the network (integrity, really) this was necessary. Also, there was no self-destruct, so once you had jumped onto the network and installed the bits they stayed on your machine until you forcibly removed them by hand. Most people wouldn't know how to do that by themselves... Then there's the issue of how easy it was to 'fake' the installation of the corporate package. Our red team exercise determined that with a few manually entered registry keys and a few 'faked' replies on specific ports via a script, you're off to the races without having to actually install anything. This raises the question of how much security was really being offered!
The other approach I'm seeing and hearing about is the governance/monitoring approach. It's quite possible to allow your device to be enumerated by the corporate 'checker', as in the example above, to make sure you've got up-to-date anti-malware and are current on your patches and application tweaks. If you are not, you can simply be denied access along with recommendations, rather than being force-fed binaries and corporate stuff.
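The monitoring approach described above amounts to a policy engine run over whatever the corporate 'checker' can enumerate. The following is an added example, not code from this post or from any NAC product the author used: a small Python posture evaluator with a constructed report schema, constructed thresholds (7-day signature age, 30-day patch age, the three agents the post names), a fixed evaluation date and two constructed sample devices. Compliant devices land in the "corporate" zone; everything else gets Internet-only access together with the list of recommendations the post says should accompany a denial.

```python
"""Posture evaluation for a BYOD network-access check.

Added example, not code from the original post or any NAC product. The
report fields, policy thresholds, evaluation date and sample devices are
constructed assumptions. The two outcomes mirror the post's captive portal:
compliant devices reach corporate resources, the rest get Internet-only
plus remediation advice.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy thresholds (assumed values for illustration).
MAX_SIGNATURE_AGE = timedelta(days=7)    # anti-malware signatures must be this fresh
MAX_PATCH_AGE = timedelta(days=30)       # OS patch level must be this recent
REQUIRED_AGENTS = {"antivirus", "firewall", "identity"}  # agents named in the post

# Constructed "today" so the example is deterministic.
TODAY = date(2012, 6, 1)


@dataclass
class PostureReport:
    """What the corporate 'checker' enumerates from a device (constructed schema)."""
    device_id: str
    av_signature_date: date
    os_patch_date: date
    running_agents: frozenset
    firewall_enabled: bool


@dataclass
class Decision:
    device_id: str
    zone: str                      # "corporate" or "internet-only"
    recommendations: list = field(default_factory=list)


def evaluate_posture(report: PostureReport, today: date = TODAY) -> Decision:
    """Apply the policy and return the zone plus remediation advice.

    Every failed rule becomes a human-readable recommendation, which is what
    the monitoring approach hands back instead of force-installing binaries.
    """
    advice = []

    sig_age = today - report.av_signature_date
    if sig_age < timedelta(0):
        advice.append("anti-malware signature date is in the future; check device clock")
    elif sig_age > MAX_SIGNATURE_AGE:
        advice.append(f"anti-malware signatures are {sig_age.days} days old; update them")

    patch_age = today - report.os_patch_date
    if patch_age > MAX_PATCH_AGE:
        advice.append(f"OS patch level is {patch_age.days} days old; install pending updates")

    missing = REQUIRED_AGENTS - set(report.running_agents)
    if missing:
        advice.append("required agents not running: " + ", ".join(sorted(missing)))

    if not report.firewall_enabled:
        advice.append("host firewall is disabled; enable it")

    zone = "corporate" if not advice else "internet-only"
    return Decision(report.device_id, zone, advice)


def sample_compliant() -> PostureReport:
    """Constructed device that passes every rule."""
    return PostureReport("laptop-01", date(2012, 5, 30), date(2012, 5, 15),
                         frozenset(REQUIRED_AGENTS), True)


def sample_stale() -> PostureReport:
    """Constructed device with two-month-old signatures and no identity agent."""
    return PostureReport("tablet-07", date(2012, 4, 1), date(2012, 5, 20),
                         frozenset({"antivirus", "firewall"}), True)


if __name__ == "__main__":
    for rep in (sample_compliant(), sample_stale()):
        d = evaluate_posture(rep)
        print(d.device_id, "->", d.zone)
        for line in d.recommendations:
            print("   ", line)
```

Everything the evaluator sees is reported by the device itself, which is exactly the weakness the red team exercise above exposed; a check like this is best treated as a claim to corroborate against records the organization already holds (patch and anti-malware management consoles, directory membership) rather than as proof of compliance.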
Even though there are ways to 'trick' your way onto the corporate perimeter, there are even more options for maintaining the integrity of the network. As one of my colleagues, @JadedSecurity, says - consider everything on the network hostile and work from that premise. This means that you'll need more IPS, more firewalls, more VPNs and generally more 'stuff' to make sure that your network doesn't flood up with nastiness. You could always harden your applications, tighten access to critical files and systems, and manage identities better ... but you would have already gotten that right by now.
The final analysis
So... does BYOD help productivity? I don't know, maybe. I guess I started this post out with the intention of extolling the virtues of having a more productive workforce - but now I'm not so sure. Having a background in information security, I just think maintaining the integrity of your corporate space gets that much harder and depends that much more on the fundamentals we're all failing at... Seriously.
Is it possible to maintain the integrity and security of your corporate network if you implement BYOD? Absolutely. Is it more difficult to do when you don't directly own and control the device? Research would point to yes, absolutely.
As always, your mileage may vary depending on what the state of your IT affairs is right now, before BYOD. Things could be better, and in some cases this is possible, but unlikely. The security of your organization could also take a serious turn for the worse ...but you know what, it still all comes down to doing your fundamentals right.
Secure your applications.
Manage your identities.
Tighten control over access to critical systems and data.
If you do all those, BYOD can be a good thing.
From someone with a background in infrastructure and support, I am leery of this BYOD = increased productivity theory. From the user end, the malware bit alone would be a serious factor. Think about the last time your family helpdesk line was called with "that annoying pop-up" or "I think my system is infected, it's running slow." Now multiply that call by the average number of calls you receive on your corporate helpdesk for the day-to-day low priority stuff. In this idea alone you are now upping the workload of the current helpdesk and desktop support teams. But what about the user? Well, of course now they are probably down because the system needs to have a couple of full scans done to see if there is malware on the system. If there is, that is probably the easy part. If there is not, well now the teams need to troubleshoot. Is it software? Hardware? An advanced attacker hiding from your scans? That last one keeps me up at night. So now the person's system is down for additional troubleshooting. Do they have a loaner system? Probably not, because we are BYOD, we don't need to have our corporate systems any longer, right?
I am in an environment now that if my current standard image system croaks or needs to be re-imaged, I can get a loaner until my main system is back up and running. The standard image has all the software I need to do the basics of my job. At most I will not have my more advanced apps (nmap, powershell, etc...) for a day. But I will have my email, access to intranet sites and my data which is currently stored on network shares.
Now my first thought does not take into account that the organization would have all the proper mitigating factors in place: Network Access Control systems, pre-checks and such. The argument is, will the users be OK with that? Well, this is where legal needs to be involved because you are riding that fine line of privacy concerns. I am from the old school where if you use the company's resources on the company's network, then you, your system and your data are subject to review at any time. With BYOD, you are now opting to make your personal device subject to the same review. If a user is not OK with that then they could simply opt out of BYOD and use a standard issue device. Why is that so hard to grasp?
Now back to the possible infection by an unknown piece of malware by an unknown attacker... So many advanced attackers will target specific users. Add BYOD into the mix now they can target them at home on much less secure networks. They can compromise the system there and build their recon info on what software is added to the system when it was allowed onto the network. They can further compromise the device and get screen capturing and keylogging tools on it. Like you mentioned, data is all things. A screenshot of IP/PCI/HIPAA related data could be just as good as the documents themselves. In any case they have a nice system they can tailgate on to get to the internal network.
Forgot to add something... So I fail to see where the productivity increase comes in? Even if all things are perfect and the user has a clean system. How is that any different than having a corporate issued standard image? What do you do about any possible productivity killers on the device such as games or even personal projects the user may be working on? If they get bored they may fire up a game and play, probably more so for people with offices or cubicles with high walls. Or they are doing side work and now they start working on that at the office on company time. How do you prevent that?
Dewser,
Great points and a very mature and developed perspective. I really hope this BYOD is just a passing fad idea. It might work just fine for certain organizations, but I think medium and large organizations should stay away from this at all cost. You make a great point in mentioning the legal side of it. It might cause issues with privacy laws. Has "reasonable expectation of privacy" been fully qualified in the law for BYOD-type circumstances? If I get a device to troubleshoot it and then the user complains that I rummaged through their system - how do I protect myself and the organization from that? Don't we already have enough frivolous lawsuits?
Maybe I'm just old school and more stuck in my ways, but I see this as a push against the ever-tightening restrictions of infosec (which is a direct reaction to more crackers with higher levels of skill). Of course we will always have the executives who will want to have their own devices on the network and we will have to support those, but that is an obvious exception and just a security risk that has to be managed by many IT departments every day around the world. Giving every employee "executive" privilege to bring in their own device simply doesn't make sense.
I am really confused as to exactly who can possibly arrive at the concept of greater productivity from BYOD. It goes against everything I've seen in the field. Organizations already have to lock down their internet because employees can't seem to stay off Facebook for more than 10 seconds. When stripped down it all comes back to access control - which is the most basic and fundamental foundation of security. If you destroy or circumvent that - then why even bother having any security at all? I'm appalled at the attitudes of so many toward security when we are seeing breaches more and more often with greater sophistication. Now is the time for the community to be working hard to continue to stay up to date with the hacking landscape - not for us to throw caution to the wind and let every swinging joe with an electronic device connect to multi-million dollar systems.
I echo your concerns about targeted attacks. I give all threats their due concern, but there really isn't much that can be done against a talented, experienced, and well-equipped cracker who has time and the element of surprise on his/her side (worst-case scenario). BYOD seems to me as if it would only compound this issue and make it easier for less skilled crackers (of which there are far more to worry about) to find a back door into the company. At some point I feel like throwing up my hands and saying, "OK, but don't say I didn't warn you", but that would be irresponsible of me and go against my own morals and personal and professional code of ethics. I will harp on it till the very end. BYOD should realistically cause any risk matrix result to go off the charts. It should set off the klaxons and warning bells, but it doesn't seem to be and this dangerous fad actually seems to somehow be gaining momentum (much to my chagrin). Thanks for a great post, Dewser. I appreciate that there are others out there who are pushing back against this as well.
Slightly anon,
I could understand BYOD if the organization employed people who use this stuff for a living. For example, I would be far more accepting of BYOD at a company which employed a large number of IT consultants / programmers (or pentesters, what have you). But, in an average situation where the vast majority of the employees have little tech knowledge - how am I supposed to just trust that they won't unintentionally allow an attack? I think that Mr. Los really hit the nail on the head when he mentioned that the industry is failing at the basics right now. I think that BYOD could most certainly be a fine solution, but, as I mentioned before, security as a standard just isn't good enough even if the industry as a whole was on top of the problem. I also would absolutely love to hear from someone who has implemented this and get some feedback there. However, I suspect that most anyone who has mainly employees that are high value and in tech-related or tech-dependent positions would have greater success than an organization with high turnover rates and minimum wage positions that cycle every month.
I would also feel better about it if it was already integrated from the beginning of the analysis, architecture, and design phase (whether that be at startup or reboot). The tools, processes, and policies of the IT department would definitely need to be closely tailored to this system to be effective. I don't want to toss up another really long post, so just to say, I would be for it if I felt that the risks were mitigated and the creativity and productivity were measurable. I would feel even better if an implementation plan across iterations toward the long-term target were clearly defined, functional areas were adjusted to suit the new architecture, and processes were clearly and concisely mapped and evaluated before-hand.
I guess my biggest fear from an administrative position is that organizations will try to jump on board this fad without realizing the incredible work that it would take to keep the user hierarchy in some semblance of organization without introducing too many more diversity levels. It just seems to me that preferred paths would become extinct and non-optimized paths would quickly replace them - making load balancing and projection harder from the admin's standpoint. From the infosec standpoint - that of a hacker - oh I would love to pentest a BYOD company. A target-rich environment with minimal standardized access control with disparate systems and silos is very tempting.
As an IT guy for over five years, and now in the hiring process to become a pentester, I see a lot of challenges for a BYOD environment.
For a large enterprise organization, I really see the potential for it becoming a "land of confusion" in the IT dept. I would hope that there would be some standards and procedures set in place by the organization along with serious considerations as to "what if" scenarios.
For a smaller company (5-30 people), I don't see it being as much of a pain in the jaw as it would be for a larger place. Chances are a smaller company either has a managed services provider to handle their needs, one IT person, or someone that kinda switches hats between IT and say.... sales/payroll/whatever their main job is.
My main gripe with larger organizations doing BYOD is there could be a total lack of standardization, with hardware, software, licensing, and ability to train end users how to use their technology well and efficiently.
When an organization uses a large manufacturer to purchase large amounts of equipment from, they are generally able to get large numbers of the same computer model, or one very close to it at any given point. Having desktop/laptop/tablets that are all the same make to issues to employees makes the PC procurement process much quicker when it comes to imaging, or even creating an image to use enterprise-wide.
On the support side of things, many devices have their own unique quirks, known hardware issues, software incompatibilities, etc. A helpdesk or support group would be able to rectify any issues a user has much quicker if there is documentation and knowledge on issues.
I suppose one of my big fears is, say, a disgruntled employee looks up some YouTube videos, blogs or whatever to learn about privilege escalation, hacking, or any way to bypass security measures to maybe steal confidential information or just to cause a headache within the organization. It may be a long shot suggesting that but I see that as a potential attack vector and let's face it, weirder stuff has happened.
Might add more to this later, all I have for now.
I hadn't thought about the software licensing issue before reading this post and its comments, but just to bring it home, suppose one of your users has installed an "unofficial" copy of XYZ Tool that was downloaded from Big Pirate Site, then uses the XYZ Tool from his own device to produce something for your company, which also does not have any XYZ Tool licenses. Your company releases this with great public fanfare. XYZ Company notices this, and knows you do not have any XYZ Tool licenses. The individual user may not have been worth going after, but you are. Do you think your agreement with the user that the user is responsible for the device is going to fix this?
MikeH9,
You have some interesting points, but what I think we have really arrived at is that we're not blaming BYOD for current failures - we're acknowledging that BYOD would compound current failures. I made the point in my blog that there is always the risk of rogue devices and departments already have to deal with exceptions to the rule (e.g. executive privilege), but to allow everyone that privilege would be a tremendous risk on top of the current risk.
You do make some good points about the software licensing risks, although I can't say I've agreed with this 100% from the start. Of all the risks that we have been examining, I believe that code and apps from unlicensed software is probably fairly low on the matrix. I think that most developers who enjoy working as a developer understand the issues that licensing can bring and probably avoid it. I would honestly trust developers more than I would a general employee.
I have been pushing for controls and regulation on devices, but let's look at it for what it really is. Once you introduce an entire new network hierarchy just for "BYOD", then all you're really doing is building a separate CDN designed to do what? - the point of a network is to empower collaboration and profitability through services built in to the solution. My point is, that if a certain developer wants a particular software, why would the company not simply license that software? Is it really boiling down to greed (i.e. we don't want to pay $7,000 for a license for this so let's just let them bring their own "copy" in on their own machine (that 'might' not be a legit copy?)). My point is, what is BYOD going to solve that can't already be accomplished on the current network with current security policy and enforcement and with current standardization protections in place? I'm still failing to see the real net benefit.
I think the discussion has led us to the point that we really identify that a small business that operates a small network with a small number of people who could actually benefit in some manner from BYOD would be acceptable. Unfortunately, I believe that the average organization (especially those in healthcare) should steer clear, and very much so in situations where some or many of the employee positions are considered expendable (or who rotate often due to high turnover). I think I can speak for Mr. Los as well when I say that, overall, we are not pointing the finger at BYOD for problems, we are acknowledging that BYOD would only further compound those problems by an unacceptable amount. Thanks for the great comments and ideas. You got me thinking and compelled me to respond. That's exactly what we need in this industry right now.
Your point on "What if your machine attacks another organization from within the corporate perimeter" is an interesting one. In recent years one of the biggest sectors where BYOD has changed everything is education. For most colleges and universities it makes sense that students and staff bring their own devices. Recently I worked with a university where a rooted iPhone was attempting to connect to hundreds of other systems outside of its local network. This resulted in a notification being sent to the university requesting that the incident be investigated and stopped.
Another issue that I see coming up a lot is that BYOD puts increasing demand on IP address management. In the case of an educational institute, students can grab 3 or more addresses. Many network managers are decreasing the lease time for address assignments so that they can be recycled quicker.
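The rooted iPhone in the comment above stood out because one device reached out to hundreds of systems outside its own network. As an added example, not the commenter's or the university's code, the Python below is the detection logic a campus network team could run over exported flow records to spot that pattern: it counts distinct external destinations per local source and flags any source above a threshold. The flow-line format ("src dst port proto"), the campus address range, the threshold of 100 and the sample flows (including one malformed line) are all constructed for the example.

```python
"""Flag a local device that contacts an unusual number of distinct external hosts.

Added example, not code from the comment above or from the university it
describes. The flow-record format, the local address range, the threshold
and the sample flows are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed campus range; destinations outside it count as "external".
LOCAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed threshold: distinct external destinations per source in one export.
FANOUT_THRESHOLD = 100

# Constructed flow records, one per line: "src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = (
    # one device touching 150 different external hosts
    ["10.20.5.17 198.51.100.%d 443 tcp" % i for i in range(1, 151)]
    # an ordinary client talking to two external hosts repeatedly
    + ["10.20.5.42 203.0.113.10 443 tcp"] * 60
    + ["10.20.5.42 203.0.113.11 80 tcp"] * 5
    # local DNS traffic from the noisy device; internal, so not counted
    + ["10.20.5.17 10.20.5.1 53 udp"] * 20
    # a malformed export line the parser must tolerate
    + ["garbage line"]
)


def is_local(ip: str) -> bool:
    """True when the address falls inside one of the local networks."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_flow(line: str):
    """Parse one flow line into (src, dst, port, proto); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, port, proto = parts
    try:
        ip_address(src)
        ip_address(dst)
        port_num = int(port)
    except ValueError:
        return None
    return src, dst, port_num, proto


def external_fanout(lines):
    """Map each local source to the set of distinct external destinations it touched."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue          # skip malformed records rather than abort the run
        src, dst, _, _ = rec
        if is_local(src) and not is_local(dst):
            fanout[src].add(dst)
    return fanout


def find_scanners(lines, threshold=FANOUT_THRESHOLD):
    """Return sorted (src, distinct_external_dst_count) pairs at or above the threshold."""
    return sorted(
        (src, len(dsts))
        for src, dsts in external_fanout(lines).items()
        if len(dsts) >= threshold
    )


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_FLOWS):
        print(f"{src} contacted {count} distinct external hosts; investigate")
```

Distinct-destination count is a better signal than raw flow volume here: the ordinary client produces 65 flows to two hosts and stays well below the threshold, while the single device fanning out to 150 hosts is flagged regardless of how little traffic each connection carried.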