BYOD Security Is All About Juggling Risks

Allowing workers to use personal phones and tablets to do their jobs has created security risks in the workplace, but those risks can be minimized if they’re managed.

What should such a risk management program do? “The first step is you have to protect the device,” IBM Application, Data and Mobile Security Director Caleb Barlow told TechNewsWorld.

“That includes everything from provisioning and deprovisioning a device to insuring that you have a way, if the device is stolen, to wipe — in a legally defensible way — the enterprise data off it,” he said.

Wiping a device is also necessary when an employee leaves a company.

“You want to wipe corporate information but not obliterate the pictures of someone’s child or their wedding,” Barlow explained.

Unknown Pedigrees

Another important component of a Bring Your Own Device risk management program is protecting an organization’s data at rest and in transit.

“That’s similar to what you’d anticipate happening on a laptop,” Barlow said.

“The difference in mobile is that when we deploy things like Virtual Private Networks and encryption, we have to do it not just at the device level but at the actual application level. That’s because what we’re worried about on a mobile device is not it just being stolen, but exfiltration of data from one app to another,” he explained.

While a corporate-issued laptop typically has a set of IT-approved software programs on it, that’s not the case with a personal mobile device.

“We don’t know where the apps came from,” Barlow said. “They were downloaded from a store for (US)$1.99. We have no relationship at all with the publisher, and we really don’t know anything about the pedigree of those applications.”

Big Brother Effect

A third component of a good BYOD risk management program protects the applications themselves. That means looking at how data enters and exits the app. It means making sure the data is encrypted. It also means limiting the data flow between applications on the device.

“There’s a variety of techniques to do that from virtualization to containerization to policy management,” noted Barlow.

Another aspect of a good risk management plan is accounting for compliance requirements.

“You need to understand how your compliance requirements might be affected by those devices, particularly when they access enterprise data,” Skybox Security Vice President Michelle Cobb told TechNewsWorld.

Creating risk metrics can also be an important element of a management plan, although it may not be easy to do.

“Techniques used to scan host servers and other devices in an organization may not extend well to mobile,” Cobb explained. “So you may have to look at other ways to extend that picture.”

“Today you may be familiar with the vulnerabilities on the traditional part of your network, but you may need to extend that view so you can understand the risks of mobile devices,” she added.

When implementing a risk management program, it’s important workers understand what an organization is doing to their personal devices.

“Some people get concerned when they show up for work and the IT department wants to stick software on their iPad,” Acronis Director of Mobility Solutions Anders Lofgren told TechNewsWorld.

“You can get that Big Brother effect,” he said. “That’s not what you want.”

iOS 7 Debuts With Security Flaw

Apple opened the download taps last week for the latest version of its mobile operating system, which has generally garnered good reviews for new security features, many of them aimed at making the iPhone more welcome in enterprise environments. It didn’t take long, however, for security researchers to uncover a very large vulnerability in iOS 7.

To make things more convenient for an iPhone user, Apple added a new feature called “Control Center.” It can be called up without unlocking a phone and gives a user quick access to several frequently used apps — flashlight, timer, calculator and camera.

When either the timer or the calculator is started from the Control Center, the full functionality of the phone’s camera can be accessed with a sequence of home button pushes. With access to the camera, anyone can see pictures stored on the phone, share photos via email and SMS messages, post photos to social networks and edit and delete photos.

What’s more, because the photo app accesses the contacts app, an unauthorized party could peek at some of the contacts on the phone.

Another flaw was discovered in the iPhone’s personal assistant app, Siri, that also allows email to be sent from the phone and postings made to social networks under the auspices of the phone’s owner.

A temporary solution to the Control Center flaw is to shut off the settings for the Control Center, Notification Center and Siri.

Apple is currently looking into a more permanent fix for the problems.

Breach Diary

• Sept. 16. Experian, which received a US$12 million no-bid contract from South Carolina last year to provide free credit monitoring services to people affected by a breach of state tax department affecting millions, says it won’t renew its contract with the state and begins offering the services to South Carolinians for 99 cents a month.
• Sept. 16. NHC Oak Ridge discloses possible data breach of patient information due to a missing backup tape that wasn’t encrypted. Tape included patient names, Social Security numbers, birth dates, home addresses and medical information. Facility says investigation of incident is under way.
• Sept. 19. Atlanta-based LabMD challenges FTC’s authority to bring a data breach complaint against the cancer-screening lab for failing to adequately secure data in its possession. A hearing on the FTC complaint is scheduled for April. Over the last 11 years, the FTC has settled 50 cases stemming from such complaints.
• Sept. 20. Der Spiegel reports a recent cyberattack on Belgium’s largest telecommunications company Belgacom was performed by British spy agency Government Communication Headquarters. The report was based on confidential documents leaked by U.S. whistleblower Edward Snowden.

Upcoming Security Events

• Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1295 non-member.
• Sept. 25. Cyber Sticks and Carrots: How the NIST Cybersecurity Framework, Incentives, and the SAFETY Act Affect You. 12 noon-2 p.m. ET. Offices of Venable, 575 7th Street, NW Washington, D.C. Presentation with former Deputy Secretary of Homeland Security Jane Holl Lute. Free with registration.
• Sept. 25. Cyber Security Summit 2013. Hilton, New York City. Admission: $199; government, $99.
• Sept. 30-Oct. 4. INTEROP 2013. Javits Center, New York City. Registration: all access pass, $3,099 (Mon.-Fri.); conference pass, $2,199 (Wed.-Fri.); Mac & iOS IT, $1,899 (Mon.-Tue.)
• Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian/The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.
• Oct. 1-3. Governmentware 2013. Suntec Singapore International Convention & Exhibition Centre. Registration: Government, $588.50; Others, $900, plus tax.
• Oct. 2. Visa Global Security Summit — Responsible Innovation: Building Trust in a Connected World. Ronald Reagan Building and International Trade Center, Washington, D.C. Free with registration.
• Oct. 2. Information Security Conference. Charleston Civic Center. Sponsored by West Virginia Office of Technology. Free.
• Oct. 5. Suits and Spooks. SOHO House, New York City. Registration: Early Bird, $395 (July 5-Aug. 31); $625 (Sept. 1 and after).
• Oct. 8-9. Cyber Maryland 2013. Baltimore Convention Center., Baltimore, Md. Registration: $495; government, free; academic faculty, $295; student, $55.
• Oct. 9. Induction Ceremonies at Cyber Security Hall of Fame for James Bidzos, David Bell, Eugene Spafford, James Anderson and Willis H. Ware. 6 p.m.-10 p.m. Hilton Baltimore, 401 W. Pratt Street, Baltimore. Dinner Admission (Black Tie Optional): $250.
• Oct. 17-18. 2013 Cryptologic History Symposium. Johns Hopkins Applied Physics Laboratory’s Kossiakoff Conference Center, Laurel, Md. Registration information to be announced.
• Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros + VAT delegate/495 euros + VAT one-day pass; Discount from July 27 – Sept. 27, 995 euros + VAT delgate/595 euros + VAT one-day pass; Standard from Sept. 27-Oct.27, 1,095 euros + VAT delegate/695 euros + VAT one- day pass; On site from Oct. 28-31, 1,295 euros + VAT.
• Nov. 6. FedCyber.com Government-Industry Security Summit. Crystal Gateway Marriott, 1700 Jefferson Davis Highway, Arlington, Va. Registration: government, free; academic, $100; industry, $599.
• Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
• Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
• Dec. 9-13. Annual Computer Security Applications Conference. Hyatt French Quarter, New Orleans.
• Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; After Dec. 1, $725.