Guest Blog: Bring Your Own Device and the Mobile Perimeter

by David Harley CITP FBCS CISSP, ESET Senior Research Fellow

I crept into the IT industry (and thence into security and eventually the anti-malware industry later than you might think, but still early enough to find myself using and supporting dumb terminals, dedicated word processors, and some pretty primitive PC and Apple desktops – often using terminal emulation software so as to access ‘real’ computing power: Unix or VMS, mostly). Kermit may be a frog to you, but it’s still a communications protocol to me! [Oops, I remember Kermit too. Ed]But I was just in time to see portables become portable rather than luggable, and the distinction between the desktop and the server was eroding as even laptops started to evolve into multi-user systems sharing resources (and accounts) across networks.

Before you could say ‘NCSA Telnet’, road warriors and people working from home became able to VPN into the workplace intranet and/or use their work account as a doorway to the internet.

Things look very different nowadays. We don’t just access The Cloud, we live in it. That is to say, it’s far harder to distinguish between our private lives and our work lives, and that blurring of borders is exacerbated by the multiplicity of devices we use to access our on-line personae (work-related and recreational).

Even those of us who left our teens behind many years ago: – even I, a dyed-in-the-wool reactionary dinosaur, have been known to give a presentation from my own tablet, which has never benefited from the tender security-enhancing ministrations of an IT department.

Many of us have come a long way from the issue of a corporate laptop with a standard image and the lowest possible level of privilege for the intended user’s account.

That iGadget of mine doesn’t have quite all the functionality of my first work laptop, but it has a lot more storage, computing power, and general usability, and it didn’t cost my company a penny in outlay for hardware, training, or software.

But there are obvious potential issues in opposition to those advantages. No financial investment usually means no control. Not only laptops, but some tablets and smartphones, continue to be targeted quite effectively by malware: consider, for example, the Android botnet recently flagged by Terry Zink.

While the big players currently selling into this space are able to exercise more control (or veto) over the installation of unhealthy apps by incautious customers than we are used to in desktop operating systems, that security can be subverted by jail-breaking or obtaining apps from an unofficial source.

Bypassing security and escalating privilege on a corporate laptop is unlikely to be in the skill-set or comfort zone of the average corporate end-user, but those inhibitions are less likely to apply for something that’s perceived primarily as a personal (and recreational) device.

But there’s more to this than malware: phishing, SMS fraud, targeted social engineering, loss and theft of a highly mobile device and the data it contains – or can access from a central resource.

In a BYOD {Bring Your Own Device] world, it might be just too much trouble to ensure that each and every device that might be connected to the corporate network is required to authenticate properly, or runs appropriate security software, or updates and patches OS versions, firmware and applications in a timely manner.

After all, diversity of hardware militates against the use of standardized profiles. Yet is it really the best time to abandon the use of corporate standards and management tools when just about any device may provide a window into a private cloud that might entail access to highly sensitive information?

Author Biog

David Harley, BA CITP FBCS CISSP is an English IT security researcher, author/editor and consultant specializing in topics like malware, Mac security, anti-malware product testing and management of email abuse.

He entered the IT field in the late 1980s, working primarily in medical informatics with emphasis on security. In 2001 he managed the NHS Threat Assessment Centre. Since 2006 he has worked closely with ESET, where since 2011 he has held the position of Senior Research Fellow. He is a former Director of the Anti-Malware Testing Standards Organization (AMTSO). He is a Fellow of the British Computer Society (now the BCS Institute) and has certifications in security management, audit, and ITIL service management.

Harley was co-author (with Robert Slade and Urs Gattiker) of Viruses Revealed, and technical editor and principal author of The AVIEN Malware Defense Guide for the Enterprise. He has also contributed chapters and articles to a number of other security-related books and publications. He often presents papers at specialist security conferences including Virus Bulletin, AVAR, and EICAR. Apart from ESET’s ThreatBlog, blogs for (among others) Infosecurity Magazine, SC Magazine, AVIEN, (ISC)2, SecuriTeam, AMTSO, Mac Virus, and Internet Evolution.