How Personal Devices (BYOD) Change The Threat Model For Organizations
BYOD, or Bring Your Own Device, is a program by which employees can use their own devices for work purposes. End-user devices can be anything ranging from their laptops to their cell phones. BYOD is meant to allow more flexibility within an organization. Not only does it allow employees to work on equipment that is owned by them and, in many cases, is more familiar – it also can help cut organizational costs by putting the responsibility on the employee.
Unfortunately, there comes a security cost with implementing a BYOD program. BYOD devices and their infrastructure can often introduce challenges to the organization’s information security and management programs.
Common BYOD Challenges
Common challenges faced by BYOD programs are often due to challenges in the management of the devices and their owners. Since the organization does not own the device, it may often not have control over the device. Typically, the organization is responsible for purchasing and maintaining the equipment. In this model, the organization has much more control over the device. They can apply policies and monitor the devices. With BYOD, this management becomes much more difficult.
First, in a traditional enterprise environment, devices are often homogeneous in nature – i.e., they are the same or at least similar. There might be dozens of the same device. In a BYOD implementation, the devices can become very heterogeneous – between the company devices and the employee devices, there may be dozens of different types of devices. BYOD can be implemented on a broad spectrum; companies could just allow BYOD for mobile devices or go so far as to have all end-user activity done via personal devices. Instead of having 1 or 2 operating systems and a few hardware configurations, there could be several operating systems with several versions, and possibly dozens of different hardware configurations.
There are MDM (Mobile Device Management) software suites that allow administrators to control/configure/manage mobile devices on the enterprise network to combat this. While these software suites do not encompass ALL devices, it makes it easier to identify and manage devices connected to the enterprise network.
In addition to MDM software, some companies deploy Network Access Controls (NAC) such as firewalls, authentication/authorization technology, access control lists, and network policies (such as NPS on Windows Server). These controls cannot prevent all unauthorized access; however, can prevent a percentage of unwanted traffic.
Next, end-users pose a potential threat
In addition to end-users uninstalling MDM software, they may root or jailbreak their devices. Rooted and jailbroken devices present several risks to the network. End-users can bypass security measures on the network using jailbroken or rooted devices to forgo MDM software requirements. It also might be more difficult for the device to be detected on the network.
Jailbroken and rooted devices also make it possible to sideload applications. This process leaves the possibility of loading (intentionally or unintentionally) malware. This malware then can access the network and propagate or act as an information collection agent.
Users can also refuse to update their devices. Out-of-date devices present a threat to the network in that they often have unpatched vulnerabilities that can be taken advantage of. They can also cause unintentional compatibility issues in the network.
MDM software and network policies can help prevent non-compliant, jailbroken, or out-of-date devices from joining the network. In some cases, this software can help push updates to out-of-date devices and notifications to devices with unauthorized upgrades/changes. This can help mitigate many of the risks otherwise introduced by these devices connecting to the enterprise network or accessing enterprise data.
User installed applications can also pose a threat. Legitimate applications, such as The Weather Channel Application, can leak personal and private data. In 2019 a lawsuit was filed that claimed the Weather Channel sold geolocation information gathered through its app
In the case of a BYOD device, it is possible that an application, legitimate or not, could potentially exfiltrate data that is sensitive. As such, a BYOD policy that limits what a user can install with an “approved applications” list could limit potential data exfiltration. Data Loss Prevention (DLP) software can also help prevent and detect data exfiltration from these applications.
Users also pose a threat when it comes to phishing and other online scams. Recently, a threat actor released a phishing scam called the “Instagram Help Center” – it lured unaware users into a private message, thinking that they would get help with their Instagram accounts
End-user information security awareness poses a potential threat when it comes to these types of scams. An unsuspecting user might fall for such a phishing scam – which opens their device and potentially the network to multiple vulnerabilities. Information security awareness should be a part of any BYOD program to help mitigate phishing and other scams. Awareness training can be included in overall company Information Security policies. Many companies do include it as part of their overall security strategy.
Another issue that faces BYOD devices is theft or loss. Many BYOD devices are the size of a laptop or smaller. Items of this size are easily stolen or lost. In July of 2020, it was reported that over 300 devices were lost or stolen from the Central Government in the UK
Overall, all these challenges change the threat landscape and the threat model of an enterprise. BYOD has the potential to increase the attack surface of an enterprise and should be planned for accordingly.
BYOD requires careful planning that includes MDM and user policies (including training). While BYOD is known to help organizations be more efficient, reduce costs, and be more flexible, increasing the threat attack surface is there. Many threats from hardware issues, to user issues, to management issues, exist in the BYOD environment.
That does not mean, however, that BYOD cannot be implemented in an organization. BYOD can be successfully deployed with careful research and planning. Policies must be clear and concise, and users must be set up for success from the beginning (meaning they should be provided clear guidelines and training).
On the last note: With changes to the work landscape due to the COVID-19 pandemic, Work From Home or WFH programs have increased significantly. This has also increased the number of BYOD devices in many organizations. Many individuals use their laptops, desktops, phones, and tablets from home to complete tasks related to work (or even perform their entire job). It is not clear at the time of the writing of this post how this will change the BYOD landscape – things will change in the long run.