BYOD or Bring-Your-Own- … Ostrich?

When it comes to the bring-your-own-device (BYOD) movement, there are essentially two types of organizations: those that have programs in place to support it, and those that pretend that, because they have forbidden the practice, it isn’t happening. In the latter group, in which employees are doubtless bringing their own devices, the IT professionals tasked with network security have brought their own ostrich — and its head is buried firmly in the sand.

We all know that mobile devices such as smartphones and tablets bring additional risks. The same can be said of any employee-owned device, including laptops and desktops. Would we like to minimize risk? Of course. But which of the following is riskier?

  • Letting employees who may know little about threats or mitigation strategies sort out what the most appropriate defenses are, install the proper tools, configure them for optimal usability/security and maintain all this in the face of an ever-changing backdrop of newly-discovered vulnerabilities and attack types.
  • Letting subject matter experts chart the course and enable members of the user community to focus on their daily jobs.

Bear in mind that there is not a third option since the devices will inevitably make their way into the environment in one way or another. The only question is whether firms want the employees bringing in these devices to decide on a security strategy for themselves or to allow professionals to provide the necessary training and infrastructure to guide the process.

A Brief History Lesson

Remember when all computing was done under tightly controlled environments? All computers were on raised floors behind access-controlled doors, with security guards logging everyone’s comings and goings, all under constant surveillance by security cameras. (Alright, so maybe some of you don’t remember this. Just take my word for it. It really happened.)

Then, the first PCs burst onto the scene, and the idea that sensitive data might now sit on or under someone’s desk in an open cubicle caused the security department to break out in hives. As if that weren’t enough, laptops soon started showing up, and it was as if the data center had grown legs and could now be carried to and from external meetings just as easily as it could end up at the beach with an employee wanting to check email from time to time while on vacation. Worse still, this precious resource could get nabbed from a hotel room or car seat and wind up in the hands of a competitor in short order. By that point, the hives were breaking out in hives of their own.

But, as we all know, it didn’t stop there. Now, we have mobile devices with the power and storage capacity of yesterday’s mainframes in a size that fits conveniently in an employee’s pocket — or on the floor of the taxi that employee took an hour ago. At this point, the medical analogies fail me.

The point is that, with each turn of the technological crank, doomsayers have predicted the end of IT security as we know it; and yet, life goes on. Not only has the world not come to an end, but smart organizations have figured out how to ride the waves of new technology and improve their competitiveness in the process. When viewed from this historical perspective, it becomes clear that those companies that figure out how to leverage change and manage risk are going to be the winners. The others? Well, we will get to read about them in the history books.

BYOD Is Just the Beginning

It’s not only devices that employees are introducing into the equation; it’s also public cloud services such as iCloud, Gmail, Dropbox, Evernote and so on. In fact, the more we move to mobile devices with always-on Internet connections, the more we are going to leverage these capabilities because they were made for each other. Any attempt to pre-emptively block all public cloud services is just as likely to fail as an attempt to prohibit the use of smartphones and tablets for business purposes. The better strategy is, once again, to figure out how to get out in front of the trend and exercise prudent control over how these devices and services can be used in a secure manner instead of simply forbidding them and running the risk of driving their use underground, where you will no longer have the ability to influence how they are used.

In the end, users are going to bring their own devices, clouds and anything else that awaits on the technological horizon. The only question is whether you want them to bring their own security as well while the organization chooses to hang out with the ostriches.
