BYOD: An Emerging Mobile Security Risk

Mobile Security

Christopher J. Borak

BADM 8317

Information Systems for Management

April 21, 2012

Table of Contents

BYOD: An Emerging Mobile Security Risk
Abstract
BYOD: An Emerging Security Risk
BYOD Trend
Securing Network Transmissions
Preventing Unauthorized Network Penetration
Cloud Computing Technology
Conclusion
References




Abstract

In a global economy where everyone is expected to have instant access to information and work faster and more efficiently than their competitors, the rise in the use of personal mobile devices such as smartphones and tablets is creating increased security risks for companies. But as clients expect businesses to provide services using these emerging technologies, coupled with an increasing push from employees to embrace new technologies, IT departments are scrambling to address an array of security issues resulting from use of these devices. Companies must therefore use the following steps to address mobile security: first, establish strict security protocols for using personal mobile devices and educate employees on how to implement the protocols to safely use the device for work and personal use; second, address how to safely secure the transmission of data when traveling; third, secure the company network from unauthorized network penetration. This paper will also address a variety of issues, from how to deal with lost or stolen devices and the trend of downloading a variety of personal and work apps and their effect on company network security, to the complexity of managing the emerging cloud technology. After reading this paper the reader will have a better understanding of the issues facing IT departments that are currently addressing the emerging trend of employees utilizing their own mobile devices for business and personal use, and of how to successfully secure company data and network systems from unauthorized access.



BYOD: An Emerging Security Risk

In a global economy where everyone is expected to have instant access to information and work faster and more efficiently than their competitors, the rise in the use of personal mobile devices such as smartphones and tablets is creating increased security risks for companies. But as clients expect businesses to provide services using these emerging technologies, coupled with an increasing push from employees to embrace new technologies, IT departments are scrambling to address an array of security issues. According to research by Microsoft (2012) and Schreurs, Al-Huneidi, & Princen (2012), these issues include insecure Wi-Fi connectivity, lost or stolen devices, mobile web browsing, malicious mobile app downloads, unsupported applications, unauthorized network penetration, and intercepted or corrupted data. In addition to these considerations, new advancements in cloud computing technology are also opening up new possibilities in employee efficiency and cost reduction, along with security nightmares for IT managers. All of these issues fall under what is generally referred to as mobile enterprise security. A mobile enterprise is broadly defined as a company that supports the use of business applications via mobile devices.

BYOD Trend

There are three main areas that IT managers need to consider when addressing mobile enterprise security. The first is the employee who brings their own personal device to work. This emerging trend is known as BYOD, or “Bring Your Own Device,” and can include smartphones, tablets, and laptops. Since the BYOD practice is being encouraged by more companies to enhance worker performance and increase employee satisfaction, this trend is expected to increase at dramatic rates in the coming years. In Utah, according to Kontzer (2012), the government is embracing technology to increase efficiency in delivering government services. The state has created its own mobile app for its employees that allows highway patrol officers and social caseworkers to submit case reports via their mobile devices. The result is a two-hour-a-day gain in productivity versus employees having to travel back to the office to type up and submit their reports in person. Funds saved by this increase in productivity are being channeled to educational programs for an increasing student population (Kontzer, 2012).

An additional benefit of BYOD is that employees feel more satisfied with their work because they are allowed to pick the device that is best for them versus using an archaic device supported by the IT department. In the past, many employees carried two phones: one for work and one that had all of the bells and whistles they desired for their personal life. With the development of Apple’s powerful iPhone and iPad devices in recent years, the push to embrace this new technology that merges work and personal performance has grown in popularity from executives to the average worker. Their expectations of what technology should and can do have become a trend that IT departments can no longer ignore but are forced to embrace.

The concept of having a device that enhances a consumer’s work and personal life performance has exploded in popularity worldwide. Apple reported in July of 2011 that it had its 15 billionth download of apps used for the iPhone/iPad. As popular as downloading apps has become, IT departments have to address the increased security risk that apps create by exposing the company’s servers to Trojan viruses inadvertently downloaded by the employee to their device. For Android phones, the vetting process for apps allowed into the Android app store is less rigorous than that of the Apple Store. This has resulted in several malicious Android apps being corrupted with Trojan viruses that have attacked company networks (Schiller, 2011). Trojan viruses can also be downloaded when an employee is using a mobile device to surf the web and accidentally accesses a corrupted website. So for IT departments, the first line of BYOD defense is employee education on how to safely use their device to avoid security breaches.

Setting up a BYOD user protocol is essential. Different companies have different approaches. NZ Business (2011) encourages that strong passwords and malware security software be installed on all devices. Since most IT departments are not equipped to deal with 100 different models of phones, tablets, etc. with varying versions of operating systems, or to track what each device is doing on the network, many companies have taken the step of installing Mobile Device Management (MDM) software on all employees’ devices that are used for both work and personal purposes. Henderson & Allen (2011) define MDM software as software designed to manage devices from multiple manufacturers with different operating systems which are linked to different carriers. Products such as MaaS360, MDM (version 5.2.2.10), Enterprise Mobility Management, and Afaria are popular solutions for outsourcing the management of mobile device security. The software listed above varies in cost, but once installed it evaluates every mobile device on the company’s network and sets each device to the company’s predetermined security standards. If a phone is “jailbroken” or altered in any way that violates company policy, it will be kicked off the company network and denied access. All MDM software forces password protection and can wipe a device if it is lost. Right now there is not a “one size fits all” solution. Some MDM solutions work better for BlackBerry and Android phones than they do for Apple devices. But as the market for MDM solutions continues to grow, developers will improve their products to meet companies’ IT needs. For IT departments, being able to select what each device can and cannot do in relation to their network and data is very appealing.
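
A sketch of the device evaluation this paragraph describes, added here as an illustration and not taken from any of the MDM products named: each enrolled device is checked against a company baseline, a jailbroken device is denied network access, a missing passcode is remediated, and a device reported lost is wiped. The `Device` fields, the action names and the minimum OS versions are assumptions.

```python
from dataclasses import dataclass

# Assumed company baseline (illustrative values, not from any MDM product).
MIN_OS = {"ios": (5, 1), "android": (4, 0), "blackberry": (7, 0)}


@dataclass
class Device:
    owner: str
    platform: str        # "ios", "android", "blackberry", ...
    os_version: str      # dotted version string, e.g. "4.0.3"
    jailbroken: bool     # jailbreak/root or other policy-violating alteration
    passcode_set: bool
    reported_lost: bool = False


def parse_version(text):
    """Turn '4.0.3' into (4, 0, 3) so versions compare numerically, not as strings."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None  # malformed version string


def evaluate(device):
    """Return (network_access, actions) for one enrolled device."""
    # A device reported lost is wiped and blocked before any other check.
    if device.reported_lost:
        return False, ["remote_wipe", "deny_network"]
    # Altered devices are removed from the network, as the text describes.
    if device.jailbroken:
        return False, ["deny_network"]
    minimum = MIN_OS.get(device.platform)
    version = parse_version(device.os_version)
    if minimum is None or version is None:
        # Unknown platform or unreadable version: cannot verify, so fail closed.
        return False, ["deny_network", "manual_review"]
    actions = []
    if version < minimum:
        actions.append("require_os_update")
    if not device.passcode_set:
        actions.append("force_passcode")
    # Access is granted only when nothing is left to remediate.
    return (not actions), actions


# Constructed sample fleet covering each outcome.
FLEET = [
    Device("alice", "ios", "5.1.1", False, True),
    Device("bob", "android", "2.3.6", False, False),
    Device("carol", "ios", "5.0", True, True),
    Device("dave", "android", "4.0.3", False, True, reported_lost=True),
    Device("erin", "webos", "3.0", False, True),
]


def report(fleet):
    return {d.owner: evaluate(d) for d in fleet}


if __name__ == "__main__":
    for owner, (allowed, actions) in report(FLEET).items():
        print(owner, "access granted" if allowed else "access denied", actions)
```

Failing closed on an unrecognised platform or version string reflects the paragraph's point that no single product handles every device equally well.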

MDM software is an essential approach, but probably more important is employee education on how to keep their devices safe and what the expected protocol is to keep data protected. According to PC World (2011), 36% of cell phone users had a cell phone disappear on them. From having it stolen to accidentally leaving it in a restaurant or cab, loss of a smartphone is a major potential security breach for any company. Some companies are wisely implementing a policy under which it is a minor offense to lose a device and report it immediately, but grounds for dismissal not to report the breach immediately. With immediate notification, an IT department can wipe a phone, rendering it useless to anyone with unauthorized access, but if the employee fears reporting the breach to the IT department, the effects can be disastrous.

Securing Network Transmissions

The second area IT managers need to consider is how to secure network transmissions on mobile devices. Since employees are using their own devices to access company networks, many will utilize the free Wi-Fi options available in airports, coffee shops, etc. that are emerging all over the country. Using these unsecured Wi-Fi connections allows unauthorized persons to access the transmitted data, thereby exposing company and customer information. According to Fan, Li, & Sun (2012), a better alternative is using a Virtual Private Network (VPN). They define a VPN as the use of a shared public network (like the internet) to establish a specific data transmission channel from the company’s servers to the user’s remote branch offices and business partners while maintaining security of communication and secured data transmission that is managed by the company’s IT department.

Another area of concern when traveling is the use of Bluetooth technology and the security loopholes that allow hackers to access information such as email, contact lists, calendar data, and photos/videos on a device, or to send messages and make calls on the device without the user’s knowledge. This is often referred to as Bluesnarfing, Bluejacking, or Bluebugging. According to Vochin (2012) and SP Commerce LLC (2012), it is important to always download the latest patches and updates to your phone. Users can prevent Bluesnarfing by setting their phone to undiscoverable mode until they are ready to transmit data, then confirming that the computer or system they are pairing with is the correct computer and not the hacker’s computer. Bluesnarfing is really only a concern for high-profile executives or government officials. It requires that the hacker be within 30 feet of the user and have special, expensive equipment.

Preventing Unauthorized Network Penetration

The third area IT managers need to consider is how to secure server information from unauthorized network penetration. Hackers are a common problem for all companies these days. One of the quickest ways hackers gain access to a company’s network is through well-intentioned employees, says Fowler (2011). Hackers use social networking sites like LinkedIn to find out about the hierarchy in a company and determine an employee’s role. Then the hacker puts together an official-looking email from a superior in the company talking about subjects relevant to the company (all from data on LinkedIn) and then asks for special information such as login or password information. This type of email is called a spear phishing email. In a 2011 study by the security awareness firm KnowBe4, “it sent phishing emails to employees at 81 companies from a reputable and trusted server; 43% of them had one or more employee click on the link in the emails. In a second test, using unknown and untrusted servers that were filtered out by many corporate email systems, still at least one person in 15% of the companies clicked on the emails” (Fowler, 2011). Fowler’s point is that well-intentioned employees are a major loophole that companies need to address, and a simple fix is educating employees on the current security risks and sending frequent email reminders of good practices concerning email.

As phishing emails pose a risk to companies, so does the rise in mobile commerce (m-commerce). Mobile commerce is the promotion, buying, and selling of goods and services through electronic data communication networks that interface with wireless devices (Varshney & Madan, 2010). M-commerce has become a growing concept widely used in many societies’ daily lives. With the advances in smartphones and the recent introduction of tablets, one can purchase items such as TVs, textbooks, furniture, and a wide variety of goods and services while standing in line to buy a gallon of milk. While m-commerce has not replaced shopping malls or department stores, it has made organizations make their websites mobile friendly. There are two types of transactions involved in m-commerce. There are low-value transactions, which include items like music downloads and ringtone downloads. Then there are high-value transactions, which include credit and debit card transactions, point-of-sale terminals, and paying through the handset at merchant locations.

When an employee uses his personal device to engage in m-commerce, the device and user are being exposed to potential risk. Doing business only with reputable companies that invest in good security practices reduces the potential risk to the mobile device user. For IT departments, ensuring that their employees have the MDM software is a must. In the event that an employee does business with an m-commerce site that is corrupted, the MDM software will protect the company’s network from security breaches. As companies embrace the BYOD trend, they are forced to rely on the good judgment of their employees engaging in m-commerce on their personal time.

Cloud Computing Technology

Another area of concern is the emerging advancement in cloud computing technology. In the past, companies would buy more servers to accommodate the increase in data that the company was storing. As the company grew, so did the need to buy additional servers. Servers run even when they are not being used, and this can get very expensive. With cloud computing, data and programs can be uploaded to a company cloud which is hosted in a remote location, thereby eliminating the need for additional servers to be purchased and maintained. The company cloud can be expanded or reduced as the need arises. This flexibility is very appealing to corporate IT budgets.

Another emerging trend is that many companies are developing their own apps for their employees to use for work, such as Primerica, which has a mobile-based app for its employees to write life insurance policies for up to $250,000 in just three minutes (Kontzer, 2012). So the more companies create business apps for employees, the more they will want to invest in their own cloud. Taking this a step further, Messmer (2012) suggests that companies can avoid many security risks by building their own app stores for employees to use. Apps included in a company’s store would need to address work and personal use. For example, companies should expect to include popular games like Angry Birds, Fruit Ninja, and DrawSome among the other approved options. The key to this approach working is offering a variety of approved apps that are updated as the market changes. The point is to give the employee many work and personal options so they will use company-approved apps and not jeopardize the integrity of the network by accidentally downloading a malicious app that causes a potential threat.


Another approach several companies are considering is a method the music and movie industries have used for years. DRM, or digital rights management, technology is used to tag data being transmitted. In the music industry, if a song is coded with DRM technology it can only be played on certain platforms, or in the case of a movie it could only be played on a Blu-ray player versus a DVD player. This same technology can be used to protect a company’s data. The company may have a protected cloud for company use and the employee may have a personal cloud for personal use. When an employee’s device is synced, the problem arises of what information is uploaded to which cloud. When company data is uploaded to an employee’s personal cloud, a breach in security has occurred or could occur. Messmer (2012) points out that with DRM technology the data itself will recognize that it is not in the correct cloud and it will delete itself, simultaneously deleting the possibility of a breach of security.

Conclusion

Overall, ensuring security in an ever-changing and evolving world of mobile devices is a constant challenge for IT managers. There are many approaches companies can take to secure their data while still encouraging the popular trend of BYOD. The first step is a proactive approach of educating employees on how to safely use their mobile devices for work or personal use and, in the event of a lost or stolen device, what steps to take immediately. Besides empowering employees to be part of the IT team in shared security responsibility, companies can also use MDM software to manage the security of the network with a multitude of devices accessing it. And lastly, with the emergence of the cloud, companies have opportunities to expand their workforce’s efficiency and productivity with the creation of new apps and increased flexibility in how data is transmitted. Ultimately, Messmer (2012) may be right that the future is in each company developing its own cloud and app store. It provides greater control of data and increases security. By offering employees the increased security of reputable apps for work, personal leisure, and m-commerce, companies increase their own network security by reducing malicious viruses and unauthorized network penetration. More research will have to be done to see if this is a viable, cost-effective option for companies in the future and if their workforce will embrace the concept of employer-based app stores. As mobile technology continues to evolve, the focus will continue to shift from customer trust in technology to customer trust in vendors. If companies can establish a network of trusted vendors in their app stores, it is possible that the concept of employer-based app stores could be embraced by their workforce.



References


Fan, Y.-q., Li, C., & Sun, C. (2012). Secure VPN Based on Combination of L2TP and IPSec. Journal of Networks, 141-148.

Fowler, G. (2011, September 25). What's a Company's Biggest Security Risk? You. The Wall Street Journal.

Henderson, T., & Allen, B. (2011, May 23). New tools protect mobile devices. Network World, 28(10), pp. 27-34.

Kontzer, T. (2012, January). Managing Mobility in the Enterprise. CIOINSIGHT, pp. 14-17.

Messmer, E. (2012, January 9). Security Minefield. Network World, pp. 22-26.

Microsoft. (2012). Security Risks in the Mobile Enterprise. Retrieved February 26, 2012, from Microsoft: technet.microsoft.com/en-us/library/cc182262.aspx

NZ Business. (2011, September). Are mobile devices compromising your business security? NZ Business, 25(8), pp. 60-60.

PC World. (2011). Have you seen this lost phone? PC World, 29(11), 79-83.

Schiller, K. (2011, March 28). Moving Target: Security Risks and the Mobile Work Force. Information Today, 28(3), p. 36.

Schreurs, J., Al-Huneidi, A., & Princen, T. (2012). Secured Professional Use Of Mobile ICT Devices. Hasselt University, Belgium. Science Publishers.

SP Commerce LLC. (2011). Bluetooth Security - Bluejacking, Bluesnarfing, and Bluebugging. Retrieved April 6, 2012, from Blue Tomorrow Web Site: http://bluetomorrow.com/about-bluetooth-technology/bluetooth-security/bluejacking-bluesnarfing-bluebugging.html

Varshney, G., & Madan, P. (2010). A Study of Functionality Dilemma and Barriers to Optimal Usage of M-commerce. CURIE, 60-73.

Vochin, A. (2009, February 11). How to Protect Yourself against Bluetooth Hacking (Bluesnarfing). Retrieved April 6, 2012, from Softpedia: http://gadgets.softpedia.com/news/How-to-Protect-Yourself-Against-Bluetooth-Hacking-Bluesnarfing-1254-01.html