Mobilization: Deconstructing BYOD Cybersecurity (By Cheng Lai Ki, freelance cybersecurity researcher)

The ubiquitous use of mobile technology has caused a surge in applications and services targeting such platforms. Starting from the 1990s, with introductions of mobile phones, PDAs and laptops into the corporate environment, companies soon realized the beneficiary relationship of mobile technology with commercial output and employee productivity. In large fintech environments, these technologies are now almost essential tools, and larger firms have expanded their marketable services through computer programmes targeting mobile technology devices – otherwise known as apps or third-party applications. As mobile devices become more advanced, ubiquitous and affordable, many SMEs (small and medium-sized enterprises) have also joined the exploitation of the internet’s reach and mobile technology. Today, companies of all sizes have adopted BYOD (bring your own device) practices and mobile technology into its business and operational infrastructure, enabling flexible service provisions over wireless internet networks and connections.

This article is essentially a brief analysis focused on dissecting the concerns associated with BYOD-enabled environments. First, technological vulnerability is a concern for all industries, especially those with BYOD environments. Second, a company’s IT infrastructure and information security procedures, often designed without considering the security vulnerabilities of technologies involved, are their last line of defense against malicious intentions. Ergo, BYOD security concerns can be divided broadly into technological and infrastructural components – in that order.

DOUBLE-EDGED TOOLS

BYOD environments operate on employees, contractors or clients integrating their personal devices into company IT networks and gaining access to databases and/or various mainframes. A key technology-related concern is, thus, embedded malware leading to unauthorized access and subsequent data loss. Let us briefly consider the SlemBunk Android Trojan. According to mobile threat researchers from FireEye writing in December 2015, later versions of the Trojan have become highly sophisticated. Not only are newer versions focused on financial gain, they have also been encoded with commercial packers such as DexProtector to prevent reverse engineering and analysis through code obfuscation. Regardless of corporate or governmental environments, BYOD is closely (almost symbiotically) related to emerging commercial platforms such as smartphones and hybrid laptop-tablets. Technology, however, is a double-edged tool. Commercial platforms are often designed with user experience as a priority, and competing companies often focus on rolling out new systems and integrated technologies – often produced by external vendors. Taking into consideration that new technologies will always possess the potential for a zero-day, the integrated security of all components within commercial devices sometimes “takes a backseat” – see footnotes for examples. It is imperative, therefore, that future mobile technology products are designed with security being an equal priority to usability.

Let us put this into context. According to a 2016 spotlight report by LinkedIn Group Partner, Information Security, they discovered that ‘40 percent of organisations [interviewed, have made] BYOD available to all employees’. With employees representing the largest user group where BYOD is enabled, embedded malware in employee devices leading to subsequent data breeches and loss is, thus, of concern to enterprise CIOs and cybersecurity consultants. This is especially true in larger businesses which might have thousands of employees connecting their personal devices into company mainframes and internet networks. Ergo, the next line of defense and concern of BYOD cybersecurity is infrastructural.

POWER OF INFRASTRUCTURE

Technological security concerns are only half the problem, even for attackers. How mobile technology provides the platform from which employees work, infected devices play the same role in a Cyber Kill Chain (CKC). Infected devices either act as payload delivery for large-scale data thefts, or operate as pivoting nodes, or represent the end-target of cyberespionage. Remember, companies with BYOD policies have a portion of its IT infrastructure formulated by connected employee devices, in addition to those from outside contractors and clients. Here is where understanding a company’s connectivity infrastructure plays a key role for mission success, for both attackers and defenders.

Regardless of the technological element, BYOD landscapes would still adhere to a fundamental corporate infrastructure and are susceptible to social engineering. Understanding and mapping a computer network is part of the CKC. Companies without BYOD enablement would have a core IT infrastructure dotted with connections into employee personal devices – if they were connected into the company’s WiFi network. BYOD enablement, while proven to increase productivity, also increases the size of a company’s core IT infrastructure and the number of access targets for malicious actors. For instance, phishing scams or aggressive adware can be used to target key employee clusters – such as hedge fund or account managers – in attempts to gain access into a company’s network. While larger firms possess the equity, corporate connections and specialist staff (i.e. CIO, CTO), the same cannot necessarily be said for SMEs. Therefore, a thorough understanding of a company’s infrastructure within human and network domains is valuable strategic intelligence. It reveals to attackers who to exploit for access and which connections to manipulate along the CKC. Through protecting key nodes and regulating connectivity, defenders can achieve defense in depth. Regardless of organisational size, strategic infrastructure protection can reduce costs while ensuring effective network security.

Today, we live in a world where information is of value to almost everyone. Governments implement legislative guidelines into ensuring access to data for national security purposes (i.e. Snooper’s Charter) or task intelligence organisations with developing surveillance programmes (i.e. PRISM Program). Corporate and criminal organisations are on a constant lookout for vulnerabilities to exploit. Armed with a growing underground market of contractible services whose entire business objective is built on exploiting technical vulnerabilities for ulterior motives, even disgruntled employees can have a fighting chance. In a world progressively moving towards an Internet-ofThings (IoT) landscape riddled with mobile technology, BYOD enablement increasingly has financial benefits for most corporate enterprises and SMEs. At its core, BYOD is a pan-industry and global cybersecurity issue, and much like the IoT, we need to address it on technical and infrastructural levels.

About the author: Cheng Lai Ki is a freelance cybersecurity researcher with MA in Intelligence & International Security from King’s College London and a BA in Criminology from the University of Leicester. Formerly the managing editor for Strife Blog and Journal, he has been published in academic and commercial sectors in areas of security studies, cybersecurity, intelligence, regional politics and warfare.

This article originally appeared in Cyber World, published by Secgate.