Guest Post by Dan Virgillito, InfoSec Institute
Your IT department is certainly not at a loss when it comes to worrying about BYOD applications. Indeed, the list of threats to enterprise applications and the data they contain is a long one, and security professionals are constantly challenged to mitigate these threats.
Most of the threats are the result of the growth of the BYOD (bring-your-own-device) movement coinciding with the growth of the BYOA (bring-your-own-application) movement. As corporate staff becomes more independent in their choice of devices, they’ve begun installing and using third-party corporate applications for networking, file sharing, and other purposes.
Gartner informed that 70 percent of employees using personal devices tap their own applications to perform work-related tasks. With this growing practice, the staff of a corporation decides about using their own applications, without the IT department involved. This makes BYOA an irksome result of BYOD, and creates new security threat implications.
BYOA presents new challenges, including risk of sensitive corporate information being exposed from apps that employees use. Should your organization embrace this trend and the associated threats? Should you restrict all employees from using their own apps? If corporate data is not backed up, how can the IT department recover the information compromised from an app that an employee used?
Before you think of answers, it’s important to look at BYOD application threats in detail. The following are some of the threats and what may be their consequences:
Keylogging: Employees may download apps that have been invaded by keyloggers. This is an application that can be installed via phishing or by attaching itself to a legitimate application, usually free things such as a free feature in a productivity application, slipping through the Google Play Store or App Store. The keylogger malware can record all keystrokes that are typed by the user, making it easy for criminals to record financial data and sensitive information.
Drive by download: Employees may download apps that give consent to download malicious apps themselves without the user’s authorization. The secret download can be initiated by downloading apps from ‘APK’ and ‘peer-to-peer’ websites. Apps installed as a result of drive by download will target information such as contact list, personal identity, and corporate location.
Malicious payload: Viruses, Trojans, and other malicious payloads are a growing problem in BYOD applications. Apps infected with a malicious payload can be the key for hackers to introduce new threats within an organization, since they do not have internal security controls over them. These apps are disguised as legitimate looking applications: fraudsters will often take out the original source code of a legitimate app and repackage it with malware before putting it back on an app store.
Data mining: Employees may download communication apps that have been infected by adversaries to mine the user’s contact database; if these databases are connected to the corporate network, then hackers can mine corporate data and send it over to compromised servers via the web. Such apps will mine text and call logs too.
These threats become a nuisance when organizations conflate them in the overall BYOD threat landscape during a threat assessment. However, individual threats pertaining to BYOD apps should be given separate attention to mitigate their risks. Also, during the course of individual assessment, the following questions need to be addressed:
- What is the potential danger to your network & company data from a malicious BYOD application?
- What tools can be used to detect the infiltration?
- If you are unable to detect a malicious app, when will you become aware of its costs?
- Is there a way to detect an app that’s supporting malicious activity before it’s too late?
How do you analyze a threat on an individual basis when it comes to BYOD applications? Here is a sample template.
Threat: Malicious payload
General description: Apps with this threat permit hackers to steal files or data, completely wipe data, permit eavesdropping, and cause other consequences on the victim’s device. It is also possible for an app to carry multiple payloads. The source code of a legitimate app will be taken out and repacked with malicious code to hide the threat from the victim.
Threat classification: Sensitive, confidential, company-related
Entry point: Third-party apps, legitimate apps repacked with malware
Affected victims: Employee, administrator, manager, whole company
Business impact: Theft of employee information & company data, financial loss due to unauthorized account activity, lawsuits & regulations because of transaction compromise and non-compliance.
Mitigation step: Direct all BYOD apps traffic through a firewall as well as intrusion detection system and threat intelligence feeds.
Next, it is important to look at the measures that can minimize the risks to BYOD app ecosystem. Here is the detailed outline of the mitigation measures, their function and outcome.
Identify preexisting apps
Conduct an analysis to find out what apps are being used by employees and why. In an ideal scenario, one employee brings in an app (downloaded outside the corporate walls), then a few more bring in more apps, and the cycle continues. Whenever apps that were downloaded by employees reach critical mass, it is important to know why. Conduct surveys to ask employees what apps they use. In addition, instruct your IT department to conduct a detailed analysis of these apps to ensure employees aren’t bringing in malware and viruses. You should also use network access to gain visibility into what apps are coming into your company.
Create an app directory
An increasing number of organizations are creating their internal app directories as a way to minimize the risks of BYOD applications. The goal of an app directory is to make it easy for employees to find and use apps that are productive and do not support rogue behavior. Additionally, you can also highlight the signs of malicious behavior in the app directory. The directory can be referred to by employees every time they download an app for company-related work, both within and outside office premises.
Implement centralized control over new apps
Most enterprise networks will offer the IT department some kind of option to integrate with employees’ existing passwords: the passwords they use to sign in to company accounts. This makes it convenient to keep a check on new apps before they redirect employees to sign into company accounts. For example, a productivity app that requires an employee to login to the official email account of the company would be detected by the central network when the employee types in the password. This would give IT centralized control over new applications.
Get in touch with app vendors
Try to formalize a relationship with popular app developers or vendors that supply applications. Doing so may give you the opportunity to integrate business friendly features into employee-installed applications such as directory services, IT support, security policies, and centralized control over sign in. App vendors that target enterprise users are open to working with companies to improve the security of their applications.
Educate employees on BYOA threats
Employees should be educated over BYOA threats and the extent of harm they can cause to the company. Security awareness should include the risk of installing unsanctioned applications and what company information is ok to access outside of internal systems. At the same time, your organization should create a BYOA policy that balances the needs of your employees to use the apps they find the most productive with the needs of your company to protect its sensitive data.
Employees are already bringing apps into your company. However, these measures will consolidate the usage of these apps into the corporate network, which will enable your IT department to keep a check on most activities conducted through BYOD apps. This is a better approach than completely restricting employees from using their own apps – continuing their use will translate into productivity gains that will offset any cost of securing the apps.