360 Degree Cyber Security, LLC

BYOD Pt 2. The threat vector

As I mentioned in my last post, bringing your own device (BYOD) provides a benefit to businesses that need work done but don’t have the money to purchase the equipment. But there was a caveat: that benefit must be weighed against the risk the business assumes by allowing BYOD.

Second to the business’s employees, the most valuable asset a company has is its information and the information it processes. This information is what is at risk if there happens to be a vulnerability that is exploited (intentionally or unintentionally) by an employee or other person who gets their hands on the device.

Some threats that pose dangers to your data are:

1. Malware/Viruses/Spyware. Introduction of malware, viruses, and spyware into the company IT infrastructure could have a crippling effect on your business. The latest malware, also known as ransomware, encrypts the data on the user’s device and thereby prevents the user from gaining access to the files needed. If a BYOD user gets hit with ransomware while connected to the business’ files, the business may be out of luck.

2. Lost/Stolen device. Perhaps the largest threat.  The Veteran’s Administration is no stranger to lost portable electronic devices.  In 2006 they lost a single laptop that contained a significant amount of information about U.S. veterans.  It has not only happened to the Veteran’s Administration but also to car manufacturers, HR recruiting companies, etc.  Once the device is lost, the data is potentially forever lost and possibly compromised.

3. Rooted devices. Device manufacturers go to great lengths to ensure some level of security on the devices they sell. But there are people who want more access to the inner workings of the device. These super power users inadvertently open their devices to being easier targets for malware and misbehaving applications.

4. Outdated software. Numerous times each week, updates and patches to software applications are released to fix flaws within the application that not only affect how the application works, but also affect the security of the device and data.

5. Open WiFi. In this day and age, most people want to be able to connect anywhere at any time. Look at all the places that offer free or pay WiFi: airports, coffee shops, stores, restaurants, just about anywhere you go. When connecting to these WiFi sources, the connections are typically unprotected. Another person at the same coffee shop could snoop on the mobile device’s traffic and get all sorts of information. Maybe even get into the computer.

6. Unlocked devices.  Locking the device provides a minimal measure of security.  This prevents people from picking up the device and scrolling through documents, emails, or other files related to your business.  It is a simple mechanism, but is often not implemented.

This is just a summary of some of the larger threats associated with BYOD. In my next blog entry, we will look at what can be done to protect a business while still implementing BYOD.

Until then… Think twice and perform a cyber 360.

About the Author

Chris Wolski is the founder and principal consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and to various individuals seeking to be mentored in cybersecurity. He is frequently researching industrial devices to discover weaknesses that would present a problem for users of those devices. Chris obtained his start in cyber security in the U.S. Navy where he served in various information security and signals intelligence roles over his 20-year career. He left government service after serving in a position to develop cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science Degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master in Business Administration, also at the University of Maryland University College.