The ubiquitous use of mobile technology has caused a surge in applications and services targeting such platforms. Starting in the 1990s, with the introduction of mobile phones, PDAs and laptops into the corporate environment, companies soon realized the beneficial relationship of mobile technology with commercial output and employee productivity. In large fintech environments, these technologies are now almost essential tools, and larger firms have expanded their marketable services through computer programmes targeting mobile technology devices – otherwise known as apps or third-party applications. As mobile devices become more advanced, ubiquitous and affordable, many SMEs (small and medium-sized enterprises) have also joined in exploiting the internet’s reach and mobile technology. Today, companies of all sizes have adopted BYOD (bring your own device) practices and mobile technology into their business and operational infrastructure, enabling flexible service provision over wireless internet networks and connections.

This article is a brief analysis that deconstructs the security concerns associated with BYOD-enabled environments. First, technological vulnerability is a concern for all industries, especially those with BYOD environments. Second, a company’s IT infrastructure and information security procedures, often designed without considering the security vulnerabilities of the technologies involved, are its last line of defense against malicious intentions. Ergo, BYOD security concerns can be broken down broadly into technological and infrastructural components – in that order.

Double-Edged Tools

BYOD environments operate on employees, contractors or clients integrating their personal devices into company IT networks and gaining access to databases and/or various mainframes. A key technology-related concern is thus embedded malware leading to unauthorized access and subsequent data loss. Let us briefly consider the SlemBunk Android Trojan. According to mobile threat researchers from FireEye writing in December 2015, later versions of the Trojan have become highly sophisticated.[1] Not only are newer versions focused on financial gain, they have also been encoded with commercial packers such as DexProtector to prevent reverse engineering and analysis through code obfuscation.[2] Regardless of corporate or governmental environments, BYOD is closely (almost symbiotically) related to emerging commercial platforms such as smartphones and hybrid laptop-tablets. Technology, however, is a double-edged tool. Commercial platforms are often designed with user experience as a priority, and competing companies often focus on rolling out new systems and integrated technologies – often produced by external vendors. Taking into consideration that new technologies will always possess the potential for a zero-day, the integrated security of all components within commercial devices sometimes “takes a backseat” – see footnotes for examples.[3] It is imperative, therefore, that future mobile technology products are designed with security being an equal priority to usability.

Let us put this into context. A 2016 spotlight report by LinkedIn Group Partner, Information Security, found that ‘40 percent of organizations [interviewed, have made] BYOD available to all employees’.[4] With employees making up the largest user group where BYOD is enabled, embedded malware in employee devices leading to subsequent data breaches and loss is, thus, of concern to enterprise CIOs and cybersecurity consultants. This is especially true in larger businesses, which might have thousands of employees connecting their personal devices into company mainframes and internet networks. Ergo, the next line of defense and concern of BYOD cybersecurity is infrastructural.

Power of Infrastructure

Technological security concerns are only half the problem, even for attackers. Just as mobile technology provides the platform from which employees work, infected devices play the same role in a Cyber Kill Chain (CKC).[5] Infected devices either act as payload delivery for large-scale data thefts, or operate as pivoting nodes, or represent the end-target of cyberespionage. Remember, companies with BYOD policies have a portion of their IT infrastructure formed by connected employee devices – in addition to those from outside contractors and clients. Here is where understanding a company’s connectivity infrastructure plays a key role in mission success, for both attackers and defenders.

Regardless of the technological element, BYOD landscapes would still adhere to a fundamental corporate infrastructure and are susceptible to social engineering. Understanding and mapping a computer network is part of the CKC. Companies without BYOD enablement would have a core IT infrastructure dotted with connections into employee personal devices – if they were connected into the company’s WiFi network. BYOD enablement, while proven to increase productivity, also increases the size of a company’s core IT infrastructure and the number of access targets for malicious actors. For instance, phishing scams or aggressive adware can be used to target key employee clusters – such as hedge fund or account managers – in attempts to gain access into a company’s network. While larger firms possess the equity, corporate connections and specialist staff (i.e. CIO, CTO), the same cannot necessarily be said for SMEs. Therefore, a thorough understanding of a company’s infrastructure within human and network domains is valuable strategic intelligence. It reveals to attackers whom to exploit for access and which connections to manipulate along the CKC. By protecting key nodes and regulating connectivity, defenders can achieve defense in depth. Regardless of organizational size, strategic infrastructure protection can reduce costs while ensuring effective network security.

Today, we live in a world where information is of value to almost everyone. Governments implement legislative guidelines to ensure access to data for national security purposes (i.e. Snooper’s Charter) or task intelligence organizations with developing surveillance programmes (i.e. PRISM Program).[6] Corporate and criminal organizations are on a constant lookout for vulnerabilities to exploit. Armed with a growing underground market of contractible services whose entire business objective is built on exploiting technical vulnerabilities for ulterior motives, even disgruntled employees can have a fighting chance.[7] In a world progressively moving towards an Internet-of-Things (IoT) landscape riddled with mobile technology, BYOD enablement increasingly has financial benefits for most corporate enterprises and SMEs. At its core, BYOD is a pan-industry and global cybersecurity issue, and much like the IoT, we need to address it on technical and infrastructural levels.

Endnotes

[1] Zhou, W., Chen Z., Su, J., Xie, J., Huang, H. ‘SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps’, FireEye, (17 Dec 2015); https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html

[2] Park, J., Kim, H., Jeong, Y., Cho, S., Han, S. & Park, M. ‘Effects of Code Obfuscation on Android App Similarity Analysis’, Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 6(4), pp. 86 – 98

[3] Fox-Brewster, T., ‘iPhone Hackers Say Apple Weakened Backup Security With iOS 10’, Forbes, (23 Sep 2016); http://www.forbes.com/sites/thomasbrewster/2016/09/23/apple-iphone-7-ios-10-vulnerabilities-in-passwords-jailbreaks/#5d78d88753dc; Mamiit, A., ‘Google Pixel Hacked In Under 60 Seconds: Is Your Smartphone Safe From The Exploit?’, TechTimes, (13 Nov 2016); http://www.techtimes.com/articles/185660/20161113/google-pixel-hacked-in-under-60-seconds-is-your-smartphone-safe-from-the-exploit.htm; North Carolina State University Researchers, ‘Researchers find vulnerabilities in iPhone, iPad operating system’, Phys.org, (25 Aug 2016); https://phys.org/news/2016-08-vulnerabilities-iphone-ipad.html; Allan, D. ‘Microsoft hits roof as Google points out glaring Windows security flaw’, Techradar, (01 Nov 2016); http://www.techradar.com/news/microsoft-hits-roof-as-google-points-out-glaring-windows-security-flaw

[4] Schulze, H., BYOD & Mobile Security: 2016 Spotlight Report (PDF), LinkedIn Group Partner: Information Security, (2016); http://www.crowdresearchpartners.com/wp-content/uploads/2016/03/BYOD-and-Mobile-Security-Report-2016.pdf

[5] Engel, G. ‘Deconstructing The Cyber Kill Chain’, DarkReading, (18 Nov 2014); http://www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain/a/d-id/1317542

[6] Home Office, Bill 143-56/1: Investigatory Powers Bill, (01 Mar 2016); https://www.publications.parliament.uk/pa/bills/cbill/2015-2016/0143/16143.pdf; Bowden, C., ‘The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens’ fundamental rights’, Directorate General for Internal Policies Policy Department C: Citizens’ Rights and Constitutional Affairs, (28 Aug 2013).

[7] Lawinski, J., ‘Dark Web Globetrotters: A Look at Underground Markets Around the World’, RSAConference, (25 July 2016); https://www.rsaconference.com/blogs/dark-web-globetrotters-a-look-at-underground-markets-around-the-world
