When a marketing buzz word sticks like BYOD (Bring Your Own Device), it is inevitable to see it everywhere in an effort to capitalize on the momentum; blogs, literature, SEO, social media, etc. In the past, we have seen great terms like "ecosystem", "framework", and my personal favorite "distributed computing", rise and fall in marketing. Fortunately, some of these buzz words are more realistic than others and really do pose a challenge to many companies. It is not just about the latest and greatest technology or security threat, but what really matters to the business.
BYOD is one of those terms that really does matter and is a real problem. eEye, like many organizations, does support BYOD. We have a wide mix of devices from Android to Apple to WebOS (PalmOS) connected with various parts of our infrastructure with a myriad of security tools, firewalls, and access control lists filtering content and visibility. This is no surprise and for corporations supporting BYOD, I would expect the same; or at least hope so. As businesses struggle to reduce costs, BYOD, provides an upfront cost savings by allowing employees to bring their own devices to work in lieu of potential capital expenses to acquire them. One of the hidden costs is how to maintain proper security for these devices and fundamentally what risks they present for vulnerability assessment and even custom auditing on top of costs for securing connectivity. Retina has taken the traditional approach of vulnerability assessment for Android devices to a new level to solve this problem. With the release of Retina CS 3.1 and Retina Community 3.1, eEye is offering for free a vulnerability assessment agent for Android devices from the Google Play Store (formerly Google Market Place). Download from Google Play Now. As users begin to connect these devices to the corporate infrastructure, primarily through email, they can assess if their device has inherent vulnerabilities that could cause unnecessary risk to the business via vulnerable applications like Google Wallet or Adobe Flash. When used as a standalone agent, all of the findings and remediation steps are presented directly on the device, and when connected to Retina CS, all of the results are correlated in the management console, just like any other asset, for complete zero-gap vulnerability management coverage. The solution however, does not just stop at assessments for Android devices, it allows for custom configuration and auditing to meet the needs of your business policies. Retina complements MDM solutions with additional flexibility for vulnerability and configuration policies. Consider that your policy for BYOD states that USB debugging should be off or that if you connect your device to the infrastructure, certain applications must be installed (for additional security like anti-virus) or are explicitly denied from being installed (like a faux version Angry Birds that contains malware). Retina CS (and CS Community) allow for you to perform this inventory. An MDM solution may be setup to enforce these but Retina Android Agents allow you to verify these settings on the actual device and create custom ones beyond the scope of your MDM solution. Mobile devices (smartphones and tablets) represent an entirely new way to do business. Everything from accepting credit cards (which fall under PCI DSS compliance regulations and making vulnerability assessment a must have on these devices) to allowing users to connect and bring their latest gadgets to work pose a new security challenge for IT and security departments. Emphasizing security restrictions on connectivity is not enough. Assessing these devices, that are outside of the corporate firewalls and IDS/IPS systems, is a must. Whether you rely on just an MDM vendor for your security, have mandated anti-virus on these devices, or have sat down and seriously considered the risks these devices represent, do not forget that they are vulnerable just like other desktops and servers within your environment. The marketing buzz may be about BYOD but remember the real buzz is within your organization and you must consider how you will manage mobile devices. They are the proverbial "hand-held keys" to the internal workings of your business; from emails, to contact lists, to possible mail attachments. They should be assessed for vulnerabilities and configuration violations just like any other device. Just like every other industry buzz in the past, like "working from home", and "mobile workforce" with laptops, these devices need the same considerations and protection. Retina can get you started. Download from the Google Play Store now.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.