BYOD (Bring-Your-Own-Device), in which a growing number of workers use their smartphones for both personal and work purposes is a hot trend.
A recent report by research company Gartner predicts that by 2017 half of all employers will require employees to supply their own device for work purposes. The report, entitled “Bring Your Own Device: The Facts and the Future,” indicates that security remains the top concern for BYOD.
Another survey, published by the Ponemon Institute and Zix Corporation, indicates that the majority of IT and IT specialists believe their companies do not use any tools or policies to protect corporate data from risks arising from BYOD.
The research shows that 60 percent of IT professionals are dissatisfied with current BYOD solutions, mostly due to cost and inadequate security.
The problem is not limited to organizations that deploy a BYOD policy, but also includes companies which provide their workers with mobile devices. So for example, workers who use the corporate network to connect to services such as Microsoft Skype for Business (Lync) may expose their employers to serious security threats.
The major risks for the organizations’ networks include:
Hacking of network active directory credentials
Active Directory usernames and passwords can be hacked and used to provide unauthorized access to many core business applications. Using Active Directory credentials in the non-secured environment of a mobile device introduces major risks.
The exposed credentials might be hacked and used to either receive emails or log in to other corporate applications. Hacking is typically achieved by “eavesdropping” on public networks, through hostile applications installed by users or received by SMS. Another danger is that the user will allow other people, such as friends and family members, to use his or her device, and unintentionally expose the corporate network to risk.
The best solution for such problems is to try to refrain from using or storing the Active Directory credentials on the mobile device.
Usage of uncertified devices
The worker might connect to the corporate network by using his or her name and password on other unauthorized devices, therefore companies need to adopt a policy in which workers can access the system only from authorized devices.
An addition risk is posed when someone has access to a user’s credentials and can connect unnoticeably from a different device.
To avoid these two issues, the required solution is to allow only registered devices to connect, thus implementing a Two Factor Authentication connection.
Brute Force attack and denial of service (DoS)
The exposure of internal services, such as Skype for Business, through the use of a BYOD policy introduces a risk of brute force attacks and denial of service attacks.
The authentication of these services must be publicly available in order to allow the worker to connect anytime from anywhere, thus exposing the Active Directory authentication interface to potential attacks.
Brute-force attacks are conducted by systematically checking all possible keys or passwords until the correct one is found.
Denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) are attempts to make the corporate network unavailable to its intended users. They generally consist of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet.
These attacks can make the network unavailable and cause significant business damage. The best way to defend the organization from such attacks is by blocking them at the gateway level by configuring a block-failed login policy that prevents the attack attempts from reaching the Active Directory by implementing a gateway layer blocking these attacks before they enter the network.
Identifying the risks arising from adopting BYOD policies and from making internal services available for external mobile devices is the first step that organizations need to take before they authorize such a strategy.
As the BYOD trend is expected to play a major role in the future, IT managers should explore the possible solutions and find the ones that are most suitable for their organization.