New devices could threaten corporate security

Employees bringing newly acquired smartphones and tablets into the office could be a new year gift for hackers, warns Ernst & Young

Employees bringing newly acquired smartphones and tablets into the office could be a new year gift for hackers, warns consultancy firm Ernst & Young (EY).

In the post-Christmas period, companies with poorly protected networks and those lacking adequate security policies on employee-owned devices could be at risk of attacks targeting employees’ devices.

“We are already seeing issues with companies leaving themselves exposed to this phenomenon,” said Massimo Cotrozzi, director of cyber crime investigations at EY.

“The new devices that employees bring into the office could be connecting via the corporate wireless networks to external cloud systems which, in the best case, have not been appropriately protected, let alone tested,” he said.

Cotrozzi believes organisations that are unprepared could be “caught napping” while hackers are getting in through unsecured employee devices.

This threat is compounded by the fact that new devices are not necessarily running the latest and therefore safest versions of software, according to Jahmel Harris, consultant at MWR InfoSecurity.

Responding to the EY warning, he said a review by BlueBox of sub $100 tablets in 2014 showed that many of them are shipped with old and vulnerable versions of Android, security backdoors and mis-configuration.

“With many employees using these devices for work, many will make it into offices dealing with sensitive information,” said Harris.

“And due to the fragmentation of Android, providing sign-off for one type of device does not necessarily mean other devices will be configured in the same way,” he said.

EY notes that 2014 saw the rise in mobile malware, with fifteen million mobile devices infected with malware according to a report by Alcatel-Lucent's Kindsight Security Labs.

Despite this, research indicates that businesses are not taking this threat seriously. The latest EY Global Information Security Survey shows that 84% of companies consider mobile security a medium/high priority area, yet only 41% indicated they will increase their spending in covering the threat.

More on BYOD

“The scale of high-profile cyberattacks in 2014 has demonstrated that hackers are willing to use innovative means to achieve their goals and this is likely to include targeting employee devices and infecting them with malware,” said Cotrozzi.

“By taking a pro-active approach, in terms of financial investment as well as monitoring threats and detecting breaches before they can impact the business, businesses can better understand where the risk for their particular organisation lies, and who is likely to be targeting them, whether it is hacktivists, organised crime or other entities,” he said.

Cotrozzi said businesses also need to be prepared for when the worst occurs and have a clear strategy to respond to and clean up after an attack.

“Employees must understand how to preserve evidence left by the perpetrators and must also establish contingencies to deliver an instant response to reassure customers and prevent reputational damage,” he said.

According to Harris, with any bring your own device (BYOD) environment, care should be made to perform checks on devices, where the operating system version, installed apps and root status are checked first. 

“As different types of devices are introduced, such as wearables, there will be an expectation that these will be used in offices, but the security impact of these devices are not always known and there is not always off the shelf solutions to support them in a secure way,” he said.

Harris believes wearables pose a particular risk as they are so integrated in mobile devices that will be used in BYOD environments.

“With enough time, an attacker can bypass most attempts of blacklisting and poorly configured whitelists, so companies should have policies and practices in place to deal with what should be thought of as inevitable breaches,” he said.

This includes monitored logs, the ability to wipe devices if they are lost, stolen or compromised and figuring out where the businesses high risk assets are.

“These high-risk assets should have additional security controls in place, meaning a breach of a mobile device does not necessarily put the company at further risk that that accepted when implementing a BYOD policy,” he said.

Read more on Hackers and cybercrime prevention