
Background and Literature Review

2.5 Consumerisation & BYOD

2.5.2 Device Vulnerability Management

Tenable [226] reported in 2012 that device vulnerability management was a top concern for security professionals. Their study surveyed attendees at the RSA Conference 2012 and found that nearly 70% of respondents believed that mobile device vulnerability management was ’very important’ compared to other security areas. Furthermore, almost all participants believed that mobile devices posed a significant threat to their businesses’ security, yet 68% said they currently have "no way of identifying known mobile device vulnerabilities that could be affecting their network and 67% said they either have no controls in place for mobile device usage on their network, or their employees simply ignore existing mobile device usage policies" [166], [226].

Although the majority of the corporate data we access, and the material we consume via the internet, is encrypted and tunnelled using Secure Sockets Layer (SSL) and Transport Layer Security (TLS), the end-point device used to access this content poses a significant security threat if it is unsecured. In BYOD this end point is an unknown (with respect to non-managed user devices): IT professionals do not know whether the device has software defences (a virus/malware scanner) and, if it does, whether they are up to date. Furthermore, a 2012 study conducted jointly by Skype, Norton and TomTom [208] found that 40% of respondents admitted they don’t upgrade software when they should, leaving them open to many cyber attacks and malware.

Whilst virus/malware scanners are somewhat effective tools for mitigating the acquisition of malicious software, they do not prevent man-in-the-middle attacks (or, for malware specific to mobiles, more appropriately man-in-the-mobile attacks) or man-in-the-browser attacks [166]. This observation is important for several reasons:

• Browser-based sharing is a popular and highly problematic activity with respect to BYOD (see Fig. 2.13).

• Virus/malware scanners provide no protection against such attacks.

• IT professionals cannot control which browser the user chooses to use (each has its own vulnerabilities), or indeed which plug-ins and security patches they have.

• It is impossible to know whether or not the device is currently infected.

• IT staff cannot access the device’s cache, password storage, web history etc. Simply copying and pasting may cause sensitive data to be compromised by malware scraping cache files.

• Browser-based file-sharing is set to become more popular and require ever closer management (see Fig. 2.14).

[Fig. 2.13: bar chart. Categories: 76 - 100 %, 51 - 75 %, 26 - 50 %, 11 - 25 %, 1 - 10 %, < 1 %, None. Axis: Percentage of Users % (0 to 25). Title: Employees who use browser-based file-sharing.]

Fig. 2.13 The percentage of users who use browser-based file-sharing [184].

[Fig. 2.14: horizontal bar chart. Categories: Other; Cost of non-compliance will increase; More privacy and data security regulations to comply with; Increase in cyber-criminal attacks; Increase in the need to share documents for purposes of collaboration; Managing user access at the document level will become more complex; Increase in the volume of documents; Increase in the access requirements for users because of mobility. Axis: User Percentage % (0 to 80); bar values range from 3 to 68. Title: Reasons the security of browser-based file sharing will become more important.]

Fig. 2.14 Reasons the security of browser-based file sharing will become more important [184].

From the previous discussion and Figs. 2.13 and 2.14, it is clear why BYOD introduces many significant risks with respect to information security management. It also shows how this trend is set to continue (Fig. 2.14) and how, at present, there are few security strategies in place to mitigate the risks. Furthermore, many IT professionals are either unaware of this risk or simply do not know how to calculate it, let alone manage it. Morrow [166] argues that there is no single solution to securing a network from the vulnerabilities and risks that BYOD introduces. Instead, he proposes that "to counter these sophisticated threats, organisations should employ a layered security strategy that provides necessary access to corporate information while minimising risk and maintaining compliance". To go further, one must place importance on more than just authorised and unauthorised access, and must ensure that content delivery is secured from transport through delivery to subsequent end-point access.

Doing so requires the dismissal of archaic ways of visualising the network: a BYOD device is a part of your network and needs to be protected as such. Employing strategies such as "compartmentalising access to sensitive data", keeping better "auditing logs" and performing log analysis, and deploying strategies that are actively engineered to address BYOD are all required to reduce data loss.

Education can also be seen as a critical factor in BYOD security (see section 3.4.2).

Enabling users to be able to distinguish between the use and appropriateness of such devices in the workplace will help to reduce accidental, careless leaks. Ensuring that employees are familiar with security policy and procedure will also be of benefit [166].

2.6 Privacy

The role of privacy is important to our investigations as it contributes towards a user’s decision-making process. Specifically with respect to data, privacy is often a key concern for users. In the digital age, inter-connectivity and the BYOD trend present many challenges in areas such as location tracking, search history, and cookie usage. As such, it is necessary to understand exactly how privacy is defined, how it can be related to specific problem domains, and ultimately how it impacts the decision-making process.

Privacy is a "state in which one is not observed or disturbed by other people" [79].

Information privacy refers to "the user’s ability to control when, how, and to what extent information about themselves will be collected, used, and shared with others" [162].

Figures 2.15 and 2.16 [162] denote which information users share, and with whom they share it, respectively. The likelihood of information sharing and the willingness to share with a given party decrease radially, meaning that users are more likely to disclose sensitive personal information to somebody they know and trust than to a large organisation with whom they have no such relationship.


Fig. 2.15 Who users share their information with [162]

Fig. 2.16 The information users share [162]

Privacy was far simpler to preserve before the age of digital technology. Records were physical, and observations were physical and impossible to record in real time. Since then, the birth of modern technology, specifically computer-based technologies, has allowed autonomous data collection and mass surveillance. Records are no longer solely physical, nor are observations simply literal recollections; there is now a digital footprint. The impact of this footprint is significant, and the right to control it, and the methods by which it is controlled and secured, are topics that are highly controversial and not fully understood. In essence, the problem has arisen far quicker than a remedy can be devised.

Acquisti [2] highlights the complexities we face with modern-day privacy and states that "several technological approaches have been proposed to solve the problem of personal privacy" and that "in almost any conceivable scenario, when making purchases, ... the identity of the individual can be disassociated from the rest of the information revealed during the transaction". Furthermore, he states that "companies based on such technologies (preserving anonymity) ... have struggled to balance the differing needs of the various parties in the privacy equation ... failing to gain widespread adoption". This is important as it implies that identities are requested beyond what is necessary, alluding to the presence of external influences.

This idea is supported by the observation that whilst "privacy and security of personal information remain a concern for many, the economic incentives have not generated widespread adoption, and government intervention has increased the responsibilities for companies to collect personal information, without determining their liabilities for misuses of those data" [2]. For this reason, it is common to view privacy from an economics perspective.

One of the major difficulties underlying preserving privacy lies with the very ambiguity of the phrase itself and hence, "protecting privacy is a vague concept" [2]. This is exemplified through the notion that not only do different parties "have opposite interests and views about the amount of information to disclose during a certain transaction" but that the individual may also "face trade-offs between [their] need to reveal and [their] need to conceal different types of personal information" [2].