BYOD Policy, Risks & Strategies

The defining characteristic of any technological artefact is its utility. For information networks, utility is almost analogous to flexibility and indeed somewhat antithetical to security. Against this, the notion of Bring Your Own Device (BYOD) creates a push-pull: a push in qualitatively facilitating utility via ANY device, and a pull demanding policy constraints in the name of security. In opening a network to ANY device, which is essentially what the concept of BYOD means, we balance these contending priorities by judiciously redefining where our trust boundaries [1] lie and subsequently pivoting to an adaptive posture which has the capability to flex when needed.

To facilitate this examination, let's consider the two very different BYOD use cases of the classroom and the office. In the classroom, BYOD democratises value and enhances inclusivity; in the office, it amplifies productivity and facilitates agility. Each use case yields a different resultant in the trade-off between the contending arenas of the people, process and technology trilemma presented in Palanisamy et al. [2, 3].

Looking first at the classroom, as alluded to previously, the calculus of threat adopts a specific posture in response to the gamut of socio-technical factors at play, such as the ages, capabilities and ideology of the people, the rigour of the overarching process and the limitations of the technology. It must also be noted that the worst credible outcome in this environment is reasonably limited in scope. It is reasonable to conclude that the desire to afford students a level and inclusive playing field, in terms of the gains BYOD brings to their educational experience, moves the needle towards less rigour and more openness.

Conversely, in a corporate environment, the demands in terms of policy, education and process are likely to be significantly more restrictive. Indeed, as described in Belanger et al. [4], these tend to dissuade users from enjoying the additional facility BYOD can provide, owing to their concerns about self-efficacy [5]. Their ability to bring a device that meets the narrower definition of acceptable hardware and software is a further challenge. In this situation the stakes are higher and the worst credible outcome more forbidding, whilst the people are likely to be more compliant with policy and receptive to education, and the technology more restrictive.

Looking a little more closely at the technical challenges of BYOD, we must focus first on the temporal nature of a threat surface. Keeping devices updated is fundamental to a coherent and effective security policy, and the threats to which a failure to do so exposes resources manifest in two ways. First, the timely and regular patching of all software in use on our devices is essential to attain and retain a protected threat surface. Vulnerabilities are being discovered all the time, and unless software is patched with fixes as they are developed and promulgated, simply standing still subjects a device to an ever-increasing pool of potential exploits to which it is vulnerable. Indeed, the exposure to an exploit becomes amplified once the vulnerability has been discovered, announced and patched, because the fix itself advertises the weakness to anyone who has not yet applied it. Second, the generational nature of hardware means that step-changes in hardware are typically accompanied by step-changes in the software which runs on it. Practically, this can mean that devices of a given obsolete hardware generation are simply not capable of being patched with software which is being kept up to date.

In addition, the sheer number of new models in common use by the average user has increased exponentially and continues to grow. Palanisamy et al. [2] state that, “Today, employees and their mobile devices are inseparable and very much part of their daily lives”. The proliferation of devices and use cases makes it more challenging to negotiate policy space such that processes can cover most, if not all, of the devices which may appear at the site. Most BYOD devices are wireless, but not all, and this too presents further complexity.

Looking next at password management: effective password management governed by stringent policies that force users into restrictive practices of renewal and complexity is superficially sound, but Zhang, Monrose and Reiter [6] demonstrate that the argument is far more nuanced than most discourse reflects. They call into question the continued use of expiration and complexity as a metric and, in the longer term, provide evidence to support a move away from passwords altogether. Given, however, that passwords will remain a component of our defence in depth for quite some time yet, the necessity to coordinate the requirements with the likely weaker behaviours observed when users manage their own devices becomes stark.

Logging, also described in [7] as an integral part of the jigsaw of defence in depth and one likely to be barely used on BYOD devices, is worth consideration too. In a network comprised of corporate hosts under comprehensive management, logging of events to a central repository is highly recommended, but achieving a comparable level of protection in terms of accounting for BYOD devices presents a significant challenge. Fortunately, off-the-shelf solutions exist for mobile device management (MDM) and mobile application management (MAM). Such services, e.g. Microsoft Intune [8], provide an overarching technological and policy framework to ensure that rigour is applied to a BYOD network without the need for a piecemeal approach. Specifically, with respect to the above considerations, such a service makes the access of BYOD devices contingent upon running an approved combination of hardware and software and ensures that password policy is applied without exception. Furthermore, by maintaining a record of connected devices and enhanced logging over many aspects of their activity, the lack of logging is also addressed in such a way as to tie the activity tightly to the host. This system too, however, is at the mercy of its own currency of patching and can, if allowed to lapse, present a system with new vulnerabilities.
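The three controls discussed above (an approved hardware/software baseline, patch currency, and a screen-lock/password policy) are what an MDM compliance rule evaluates before a device is allowed onto the network. The following is an added example of such an evaluator, written for this essay and not taken from Intune or any other product; the policy thresholds, platform names and device records are constructed sample data, and the reference date is assumed.

```python
"""Toy BYOD compliance evaluator (added example, not the essay's own or any MDM product's code).

A device is admitted only if it passes every rule: approved platform and minimum OS
version, a security patch level no older than the allowed age, a screen lock of the
required length, and storage encryption. Deliberately absent is any password-expiry
rule, reflecting the essay's discussion of Zhang et al. on the weakness of expiration
as a control. All sample values below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Device:
    device_id: str
    platform: str          # "android", "ios", "windows", ... as reported by the agent
    os_version: str        # dotted version string as reported by the device
    patch_level: date      # date of the most recent security patch applied
    lock_enabled: bool     # screen lock / device password switched on
    lock_length: int       # length of the screen-lock PIN or password
    encrypted: bool        # storage encryption enabled


@dataclass
class Policy:
    min_os: Dict[str, str]     # platform -> minimum dotted version (unlisted = not approved)
    max_patch_age_days: int    # how stale the security patch level may be
    min_lock_length: int
    require_encryption: bool = True


def parse_version(v: str) -> Tuple[int, ...]:
    """'14.5.1' -> (14, 5, 1); a component with no digits compares as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(have: str, need: str) -> bool:
    """Compare dotted versions numerically, padding the shorter tuple with zeros."""
    a, b = parse_version(have), parse_version(need)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def evaluate(device: Device, policy: Policy, today: date) -> List[str]:
    """Return the list of rule failures; an empty list means the device may connect."""
    failures = []
    min_os = policy.min_os.get(device.platform)
    if min_os is None:
        failures.append(f"platform {device.platform!r} is not on the approved list")
    elif not version_at_least(device.os_version, min_os):
        failures.append(f"OS {device.os_version} is below minimum {min_os}")
    age = (today - device.patch_level).days
    if age > policy.max_patch_age_days:
        failures.append(f"security patch level is {age} days old (limit {policy.max_patch_age_days})")
    if not device.lock_enabled:
        failures.append("screen lock disabled")
    elif device.lock_length < policy.min_lock_length:
        failures.append(f"screen lock length {device.lock_length} below minimum {policy.min_lock_length}")
    if policy.require_encryption and not device.encrypted:
        failures.append("storage not encrypted")
    return failures


def triage(devices: List[Device], policy: Policy, today: date) -> Dict[str, List[str]]:
    """Evaluate a fleet and map each device id to its failures (empty = compliant)."""
    return {d.device_id: evaluate(d, policy, today) for d in devices}


# Constructed policy: thresholds are illustrative, not a recommendation for any real estate.
POLICY = Policy(min_os={"android": "12", "ios": "15.2", "windows": "10.0.19043"},
                max_patch_age_days=90, min_lock_length=6)
TODAY = date(2021, 12, 2)  # assumed reference date for the patch-age calculation

# Constructed device records covering the cases the essay raises.
SAMPLE_DEVICES = [
    Device("tablet-01", "android", "12", date(2021, 11, 1), True, 6, True),       # compliant
    Device("phone-02", "android", "9", date(2020, 3, 1), True, 4, True),          # obsolete, unpatchable
    Device("laptop-03", "windows", "10.0.19044", date(2021, 11, 10), False, 0, True),  # no lock
    Device("phone-04", "other", "1.0", date(2021, 11, 20), True, 8, True),         # unknown platform
]

if __name__ == "__main__":
    for dev_id, problems in triage(SAMPLE_DEVICES, POLICY, TODAY).items():
        print(dev_id, "ALLOW" if not problems else "DENY: " + "; ".join(problems))
```

Returning the full list of failures, rather than a single boolean, is the design choice worth noting: it gives the user a concrete remediation path (update, enable the lock) and gives the administrator a per-rule view of why devices are being refused, which is also what makes the denial events useful as log data.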

REFERENCES

  1. Shostack, A. (2014) Threat modeling. 1st ed. Indianapolis: Wiley.
  2. Palanisamy, R., Norman, A.A. and Mat Kiah, M.L. (2020) ‘BYOD Policy Compliance: Risks and Strategies in Organizations’, The Journal of computer information systems, pp. 1–12. doi:10.1080/08874417.2019.1703225.
  3. Schlarman, S. (2001) ‘The People, Policy, Technology (PPT) Model: Core Elements of the Security Process’, Information systems security, 10(5), pp. 1–6. doi:10.1201/1086/43315.10.5.20011101/31719.6.
  4. Belanger, F. and Crossler, R.E. (2018) ‘Dealing with digital traces: understanding protective behaviors on mobile devices’, The Journal of Strategic Information Systems, 28(1), pp. 34–49. doi:10.1016/j.jsis.2018.11.002.
  5. Bandura, A. (1995) Self-efficacy in changing societies. Cambridge: Cambridge University Press.
  6. Zhang, Y., Monrose, F. and Reiter, M. (2010) ‘The security of modern password expiration’, in Proceedings of the 17th ACM conference on computer and communications security. ACM, pp. 176–186. doi:10.1145/1866307.1866328.
  7. Gilbert, J., Diogenes, Y. and Mazzoli, R. (2016) Enterprise Mobility with App Management, Office 365, and Threat Mitigation: Beyond BYOD. Pearson Education.
  8. Microsoft (2021) Microsoft Intune is an MDM and MAM provider for your devices. Available at: https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune (Accessed: 02 Dec 2021).

Book Review – The Fourth Turning

The Fourth Turning: What the Cycles of History Tell Us about America’s Next Rendezvous with Destiny

by William Strauss and Neil Howe

So for week one, I cheated a little as I'd been reading this book since November, but I make no apologies for that. It's a book with its own website (https://www.fourthturning.com/) and is one I found out about whilst watching a YouTube video (https://www.youtube.com/watch?v=O1_LrREYQ8c) featuring Raoul Pal and Robert Breedlove. It's a powerful video in its own right and one which I recommend you watch, but as to the book, it did not fail to impress, although not as much as I'd hoped it would.

The premise of the book is that the human race, demographically and socially, exists to a meta-level cyclical beat, and that the beat, which repeats itself every 80-100 years and is known as a saeculum among other things, contains four generations of the human lifecycle. Indeed, it carries THE four generations of the human lifecycle: pueritia, iuventus, virilitas and senectus.

The book presents a fascinating description of the history of humanity going back to late medieval times against this context and does so quite persuasively. In doing so it categorises the generations of human society within a saeculum as four stereotypes namely prophet, nomad, hero and artist. It also defines the four parts of a saeculum as societal high, awakening, unravelling and crisis.

There is much about this book that is speculative; indeed, at times it felt a bit like reading a horoscope, but the underlying premise is fascinating and has merit. Whilst the speculation seemed to detract from the book somewhat, and it could probably have been written in 60% of the word count, I'd recommend it as a 3.5 out of 5.

Happy New Year 2022

So it's 2022. Another year gone and a new one already driven off the forecourt. New year means new start, and so we typically resolve to do things differently at this watershed moment in the year with a resolution. I'm old enough now to know the pattern of behaviour I usually demonstrate with this act, and it's rarely a successful one. The best laid plans of mice and men…. But last year, I thankfully succeeded. I resolved to remove the booze from my life for the full year whilst getting fit by dropping my BMI from over 35 to under 25, and thankfully I succeeded.

So, fresh from the end of year splurge, newly invigorated and a little heavier again, I've made a new resolution. It builds upon the success of last year, although I'll need a couple of weeks to undo the splurge, and this year the theme is to S T R E T C H myself.

I feel like my weight/fitness issue is thankfully now under control so by way of capitalising on my new fitness, I want to move on to the next phase and stretch my mind as well as my body.

A few years ago I read nearly a hundred books in a year. My goal was to hit the hundred and I fell short, but it was truly a wonderful experience for mind, body and soul. I've always been aware of the value of books and have always striven to read more than I do; however, usually that sentiment just results in a persistent guilt that I don't. So this year the target is simple: read one book per week, every week, and to keep me honest I'll write a review here on my blog of each book I read.

Secondly, another area I've known I should do better at is physical stretching. I simply have never really done it at all, apart perhaps from grudgingly at the start of a run because everybody around me was doing it. So again, this year I resolve to stretch once a day and maybe throw in some floor exercises if the mood takes me. I'll blog about it too, although perhaps a bit less regularly.

So there it is. A commitment in digital black and white. Watch this space for progress and growth.

PS. You can also find me on Goodreads at https://www.goodreads.com/user/show/44526047-paula-livingstone

Stuxnet: The Cyber Cruise Missile

The Internet was developed as a military system first and foremost and, as is often the case, the subsequent utility it has more recently afforded peacetime humanity is only a fringe benefit. The decision therefore, by Israel with, at the very least, the tacit support of the United States to develop offensive malware, whilst appearing on the face of it to be a watershed moment in the militarisation of the Internet, was actually the continuation of a long embedded trend line. The fact is, there was no Rubicon to cross and the trajectory of modern warfare will continue into cyberspace with increasing speed.

Against this backdrop, the development of Stuxnet appears to have been the starting pistol of a new arms race in the field of cyberweapons. This field, however, is largely invisible and as a result is immune to the clamour for regulation that would accompany such a step change in real-world military technology under normal circumstances. Although it happened a decade ago, there is still no international treaty to limit the damage that can be brought to bear by a small fragment of computer code upon an entire country's telecom, banking or energy infrastructure. The recent Colonial Pipeline event in the eastern United States will have left the West in no doubt that it is in everybody's interests to push for one before the tables are further turned and more chaos is wrought upon society.

Stuxnet was developed with a single purpose in mind. Its development and level of complexity imply that it could only have been brought into existence by a nation state, but for all its finesse, the deliberate network isolation of the plant at Natanz (the uranium enrichment facility in Iran which was its intended target) meant that it still had to be carried in by hand and delivered manually. It is almost certainly a measure of the chaotic picture at Natanz following its delivery that the malware eventually made it back out into the wild and infected thousands upon thousands of systems worldwide.

The victims of the Stuxnet attack were ostensibly the Iranians but, as described already, there have been thousands of others in the intervening time since its release. This is the rub. It is extremely challenging for the creators of these nefarious programs to stop them after they have done what was intended and indeed the very creation of mechanisms to do this runs counter to their intended purpose in the first place.

The target of Stuxnet was an ICS (Industrial Control System). Such systems, often somewhat obsolete and less well architected to cope with malware than mainstream enterprise systems, are the systems which control our critical infrastructures such as energy, transport, telecom and industrial networks. These enormous networks, known collectively as operational technology as opposed to information technology, fulfil a unique role in modern life, and their disruption can be catastrophic, with consequences up to and including massive loss of human life.

Stuxnet is a variety of malware known as a worm. It was first discovered by a security contractor in June 2010 and quickly became an almost household name due to the news coverage it attracted. Analysis of the code reveals that it was developed to specifically target the SCADA (Supervisory Control And Data Acquisition) and PLC (Programmable Logic Controller) systems used by Iranian nuclear R&D. It operates by attacking an MS Windows application used to control uranium enrichment centrifuges built by Siemens, using the following five vulnerabilities:

  • MS08-067 – RPC Vulnerability – allowed a remote user rights equal to a local user
  • MS10-046 – LNK Vulnerability – allowed remote insertion of malware
  • MS10-061 – Spool Server Vulnerability – allowed a malicious print request to take control of a server
  • MS10-073 – Win32k.sys Vulnerability – allowed code to execute with kernel privileges
  • CVE-2010-2772 – Siemens SIMATIC WinCC Default Password Vulnerability – use of a known default password to access the system [3]

Ultimately Stuxnet was successful in achieving its end goals, but it also achieved far more than that: it attracted a lot of unwelcome publicity and ratcheted up the stakes in the business of cyberwarfare. One supposes that, if it hadn't come along, another candidate would have, but it is certain that Stuxnet changed the face of critical infrastructure cyberespionage forever, and there is no going back.