Fear and Loathing in BYOD
A SANS Analyst Survey sponsored by the Trusted Computing Group.
It’s not shocking to see media reports depicting the growth and continued adoption of mobile devices in enterprise networks. Smartphones and tablets enable improved personal productivity, on-demand data access and applications previously inaccessible with legacy devices. The modern workforce is demanding mobile device access to business data, and the potential benefits to enterprise networks granting this access are many.
Simultaneously, attackers are identifying new opportunities and benefits associated with exploiting mobile devices and applications. From simply stealing a device to perpetrating complex traffic-manipulation exploits, attackers are getting better at leveraging mobile device compromise opportunities for their financial gain. On-phone data, stolen passwords, VPN and other access credentials, and remnants of sensitive data are all of value to attackers and their automated malware programs. And while these devices may contain limited information, their access to email and other corporate accounts makes them a perfect entry point to compromise previously inaccessible networks.
These are trends backed up by the SANS 2nd Survey on BYOD (Bring Your Own Device) Security Policies and Practices, which was taken by 576 IT professionals during the months of October and November in 2013.
The long-term mobile device security threats reported by IT professionals in this survey stem from insufficient technical enforcement to support basic controls such as device management, monitoring or policy enforcement. The survey exposes plenty of fear and loathing by IT professionals in the BYOD space.
The purpose of this survey was to understand mobile device security trends and to identify the techniques organizations are adopting to mitigate threats associated with mobile devices and BYOD. The professionals who took this survey represent the front lines of IT, setting policy for mobile device use, managing deployments of mobile devices and tackling the tough technical challenges associated with meeting the mobile device operational requirements of end users while maintaining the security requirements of the organization.