Why Your BYOD Policy & Compliance Is Failing
In recent months, the debate over the future of BYOD has intensified. On the one hand, we really don’t need Gartner to tell us what we are already witnessing — that more than half of all businesses will require employees to bring their own device by the end of 2017; while on the other hand a study by CompTIA has indicated a near a 20% drop in BYOD friendly companies since 2013. The latter study concluded that 53% of companies have actually banned private devices all together, in stark contrast to 2013 when only 34% did so.
A recent study conducted by Crowd Research Partner did find that there is wide disparity in how companies are implementing BYOD, if at all. 13% of companies have not and will not allow BYOD, 32% of companies only allow BYOD for select employees and 40% maintain a completely open policy for all employees. Meanwhile, 9% of companies plan to start incorporating BYOD over the course of 2017, while 3% have recently ended their allowance of BYOD altogether.
Current Policies Are Insufficient
One of the trending issues that IT teams are facing is facilitating popular employee demand for BYOD on the one hand and demands from the executive board, HR and legal teams to create enforceable procedures for policy and compliance. IT knows full well that everyone is checking company email and accessing cloud files from wireless networks from their homes, coffee shops and hotels but there is nothing they can do to stop it.
A critical mistake that many organizations make is by focusing exclusively on the upper layers, while ignoring the lower layers. The OSI model is divided into two parts.
- The host (upper) layers, includes the application, presentation, session and transportation, which controls the applications that run on a network.
- The media (lower) layer, which is comprised of the network, data link and physical and controls the delivery of messages over the network and is responsible for formatting and encoding data.
There is no question that IT must contend with an array of threats to the upper level however, there is a distinct knowledge gap regarding the changing landscape between the device and the LAN/WAN. Criminals are not only manipulating wireless networks to launch attacks, but are setting up their own malicious access points, which is undetectable to the endpoint user. Cybercriminals are doing this in a number of ways that will leave your company’s data vulnerable.
Wireless Network Manipulation + Femtocel = Risky 4G.
In recent months, it has come to light that the fast and reliable 4G LTE, while certainly fast may not be all that safe. Cyber criminals can easily take advantage of the LTE failsafe, which was designed for emergency situations, like a natural disaster when a cell tower might become overloaded. The failsafe automatically redirects the phone to another tower, allowing cellular service to continue uninterrupted. The attacker takes advantage of this by switching the device to a femtocell, which the phone recognizes as a legitimate tower.
Once your device is taken over via the femtocell, any cellular data going in and out from the device can be captured. Additionally, attackers have the capability of downgrading the device from 4G LTE to 2G, which means the device is even less secure. So, if you are a CISO or IT professional instructing employees to use a personal hotspot via their phones 4G, as a way of maintaining a level of safety, you are out of luck.
Rogue Access Points a Growing Threat
The issues with 4G security only reinforce what we already know about the vulnerability of existing wireless networks. Furthermore, the growing threat by the use of Rogue Access Points, should be concerning, because of the challenges it poses to IT policy and compliance. The fact is, that creating a rogue access point is cheaper than ever before and the ability to deploy them is easier than ever. There are a number of questions that an IT team should clarify, including; the capacity to seal any area (on or off premise) from wireless threat or maintaining full visibility into the various networks to which employees are connecting. Since traditional hotspots are not going away anytime soon and IT must find a way of securing this space.
Rogue Access Points are divided into four categories, which is important to understand in order to know how to implement a solution. They are Evil-twin, Improperly Configured, Unauthorized, and Compromised.
Evil-twin – Fairly easy to set up and based on a software installed on a portable device. Because SSID and BSSID, which are the only identifiers in IEEE 802.1,1 can easily be manipulated, the evil-twin remains indistinguishable from the legit access point.
Improperly Configured – This could simply be a problem with the authentication, encryption settings or improper update. These misconfigurations can leave the door open for outsiders to take control.
Unauthorized – While a rare occurrence, it has happened that unsecure and misconfigured WLAN antennas have been set up within larger organizations to create easier access to the internet within the workplace. This in turn can compromise the entire system.
Compromised – WPA-PSK and WEP secure communication between the user and access point via shared keys. If these keys are hacked, the access point can go rogue. Hacking software that does not require any deep knowledge is very readily available, so a compromised AP is certainly a threat to be contended with.
Many experts suggest using a VPN to counter rogue access points, but they are not foolproof for three reasons.
- VPN could only be a potential solution in combating certain types of rogue access points, like evil-twin.
- With Port forwarding, an IP can be easily be uncovered by luring an unsuspecting user to clicking a phishing link.
- The gap between launching a VPN and connecting with the network, leaves the device venerable during those few critical moments.
What can be done?
IT policy and compliance need to be broadened to cover both the upper and lower levels of the OSI model. Only when IT has control over the communication channel between the device and cellular network will they be able to truly secure the endpoint. Coronet provides a holistic cloud based platform that protects and seals any area within the office or without from wireless threats to complete your BYOD policy.
