With a growing number and type of devices, enterprises need to assume that they are vulnerable, analysts say

The debates about whether the BYOD (bring your own device) trend makes economic and security sense for enterprises raged on during 2012, and will continue through 2013 and beyond.

But the reality is that BYOD is expanding, not only because of the number of employees doing it, but also because the kinds of devices are expanding as well. Instead of just laptops and smartphones, there are now tablets and mini-tablets.

Mat Young, senior director of the products group for Fusion-io, was only stating the obvious when he observed earlier this week, “Many enterprise employees no doubt received new tablets this holiday season. And many are likely to bring them to work on Wednesday, Jan. 2, 2013 — perhaps the biggest day ever for the BYOD trend.”

So, for most enterprises the question is not whether to encourage BYOD or block it, but how best to cope with it.

[Joan Goodchild in Leading Edge: Should security be responsible for BYOD policy?]

Ian Tibble argues at Infosec Island that the security of the devices themselves is almost irrelevant. “The place where security is at these days, isn’t a place where we can effectively manage user device security … we lost that battle,” he wrote. “The stance has to be based on an assumption that one or more devices in corporate subnets has been compromised.”

And Luke Philips at TechSling noted that Google’s new security feature called “application verification service” with the release of Android 4.2 is not as secure as advertised.

Citing a study by Xuxian Jiang, a computer science professor at North Carolina State University, he wrote, “the Google AVS is only effective in stopping 15% of known malware threats. This is a scarily low number for IT departments … IT departments, if they haven’t already, need to make enterprise mobility policy their top priority for the new year,” he wrote.

One idea came during a recent panel discussion of mobile security by CISOs at an event hosted by CSO magazine: Since the device is untrusted anyway, let users do as they like, but isolate corporate apps, data and network access from whatever else is on the device — “containerize” it.

But the CISO acknowledged that it was still just an idea, not a product.

In the realm of reality, Gartner recommended after a major survey last year: “Enterprises should focus on mobile data protection (MDP), network access control (NAC), and mobile device management (MDM) tools to support their BYOD and new enterprise mobile platform efforts.”

Andrew Jaquith, CTO of Perimeter E-Security, agrees in part. “MDM can help ensure that the most essential mobile security policies are enforced, for example requiring a PIN and an auto-destruct policy,” he said. “MDM can ensure that content, or full-device encryption, is enabled on platforms that support it, such as iOS and BlackBerry,” he added. “However, Android devices offer no guarantees about whether encryption will be present or not, so we generally recommend retrofitting Android devices with a lightweight encrypted container app.”

But Jaquith is not so enthused about NAC, which he calls “a fussy technology that doesn’t work well in dynamic environments.”

“The idea is noble: block any devices not known to IT from accessing the network,” he said. “But in practice, NAC is very brittle because it presupposes that IT can somehow know all of the devices that should be allowed to be on the network. With BYOD, they can’t — indeed, that is the point of BYOD.”

Jeff Wilson, principal analyst of security at Infonetics Research, said another problem with NAC is cost. “It’s not a reasonable investment for all sizes of company — it’s mainly aimed at larger companies,” he said.

But he added: “Companies of all sizes do need to establish what devices are connecting to their network, and what they’re doing when they’re connecting.”

John Prisco, CEO of Triumfant, calls all three Gartner recommendations “superficial security checks.”

“We should be approaching BYOD security on a deeper level. What we really need is something that looks at the integrity of the endpoint,” he said. “NAC alone, for example, just gives the device access to the network — what good does this do on its own, especially when it has been easily spoofed by hackers in the past for entry?”

Wilson agrees with the notion that employee devices need to be assumed to be unsafe. He said many companies can add an SSL VPN client to employee mobile devices to allow for corporate connectivity. “I think that for smaller customers, or customers looking for some lighter-weight MDM and MDP solutions, the SSL VPN client will be the way,” he said.

Prisco called for anomaly-based detection on mobile endpoints, like those on computer endpoints. “To do this, security professionals need to put an agent on the endpoint that will be able to collect all of the data entering the network no matter what kind of mobile device, tablet or laptop the employee brings to the enterprise,” he said.

Jaquith said explicit BYOD “Acceptable Use Policies” should be added in addition to technological fixes. Among the security policies he suggests: Require encryption for sensitive company information.

“Protect each device with a five- or six-digit numeric passcode,” Jaquith said. “When combined with a 10-wrong-tries auto-destruct policy, this is stronger than a typical desktop password policy, and easier to use as well.”