The problems in mobile device management (MDM) were highlighted at an event in central London.
Hosted by Context Information Security at its Context Oasis event, it revealed ways MDM can be bypassed or prove to be ineffective on iPhone and Android. Speaking at the event, Rob Sloan, head of response at Context said that “on the mobile side, the hacktivists know we’re here and they know what to go after”.
The theme of the afternoon was the complications posed by bring your own device (BYOD) policies, and Sloan said that often the main challenge was in knowing what devices are in an organisation, what operating systems and versions they were running.
Also speaking from Context was senior consultant Alex Chapman, who said that BYOD presents “untrusted devices that you need to trust enough”. Commenting on updates to operating systems and software, he said: “Fixing vulnerabilities on your desktop involves rolling out updates, but it is different with BYOD as there are a small number of devices but lots of versions and extensions and they all need to be considered.
“What I would like to see from MDM solutions is to be able to force system updates and ensuring that they can be applied. We also recommend looking at the security of the operating system before you deploy Apple or Android devices.”
Speaking to IT Security Guru, Chapman and head of research at Context, Michael Jordon, said that when pushing out policies to personal devices, a user will have to submit this to a policy of a minimum version of the operating system which would specify what is allowed and what version is supported.
Chapman said: “A policy will say what a company is happy to support, but some companies will have it forced upon them.” Jordon said: “If a company really wanted to do BYOD, I would say do it, but I would always advise against it.”
A
report published on BYOD by Context concluded that there will always be a trade-off between convenience and security, as devices can only be locked down so much before users chose not to opt-in to the scheme.
Its research found that MDM solutions in a BYOD environment cannot prevent unknown malicious applications from recording sound via the phone’s microphone, or tracking user location using the built in GPS. Also while Jailbreak/Root detection is implemented by all the MDM solutions reviewed, they work in very much the same way as anti-virus, only detecting known Jailbreak/Root methods and applications, which are often trivial to bypass by technical users or malicious hackers.
“BYOD implementations carry an inherent risk and while fully restrictive security policies are possible to configure with corporately owned and maintained devices, ultimately these restrictions are unrealistic in a BYOD environment,” said Chapman.
“A successful BYOD implementation requires a fine balance of usability and security to ensure an appropriate level of user buy-in. Insecure settings, device use and software update frequency can all affect the security of the device and in turn, corporate data in a BYOD environment.”
Speaking at a recent roundtable, Quentyn Taylor, director of information security at Canon, said that a problem is that BYOD allow a user to bring the device in, but policy also needs to de
termine when a personal device is subject to searches and e-discovery procedures.
He said: “In a modern office you have a personal machine and a corporate device, and while the generational activities are different, it is a question of how you manage them.
Speaking at the same roundtable, Adrian Davis, principal research analyst at the Information Security Forum (ISF), said that BYOD can be many things, and a lot of businesses are struggling to keep pace with technology as they cannot keep up with the “gamification”.