
It is not too late to start taking BYOD security seriously

A number of studies have shown that a Bring Your Own Device (BYOD) policy brings multiple benefits when it comes to employee efficiency. On the basis of these studies, many organizations across the globe went ahead and implemented such a policy, but not all of them carefully considered the impact it would have on the organization's own cybersecurity.

With BYOD, you basically allow employees to bring their own devices (such as laptops) to work and connect them to the company's internal network so they can access organizational resources. It also tends to mean that employees take those devices home and, in some cases, have remote access tools installed on them so they can reach the same internal resources while off site. As you can imagine, the benefits are numerous, but as cybersecurity experts what we naturally look for are the weak spots in such policies and how attackers can leverage those flaws to gain access to your internal network and resources.

A few years ago, while I was teaching a class on Penetration Testing and Vulnerability Assessment in India, a Nigerian student of mine asked me a question that has since come up in close to every class I have taught. She asked me, "Why do we learn how to attack computer systems rather than just learn how to defend them?" This was a very valid question, and I simply quoted Sun Tzu's famous line from The Art of War: if you know your enemy and know yourself, you need not fear the result of a hundred battles. As cybersecurity experts, they would need to learn how to check whether their own systems are flawed and also to simulate what malicious hackers might do to gain access to those systems. The major difference between them as ethical hackers and malicious hackers is the purpose for which they engage in the hacking activity.

Getting back on point with BYOD security: if your organization allows employees to access organizational resources using personal devices, it is imperative that you have a BYOD policy in place. The reason I feel this argument is very relevant today is the WannaCry ransomware that is running rampant in over a hundred countries across the globe. It spreads as a worm: once inside a network it propagates itself to every reachable computer that still exposes SMBv1 and does not have the patch for the vulnerability it exploits.

The patch in question, MS17-010, was released back in March by Microsoft, and it has since also been released for Windows versions that are no longer supported, such as Windows XP.
Now consider this scenario: an employee's personal device has been infected by WannaCry, or has been attacked using the EternalBlue exploit (the exploit WannaCry uses to spread). If they connect that device to the internal network, it is very likely that every organizational computer it can reach over SMB (TCP port 445) that is not yet patched will be infected.

This scenario also highlights that your BYOD policy must state that all personal devices are to be registered with the ICT department and brought into the organization's patch management framework. Where that is not possible, measures should be taken to ensure that the network segments accessible to BYOD devices are not the same ones where your system-critical resources reside.
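One way to check whether the critical hosts reachable from a BYOD segment still speak SMBv1, the transport EternalBlue needs, is the probe below. It is an added example written for this post, not code from the original article: it sends a raw SMB_COM_NEGOTIATE request that offers only the "NT LM 0.12" dialect and classifies the reply. The sample reply it ships with is constructed rather than captured, and the address used when no targets are given is an RFC 5737 placeholder.

```python
"""SMBv1 exposure probe for hosts reachable from a BYOD network segment.

Added example for this post (not code from the original article). A host that
answers the SMB1 negotiate with a valid dialect index still speaks SMBv1, the
transport that EternalBlue (MS17-010) abuses, so it must be patched or, better,
have SMBv1 disabled and be unreachable from BYOD devices on TCP 445.
"""
import socket
import struct
import sys

SMB_MAGIC = b"\xffSMB"          # SMBv1 header signature
SMB2_MAGIC = b"\xfeSMB"         # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"         # the dialect Windows clients negotiate
HEADER_FMT = "<4sBIBHH8sHHHHH"  # 32-byte SMBv1 header, little-endian


def _smb_header(flags: int) -> bytes:
    """Build a 32-byte SMBv1 header for SMB_COM_NEGOTIATE.

    Fields: magic, command, NT status, flags, flags2 (Unicode, NT status
    codes, extended security), PIDHigh, security features, reserved,
    TID, PIDLow, UID, MID.
    """
    return struct.pack(HEADER_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0, flags,
                       0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def _netbios(smb: bytes) -> bytes:
    """Prefix an SMB message with the NetBIOS session header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request() -> bytes:
    """Return a NetBIOS-framed SMBv1 negotiate request offering one dialect."""
    dialects = b"\x02" + DIALECT + b"\x00"                  # 0x02 + ASCIIZ name
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount=0, ByteCount
    return _netbios(_smb_header(0x18) + body)


def parse_negotiate_response(data: bytes):
    """Classify a raw reply; returns (smbv1_accepted, reason)."""
    smb = data[4:]  # strip the NetBIOS session header
    if len(smb) < 4:
        return False, "no SMB reply (a reset is typical when SMBv1 is disabled)"
    if smb[:4] == SMB2_MAGIC:
        return False, "server answered with SMB2/3 only"
    if smb[:4] != SMB_MAGIC:
        return False, "reply is not SMB"
    if len(smb) < 35:
        return False, "truncated SMBv1 negotiate reply"
    command, status = struct.unpack_from("<BI", smb, 4)   # Command, NT status
    if command != SMB_COM_NEGOTIATE:
        return False, f"unexpected command 0x{command:02x}"
    if status != 0:
        return False, f"negotiate failed, NT status 0x{status:08x}"
    if smb[32] == 0:                                       # WordCount
        return False, "empty negotiate reply"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]  # first word
    if dialect_index == 0xFFFF:
        return False, "server rejected the NT LM 0.12 dialect"
    return True, f"SMBv1 accepted (dialect index {dialect_index})"


def probe(host: str, port: int = 445, timeout: float = 3.0):
    """Connect to host:port, send the negotiate request and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
    except OSError as exc:
        return False, f"no reply ({exc})"
    return parse_negotiate_response(data)


def sample_reply(dialect_index: int) -> bytes:
    """Constructed (not captured) SMBv1 negotiate reply with WordCount 17."""
    words = struct.pack("<H", dialect_index) + b"\x00" * 32          # 17 words
    smb = _smb_header(0x98) + b"\x11" + words + struct.pack("<H", 0)  # WordCount, words, ByteCount
    return _netbios(smb)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            accepted, reason = probe(target)
            print(f"{target}: {'EXPOSED' if accepted else 'ok'} - {reason}")
    else:  # offline demonstration against the constructed reply
        print(parse_negotiate_response(sample_reply(0)))
```

Run it from a laptop on the BYOD segment with the addresses of your file, domain and application servers; any host that comes back EXPOSED is one the BYOD segment should not be able to reach on TCP 445 at all. A positive answer only proves SMBv1 is enabled, not that MS17-010 is missing, so confirm patch state on the host itself (Get-HotFix on Windows) and disable SMBv1 wherever nothing depends on it. nmap's smb-protocols script performs the same dialect negotiation if you prefer an off-the-shelf tool, and in either case probe only networks you are authorized to test.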

As preparation, it is advisable to undergo penetration testing exercises on your systems, whether done in house or by an external party. It is also in your best interests to include the BYOD policy and the related devices within the scope of the pen test. These exercises tend to highlight the flaws in your policies and systems and come with recommendations on measures to mitigate the discovered threats.

To round things off, gone are the days when malware attacks were a foreign thing that would never affect Zimbabwe. Case in point: a few years ago, one of our Harare Institute of Technology B.Tech Information Security and Assurance graduates actually developed a crypto-ransomware penetration testing tool that tested for and exploited particular vulnerabilities in Windows systems and then popped up a warning message instead of a ransom note. It would then automatically trigger the download of patches for those vulnerabilities and an update of the installed antivirus software. Also, the malware researcher who discovered a way to mitigate the WannaCry ransomware is only 22 years old. The fact of the matter is that technology is available to all of us wherever we go, and so are the resources needed to attack and protect computer systems.

The best we can do to stay ahead of the curve is to implement cybersecurity best practices and ensure that we are ready to counter or respond to any imminent attack. It is not a case of "if" you will be attacked, but "when" you will experience a cyber-attack.
