Thursday, August 9, 2018

Security Testing | Security 4 No0bs - Saying 'Yay' to BYOA

How could BYOA (bring your own application) play a part in security?

Source - Ministry of Testing - 30 Days of Security Testing Challenge (2017)

Dear reader, I'd like to take a few minutes to present my take on this whole idea of personal apps on personal devices while on company time. It seems the issue of BYOA is ever-increasing as more and more businesses adopt cloud-based solutions for things like data storage, design, collaboration, and the like. Using the metaphor of a box as security, every user with a personal device using their own apps is poking holes in the box. It's not hyperbole to regard each app (non-Company Approved) as a potential attack proxy.

With that said, the following is a list of things off the top of my head that I see as issues resulting from BYOA. It's a simple list and I'm sure more can be added as IoT evolves:

What is BYOA?

As it is defined in most places, BYOA (Bring your own application) is the practice of using third-party applications. This can be anything cloud-based, external-facing, or otherwise remotely accessible.

The problem inherent in this practice stems from individuals, with personal devices, introducing apps that can utilize the same resources as other applications in the system, in essence granting them the same trust as approved ("friendly") applications.

What harm can it do?

  1. Cloud-storage Apps

     Locally, users may be able to store and retrieve data from a centralized system. Monitors are put in place to track the flow of data, and role-based access determines who gets what.

     The challenge is how to control this stream of data in the cloud. Authentication credentials may provide some form of control, but the likelihood of a data breach, social engineering attack, or other means of accessing the server is high.

  2. Collaboration Apps

     On the surface, collaboration apps appear harmless, but if an application not approved by Network Administrators is used, there is the potential for exposure to attacks including, but not limited to, trojan horses or packet sniffing. Network Admins may have a tough task of regulating what is / is not admissible on the network.

  3. Social Network Apps

     Another potential attack vector, social network apps present the opportunity of introducing malware into the system by way of interacting with the Wi-Fi, Bluetooth connections, and device-specific settings. All one has to do to introduce such an attack is simply click on a link, post, or image and **BOOM** an attack has begun.

What should I do?

Granted, there are more scenarios that illustrate the point I'm trying to make about BYOA, but the solution to reducing the chance that a security incident occurs is to be mindful of the apps in use.

While at work, be sure to use only apps approved for work use, and be cognizant that any communication using company resources will be monitored. Any suspicious activity will be flagged.

What should I NOT do?

The answer to this is simple:

  1. Don't use "your" apps for work

     As an employee (end-user), one should strive to avoid using any unapproved applications.

  2. Don't use "your" social apps during work hours

     Avoid sharing anything, clicking anything, streaming anything, or downloading anything not work related.

  3. Don't store anything in the cloud

     Storing copies of any company information remotely may be construed as a security policy violation with dire consequences.

Conclusion

As a user ...

Keep a close eye on the apps that you ARE using, especially ones approved for work, and keep any non-work related activity for when you are off the clock.

As innocuous as it may be, the idea of BYOA is novel but perilous. The transmission of information - Inbound / Outbound - is a security risk no organization can afford.
