BYOD: Why managing devices is not enough

As part of the Digital Government Strategy, agencies are embracing mobile computing and developing policies to address the emerging bring-your-own-device trend.

Developing BYOD policies is beneficial because they will help agencies reduce costs and increase productivity. But federal agencies have particular challenges when it comes to implementing BYOD: They handle data that must be protected for reasons of national security or taxpayer privacy, and they are the targets of a determined subset of attackers.

The defense industrial base and the intelligence community are obvious objectives, but any federal agency has escalated risk.

Cybersecurity incidents at federal agencies have increased 680 percent in the past six years, according to the Government Accountability Office -- and those are just the incidents we know about. That number is expected to increase as more personal mobile devices connect to agency networks and applications.

Given that malware and stolen identities are primary avenues of attack, here are some steps that agencies can take to ensure that their BYOD policies are as effective as possible.

1. Understand the malware risk. It is increasingly difficult to avoid malware. Users can unwittingly pick up drive-by downloads through common activities such as clicking on shortened URLs in Twitter, doing an image search or even clicking on an infected ad in a trusted site.

Furthermore, personal systems typically lack the malware defenses of managed systems. The risk of acquiring malware increases for devices, such as iPads, that are shared among family members. And because smart phones are on the rise, attackers are writing more malware for mobile apps.

2. Be aware of the identity problem. Often, the purpose of a malware program is to gain log-in credentials. That means agencies have to worry about malware on any device that employees or contractors use because their credentials are at risk of being compromised.

Common Access Card authentication is not enough to protect systems from stolen identities and malware. For instance, Man-in-the-browser Trojan horses on a legitimate user's device can hijack an authenticated session using CAC cards. In addition, attackers are targeting the certificate authorities, such as EMC’s RSA, to effectively gain the keys to the kingdom.

3. Focus on applications. The BYOD discussion typically focuses on managing devices. But the larger threat for agencies is to their applications and data because inconspicuous malware on personal devices -- mobile and otherwise -- can let attackers gain access to federal systems.

There are steps that every agency can and should take immediately to address the growing risk to sensitive applications and data. As always in the security field, a layered defense is the best strategy.

* Help protect your employees against malware. If possible, give your employees malware protection for home computers and personal laptop PCs that they use to access government applications.

* Analyze incoming connections for malware. Use real-time technologies to examine incoming connections to sensitive systems for signs of malware manipulating the session. This will alert you to potential attacks or other malware that could compromise a session.

* Add device identification. By adding device identification technologies to sensitive applications (including email), you can find devices that do not match a legitimate user -- for example, those that hide their true location or are known to be infected with malware.

For even better coverage, make sure those defenses can share information with one another and with a global network of known threats and malicious systems.