Industry Solutions and Trends
Technology is more than just networking, and Juniper experts share their views on all the trends affecting IT

Consumerisation of IT – IT cuts both ways

Posted by ssl_boy on 06-14-2012 05:00 AM (edited 06-13-2012 03:31 AM)

This is a guest blog post. Views expressed in this post are original thoughts posted by Glen Kemp, Solutions Consultant at SecureData Europe. These views are his own and in no way do they represent the views of the company he works for.

The Bring Your Own Device (BYOD) explosion has happened; it’s over, and it’s history. Wireless networks are groaning at the seams with hundreds of additional personal devices connected to them. This post is not about that; it’s about where I believe many organisations have a blind spot in terms of risk.

The migration of “consumer” devices from home to work was perhaps inevitable from the first time a Palm Pilot made its way into the office. What is less obvious is the way that enterprise-grade technologies are starting to appear in the home.

[Image: Palm Pilot. Source: http://www.computerhistory.org/revolution/mobile-computing/18/321]

Enabling Technology

The one technology which has perhaps done the most to enable “working from home” policies is ubiquitous access to broadband Internet. In Europe this has mostly been driven by the rollout of DSL services, and in the US by a combination of technologies including digital cable. From early on, the home broadband router was established as a cheap and easy way to get a user with a handful of devices onto the Internet and ultimately onto the corporate network. In many cases a “stripped down” Linux provides a ready-made network operating system with the basic routing and network address translation features needed for quick and easy access. Using Linux as the starting point was a no-brainer: the “free” operating system could be easily customised and required very little processing power.

As time and processing power have marched on, the level of sophistication in these devices has quietly increased to the point where their capabilities shame some big-brand networking vendors. Simple Network Attached Storage (NAS) file and print services are included in products from Netgear and Draytek, full IPsec branch-office and remote-user VPN tunnel services are built into “consumer” devices from Billion, and full VoIP gateway features are available on the FRITZ!Box. At this highly competitive end of the market, features are piled on to stay relevant. The nature of the beast is that, whilst cosmetically these devices may look different, for the most part they are assembled from the same open-source components (many of them GPL-licensed) alongside the occasional bundled commercial package. For example:

 

  • Apache used for the administration web server
  • iptables used to provide firewalling features
  • Samba providing NAS services
  • TwonkyVision (Twonky) providing the UPnP AV/DLNA media server
  • OpenSSL for encryption services

The issue here is that these services tend to be cut-down builds with either default settings enabled and/or security features disabled. Within an enterprise, patching and maintaining these services would be someone’s responsibility. In the home networking world, however, ease of use and features come first and security plays second fiddle; once set up, these components do not tend to be patched by the vendor, let alone by the users, as vulnerabilities are uncovered.
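As an added illustration (this code is not from the original post or from any vendor), the script below parses the kind of banners a home router returns and flags the two things the paragraph above calls out: management and UPnP listeners answering on the Internet-facing side, and bundled components older than a floor version. The banners in SAMPLE_BANNERS and the MINIMUM_VERSION table are constructed assumptions for the example, not real captures or vulnerability data.

```python
"""Audit the services a home router exposes, from the banners it returns.

Added example for this post (not the author's code and not any vendor's
tooling). The banners below are constructed, and MINIMUM_VERSION is a
hypothetical "oldest build we would accept" table, not vulnerability data.
"""
import re
from dataclasses import dataclass

# "Product/version" tokens as they appear in an HTTP Server header, e.g.
# "Apache/2.2.9 (Unix) OpenSSL/0.9.8e" -> [("Apache", "2.2.9"), ("OpenSSL", "0.9.8e")]
SERVER_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9_!-]*)/(\d[\w.]*)")
# Fallback for non-HTTP banners such as "Samba 3.0.24"
PLAIN_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9_!-]*)[ /](\d[\w.]*)")

# Constructed banners keyed by (interface, port); not captured from a real device.
SAMPLE_BANNERS = {
    ("wan", 443):  "HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Unix) OpenSSL/0.9.8e\r\n\r\n",
    ("wan", 1900): "HTTP/1.1 200 OK\r\nServer: Linux/2.6, UPnP/1.0, TwonkyMedia/4.4\r\n\r\n",
    ("lan", 445):  "Samba 3.0.24",
    ("lan", 80):   "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Unix)\r\n\r\n",
}

# Hypothetical floor versions for the audit (an assumption chosen for illustration).
MINIMUM_VERSION = {
    "apache": "2.2.22",
    "openssl": "1.0.1",
    "samba": "3.6.0",
    "twonkymedia": "7.0",
}


def parse_components(banner: str) -> list[tuple[str, str]]:
    """Extract (product, version) pairs from an HTTP Server header or a plain banner."""
    for line in banner.split("\r\n"):
        if line.lower().startswith("server:"):
            return SERVER_TOKEN.findall(line.split(":", 1)[1])
    if banner.startswith("HTTP/"):
        return []          # an HTTP response that does not identify its server
    return PLAIN_TOKEN.findall(banner.split("\r\n", 1)[0])


def version_key(version: str) -> tuple[int, ...]:
    """Numeric parts only, so '0.9.8e' -> (0, 9, 8); letter suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Finding:
    interface: str
    port: int
    issue: str


def assess(banners: dict[tuple[str, int], str]) -> list[Finding]:
    """Flag Internet-facing management/UPnP listeners and components below the floor."""
    findings: list[Finding] = []
    for (iface, port), banner in banners.items():
        if iface == "wan" and port in (80, 443, 8080):
            findings.append(Finding(iface, port, "admin web interface reachable from the Internet"))
        if iface == "wan" and port == 1900:
            findings.append(Finding(iface, port, "UPnP/SSDP answering on the Internet side"))
        for product, version in parse_components(banner):
            floor = MINIMUM_VERSION.get(product.lower())
            if floor is not None and version_key(version) < version_key(floor):
                findings.append(Finding(iface, port, f"{product} {version} is older than {floor}"))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_BANNERS):
        print(f"{f.interface}:{f.port}  {f.issue}")
```

Run as-is it prints the findings for the constructed banners; in practice the banners would come from a scan of the router’s WAN address and the version floor would be set from the vendor’s current firmware release notes, which is exactly the patching responsibility the paragraph says nobody holds at home.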

 

Equipment at Home

The unaddressed risks go deeper when you consider what else is being attached to the home network. Whilst devices such as game consoles and the odd Apple product are to be expected, these are reasonably well-hardened devices and expose relatively few externally exploitable services. What is perhaps more insidious is the rise of home networking appliances. Whilst the utility and ubiquity of the fabled “Internet connected refrigerator” is somewhat in doubt, there are plenty of other Internet-enabled devices creeping into the home. In the UK and US, outlets such as Comet, PC World, and Best Buy stock home NAS devices from companies such as Netgear, Drobo, and QNAP. This class of device is primarily aimed at giving home users an easy way of backing up images, music and other files in a “safe” place so they can be accessed remotely. The technology was initially very limited, but to refer to these devices as “mere” Network Attached Storage vastly underestimates their capabilities and the risks attached.

The “home” NAS market suffers from the same competitive demands as the home router market, where features are king. As a result, these gigahertz-class devices often have relatively large amounts of RAM and disk space and a very easy-to-use GUI. They can be easily configured as a full-blown web, email, LDAP or proxy server and more, all from a lovely web interface. At the more extreme end, but still well within a consumer budget, some of the larger devices are fully VMware certified. Whilst many IT technical people will have some sort of setup at home, ranging from an extra PC to a scaled-down enterprise network, the provision of a full virtual environment at home creates additional, unknown and undocumented risks.

 

The issue is not so much that they are running a home “Asterisk” voice gateway, but that they are making it accessible from the web. Vendors such as Synology and QNAP have “free” iPhone and Android apps to allow users to access their files from anywhere. Some fairly major networking vendors still don’t have comparable clients for their corporate VPN gateways, which may go some way to explaining the very high expectations end-users have of corporate remote access from portable devices. What does this mean for the enterprise security policy?

 

Although it is still very much the “thin end of the wedge”, other Internet-connected devices are starting to make use of this “connected” home technology without costing a king’s ransom. Devices such as the Heatmiser Wi-Fi-enabled thermostat allow you to control your home’s central heating from anywhere via an iPhone app or any Internet-connected web browser.

 

The risk not (re)assessed

This is the clearest indication of where the risks lie. When we started down the “working from home” route, the number of devices at home was very small and access was allowed outbound only. Now the number of home devices has increased dramatically. Through services such as Dynamic DNS and integrated cloud solutions, an end-user can easily host application services at home. This raises the question: should an enterprise security audit include home workers’ personal device management? Ideally, yes; the enterprise should have some visibility of local services. In the real world, this is not going to happen in any meaningful way.

 

Why does, or should, this matter to Mr Joe Average network administrator? There are a couple of reasons I can think of:

 

  • Unless your device management and data leakage prevention technology is very effective and/or draconian, there is a much greater risk that a user will copy corporate data “for safe keeping” onto their lovely big NAS device. This is much more likely if you have corporate policies with tight user data quotas or the user has suffered an unrecovered loss of data.
  • The current generation of consumer technology provides the means, motive and opportunity for a user working from home to expose company data (deliberately or otherwise) to the Internet. Locking a user out of the network no longer effectively prevents them exploiting or sharing digital assets. Data sharing sites such as Dropbox and SkyDrive are much more readily available and do not require a degree in computer science to use.
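The two signals the post raises, in the section above and in the list just finished (home-hosted services reached through Dynamic DNS, and corporate data pushed to sharing sites such as Dropbox and SkyDrive), are both visible in an ordinary web proxy log. The script below is an added example, not the author’s code or any product’s feature: it runs over a constructed log (the one-record-per-line format and every line of SAMPLE_LOG are invented for the example) and reports, per user, how many bytes went to consumer storage and which dynamic-DNS hosts were reached. The domain lists and the upload threshold are assumptions to tune for your own environment.

```python
"""Spot corporate data heading to consumer storage, and home-hosted services
reached over dynamic DNS, from a web proxy log.

Added example for this post (not the author's code). The log format and
every line in SAMPLE_LOG are constructed for illustration: one record per
line as "timestamp user method url request_bytes". The domain lists and the
threshold are assumptions to be tuned for your own environment.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<req_bytes>\d+)$"
)

# Consumer file-sharing services named in the post, plus common dynamic DNS providers.
CONSUMER_STORAGE = ("dropbox.com", "skydrive.live.com")
DYNAMIC_DNS = ("dyndns.org", "no-ip.com", "no-ip.org")
UPLOAD_METHODS = ("POST", "PUT")
UPLOAD_THRESHOLD = 10 * 1024 * 1024   # flag a user above 10 MiB sent (assumption)

# Constructed log; the last line is deliberately truncated to show it being skipped.
SAMPLE_LOG = """\
2012-06-13T09:01:12Z jsmith GET http://intranet.example.com/ 310
2012-06-13T09:04:55Z jsmith POST https://www.dropbox.com/upload 52428800
2012-06-13T09:05:10Z jsmith PUT https://skydrive.live.com/api/files 10485760
2012-06-13T10:11:03Z jsmith GET http://jsmith-nas.dyndns.org:5000/photo/ 420
2012-06-13T10:20:41Z adoe GET https://www.dropbox.com/home 800
2012-06-13T11:02:00Z adoe POST https://mail.example.com/send 20480
2012-06-13T11:30:00Z adoe GET https://truncated
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["req_bytes"] = int(rec["req_bytes"])
            rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
            records.append(rec)
    return records


def host_in(host: str, suffixes: tuple[str, ...]) -> bool:
    """True if host is one of the suffixes or a subdomain of one (not a substring match)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyse(records: list[dict]) -> dict[str, dict]:
    """Per user: bytes uploaded to consumer storage, DDNS hosts contacted, and flags."""
    report = defaultdict(lambda: {"upload_bytes": 0, "dynamic_dns_hosts": set(), "flags": []})
    for rec in records:
        entry = report[rec["user"]]
        if rec["method"] in UPLOAD_METHODS and host_in(rec["host"], CONSUMER_STORAGE):
            entry["upload_bytes"] += rec["req_bytes"]
        if host_in(rec["host"], DYNAMIC_DNS):
            entry["dynamic_dns_hosts"].add(rec["host"])
    for entry in report.values():
        if entry["upload_bytes"] > UPLOAD_THRESHOLD:
            entry["flags"].append(f"{entry['upload_bytes']} bytes sent to consumer storage")
        if entry["dynamic_dns_hosts"]:
            entry["flags"].append("reached home-hosted service(s): "
                                  + ", ".join(sorted(entry["dynamic_dns_hosts"])))
    return dict(report)


if __name__ == "__main__":
    for user, entry in analyse(parse_log(SAMPLE_LOG)).items():
        print(user, entry["flags"] or ["nothing to report"])
```

Only request bodies (POST/PUT) count towards the upload figure, so browsing a sharing site’s home page is not confused with sending data to it, and domain matching is on suffix rather than substring so that a look-alike domain does not match. The output is a starting point for the conversation with the user, not proof of a leak: the bytes could just as easily be a personal photo backup.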

Addressing the risk

How can we address this? The obvious first step is to stop categorising users working from home as anything like trusted.

 

  • The time has come to end the tyranny of the “Any Any Accept” rule on the VPN edge, even for strongly authenticated users. IT departments must start to take an interest in, and understand, what types of applications users are actually accessing across the WAN and VPN.
  • “Always on” security controls for any device accessing corporate data or mail are a necessity, not an option. This means the basics need to be covered in terms of firewall policy, anti-virus and patch management.
  • Active Data Leakage Prevention needs to be brought up the agenda; organisations need to understand who is using their data and where it is going when the user walks out of the front door.
  • User education needs to underpin all of the above; technical controls can prevent many screw-ups and deliberate attacks, but alone they cannot cover every base. Users need to understand the fluid nature of data and accept some level of responsibility for its care and use. It’s a hackneyed saying, but prevention is better than cure in this case.
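The first item in the list above asks two things of the VPN edge: retire the “Any Any Accept” rule, and first learn what remote users actually do across the tunnel. The script below is an added example of how the second feeds the first; it is not the author’s code and not Junos (or any other vendor’s) configuration. It takes flow records from a VPN gateway (SAMPLE_FLOWS is constructed), counts which destinations and ports users really reach, proposes an allow rule for every destination seen at least MIN_COUNT times, and sends one-off flows to a review list rather than into the policy. PORT_TO_APP and MIN_COUNT are assumptions, and the rule format is a plain dictionary rather than any product’s syntax.

```python
"""Derive a least-privilege replacement for an "any any accept" VPN rule
from what remote users actually do across the tunnel.

Added example for this post (not the author's code and not Junos
configuration). SAMPLE_FLOWS is constructed; PORT_TO_APP and MIN_COUNT are
assumptions, and the rule shape is a plain dict rather than a vendor's syntax.
"""
from collections import Counter, defaultdict

# Constructed VPN flow records: (user, destination IP, destination port, protocol)
SAMPLE_FLOWS = [
    ("jsmith", "10.1.0.10", 443, "tcp"),   # intranet web
    ("jsmith", "10.1.0.10", 443, "tcp"),
    ("jsmith", "10.1.0.25", 445, "tcp"),   # file server
    ("adoe",   "10.1.0.10", 443, "tcp"),
    ("adoe",   "10.1.0.25", 445, "tcp"),
    ("adoe",   "10.1.0.40", 3389, "tcp"),  # RDP to an office desktop
    ("adoe",   "10.1.0.40", 3389, "tcp"),
    ("jsmith", "10.1.9.9",  22,   "tcp"),  # a single SSH session to an unknown host
]

PORT_TO_APP = {22: "ssh", 443: "https", 445: "smb", 3389: "rdp"}  # assumption
MIN_COUNT = 2   # destinations seen fewer times than this go to review, not the policy


def summarise(flows):
    """Count each (dst_ip, port, proto) and record which users reached it."""
    counts = Counter()
    users = defaultdict(set)
    for user, dst, port, proto in flows:
        key = (dst, port, proto)
        counts[key] += 1
        users[key].add(user)
    return counts, users


def propose_policy(flows, min_count=MIN_COUNT):
    """Split observed destinations into proposed allow rules and a review list."""
    counts, users = summarise(flows)
    allow, review = [], []
    for key, n in sorted(counts.items()):
        dst, port, proto = key
        rule = {"dst": dst, "port": port, "proto": proto,
                "app": PORT_TO_APP.get(port, f"{proto}/{port}"),
                "sessions": n, "users": sorted(users[key])}
        (allow if n >= min_count else review).append(rule)
    return {"allow": allow, "review": review}


def is_permitted(policy, dst, port, proto="tcp"):
    """Evaluate a flow against the proposed policy; anything unmatched is denied."""
    return any(r["dst"] == dst and r["port"] == port and r["proto"] == proto
               for r in policy["allow"])


if __name__ == "__main__":
    policy = propose_policy(SAMPLE_FLOWS)
    for r in policy["allow"]:
        print(f"allow  {r['app']:5} -> {r['dst']}:{r['port']}  "
              f"({r['sessions']} sessions, users={r['users']})")
    for r in policy["review"]:
        print(f"review {r['app']:5} -> {r['dst']}:{r['port']}  seen once, by {r['users']}")
    print("implicit deny for everything else")
```

The important property is in is_permitted: a flow that was never observed is denied, which is precisely what “Any Any Accept” never did. The review list is where the one-off SSH session ends up, so it is a human who decides whether that host belongs in the policy rather than the rule set silently absorbing it.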

How can Juniper help?

 

To combat these kinds of threats Juniper’s Junos Pulse suite of tools can give much better visibility and control over smart devices and conventional “fat client” platforms.  Junos Pulse Mobile Security Suite can ease the burden of BYOD and the consumerisation of IT by delivering anti-malware, loss and theft protection and mobile device management (MDM) for a variety  The Junos Pulse client for Windows integrates VPN, Endpoint protection and network access control features in a single, unified managed client.

 

I would be interested to hear your thoughts on the consumerisation of IT and what this means from a security stand point, so please do add your comments below.


 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.