What are the risks associated with personal, unsanctioned apps on corporate devices and why?

Paul Holland, Principal Research Analyst, ISF
Published 24 August 2021
  • From a security perspective, what are the personal apps/app types that you think CISOs should never want to find on a company-owned device and why?
  • What’s your advice for setting policies that discourage and/or stop employees from using unauthorized apps?

Loading new applications onto any device poses some level of risk; if these applications are for personal use or are unsanctioned, the risk is likely to be greater. Corporate security tools are put in place to help protect corporate devices (e.g. PCs, laptops, phones, tablets and servers). These tools were not expected to have to deal with personal or non-business applications, so risks can arise when unsanctioned applications are installed. Even a simple application like WhatsApp, which can be installed on pretty much any device these days, can cause a security headache, as it could be used to exfiltrate data with no visibility of what has been sent. Privacy concerns now mean that messages sent via WhatsApp are encrypted, so the company tools usually used for monitoring would not be able to see what has been sent, whether legitimate or not.

Many applications can be downloaded from several different download sites, so how can the individual wanting the application know whether the download is legitimate and not a malware-infested copy? On mobile and tablet devices there are so-called safe download mechanisms (e.g. the Google Play Store and Apple’s App Store), but even these can sometimes contain apps riddled with malware. Using these sanctioned stores can give a reasonable level of confidence that you are getting the official software. Outside of these app stores it can become much harder: many application providers use external portals to house downloads rather than their own servers. This poses problems for would-be downloaders, or for those who are so desperate to get the application they want that they do not stop to consider where it comes from. Taken together, these create a minefield, which is part of the reason that many companies have a whitelist policy of allowed applications, but not all of them put in place security tools to properly monitor or enforce it.

So we have the risks of data leakage and malware-infected applications. In addition, unnecessary applications add to the load on devices, using more CPU, memory and disk space. On the whole this may be seen as not much of a risk, as many devices are never particularly heavily utilised, but with the increase in Cloud usage and virtual desktops it could become more of an issue. With Cloud primarily being a pay-as-you-use service, the costs could be ramped up by all the unnecessary usage caused by the additional applications. Although this may not be a security risk per se, it is a risk to the business itself that could mean that some projects cannot run for financial reasons, which could impact security in the longer term.

The CISO needs to ensure that their security team is up to speed with the risks posed by unsanctioned applications and that they are adhering to the prescribed rules, as per company policy. This helps to support the drive to monitor and manage the usage across the rest of the staff. With regard to the problematic and risky applications that the CISO needs to be concerned with, it is not so much specific applications as certain types of applications. Ones that mask what the individual is doing are of particular concern (e.g. applications that allow files and data to be sent with no audit trail, or non-corporate VPN applications). Often people install things to suit their own purpose and do not really think about the potential wider issues. As an example, I have seen someone install a VPN as they wanted to use BBC iPlayer when they were travelling outside the UK for work reasons; this seems a sensible option but raises the question of what else that VPN is hiding. Additionally, it is possible on some Windows 10 machines to download software from the Microsoft Store without the need for administrator privileges, and from here it is possible to install Kali Linux. Other than maybe some specialist roles, no one in an organisation should really have this sophisticated hacking tool installed on a corporate device. One final thought on concerning applications is CryptoMiners: these tend to use an immense amount of computing resources and are often connected to ‘dark areas’ of the internet. If miners are operating on their network, these should also be of great concern to any CISO and the business they work for.

How do we stop people installing unapproved software and applications? There are some options at least. One is device whitelisting, which only allows certain executables and associated files to run. This would mean that any application that was not approved would be stopped before you could run it. It would also help with a malware-infested copy of a legitimate application, as the executable would be different, usually picked up by the MD5 hash being different. This option can be quite labour-intensive to set up and manage, but is often worth the effort. Another option, which is widely adopted and could help to minimise the downloading of applications to corporate devices, is to create a separate (guest) Wi-Fi network for staff to use that is completely segregated from the internal network. This guest network allows the use of individuals’ own devices whilst in the office with no risk to the business, and has the added benefit of keeping staff happier, as they can just use their phone, for example, when in the office and not have to use their own data or use the corporate device in an unwanted manner.
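
The hash comparison behind whitelisting can be sketched as follows. This is an added example, not code from the article or from any product: it uses SHA-256 in place of the MD5 the article mentions, and every file name and file content in it is constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(approved_files):
    """Map digest -> approved file name for every vetted executable."""
    return {file_digest(p): Path(p).name for p in approved_files}

def verdict(path, allowlist):
    """Decide on content, not on file name or location."""
    if file_digest(path) in allowlist:
        return "allow"
    if Path(path).name in allowlist.values():
        return "block: approved name, different content"
    return "block: not on allowlist"

def demo():
    """Constructed sample files standing in for real executables."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "approved").mkdir()
        (root / "downloads").mkdir()
        official = b"MZ constructed official build"
        vetted = root / "approved" / "editor.exe"
        vetted.write_bytes(official)
        samples = {
            "downloads/editor.exe": official + b" + injected code",
            "downloads/renamed.exe": official,
            "downloads/vpnclient.exe": b"MZ constructed unapproved tool",
        }
        allowlist = build_allowlist([vetted])
        results = {}
        for rel, content in samples.items():
            (root / rel).write_bytes(content)
            results[rel] = verdict(root / rel, allowlist)
        return results

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the decision rests on content, the modified copy is blocked even though it carries the approved file name, and the renamed but unmodified copy is still allowed. Every vendor update also produces a new digest that has to be vetted and added, which is where the labour of managing the list comes from.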