100

My employer wants/wanted to install a 3rd party app on my personal cell phone. One of the issues that we are still not seeing eye-to-eye on is security.

Here are some issues that concern me:

  1. The 3rd party sent everyone in our company the same password in a company-wide e-mail.
  2. The app does not have a way to change the password.
  3. All of our usernames are predetermined and easily guessable.
  4. It's possible to login as anyone from any device into this app.

My boss has used a car analogy, suggesting that I'm requesting security similar to "full roll cage, 5 point safety harness, helmet, and HANS device, and a fire suppression system". I've pointed out that the security of the app is more like that of a Ford Pinto. I've compared his car safety analogy to "more like using 2-factor authentication with 32 character randomly generated password using a mix of lowercase, uppercase, numbers, and special characters stored via salted password (inefficient) hashing with each user having a different randomly generated salt".

I am no security expert. Perhaps I was incorrect in my response to him. Can someone point me to a better response (e.g. an unbiased source)?

Update: A few people have asked what type of app it is. The best way I can explain it is a social media app for just our company.

w0lf42
  • It is your personal cell phone, why should you install any company-ordered software in the first place? – Max Jan 25 '16 at 08:19
  • Questions like this are often not a good fit for stackexchange. For reasons why, I recommend the question ["How do I explain ${something} to ${someone}?"](http://meta.programmers.stackexchange.com/questions/6629/how-do-i-explain-something-to-someone) on programmers meta-stackexchange. – Philipp Jan 25 '16 at 09:07
  • You might want to discuss legal accountability. If anyone can login as anyone then rogue employees can use others' accounts to try and degrade their reputation and secure a promotion, for instance. – Steve Dodier-Lazaro Jan 25 '16 at 09:35
  • The Internet is not a smooth, paved super highway patrolled by friendly, well-meaning policemen. It is like the Wild West meets a Mad Max dystopia. So in point of fact, if my employer were asking me to drive a car into this analogy on business, I would ask for them to provide safety systems for the car, and not to scoff. – kojiro Jan 25 '16 at 11:20
  • If a disgruntled employee leaves, for example, how will they be stopped from logging in as any user and messing with it? – JamesRyan Jan 25 '16 at 12:23
  • Could you tell us more about what this program is used for? It doesn't sound like anyone involved has their stuff together, except for you. I am, of course, referring to both your employer, and the company issuing this terrible product. – Mark Buffalo Jan 25 '16 at 14:18
  • Is the fact that this is going on your personal phone an important element for you, or is that a secondary concern? – schroeder Jan 25 '16 at 15:35
  • The majority of the answers, and your question itself, seem to be ignoring one of the primary concerns: **what is the data**? Depending on the data, it might be perfectly acceptable for the app to not even use passwords and just rely on usernames for identification. Not all data is worth securing. – DavidS Jan 25 '16 at 18:47
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/34984/discussion-on-question-by-w0lf42-explain-security-to-employer). – Rory Alsop Jan 28 '16 at 19:42
  • Just sign on as your boss, and post that "all employees must uninstall the app". Problem solved! – Caleb Jan 29 '16 at 09:44
  • @Caleb use the app as the *CEO* to **fire** everyone – emory Jan 30 '16 at 17:02

12 Answers

138

Let's address your points one by one.

  1. The 3rd party sent everyone in our company the same password in a company-wide e-mail.

A password that everyone knows is not a password. It's like leaving the key under the mat, only without the mat to hide it.

  2. The app does not have a way to change the password.

So if you ever lose your keys or think someone else might have them, you can't change the locks - and from point 1, we know that your keys are already in other people's hands.

  3. All of our usernames are predetermined and easily guessable.

So, the people who have your keys also know where you live.

  4. It's possible to login as anyone from any device into this app.

Put the first three together - other people have your keys, they know where you live, and you can't change the locks - and yeah, this is the result. Anyone can get into somewhere that should be yours alone. To recycle your employer's car analogy, he's asking all employees to lock their cars but leave the keys in the door, and then park in the company car park underneath a sign with their name on.

And on top of all this, he's asking you to do this on your personal phone. Your employer has no right to be touching that device. Depending on what this app does, this could be exposing your personal data to risk because of a third-party security flaw that you have no control over.

Even if the third-party app isn't malicious and doesn't do anything that causes a risk, there's no guarantee that it's 100% free of accidental flaws or bugs that might cause a security weakness or present an opportunity for some other malicious party to exploit. Given this third-party company's atrocious handling of basic security practices like "don't email passwords", "don't re-use passwords", and "always allow users to change their passwords", the chances of their app being completely safe, secure and free of vulnerabilities are looking pretty slim.

anaximander
  • Actually, his boss can demand to secure his device if he's to let it into the corporate network. That's a perfectly reasonable request. It's only the execution that's "with friends like those, who needs enemies". – Agent_L Jan 25 '16 at 17:04
  • That's true, but a) that's something you'd choose to accept by asking to connect your personal device to a corporate network, and b) what's being described here does not make the device more secure - quite the opposite. – anaximander Jan 25 '16 at 17:07
  • On iOS and Android, don't we mostly rely on the OS sandboxing apps so that one bad apple doesn't spoil the bunch? – DavidS Jan 25 '16 at 18:45
  • Good explanation. I'm of the opinion that BYOD shouldn't be allowed, and that all devices accessing the network in question should belong to the employer. I would not use my personal phone on my employer's network for any reason. – Mark Buffalo Jan 25 '16 at 19:20
  • I would alter the analogy a bit to a set of cars all with the same key, and when an employee leaves the company, they take their copy of the key with them. – jpmc26 Jan 25 '16 at 21:09
  • "the chances of their app being completely safe, secure and free of vulnerabilities is looking pretty slim" uhm, did I miss something? It *already* is unsafe, insecure, and the huge gaping "vulnerability" is obvious! – PyRulez Jan 25 '16 at 22:40
  • @PyRulez it's vulnerable to people who know the password. What I'm saying is that there might be a bug or exploit that makes it vulnerable to generic malicious types, via various remote attacks, which opens your phone up to viruses and other nasties. – anaximander Jan 25 '16 at 23:00
  • @DavidS, Yes, iOS and Android do sandbox apps, but that does not prevent badly written apps (like this one) from doing nasty things or leaking or exposing personal data. (Remember that all users of the app in question are using the same password!) – Jonas Czech Jan 26 '16 at 14:57
54

My advice is to try to explain the security implications from a risk-based approach. What could happen if you installed an app with such poor security? You don't have to explain how to take advantage of the poor security in the app, but just expose the risk. Impersonation alone is a very significant turn-off for many managers: someone could do something bad and blame another person, and even as a prank it could lead to serious repercussions.

In my experience, managers need to balance risk with benefit, and once they see what may go wrong they start to wonder if it's really worth it.

Purefan
  • This is the best answer in terms of how to impress upon your manager the **business need** of being secure. The key here is about *risk assessment* and is taught to any security engineer. My advice to you is to do your best to express your concerns, but at some point if you still feel like you do not want to be associated with a company that lacks security, leave. – Matthew Peters Jan 25 '16 at 13:02
  • +1 because risk assessment should be a familiar concept to your boss; framing the risks to the business should help him understand. – Simba Jan 26 '16 at 13:51
22

While analogies are useful when explaining basic concepts to someone completely unfamiliar with the field, they actively harm professional discussions. Understand that every analogy is subjective, and non-representative of any field-specific details. Actually, the car analogy is especially bad because it confuses safety and security. Bottom line, use analogies with care, and stop using them the moment you feel carried away.

Instead, I would ask your employer how to deal with specific threats you can identify. For one, this app seems to be vulnerable to impersonation. Tell your boss how you can use this app to pretend to be someone else, and ask him what counter-measures will be implemented to prevent this.

Dmitry Grigoryev
  • I do not agree at all about your point on the use of analogies. They are extremely useful to find common ground in a discussion, especially when there is a mismatch in knowledge on a technical topic. Your point about the safety/security confusion is a good one though. – schroeder Jan 25 '16 at 15:32
  • @schroeder Analogies are best used in one-way communication: "Use strong passwords! They are essential just like safety belts, would you drive without one?" This conveys a message, but there's no discussion possible over that statement. A meaningful conversation cannot afford to be translated from the original field's terms into the analogy's terms and back, you'll lose all meaning in the process. Besides, where did the car analogy get the OP and his boss? Looks like nowhere to me. – Dmitry Grigoryev Jan 25 '16 at 15:51
  • I have seen far too many infosec professionals cram technical details down the throats of business leaders in the name of "technical accuracy". Communication, and even education, is about opening a useful channel of communication that works in both directions. As I said, analogies can be that starting point to find common ground for *both* parties to foster greater understanding. Though, it does require that both parties be willing to listen to each other... – schroeder Jan 25 '16 at 17:33
  • @schroeder I decided to make my answer more diplomatic, but I still believe analogies have little place in discussions. Education is different, because the analogy comes from the instructor and is carefully chosen to fulfill the properties which are discussed. Accepting analogies from students will be far less efficient, don't you think? – Dmitry Grigoryev Jan 25 '16 at 17:50
  • As an educator, an analogy from a student helps me understand what the student understands. Again, it helps to create 2-way understanding. I love it when my students try to frame a topic in an analogy. – schroeder Jan 25 '16 at 18:22
  • If you make the edit " ... they *can* actively harm ...", I will scrub all my comments. I completely agree with your qualification at the end of that paragraph. – schroeder Jan 25 '16 at 18:24
  • "For example, I can become you and order everyone to uninstall it on day one. (This is actually the *best* possible outcome in this scenario.)" – PyRulez Jan 25 '16 at 22:41
  • The car analogy didn't lead anywhere because the OP didn't respond to it particularly well. The car analogy has the value that it leads to a counter-argument featuring each employee having a key that unlocks all cars (and being able to take that key with them when they leave), as discussed in other comments. – Scott - Слава Україні Jan 28 '16 at 17:47
12

Without knowing more about what type of data this program has access to, I can't really advise you, but it does sound like terrible security practices. Your boss's analogy against security is also a very bad one: this is one of the many ways breaches start.

If, during an audit after being breached, your company is revealed to have subpar and extremely incompetent security standards (such as what he's suggesting now), he could be held liable for any damages to customer data.

  • The 3rd party sent everyone in our company the same password in a company-wide e-mail. Shockingly common, but it depends on what this is used for.
  • The app does not have a way to change the password. Now this is terrible. What happens if one of them gets hacked, or an employee is disgruntled and leaves?
  • All of our usernames are predetermined and easily guessable. I've actually come across several of these implementations in both usernames and passwords in the past. With usernames, such things are to be expected. For example, many companies set your email address to lastfirst, first.last and other variations. I'd be more worried about passwords in this case.
  • It's possible to login as anyone from any device into this app. So what does this app do? Knowing more about the app would allow us to offer better advice.

Concerns about the "program"

Here are some things that concern me: I've seen this before. It may be completely different, or it may be the same. Take this with a grain of salt.

This sounds like your employer is trying to ask everyone to install something on their personal cell phones so they can monitor your phone usage like a trojan horse. Tell your employer that you'll be more than happy to allow this if provided a company phone.

Keep in mind, you should not have anything personal on your company phone. Your employer can and will snoop around. In fact, even using the company exchange email on your personal phone can allow your employer full control over it. It's right there in the requested permissions when you try to set up your company email, even if it's on your personal phone. Don't do it.

I'm of the opinion that BYOD shouldn't be allowed, and that all devices connecting to a machine should belong to the employer. Personally, I would not use my personal phone or devices on my employer's network. I wouldn't want to accidentally introduce a vulnerable device to the network, and I wouldn't want them to introduce a vulnerable application to my device.

Mark Buffalo
  • Well, if you still want your company mails, try to check for IMAP; that might also be available and doesn't give the employer (or rather his IT department) control over your phone. – My1 Jan 25 '16 at 16:43
  • "if provided a company phone" We have a winner. – Joshua Jan 25 '16 at 19:47
  • +1 for the audit/liability argument, which should strike fear into any manager's heart. If your company has a Legal Department, you might want to ping them and get them to weigh in. – Scott - Слава Україні Jan 28 '16 at 17:54
7

Your cell phone, your security

It is your cell phone and you have the right to secure it as you see fit. However, you may consider taking the opposite approach - saying it will not be secured at all (see below).

Their cell phone, their security

If your company demands that you use a mobile device to access company data, which is well within their right, then the company should provide that device, secured to their specifications. That way they take responsibility for securing the platform on which their application resides.

Corporate data security policy

Look at your corporate security policy and look at this from a corporate security officer point-of-view:

By using your device, they cannot possibly ensure the security of the data the application is providing, nor the security of the app itself, as your device is not a secured platform.

What is the policy of your company regarding laptops? Do the laptops have to have encrypted hard drives and be secured? If so, then so should the phones, which points back to them providing their own devices for this purpose.

Flip the Argument - be concerned about their data

(Note: This may not work if your company is fast and loose with data security.)

Instead of saying you keep your device super secured, you instead say that you cannot ensure it will be secured, that other people will have access to it, and you cannot take responsibility for any data breaches or accidental data loss.

For example, if this application deals in any way with PII data, or could be a vector to obtaining PII data if hacked, your corporate data security officer simply cannot allow it, unless your device is under their control - making it their device.

What if your phone is lost? They don't mind that their data is accessible? What if you let your little cousin Willy play with your phone, forgetting the app is still open and available, and little Willy deletes data? Is that OK?

By taking on the role of protecting their data, you are making a business case that using personal cell phones to house corporate data is a bad business decision.

6

One thing that a lot of people lose track of (on both sides of the fence), when talking about security, is:

What are you protecting?

I have several accounts "protected" by one, easy to guess password. This is because, if it gets hacked, I don't care.

Is the password protecting your phone, or is it protecting the company's data? If you have to know the password, then I'm guessing the latter. If so, the fact that it's on your phone is somewhat of a red herring - your phone is not at risk. In fact, your use of the app does not increase anyone's risk - if you never use it, the risk remains.

What is the value of the data, if it is stolen or modified, to the company? What damage can be done?

If there are few or no consequences to this data getting out, swallow your pride and move on.

In cases like these, unless security is your job, you may have little influence regarding this software. Put your concerns in writing - that an unauthorized person could relatively easily copy/modify whatever data (as appropriate, depending on what the app does), and point out the potential embarrassment/losses to the company/lost customers (if appropriate). Be prepared to be ignored, and if you are, accept it. Keep a copy of the letter/email, just in case.

I hope this goes without saying:

DO NOT! UNDER ANY CIRCUMSTANCES! HACK THE SYSTEM TO SHOW IT CAN BE DONE! EVEN JUST A LITTLE BIT! (unless you are explicitly authorized by the company to do this!)

It is tempting for many people to "show" the risks. Embarrassing security admins (or anyone!) who are bad at their jobs is a terrible way to make people grateful to you - even if they probably should be.

AMADANON Inc.
  • The last advice is on point. Also because if you reveal that you have the ability, if someone ever happens to get hacked, you'll be the first suspect. This is doubly so if you have made enemies in the company by making them look dumb. – a20 Jan 26 '16 at 03:07
  • It's not even "next time" - it's this time. You've embarrassed someone, and at the same time done something that is against the rules, and even the law. You've given them both motive and opportunity. – AMADANON Inc. Jan 27 '16 at 00:24
4

Assuming that the app provides access to some private information, you should just provide a Proof of Concept to your employer. Ask him for official permission beforehand to do so (doing any such thing without permission might land you in trouble, depending on your company's policies). After you've secured the permission, show him/her how easily you can log in using his/her credentials and gain access to private information.

Also, without every employee's explicit consent, the company shouldn't have any right to install any kind of data on employees' personal cell phones.

pri
  • When he agrees to a Proof of Concept just impersonate the boss and send an invitation (as him) to everyone for drinks (paid by him) after work in the local pub around the corner. I had to do that with a particularly stubborn case once. Didn't actually send it, but hovered my finger over the send button while I let him read the message. – Tonny Jan 26 '16 at 14:59
3

The problem - which might not be a problem at all, depending on what the app actually does - is that you can log in as someone else, and someone else can log in as you. The password never changes, so pretty soon people who no longer work at the company can still log in as someone who does still work there.

The scary thing is that the 3rd party company does use passwords despite passwords being pointless in this case. If everyone has the same password, there shouldn't be a password at all. This is scary because it shows the company does not understand security and should not be trusted with confidential data.

Simply put, if the app is only there to figure out who brings cake to celebrate something, who likes what kind of cake, and to prevent too many cakes from being brought in on the same day, you're good. However, if the app is used for confidential data such as performance tracking and reviews, your company might soon be in legal trouble. Regardless of what the 3rd party does, it must be obvious to your company that the data is not secure, therefore part of the responsibility rests with them.

If you need an analogy, these files are either stored in a locker, inside the company office, and only select people have a key, or the files are stored in a cardboard box in the cafeteria - and the cafeteria is open to the general public.

Peter
  • (1) Well, the vendor probably sells the app to other companies (or at least tries to), and, if they issue a different password to each customer (i.e., each company), that would provide a key-under-the-transparent-doormat level of illusory security. (2) I think the phrase "you're good" is inappropriate in any answer to this question. If the vendor is so security-unconscious that they would do business like this, there's a risk that their app is so buggy that it compromises the overall security of the phone. – Scott - Слава Україні Jan 28 '16 at 18:06
2

For starters, you should tell him that it's your personal cell phone and he has no right to mess with your phone.

Using your car analogy, the app looks like the car uses a warded lock (I hope I wrote that correctly), and the fact that everyone has the same password that cannot be changed gives them a skeleton key, so all that's left is to guess where you left your car (a.k.a. what your username is), which isn't that hard for people inside the company, and then steal your car.

Well, storing passwords with a salted hash is the minimum standard these days, so that wouldn't count that much toward your security, but as a description for your mega-safe car I would describe a 3-factor (password+key+biometric) lock.

My1
  • There are valid use cases where an employer has an expectation to install something on your personal device. The question is not about the employer's *right* to install something, but about communicating the security issues involved about the app, not about access to the phone. – schroeder Jan 25 '16 at 15:35
  • Well, I also talked about the security, but how can an employer expect that an employee installs something on his personal phone? If it had a separate work part, as some BlackBerries have, which is separate from the personal part, I might get it, but usually there's no reason why an employer should expect that an employee installs an app on his private phone, at least in my opinion. – My1 Jan 25 '16 at 16:39
  • In the USA, an employer cannot legally require installation on your phone. However, they CAN legally say bringing a smart phone onto company property without certain kinds of apps would be an unallowable security risk. – WGroleau Jan 26 '16 at 06:21
2

IMHO, first of all, when talking to high bosses, start with losses. They do NOT like them, but to have the desired effect, you must make a really GOOD evaluation of every loss, in $. The most effective vectors, according to my practice, are:

  1. Law enforcement costs. What penalties under which law are applicable to your company if things go wrong. Make a full list, law + "penalty amount".

  2. PR losses. To calculate that, just take the company's profit data and cut it in half, for a scenario of competitor(s) taking the company's current place in the market due to reputation loss/damage.

  3. Recovery costs for pt. 1 and 2. Yes, every damage needs a repair! And it costs some money, usually.

But do not stop here! You also MUST provide a very detailed plan, with a Gantt diagram attached, about how to make things right: time and costs, step by step.

And just put the numbers in your final slide and let them compare. It worked many times for me, but you need to invest a good part of your time and patience making all these tiny nuts-and-bolts work together like a Swiss clock.

Alexey Vesnin
  • You might be a lot of things but "practical" is not one of them – nicholaswmin Jan 26 '16 at 02:29
  • Actually, using these tactics I have managed to build three IT security systems in three different companies here in Russia, so it's real practical advice – Alexey Vesnin Jan 26 '16 at 02:40
  • No doubt - it's just that it's a simple explanation that's needed here, or a refusal. If these kinds of confrontations required a business strategy to win the upper hand I would just get an MBA degree and ace life in general – nicholaswmin Jan 26 '16 at 02:43
  • @NicholasKyriakides The key to this explanation is as simple as giving a boss two numbers to compare. And you can't "just win", generally speaking: a wise strategy and proper tactics are a must-have requirement in life, from cradle to grave. Regardless of MBA, WTF and so-forth-three-letter-words. IMHO – Alexey Vesnin Jan 26 '16 at 14:30
2

I recently retired from ten years in health care I.T., preceded by sixteen in defense. In health care, an annual audit finding that app would have serious unpleasant consequences with government-mandated public quality ratings. In defense, a random audit finding that could send someone to prison.

If my employer asked me to put that on my phone, besides pointing out the above, I'd suggest to the manager that someone pissed at him will log in with the manager's name, post pornography, and get the manager fired.

WGroleau
1

This is all about risk assessment. That should be a key concept for a manager. He needs to understand the risks -- not the technicalities, but the actual risk. So explain it like this:

Fact: Everyone has the same password and username format, and can't change it.

Risks:

  • Disgruntled former employees could log in as anyone and read anyone's messages, or send messages under anyone's name.

  • Current employees would be able to misuse the system by logging in as other users to 'prank' each other, e.g. by sending messages "from the boss".

If your boss doesn't want either of these things happening, then he needs to sort out the password problem immediately.

The disgruntled former employee risk is probably the most significant: if you fire someone it should be easy to revoke all their access rights, but if they know how to log in as anyone else in the company, then revoking their rights won't do anything to stop them leaking all your company secrets to your competitor that just hired them.

You haven't revealed what the app will be used for, other than a vague 'internal social media' comment. The severity of the risk to the company will depend on (a) how many people are using it, (b) the level of seniority of the people using it, and (c) what kinds of information are sent through it.

For example, if the app is intended for the staff simply to have somewhere to chat among themselves then the risk is lower than if management intend to use it to send confidential information to staff.

There is still a risk though regardless, because even in the most benign case it would still make for a wide open opportunity for social engineering.

Simba