Bring Your Own Device (BYOD) Security
By Josh Bennett & Travis Miller

Today's Agenda
- Introduction of BYOD systems
- Benefits of BYOD systems
- BYOD Risks - Reduced Security
- Case Studies
  o Malware: IOS_IKEE Worm Exploit
  o Corporate Data Exfiltration: TTB No-Data Clients
  o Approved Applications: EEOC BYOD Pilot
- 10-Step Secure Implementation Process
- BYOD Security Policies
- Closing Thoughts
- Questions

Benefits of BYOD Systems
- Improved mobility
- Avoiding carrying / maintaining multiple devices
- Employee benefit
- Reduced costs

Diminished Regard for Security Driving Risks
- Lack of awareness
- Increased workload
- Technical support prioritization
- Mobile OS updating difficulty
- Impulsive MDM solution purchases
- Informal adoption

Case Study: iOS Malicious Worm
Issue: Presence of Malware
Security Approach: Maintain Original OS & Patches
Example: IOS_IKEE worm; exploits jailbroken Apple mobile devices

Case Study: Alcohol and Tobacco Tax and Trade Bureau (TTB)
Issue: Corporate Data Exfiltration
Security Approach: Virtual Desktop & No-Data Thin Clients
VMware servers => RSA encrypted => WinLogon Read-Only permissions

Case Study: U.S. Equal Employment Opportunity Commission (EEOC) BYOD Pilot
Issue: Approved Application Downloads/Agreement
Security Approach: Required Third-Party Apps - Novell GroupWise
Notifylink MDM cloud provider was required GroupWise apps to connect

Bradford Network's 10-Step Secure Implementation Process
1. Determine the Mobile Devices That Are Allowed (Acceptable, Safe Devices)
2. Determine the OS Versions That Are Allowed (Secure OS Versions)
3. Determine the Apps That Are Mandatory/Required (Configuration)
4. Define the Devices Allowed By Group/Employees (Device Policies by Users)
5. Define Network Access (Who, What, Where, When)
6. Educate Your Employees (Communicate Policies)
7. Inventory Authorized & Unauthorized Devices (Trusted vs. Untrusted Devices)
8. Inventory Authorized & Unauthorized Users (Trusted vs. Untrusted Users)
9. Controlled Network Access Based on Risk Posture (Provision Network Access)
10. Continuous Vulnerability Assessment & Remediation (Enhance Other Solutions)

BYOD Security Policies
1. Prohibit download/transfer of sensitive business data
2. Required password(s) on personal device(s)
3. Agreement to maintain original OS with appropriate patches/updates
4. Device will not be shared with others
5. Remote wipe after X password attempts or device is reported lost
6. Agreement to encryption connection policies (ex. Federal Information Processing Standard (FIPS) 140-2)

Closing Thoughts
- BYOD is already common
- Risks and rewards
BYOD Organizations should:
- Educate themselves on nature and variety of risks
- Research organizational impacts
- Develop implementation process based on best practices
- Establish and enforce sound security policies

Questions?