Bring Your Own Device (BYOD)

SecurityBy Josh Bennett & Travis Miller

Today's Agenda

• Introduction of BYOD systems

• Benefits of BYOD systems

• BYOD Risks - Reduced Security

• Case Studieso Malware: IOS_IKEE Worm Exploito Corporate Data Exfiltration: TTB No-Data Clientso Approved Applications: EEOC BYOD Pilot

• 10-Step Secure Implementation Process

• BYOD Security Policies

• Closing Thoughts

• Questions

Benefit of BYOD Systems

-Improved mobility

-Avoiding carrying / maintaining multiple devices

-Employee benefit

-Reduced costs

Diminished Regard for Security Driving Risks

-Lack of awareness

-Increased workload

-Technical support prioritization

-Mobile OS updating difficulty

-Impulsive MDM solution purchases

-Informal adoption

Case Study: iOS Malicious Worm

Issue: Presence of Malware

Security Approach: Maintain Original OS & Patches

Example: IOS_IKEE worm; exploits jailbroken Apple mobile devices

Case Study: Alcohol and Tobacco Tax and Trade Bureau (TTB)

Issue: Corporate Data Exfiltration

Security Approach: Virtual Desktop & No-Data Thin Clients

VMware servers => RSA encrypted => WinLogon

Read-Only permissions

Case Study: U.S. Equal Employment Opportunity Commission (EEOC) BYOD Pilot

Issue: Approved Application Downloads/Agreement

Security Approach: Required Third-Party Apps - Novell GroupWise

Notifylink MDM cloud provider was required GroupWise apps to connect

Bradford Network's 10-Step Secure Implementation

Process

10-Step Secure Implementation Process

1.Determine the Mobile Devices That Are Allowed (Acceptable, Safe Devices)

2.Determine the OS Versions That Are Allowed (Secure OS Versions)

3.Determine the Apps That Are Mandatory/Required (Configuration)

4.Define the Devices Allowed By Group/Employees (Device Policies by Users)

5.Define Network Access (Who, What, Where, When)

10-Step Secure Implementation Process

6.Educate Your Employees (Communicate Policies)

7. Inventory Authorized & Unauthorized Devices (Trusted vs. Untrusted Devices)

8. Inventory Authorized & Unauthorized Users (Trusted vs. Untrusted Users)

9.Controlled Network Access Based on Risk Posture (Provision Network Access)

10.Continuous Vulnerability Assessment & Remediation (Enhance Other Solutions)

BYOD Security Policies

1. Prohibit download/transfer of sensitive business data

2. Required password(s) on personal device(s)

3. Agreement to maintain original OS with appropriate patches/updates

4. Device will not be shared with others5. Remote wipe after X password attempts

or device is reported lost6. Agreement to encryption connection

policies (ex. Federal Information Processing Standard (FIPS) 140-2)

Closing Thoughts

-BYOD is already common

-Risks and rewards

BYOD Organizations should:-Educate themselves on nature and variety of risks-Research organizational impacts-Develop implementation process based on best

practices-Establish and enforce sound security policies

Questions?

Bibliography

http://www.whitehouse.gov/digitalgov/bring-your-own-device#_ftnref4  http://www.slideshare.net/BradfordNetworks/the-10-steps-to-a-secure-byod-strategy#btnNext http://www.letsunlockiphone.com/ios-viruses-iphone-ikee-b-worm/ http://blogs.unisys.com.disruptiveittrends/2011/07/12/one-year-on-too-many-it-groups-still-struggle-with-consumerization/

http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_decisive-analytics-consumerization-surveys.pdf

http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_implementing_byod_plans.pdf