BYOD: Bring your own demons?

ÁNGEL L. TRINIDAD RIGAU
C|HFI, CFE, CISA, MCTS, MCITP, MCSA, MCT, CICA

Upload: stormshadow24
Post on 04-Dec-2014


Page 2: Byod

Agenda

Introduction

Benefits

Cons

BYOD and Regulations

Hostile Environment - Threats

Security Enhancement

Legal Matters

Final Thoughts

Questions

Page 3: Byod

Introduction

Bring your own device (BYOD) is a new trend of permitting employees to bring personally owned mobile devices (smartphones, tablets and laptops) to the workplace and to use those devices to access, store or create company information.

The rapid rise of mobile devices and their introduction into the workplace bring new security and operational issues to companies.

Page 4: Byod

Benefits

More productive employees

24/7 access to the company's email and to information stored on the company's servers.

Higher morale among employees, because they can use the technology they want rather than what the company provides.

Low or no cost to the company: hardware is bought and maintained by the employee, and sometimes carrier calls and internet costs are also paid by the employee.

Advantage of new technology

Page 5: Byod

Cons

Less security

Administrative cost: software acquisition to manage mobile devices, development of policies and procedures, management issues

Infrastructure costs

Service (carrier) cost

Not full control of the device

Page 6: Byod

BYOD and Regulations

HIPAA

Protect private data

Encrypt emails and data, both on the device and in transmission

Remote management of devices

Controls to access data and applications

Monitoring

Malware and threat protection

Compliance reporting

PCI DSS

Explicit approval/authorization to use the device

Authentication (two-factor authentication)

Comprehensive list of devices (make and model) and OSs (iOS, Android, Windows, RIM)

List of personnel with access to these devices

Labeling of devices with owner information

Device encryption

Transmission security (SSL/TLS, IPsec)

Mobile devices and personal/confidential data are heavily regulated in some industries: BYOD there is either not recommended, or you should have a lot of aspirin at hand. A violation of any regulation carries a fine (under HIPAA, up to $1.5 million per year for violations of the same provision). Other regulations: GLBA, HITECH, SOX.

Page 7: Byod

Hostile Environment-Threats

Lost or stolen devices

The very best advantage of mobile devices is also their worst enemy. Mobile devices are small, compact and... yes, MOBILE. Lost or stolen devices are the pinnacle of BYOD threats.

Attack surface

Rogue apps can extract contact information and data from mobile devices. Even if you only allow authorized apps, scanning a QR code can lead the user to a link that downloads an app.

Page 8: Byod

Hostile Environment-Threats

Attack vector

Attackers can connect mobile devices to open wireless access points and start scanning your network.

BackTrack (and now Kali Linux) has ARM builds that can be installed and used on mobile devices.

Rogue apps

Apps should be sandboxed. Only allow authorized applications on devices that store company data.

Rogue apps are entry points for malware infections.

Page 9: Byod

Hostile Environment-Threats

Jailbroken / rooted devices

People tend to crave power and control. One of the first things they do with a mobile device is jailbreak or root it. This opens a new window of threats: access by rogue applications (and users!) to the root account could be dangerous to the company's data.

Page 10: Byod

Security Enhancement: Management

Such a plethora of mobile devices exists, with different models and OSs, that chaos could erupt at any moment.

Keep a list of all devices allowed access to the company and prepare periodic reports.

Look for unauthorized devices on your network.

Mobile Device Management (MDM)

Mobile expense control (downloads, roaming and international costs)

Remotely locate, lock and wipe lost devices

Security control checks: anti-virus, lock mechanism, apps, jailbreak/root

Automatically wipe company data
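The device inventory required on the PCI DSS slide and the "look for unauthorized devices on your network" check above can be wired together. The following Python is an added example, not code from the original slides: it reconciles dnsmasq-style DHCP lease lines against an enrolled-device inventory (both constructed here, with made-up MAC addresses), produces the periodic report line per device, and renders nftables drop rules for anything not enrolled (the `byod` table and `quarantine` chain names are hypothetical).

```python
# Added example (not from the original slides): reconcile DHCP leases
# against the BYOD device inventory and emit quarantine rules for
# anything that is not enrolled. Inventory, lease lines, MAC addresses
# and the nftables table/chain names are constructed for this example.
from dataclasses import dataclass

# Enrolled devices, keyed by MAC. As the PCI DSS slide requires, each
# entry records make, model, OS and the person with access.
INVENTORY = {
    "3c:22:fb:aa:bb:01": {"owner": "alice", "make": "Apple", "model": "iPhone 5s", "os": "iOS"},
    "f0:27:65:aa:bb:02": {"owner": "bob", "make": "Samsung", "model": "Galaxy S5", "os": "Android"},
    "00:1a:2b:aa:bb:03": {"owner": "carol", "make": "Dell", "model": "Latitude E7440", "os": "Windows"},
}

# Constructed dnsmasq-style lease lines: "<expiry> <mac> <ip> <hostname> <client-id>".
# The third device (hostname "kali") is not in the inventory.
LEASES = """\
1417700000 3c:22:fb:aa:bb:01 10.0.20.11 alices-iphone 01:3c:22:fb:aa:bb:01
1417700100 F0:27:65:AA:BB:02 10.0.20.12 android-8f3a 01:f0:27:65:aa:bb:02
1417700200 b8:27:eb:aa:bb:04 10.0.20.13 kali *
1417700300 00:1a:2b:aa:bb:03 10.0.20.14 carol-laptop 01:00:1a:2b:aa:bb:03
"""


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """Parse lease lines; MACs are normalised to lower case so they match the inventory."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines rather than crash
        leases.append(Lease(mac=parts[1].lower(), ip=parts[2], hostname=parts[3]))
    return leases


def find_unauthorized(leases, inventory):
    """Leases whose MAC is not enrolled."""
    return [lease for lease in leases if lease.mac not in inventory]


def inventory_report(leases, inventory):
    """One line per active lease for the periodic report: owner/make/model/OS, or UNAUTHORIZED."""
    lines = []
    for lease in leases:
        entry = inventory.get(lease.mac)
        if entry is None:
            lines.append(f"{lease.ip} {lease.mac} {lease.hostname} UNAUTHORIZED")
        else:
            lines.append(f"{lease.ip} {lease.mac} {lease.hostname} "
                         f"{entry['owner']} {entry['make']} {entry['model']} {entry['os']}")
    return lines


def quarantine_rules(unauthorized, table="byod", chain="quarantine"):
    """nftables commands dropping frames from each unauthorized MAC (table/chain names are hypothetical)."""
    return [f"nft add rule bridge {table} {chain} ether saddr {lease.mac} drop"
            for lease in unauthorized]


if __name__ == "__main__":
    active = parse_leases(LEASES)
    print("\n".join(inventory_report(active, INVENTORY)))
    for rule in quarantine_rules(find_unauthorized(active, INVENTORY)):
        print(rule)
```

MAC-based reconciliation is only a first-line check: a MAC address is trivially spoofed, and the Kali-on-ARM tablet from the threats slides can copy an enrolled device's address. Treat a hit as a reason to investigate and quarantine, and pair the check with 802.1X or certificate-based enrollment for real admission control.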

Page 11: Byod

Security Enhancement: OS updates

Look for solutions that cover the different OSs.

Notification to users: SMS before wiping, and before exceeding data or service plan limits

Personal data segregation: photos, email, calendar, call logs, voicemail, texts

Protect entry points into the corporation: firewall rules checked and double-checked!

Secure wireless access points: insecure access points are the single recurrent error

VPN

Quarantine unauthorized devices
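The security control checks on the management slide (anti-virus, lock mechanism, apps, jailbreak/root), the jailbroken/rooted-device threat, and the "SMS before wiping" rule above amount to a posture policy an MDM enforces. The following Python is an added example, not from the original slides or from any MDM product: it evaluates a constructed agent posture report against those checks and picks the most severe action. The report layout, minimum OS versions, approved-app list and sample devices are assumptions; the root and jailbreak indicator paths are the well-known artefacts that agents test for.

```python
# Added example (not from the original slides): evaluate an MDM agent's
# posture report for a BYOD device against the checks on the slides
# (jailbreak/root, lock, encryption, apps, OS version, anti-virus) and
# decide the action. Report layout, minimum versions, approved-app list
# and the sample reports are constructed for this example; the root and
# jailbreak indicator paths are the well-known ones agents test for.
from enum import Enum


class Action(Enum):
    ALLOW = 0
    NOTIFY = 1       # SMS the user (update required, approaching plan limit, ...)
    QUARANTINE = 2   # cut off company data and network until the finding is fixed
    WIPE_CORP = 3    # remove only the corporate container; personal data stays


# Artefacts left behind by common rooting/jailbreak tools.
ROOT_INDICATORS = {
    "android": {"/system/bin/su", "/system/xbin/su", "/sbin/su",
                "/system/app/Superuser.apk", "/system/app/SuperSU.apk"},
    "ios": {"/Applications/Cydia.app", "/usr/sbin/sshd", "/bin/bash",
            "/private/var/lib/apt"},
}
MIN_OS = {"android": (4, 4), "ios": (8, 1)}                   # hypothetical policy floor
APPROVED_CORP_APPS = {"com.company.mail", "com.company.vpn"}   # hypothetical allow-list


def parse_version(text):
    """'8.1.2' -> (8, 1, 2); tuples compare lexicographically, so (4, 2, 2) < (4, 4)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def is_rooted(report):
    """True if any root/jailbreak artefact is present, or an Android build is signed with test keys."""
    platform = report["platform"]
    if set(report.get("files_present", [])) & ROOT_INDICATORS[platform]:
        return True
    return platform == "android" and "test-keys" in report.get("build_tags", "")


def evaluate(report):
    """Return (most severe action, list of failed checks)."""
    findings = []
    worst = Action.ALLOW

    def fail(action, message):
        nonlocal worst
        findings.append(message)
        if action.value > worst.value:
            worst = action

    if is_rooted(report):
        fail(Action.WIPE_CORP, "device is rooted/jailbroken")
    if not report.get("screen_lock"):
        fail(Action.QUARANTINE, "no screen lock configured")
    if not report.get("storage_encrypted"):
        fail(Action.QUARANTINE, "device storage is not encrypted")
    unapproved = sorted(set(report.get("corp_profile_apps", [])) - APPROVED_CORP_APPS)
    if unapproved:
        fail(Action.QUARANTINE, "unapproved apps in corporate profile: " + ", ".join(unapproved))
    if parse_version(report["os_version"]) < MIN_OS[report["platform"]]:
        fail(Action.NOTIFY, f"OS {report['os_version']} is below the policy minimum")
    if report["platform"] == "android" and not report.get("antivirus"):
        fail(Action.NOTIFY, "no anti-virus installed")
    return worst, findings


def action_plan(action):
    """Wiping is always preceded by an SMS notification, as the slides require."""
    return [Action.NOTIFY, Action.WIPE_CORP] if action is Action.WIPE_CORP else [action]


# Constructed sample reports.
CLEAN_IPHONE = {
    "device_id": "alice-iphone", "platform": "ios", "os_version": "8.1.2",
    "screen_lock": True, "storage_encrypted": True, "files_present": [],
    "corp_profile_apps": ["com.company.mail"],
}
ROOTED_ANDROID = {
    "device_id": "bob-galaxy", "platform": "android", "os_version": "4.2.2",
    "build_tags": "test-keys", "screen_lock": False, "storage_encrypted": False,
    "antivirus": False, "files_present": ["/system/xbin/su", "/system/app/Superuser.apk"],
    "corp_profile_apps": ["com.company.mail", "com.example.flashlight"],
}

if __name__ == "__main__":
    for report in (CLEAN_IPHONE, ROOTED_ANDROID):
        action, findings = evaluate(report)
        print(report["device_id"], action.name, findings, [a.name for a in action_plan(action)])
```

Two design points: the wipe targets only the corporate container, which is what makes the personal data segregation on this slide workable, and the plan always emits the SMS notification before the wipe. Detection is best-effort, since a rooted device can lie to the agent (root-hiding tools exist); where the platform offers hardware-backed attestation, prefer that over file checks.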

Page 12: Byod

Security Enhancement

Enrollment: bulk enrollment or single enrollment; authentication with Active Directory

Policy

Reason for authorization

Devices allowed on company infrastructure

Data services or personal plan (stipend)

Security

Applications authorized

Page 13: Byod

Security Enhancement

Policy (cont.)

Services provided

What data the employee can access with the device

Help desk services for personal devices

Agreement between employee and company

Personal data

Education of employees on the risks associated with BYOD

Training on encryption applications and secure communication

Not every "C"-level employee knows about encryption and safe communications

Page 14: Byod

Legal Matters

First things first: I'm NOT a lawyer. Legal issues may arise:

If the employee is a suspect in an internal investigation, can I take possession of the mobile device for analysis?

Is the employee accountable for any access from the mobile device if he/she loses it?

Privacy?

Page 15: Byod

Final Thoughts

BYOD is here to stay. Prepare an analysis of the pros and cons of implementing BYOD in your company.

Regulate the use of BYOD. Policies, anyone?

Training programs for employees

Page 16: Byod

Questions?

Ángel L. Trinidad

787-461-8111

[email protected]