Date posted: 30-Mar-2015
Bring Your Own Device (BYOD) Security
By Josh Bennett & Travis Miller
Today's Agenda
• Introduction of BYOD systems
• Benefits of BYOD systems
• BYOD Risks - Reduced Security
• Case Studies
o Malware: IOS_IKEE Worm Exploit
o Corporate Data Exfiltration: TTB No-Data Clients
o Approved Applications: EEOC BYOD Pilot
• 10-Step Secure Implementation Process
• BYOD Security Policies
• Closing Thoughts
• Questions
Benefits of BYOD Systems
-Improved mobility
-Avoiding carrying / maintaining multiple devices
-Employee benefit
-Reduced costs
Diminished Regard for Security Driving Risks
-Lack of awareness
-Increased workload
-Technical support prioritization
-Mobile OS updating difficulty
-Impulsive MDM solution purchases
-Informal adoption
Case Study: iOS Malicious Worm
Issue: Presence of Malware
Security Approach: Maintain Original OS & Patches
Example: IOS_IKEE worm; exploits jailbroken Apple mobile devices
Case Study: Alcohol and Tobacco Tax and Trade Bureau (TTB)
Issue: Corporate Data Exfiltration
Security Approach: Virtual Desktop & No-Data Thin Clients
VMware servers => RSA encrypted => WinLogon
Read-Only permissions
Case Study: U.S. Equal Employment Opportunity Commission (EEOC) BYOD Pilot
Issue: Approved Application Downloads/Agreement
Security Approach: Required Third-Party Apps - Novell GroupWise
The NotifyLink MDM cloud provider was required for the GroupWise apps to connect
Bradford Networks' 10-Step Secure Implementation Process
1. Determine the Mobile Devices That Are Allowed (Acceptable, Safe Devices)
2. Determine the OS Versions That Are Allowed (Secure OS Versions)
3. Determine the Apps That Are Mandatory/Required (Configuration)
4. Define the Devices Allowed By Group/Employees (Device Policies by Users)
5. Define Network Access (Who, What, Where, When)
6. Educate Your Employees (Communicate Policies)
7. Inventory Authorized & Unauthorized Devices (Trusted vs. Untrusted Devices)
8. Inventory Authorized & Unauthorized Users (Trusted vs. Untrusted Users)
9. Controlled Network Access Based on Risk Posture (Provision Network Access)
10. Continuous Vulnerability Assessment & Remediation (Enhance Other Solutions)
BYOD Security Policies
1. Prohibit download/transfer of sensitive business data
2. Required password(s) on personal device(s)
3. Agreement to maintain original OS with appropriate patches/updates
4. Device will not be shared with others
5. Remote wipe after X failed password attempts or when the device is reported lost
6. Agreement to connection encryption policies (e.g. Federal Information Processing Standard (FIPS) 140-2)
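As an added illustration (not from the slides or from Bradford Networks), the Python below shows how steps 1-4 and 9 of the 10-step process and policies 2, 3, 5 and 6 above can be expressed as a single device-posture check that maps a device record to a network zone (full, quarantine, deny, or remote wipe). The allowed models, version thresholds, app names, group rules and the `Device` fields are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Policy inputs (constructed sample values, not any organisation's real policy).
ALLOWED_MODELS = {"iPhone", "iPad", "Galaxy"}                         # step 1
MIN_OS_VERSION = {"iOS": (8, 1), "Android": (4, 4)}                    # step 2
REQUIRED_APPS = {"mdm-agent", "groupwise"}                             # step 3
GROUP_DEVICES = {"staff": ALLOWED_MODELS, "contractor": {"iPhone"}}    # step 4
MAX_FAILED_UNLOCKS = 10                                                # policy 5
BLOCKING = {"model", "group", "jailbroken"}   # findings that deny access outright

@dataclass
class Device:
    model: str
    os_name: str
    os_version: str        # dotted string, e.g. "8.1.2"
    user_group: str
    apps: frozenset
    jailbroken: bool       # the IOS_IKEE worm only reached jailbroken devices
    passcode_set: bool     # policy 2
    failed_unlocks: int
    fips_encryption: bool  # policy 6

def parse_version(text):
    """'8.1.2' -> (8, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def posture_findings(dev):
    """Return the set of policy violations for a device (empty = compliant)."""
    minimum = MIN_OS_VERSION.get(dev.os_name)
    checks = {
        "model": dev.model not in ALLOWED_MODELS,
        "group": dev.model not in GROUP_DEVICES.get(dev.user_group, set()),
        "os_version": minimum is None or parse_version(dev.os_version) < minimum,
        "jailbroken": dev.jailbroken,                 # original OS not maintained
        "apps": not REQUIRED_APPS <= dev.apps,        # mandatory apps missing
        "passcode": not dev.passcode_set,
        "encryption": not dev.fips_encryption,
    }
    return {name for name, violated in checks.items() if violated}

def provision_access(dev):
    """Step 9: map posture to a network zone; policy 5 escalates to remote wipe."""
    if dev.failed_unlocks >= MAX_FAILED_UNLOCKS:
        return "wipe"
    findings = posture_findings(dev)
    if not findings:
        return "full"          # trusted device: provision normal access
    if findings & BLOCKING:
        return "deny"          # untrusted device: no network access
    return "quarantine"        # remediation-only network until findings are fixed
```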
Closing Thoughts
-BYOD is already common
-Risks and rewards
BYOD Organizations should:
-Educate themselves on the nature and variety of risks
-Research organizational impacts
-Develop an implementation process based on best practices
-Establish and enforce sound security policies
Questions?
Bibliography
http://www.whitehouse.gov/digitalgov/bring-your-own-device#_ftnref4
http://www.slideshare.net/BradfordNetworks/the-10-steps-to-a-secure-byod-strategy#btnNext
http://www.letsunlockiphone.com/ios-viruses-iphone-ikee-b-worm/
http://blogs.unisys.com.disruptiveittrends/2011/07/12/one-year-on-too-many-it-groups-still-struggle-with-consumerization/
http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_decisive-analytics-consumerization-surveys.pdf
http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_implementing_byod_plans.pdf