!!!!!!!!!!!!!!!!!!!!!!!!!!

BYOD%Security%Scanning:!!What%You%Need%To%Know!

!!!!!!!!!!!!!!!!!!!!!!!

iScan!Online,!Inc.!19111!N!Dallas!Parkway!

Suite!200!Dallas,!TX!75287!

www.iscanonline.com!+1.214.276.1150!

! !

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

2!

!!

Introduction*When!the!early!history!of!the!21st!century!is!written,!two!dominant!technology!trends!will!stand!out.!One!is!the!move!to!the!cloud,!empowered!by!virtualization.!The!other!will!be!how!Bring!Your!Own!Device!(BYOD)!ushered!in!the!postVPC!era,!the!consumerization!of!IT!and!Shadow!IT!systems!built!and!used!without!organizational!approval.!While!BYOD!offers!many!positive!productivity!and!communication!benefits,!it!also!is!the!source!of!nightmares!which!keep!many!IT!and!security!administrators!up!at!night.!!There!is!no!doubt!that!BYOD!has!swept!over!the!workplace!like!a!tsunami.!A!recent!study!by!Cisco!1!showed!that!95%!of!organizations!use!BYOD!in!some!form!or!another.!This!is!an!overwhelming!statistic!that!shows!BYOD!has!reached!well!beyond!critical!mass.!!!!At!the!beginning!of!the!BYOD!movement,!IT!management!simply!forbid!users!to!access!corporate!resources!with!personally!owned,!unmanaged!devices.!Eventually!the!IT!security!industry!responded!with!solutions,!which!allowed!IT!managers!to!embrace!BYOD!rather!than!just!forbidding!it.!Unfortunately,!too!many!of!these!solutions!are!little!more!than!PC!solutions!reVskinned!for!enterprise!mobility.!!!!Given!that!today,!95%!of!organizations!allow!BYOD!devices,!the!threat!and!risk!to!corporate!data!and!applications!continues!to!grow!exponentially.!While!all!types!of!mobile!devices!and!operating!systems!could!be!targeted,!those!with!the!greatest!market!share!tend!to!attract!the!greatest!number!of!attacks.!For!this!reason,!along!with!its!open!nature,!Google’s!Android!system!is!attracting!a!lot!of!attention.!!!!There!are!already!documented!attacks!against!Android!2.!!It!is!not!that!Android!is!inherently!less!secure!than!other!mobile!systems,!its!very!popularity!makes!it!a!bigger!target!for!malware.!Most!security!experts!predict!a!rough!time!ahead!as!the!pace!and!severity!of!Android!and!other!mobile!security!threats!increase!over!the!coming!months!and!years.!!

What*is*at*stake?*Some!observers!casually!dismiss!the!threat!of!BYOD!security!breaches.!After!all,!while!most!phones!and!tablets!are!accessing!email!and!cloud!services,!they!have!limited!exposure!to!internal!corporate!networks.!!But!the!threat!is!in!fact!very!real.!!The!factors!that!are!driving!adoption!of!BYOD!are!also!driving!accessibility!by!these!devices!to!all!corporate!resources.!!More!and!more!internal!programs!and!applications!are!being!updated!with!frontVend!mobile!app!components!and!made!available!to!users!of!BYOD!devices.!!!!The!whole!notion!of!a!corporate!“castle”!surrounded!by!a!fortified!perimeter!is!growing!quainter!and!more!obsolete!every!day.!It!is!not!just!devices!that!are!mobile—people!are!increasingly!mobile.!BYOD!has!set!employees!free,!to!work!and!interact!with!an!organizations!network!from!any!place!and!at!any!time.!To!empower!these!employees,!organizations!must!allow!employee!owned!devices!access!to!corporate!assets.!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1!http://newsroom.cisco.com/release/854754/Cisco-Study-IT-Saying-Yes-To-BYOD!2!http://www.networkworld.com/news/2013/032713-new-malware-shows-android-has-268140.html!

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

3!

Once!these!devices!are!allowed!to!access!corporate!data,!they!consequentially!pose!a!risk!and!become!a!high!value!vector!for!attack.!In!today’s!world!of!sophisticated!threats!like!Advanced!Persistence!Threats!(APT)!and!mobile!endpoint!attacks,!larger!network!breaches!typically!start!with!a!toehold!gained!through!a!single!device.!Once!they!have!compromised!a!single!device,!attackers!can!use!that!device!to!attack!and!infiltrate!other!devices!on!the!network.!Any!compromised!device!may!contain!valuable!assets!itself!or!may!open!a!path!to!other!devices!and!corporate!data.!!Another!potential!security!risk!is!the!data!stored!on!the!BYOD!device!itself.!Whether!it!is!found!in!copies!of!email!sent!to!others,!in!attachments!to!emails!received,!or!in!documents!or!contact!information,!there!is!almost!inevitably!personally!identifiable,!confidential!information!stored!on!the!typical!BYOD!device.!!This!means!that!no!matter!how!much!security,!process!and!policy!are!in!place!to!protect!corporate!networks,!the!weakest!link!may!very!well!be!in!the!pocket!or!purse!of!a!corporate!employee.!!

Existing*BYOD*Security*Solutions*Today’s!BYOD!security!solutions!typically!fall!into!two!primary!categories,!antiVmalware!and!mobile!device!management!(MDM).!It!may!help!to!examine!both!of!these.!!In!regards!to!antiVmalware!on!BYOD!devices,!it!is!still!very!much!like!antiVmalware!on!PCs.!There!are!virus!detection!engines,!white!listing,!black!listing,!DLP,!and!other!technologies!built!into!antiVmalware!suites.!Unfortunately,!these!complex!apps!can!impact!mobile!device!performance!while!not!necessarily!making!the!user!or!organization!any!safer.!!Traditional!antiVvirus!firms!as!well!as!some!new!mobileVonly!companies!are!offering!these!host!based!antiVmalware!suites.!Yet!at!a!time!when!many!in!the!security!industry!are!saying!that!PC!antiVvirus!and!antiVmalware!are!all!but!useless,!these!same!pundits!continue!to!push!antiVmalware!software!as!a!viable!solution!for!mobile!devices.!!MDM!appeared!initially!to!be!the!killer!application!needed!to!make!BYOD!safe!for!the!workplace.!It!offered!the!hope!that!BYOD!devices!could!meet!corporate!policies,!allowing!IT!groups!to!enforce!configuration!standards!and!maintain!compliance.!Many!MDM!solutions!also!provide!remote!device!security!functions,!including!remote!lock,!remote!wipe!and!remote!location.!!While!antiVmalware!and!MDM!BYOD!solutions!are!important,!neither!can!deliver!the!opportunistic,!onVdemand!scanning!capabilities!needed!to!provide!worldVclass!security!in!a!mobile!enterprise!environment.!To!gain!true!clarity!into!the!state!of!an!organizations!BYOD!security!and!risk!posture,!it!may!help!to!understand!the!details!and!requirements!of!BYOD!scanning.!!!!

BYOD*Security*Scanning*–*What*is*it?*Scanning!has!been!part!of!the!security!toolbox!for!a!long!time,!and!most!organizations!understand!the!importance!of!assessing!the!vulnerability!posture!of!devices!and!networks!by!scanning!both!internally!and!externally.!But!what!exactly!is!BYOD!security!scanning?!!!!BYOD!Security!Scanning!is!the!ability!to!identify!and!assess!any!endpoint!device!for!vulnerabilities,!secure!configurations!or!unprotected!data!at!rest,!regardless!of!where!the!device!is!physically!located!or!how!it!is!accessing!corporate!data!and!applications.!!Existing!scanning!technologies!are!great!for!static!networks!where!devices!are!not!onVthe–go!such!as!printers,!routers!or!servers.!However,!legacy!

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

4!

network!scanning!solutions!have!little!or!no!ability!to!assess!tablets,!smartphones,!laptops!or!other!devices!as!they!dynamically!access!the!network,!applications!and!data.!

!!The!demands!of!security,!risk!and!compliance!management!require!BYOD!security!scanning!to!do!more!than!look!for!common!vulnerabilities.!As!stated!earlier,!scanning!for!secure!configurations!and!identifying!confidential!data!such!as!primary!account!number!(PAN)!credit!card!data!or!personal!health!information!(PHI)!are!also!mandatory!for!BYOD!security!scanning.!!The!world!of!mobile!connectivity!introduces!new!challenges!for!identifying!risks,!threats,!and!achieving!compliance.!This!mobile!world!also!requires!that!scanning!technologies!adapt!to!today’s!networks.!It!is!not!practical!or!technologically!sound!to!deploy!appliances!and!complex!software!in!an!attempt!to!secure!BYOD!devices!and!other!endpoints!that!are!mobile!and!not!static.!!!

BYOD*Security*Scanning*–*The*5*Requirements**What!should!an!organization!look!for!in!a!robust!Bring!Your!Own!Device!Security!Scanning!solution?!These!are!the!requirements!of!an!enterpriseVclass!BYOD!scanning!system.!

1. Integrates*With*Your*Business*Many!organizations!have!spent!millions!of!dollars!acquiring!and!developing!technology!to!support!remote!and!mobile!workers.!These!solutions!range!from!web!applications!to!traditional!IT!management!for!computing!devices.!To!ensure!seamless!and!effective!scanning,!BYOD!security!scanning!solutions!should!provide!out!of!the!box!integration!with!these!existing!business!technologies!to!initiate!the!scanning!process.!Some!examples!of!these!solutions!are:!!

• Endpoint!Management!solutions!• Remote!Monitoring!and!Management!• Single!SignVon!• Web!Application!Portals!• Email!and!Calendaring!Applications!

2. Schedule*Not*Required*Because!BYOD!implies!that!employees!are!free!to!move!on!and!off!the!network!on!their!own!schedule,!it!also!means!that!security!scanning!technologies!cannot!depend!on!network!locations!or!scheduled!times.!Scans!must!be!triggered!by!events!rather!than!by!IP!address!ranges!and!specific!points!in!time.!

According!to!Cisco’s!IBSG!2012!BYOD!report,!47%!of!employees!are!considered!“mobile!workers”!but!60%!of!employees!use!a!mobile!device!for!work.!

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

5!

3. Support*Mobile*Devices*with*Native*Apps*There!is!no!reliable!way!to!assess!a!smartphone!or!tablet!without!the!presence!of!a!native!app!on!the!device.!Providing!a!native!app!assures!that!the!results!derived!from!the!scan!are!accurate!and!upVtoVdate.!To!ensure!global!distribution!and!conformity!to!any!operating!system!API!restrictions,!native!device!apps!should!be!distributed!via!the!device!type’s!authorized!application!store.!

4. No*Credentials*Required*Because!of!the!“Y”!in!BYOD,!it!is!virtually!guaranteed!that!IT!departments!will!not!have!administrative!access!to!these!devices.!This!presents!serious!challenges!for!most!security!assessment!technologies.!Any!solution!that!delivers!BYOD!security!scanning!should!provide!scanning!without!requiring!administrative!credentials!on!the!device.!The!scan!process!should!execute!as!part!of!normal!user!operation!and!should!not!prompt!the!user!for!privilege!escalation!or!interfere!with!their!normal!work.!

5. Built*For*The*Cloud*There!are!many!types!of!mobile!workers!and!BYOD!situations,!and!many!home!office!and!remote!personnel!may!never!actually!connect!directly!to!the!corporate!network.!However,!these!devices!need!to!be!assessed!no!matter!where!they!are!located.!BYOD!security!scanning!solutions!should!provide!the!ability!to!assess!devices!from!the!cloud,!allowing!organizations!to!secure!those!devices!regardless!of!their!location!or!network!connection.!!

!!

iScan*Online*Delivers*BYOD*Security*Scanning*The!BYOD!phenomenon!is!revolutionizing!vulnerability!scanning!in!the!enterprise!environment.!IT!administrators!who!traditionally!scheduled!vulnerability!scanning!during!off!hours,!now!find!those!routine!scans!are!missing!many!of!the!actual!endpoints!that!access!their!corporate!data!and!applications.!Because!many!devices!are!not!on!the!network!when!scans!are!performed!or!the!scanning!technology!doesn’t!assess!the!particular!type!of!device,!or!because!administrative!credentials!are!required—the!devices!will!be!missed!by!previousVgeneration!assessment!and!remediation!efforts.!!The!consequences!can!be!dire.!The!2012!Verizon!Breach!Report!indicates!that!60%!of!all!compromised!assets!were!user!owned!devices.!Fortunately,!these!types!of!breaches!are!avoidable!with!proper!vulnerability!detection!and!remediation!of!user!owned!devices.!!Just!as!BYOD!ushered!in!more!dynamic!and!adaptive!ways!of!computing,!iScan!Online!delivers!scanning!technology,!which!can!be!deployed!in!a!dynamic,!easy!and!cost!effective!manner.!iScan!Online!works!in!the!way!that!users!work,!and!provides!visibility!in!to!the!security,!compliance!and!risk!posture!of!their!devices.!

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

6!

iScan*Online*Device*Support*!

iScan!Online!supports!scanning!Android!and!Apple!iOS!mobile!devices!via!native!mobile!apps!which!are!distributed!through!Google!Play!and!the!iTunes!App!store.!The!iScan!Online!native!mobile!apps!provide!vulnerability!scanning,!configuration!assessment,!data!discovery!and!remote!management!of!devices!including!remote!lock,!remote!wipe!and!geoVlocation.!!!!Scanning!of!traditional!laptops,!servers!and!workstations!are!also!accomplished!with!iScan!Online!via!a!browser!plugin.!Scanning!Windows!and!OS!X!systems!through!a!web!browser!is!a!simple!affordable!solution!that!can!be!integrated!into!to!any!website!or!web!application,!or!distributed!to!users!via!email!and!calendar!invitations.!!!!!iScan!Online!also!provides!a!command!line!interface!(CLI)!or!command!line!scanner!for!scanning!Mac!OSX!and!Windows!laptops,!desktops!and!servers.!The!command!line!scanner!can!be!used!as!a!simple!integration!point!with!many!monitoring!and!management!tools.!!!!!!!!

!

*

*

*! *

Expert*Tip*#1*Implementing!iScan!Online’s!Native!Mobile!App,!browser!plugin!and!command!line!scanner!addresses!BYOD!Security!Requirements!#3!&!#4.!

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

7!

*

iScan*Online*BYOD*Security*Scan*Types*

*

Vulnerability*Scan*Detects!known!vulnerabilities!in!the!operating!system!and!installed!applications.!

Configuration*Scan*Examines!the!local!settings!of!devices!to!detect!common!configuration!issues!such!as!password!settings,!network!configuration,!running!services,!antiVmalware!status!and!others.!!

Data*Discovery*Scan*Data!discovery!scans!can!be!configured!to!search!for!a!wide!variety!of!data,!such!as!unencrypted!cardholder!data!and!social!security!numbers!among!other!person!identifiable!information!(PII).!!!All!scan!types!can!be!initiated!via!the!iScan!Online!cloud!console!regardless!of!device!type!or!physical!location.!!!iScan!Online!provides!an!optional!selfVservice!scanning!feature!which!allows!device!users!to!initiate!scans,!view!the!results!of!the!scan!on!the!device,!and!take!steps!to!remediate!any!findings.!!The!selfVservice!scanning!feature!helps!improve!security!awareness!and!education!among!mobile!device!users,!and!ultimately!reduces!overall!risk!for!corporate!data!and!applications.!*

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

8!

Managing*BYOD*Security*Scanning*Today,!many!organizations!must!manage!devices,!scans!and!compliance!across!the!globe.!iScan!Online’s!multiVtenant!cloud!console!provides!management!of!devices,!reporting,!analysis,!remote!scan,!remote!lock,!remote!wipe!and!geolocation!on!a!global!scale.!!!

!!

! *

Expert*Tip*#2*iScan!Online’s!Scan!cloud!architecture!and!management!console!addresses!BYOD!Security!Requirement!#5.!

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

9!

Out*Of*The*Box*Scanning*iScan!Online!provides!out!of!the!box!integration,!including!templates!and!examples!for!a!variety!of!systems!management,!remote!management!and!office!productivity!solutions!including:!!

1. Microsoft!Active!Directory!2. LogMeIn!3. Kaseya!4. Web!Applications!5. Email!/!Calendaring!!

!!

*

*

Opportunity*Knocks*iScan!Online!BYOD!scans!are!not!based!on!the!outdated!limitations!of!network!discovery,!IP!addresses!or!time!schedules—but!on!the!natural!opportunities!to!assess!a!device.!These!opportunities!present!themselves!based!on!the!types!of!devices!and!scan!deployment!strategies!selected!by!the!organization.!Consider!these!deployment!strategies:!!

• Using!iScan!Online’s!web!application!methodology,!devices!can!be!assessed!during!the!web!app!authentication!process.!

• Using!iScan!Online’s!email!/!calendaring!templates,!users!could!simply!be!reminded!to!visit!a!URL!to!initiate!a!scan.!

• Using!iScan!Online’s!JavaScript!templates,!scanning!can!be!integrated!into!web!content!filtering!or!other!proxy!based!solutions!

!These!scan!deployment!strategies!highlight!iScan!Online’s!opportunistic!approach!to!scanning.!This!allows!devices!to!be!identified!and!assessed!as!they!are!accessing!corporate!resources,!not!just!based!on!a!schedule!or!block!of!IP!addresses.!!

! *

Expert*Tip*#3*iScan!Online’s!out!of!the!box!integrations!addresses!BYOD!Security!Requirement!#1.!

Expert*Tip*#4*iScan!Online’s!opportunistic!approach!addresses!BYOD!Security!Requirement!#2.!

!

BYOD!Security!Scanning!What!You!Need!To!Know! !Copyright!©!2013!iScan!Online,!Inc.!

10!

*

Conclusion*Analyst!reports!and!press!articles!continue!to!announce!the!“Death!of!the!PC”.!In!the!first!quarter!of!2013,!IDC!reported!that!PC!Shipments!had!fallen!14%,!the!biggest!drop!since!IDC!began!tracking!shipment!data!in!1994.!!Given!this!shift,!it!is!clear!that!organizations!are!adopting!BYOD!to!reduce!costs!by!replacing!traditional!desktop!and!laptop!computers!with!lower!cost!smartphones!and!tablets.!Unfortunately!these!userVowned!devices!go!largely!ignored!by!traditional!assessment!and!security!solutions!and!present!significant!challenges!to!maintaining!a!secure!operational!environment.!!!iScan!Online!has!completely!reVimagined!security!scanning!for!a!BYOD!world!and!delivered!an!innovative!solution!to!address!today’s!enterpriseVclass!BYOD!scanning!requirements.!!Register!now!for!a!free!14!day!trial!of!iScan!Online!at!http://www.iscanonline.com!!

*

*

*

About*iScan*Online,*Inc.*iScan!Online,!Inc.!is!a!provider!of!BYOD!security!scanning!solutions!for!addressing!the!security!assessment!of!mobile!devices!and!remote!workers.!iScan!Online!offers!customers!the!ability!to!scan!anyone,!anytime!and!anywhere!with!an!internet!connection!and!browser.!!Changing!the!paradigm!of!vulnerability!assessments!to!address!the!changing!needs!of!today's!mobile!workforce,!iScan!Online!delivers!its!scanning!services!through!a!series!of!browserVbased!technologies,!native!mobile!apps!and!cloud!solutions.!!!iScan!Online!is!the!first!and!only!vendor!to!perform!PAN,!PCI!and!Vulnerability!scanning!without!installing!complex!software!or!the!need!for!hardware.!iScan!Online!currently!supports!Microsoft!Windows,!Apple!OS!X,!Android!and!Apple!iOS!mobile!devices.!!!!!!