Uploaded by: centralohioissa
BYODAWSCYW
Bring Your Own Device And Whatever Security Controls You Want
Steven Keil
Aaron & Hur, Inc.
[email protected]
19, 2016
© 2016 Aaron & Hur, Inc.
Introduction
Started in Information Technology in 1982 with Big Blue
Network and Security Consulting since 1994
Certifications include: CISSP, CEH, CCNA. Retired certifications include MCSE (and Master CNE if anyone cares. Life was so simple with NetWare 3.12)
Currently employed as a Security & Data Privacy Lead for a government agency right around the corner
Happily married father of three children and four grandchildren (soon to be five!)
We all know this is true… (No offense to Chuck Norris fans!)
Project History
We knew we had a problem.
This became my project for my Master's Degree in Information Security from Western Governors University. See next slide.
Now working on implementing.
Graduated in February at Disney World
Project Overview
BYOD was instituted to save the cost of supplying the contractors with laptops
Basic security controls were inconsistent and varied widely depending on the vendor, the user, and the device
The result was BYODAWSCYW
My project was to define minimum controls, policies, and procedures to apply to devices not controlled by the organization
Some of the risks
If a device was not patched in a timely manner, malware or a virus on it could attack other devices on the internal LAN
A lost or stolen device could have the organization's data on it, unencrypted
A device could spread malware through the internal network, or grant access to the organization's data, without the user's knowledge
How To Reduce Risk?
By providing:
1. A list of minimum security controls
2. A "Bring Your Own Device" policy draft incorporating these controls for adoption
3. Written procedures to maintain the policy and controls for:
○ Android smartphones and tablets
○ Apple personal computers, smartphones and tablets
○ Windows personal computers, smartphones and tablets
Areas Researched
NIST SP 800-124 Revision 1 (Guidelines for Managing the Security of Mobile Devices in the Enterprise)
SANS Critical Controls
CIS Benchmarks
Interviews with staff and vendors to determine the controls currently implemented
Areas Researched cont.
Appropriate Federal regulations
○ IRS
○ HIPAA (Health Insurance Portability and Accountability Act of 1996)
Current organization policies
○ Internet, E-mail, and other IT Resources
○ Encryption
○ IT Security Awareness and Training
○ Mobile Computing
○ And others
Solution
One of our success factors was to recognize that the organization's security team does not supply, or have direct control over, the computers (primarily laptops) and other devices.
We made the controls "standards based." This means that as long as a security control is implemented in a reasonable fashion, or an approved countermeasure is implemented, it may be deemed acceptable.
Solution continued
For example, different devices have different encryption methods. As long as encryption is enabled, this control is met:
○ Apple iPhones and iPads: Data Protection (only active once a passcode is set, so this depends on the passcode control below)
○ Android tablets and phones: dm-crypt
○ Windows computers: BitLocker
○ Apple computers: FileVault
Only grant access to the internal LAN after verification of the fifteen controls
The Security Control List
1) Personal devices (Laptop/Tablet/Smartphone) shall be registered by providing the following information to designated staff when joining the project:
a. Serial number
b. MAC addresses for Wi-Fi and Ethernet (if applicable)
c. IMEI for cellular connections (if applicable)
2) A supported operating system shall be installed and running on the device. (Laptop/Tablet/Smartphone)
3) Current operating system patches shall be installed within 30 days of the latest release unless an exception is granted. (Laptop/Tablet/Smartphone)
4) Application updates shall be installed within 30 days of the latest release unless an exception is granted. (Examples: Java, Office, etc.) (Laptop/Tablet/Smartphone)
5) Antivirus and antimalware shall be installed with current signatures and configured to scan for malicious software not less than weekly. (Laptop)
6) Storage must be encrypted per the Encryption Policy IT-14. External storage shall also be encrypted. (Examples include SD cards, "thumb" drives, etc.) (Laptop/Tablet/Smartphone)
7) A local firewall shall be enabled. (Laptop)
8) A strong password or Personal Identification Number (PIN) consisting of a minimum of 8 characters shall be used on the device. Refer to the policy for additional guidance. (Laptop/Tablet/Smartphone)
9) A timer shall be configured to lock the screen after 15 minutes or less of inactivity. (Laptop/Tablet/Smartphone)
10) Jailbreaking or use of rooted devices shall not be permitted. (Tablet/Smartphone)
11) A device wipe shall be initiated after 10 consecutive failed attempts to unlock the device, or alternatively remote wipe shall be enabled. (Tablet/Smartphone)
12) "Find my Phone" or a similar device-locating service shall be enabled. (Tablet/Smartphone)
13) Backups must be encrypted. (Examples: iPhone/iPad on iTunes, laptop on an external hard drive or an employer-provided remote backup, Android on a local PC, etc.) (Laptop/Tablet/Smartphone)
14) No device sharing shall be permitted. (Rationale: apps accessing email on smartphones and tablets do not require authentication, and data stored on a laptop hard drive could be accessed by non-staff personnel.) (Laptop/Tablet/Smartphone)
15) Access to Federal Tax Information from mobile devices is prohibited. (Tablet/Smartphone)
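The per-platform encryption equivalents from the Solution slides and the fifteen controls above can be written down as a checklist evaluator for the rapid-assessment review: given a registered device record, it returns which controls fail, and LAN access is granted only when that list is empty. The Python below is an added example, not code from the original slides or from the organization's job aids. The device record field names, the supported-OS set, the MAC and IMEI validation rules (the IMEI check digit is a Luhn digit) and the two sample device records are assumptions constructed for this illustration.

```python
# Added example: evaluate a device record against the fifteen BYOD controls.
# Field names, the supported-OS set and the sample records are assumptions.
import re
from datetime import date

# Control 2: the slides only say "a supported operating system"; this set is assumed.
SUPPORTED_OS = {"ios", "android", "windows", "macos"}

# Control 6, "standards based": any of these counts as encryption enabled on that platform.
ACCEPTED_ENCRYPTION = {
    "ios": {"data protection"},
    "android": {"dm-crypt"},
    "windows": {"bitlocker"},
    "macos": {"filevault"},
}
MOBILE = {"tablet", "smartphone"}   # kinds that controls 10, 11, 12 and 15 apply to
PATCH_WINDOW_DAYS = 30              # controls 3 and 4
SCAN_INTERVAL_DAYS = 7              # control 5: "not less than weekly"

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def valid_mac(mac):
    """Control 1b: accept colon- or hyphen-separated 48-bit MAC addresses."""
    return bool(MAC_RE.match(mac))


def valid_imei(imei):
    """Control 1c: an IMEI is 15 digits whose last digit is a Luhn check digit."""
    if not re.fullmatch(r"\d{15}", imei):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):   # i == 0 is the check digit itself
        d = int(ch)
        if i % 2 == 1:                         # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def assess(dev, today):
    """Return the sorted list of control numbers the device record fails."""
    mobile = dev["kind"] in MOBILE
    failed = set()
    macs = dev.get("macs", [])
    if not dev.get("serial") or not macs or not all(valid_mac(m) for m in macs):
        failed.add(1)
    if dev.get("cellular") and not valid_imei(dev.get("imei", "")):
        failed.add(1)
    if dev["os"] not in SUPPORTED_OS:
        failed.add(2)
    exempt = dev.get("patch_exception", False)      # "unless an exception is granted"
    if (today - dev["os_patch_date"]).days > PATCH_WINDOW_DAYS and not exempt:
        failed.add(3)
    if (today - dev["app_patch_date"]).days > PATCH_WINDOW_DAYS and not exempt:
        failed.add(4)
    if not mobile and not (dev.get("av_installed") and dev.get("av_signatures_current")
                           and dev.get("av_scan_interval_days", 999) <= SCAN_INTERVAL_DAYS):
        failed.add(5)
    method = dev.get("encryption", "").lower()
    if (method not in ACCEPTED_ENCRYPTION.get(dev["os"], set())
            or not dev.get("external_storage_encrypted", False)):
        failed.add(6)
    if not mobile and not dev.get("firewall"):
        failed.add(7)
    if dev.get("pin_length", 0) < 8:
        failed.add(8)
    if dev.get("lock_minutes", 999) > 15:
        failed.add(9)
    if mobile:
        if dev.get("rooted"):
            failed.add(10)
        wipe = dev.get("wipe_after_attempts", 0)     # 0 means no local wipe configured
        if not (0 < wipe <= 10 or dev.get("remote_wipe")):
            failed.add(11)
        if not dev.get("find_my_device"):
            failed.add(12)
        if dev.get("fti_access"):
            failed.add(15)
    if not dev.get("backups_encrypted"):
        failed.add(13)
    if dev.get("shared"):
        failed.add(14)
    return sorted(failed)


def grant_lan_access(dev, today):
    """Gate from the Solution slide: LAN access only after every control is verified."""
    return assess(dev, today) == []


# Constructed sample records (assumed field names; not real devices).
TODAY = date(2016, 6, 1)
LAPTOP = {"kind": "laptop", "os": "windows", "serial": "SN-0001",
          "macs": ["00:1A:2B:3C:4D:5E"], "cellular": False,
          "os_patch_date": date(2016, 5, 20), "app_patch_date": date(2016, 5, 25),
          "av_installed": True, "av_signatures_current": True, "av_scan_interval_days": 7,
          "encryption": "BitLocker", "external_storage_encrypted": True, "firewall": True,
          "pin_length": 12, "lock_minutes": 10, "backups_encrypted": True, "shared": False}
PHONE = {"kind": "smartphone", "os": "android", "serial": "SN-0002",
         "macs": ["00-1A-2B-3C-4D-5F"], "cellular": True, "imei": "490154203237518",
         "os_patch_date": date(2016, 3, 1), "app_patch_date": date(2016, 5, 28),
         "encryption": "none", "external_storage_encrypted": True,
         "pin_length": 4, "lock_minutes": 30, "rooted": True, "wipe_after_attempts": 0,
         "remote_wipe": False, "find_my_device": False, "backups_encrypted": True,
         "shared": False, "fti_access": True}

if __name__ == "__main__":
    for name, dev in (("laptop", LAPTOP), ("phone", PHONE)):
        print(name, "failed controls:", assess(dev, TODAY),
              "LAN access:", grant_lan_access(dev, TODAY))
```

Run stand-alone, the constructed laptop passes every control and the constructed phone fails controls 3, 6, 8, 9, 10, 11, 12 and 15; that failure list is what a reviewer would carry onto the checklist, and an empty list is the precondition for registering the device on the internal LAN.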
Status to date
Received approval from Leadership for the draft controls list
Policy drafts are in review
Proof of Concept completed
Using the POC to validate the job aids, checklists, and overall process
How Potential Obstacles Were Overcome
Involving leadership, POC volunteers, and staff in assessing the job aids, controls list, and policy draft to get early feedback
Making the job aids available to all staff for guidance and to make their devices safer
Checklists for use in the review process for rapid assessment
"Preapproval" process where controls were already met by a reputable vendor: a trust-but-verify approach
What I Learned
Use of existing regulations was key
○ The majority of the controls list was derived from portions of eight organizational policies and three federal regulations (including HIPAA)
○ Now all in one place for staff to understand and to meet audit requirements
Most staff want to comply
○ The staff want to operate safely and see the benefit of protecting their own data and devices
○ They lack understanding of what their device settings can provide
○ The Security Team can lead and educate instead of always being the "hammer" and demanding compliance
What was learned continued
This is a project that is in the process of being implemented.
It has been an excellent opportunity to work with non-security staff and leadership.
It will take time to get approval from the organization for the policy and to finish the implementation
○ Patience, flexibility, and willingness to compromise are important to getting consensus to move forward
Overall systems security will be enhanced when this is fully implemented, by securing the endpoints
Summary
The business side wants to adopt BYOD to save cost and increase productivity
Security must be able to provide alternatives to reduce risk to the organization when this is implemented
References
Johnson, D. (2012). BYOD - a short list of resources (C. Norris meme). Retrieved from http://doug-johnson.squarespace.com/blue-skunk-blog/2012/11/7/byod-a-short-list-of-resources.html
http://pcvirusesremoval.blogspot.com/2014/02/trojan-horse-generic32cbws-virus.html
http://www.imdb.com/title/tt0400903/
http://debaffle.net/tech-primer-online-services-and-encryption-part-1/