BYODAWSCYW: Bring Your Own Device And Whatever Security Controls You Want
One approach to reduce risk

Steven Keil, Aaron & Hur, Inc.
[email protected]
March 19, 2016
© 2016 Aaron & Hur, Inc.



Page 2: Introduction

Started in Information Technology in 1982 with Big Blue
Network and Security Consulting since 1994
Certifications include: CISSP, CEH, CCNA. Retired certifications include MCSE (and Master CNE if anyone cares. Life was so simple with Netware 3.12)
Currently employed as a Security & Data Privacy Lead for a government agency right around the corner
Happily married father of three children and four grandchildren (soon to be five!)

Page 3: Chuck Norris meme

We all know this is true... (No offense to Chuck Norris fans!)

Page 4: Project History

We knew we had a problem.
This became my project for my Master's Degree in Information Security from Western Governors University. See next slide.
Now working on implementing.

Page 5: Graduation

Graduated in February at Disney World

Page 6: Project Overview

BYOD was instituted to save the cost of supplying the contractors with laptops
Basic security controls were inconsistent and varied widely depending on the vendor, user, and the device
The result was BYODAWSCYW
My project was to define minimum controls, policies, and procedures to apply to devices not controlled by the organization

Page 7: Some of the risks

If a device was not patched in a timely manner, malware or a virus could attack a device on the internal LAN

Page 8: Risks continued

A lost or stolen device could have the organization's data on it and not be encrypted

Page 9: Risks continued

A device could spread malware through the internal network or grant access to the organization's data without the user's knowledge

Page 10: How To Reduce Risk?

By providing:
1. A list of minimum security controls
2. A "Bring Your Own Device" policy draft incorporating these controls for adoption
3. Written procedures to maintain the policy and controls for:
○ Android smartphones and tablets
○ Apple personal computers, smartphones and tablets
○ Windows personal computers, smartphones and tablets

Page 11: Areas Researched

NIST Series for Computer Security (800-124 R1)
SANS Critical Controls
CIS Benchmarks
Interviews with staff vendors to determine the current controls implemented

Page 12: Areas Researched cont.

Appropriate Federal regulations
○ IRS
○ HIPAA (Health Insurance Portability and Accountability Act of 1996)
Current organization policies
○ Internet, E-mail, and other IT Resources
○ Encryption
○ IT Security Awareness and Training
○ Mobile Computing
○ And others

Page 13: Solution

One of our success factors was to recognize that the organization's security team does not supply or have direct control over the computers (primarily laptops) and other devices.

We made the controls "standards based." This means that as long as a security control is implemented in a reasonable fashion or an approved countermeasure is implemented, it may be deemed acceptable.

Page 14: Solution continued

For example, different devices have different encryption methods. As long as encryption is enabled, this control is met:
○ Apple iPhones and iPads: Data Protection
○ Android tablets and phones: dm-crypt
○ Windows computers: BitLocker
○ Apple computers: FileVault

Only grant access to the internal LAN after verification of the fifteen controls

Page 15: The Security Control List

1) Personal Devices (Laptop/Tablet/Smartphone) shall be registered by providing the following information to designated staff when joining the project:
a. Serial Number
b. MAC addresses for Wi-Fi and Ethernet (if applicable)
c. IMEI for cellular connections (if applicable)
2) A Supported Operating System shall be installed and running on the device. (Laptop/Tablet/Smartphone)
3) Current operating system patches shall be installed within 30 days of the latest release unless an exception is granted. (Laptop/Tablet/Smartphone)
4) Application updates shall be installed within 30 days of the latest release unless an exception is granted. (Examples: Java, Office, etc.) (Laptop/Tablet/Smartphone)

Page 16: The Security Control List continued

5) Antivirus and antimalware shall be installed and configured with current signatures and configured to scan for malicious software not less than weekly. (Laptop)
6) Storage must be encrypted per the Encryption Policy IT-14. External storage shall also be encrypted. (Examples include SD cards, "Thumb" Drives, etc.) (Laptop/Tablet/Smartphone)
7) A local firewall shall be enabled. (Laptop)
8) A strong password or Personal Identification Number (PIN) consisting of a minimum of 8 characters shall be used on the device. Refer to policy for additional guidance. (Laptop/Tablet/Smartphone)

Page 17: The Security Control List continued

9) A timer shall be configured to lock the screen after 15 minutes or less of inactivity. (Laptop/Tablet/Smartphone)
10) Jailbreaking or use of rooted devices shall not be permitted. (Tablet/Smartphone)
11) A device wipe will be initiated after 10 consecutive failed attempts to access the device, or alternately a remote wipe shall be enabled. (Tablet/Smartphone)
12) "Find my Phone" or a similar device-locating service shall be enabled. (Tablet/Smartphone)

Page 18: The Security Control List continued

13) Backups must be encrypted. (Examples: iPhone/iPad on iTunes, laptop on an external hard drive or an employer-provided remote backup, Android on a local PC, etc.) (Laptop/Tablet/Smartphone)
14) No device sharing shall be permitted. (Examples: Apps accessing email on smartphones and tablets do not require authentication. Data stored on a laptop hard drive could be accessed by non-staff personnel.) (Laptop/Tablet/Smartphone)
15) Access to Federal Tax Information from mobile devices is prohibited. (Tablet/Smartphone)
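The LAN-access gate on slide 14 (verify the fifteen controls, treating any approved encryption method as equivalent) can be expressed as a posture check over a device's registration record. This is an added example written for this page, not material from the talk or the organization; the record field names, the sample devices and the review date are constructed assumptions.

```python
from datetime import date, timedelta

# Added example (not from the talk): applies the fifteen-control list to
# self-reported device records. Field names and sample devices are constructed.
APPROVED_ENCRYPTION = {"Data Protection", "dm-crypt", "BitLocker", "FileVault"}
ALL, MOBILE, LAPTOP = {"Laptop", "Tablet", "Smartphone"}, {"Tablet", "Smartphone"}, {"Laptop"}
PATCH_WINDOW = timedelta(days=30)
AS_OF = date(2016, 3, 19)  # constructed review date used for the patch-age checks

def control_checks(dev, as_of=AS_OF):
    """Return (control number, passed) for every control that applies to dev['kind']."""
    exc = dev.get("exception", False)      # a granted exception covers controls 3 and 4
    wipe = dev.get("wipe_after_attempts")  # None when no local wipe threshold is set
    checks = [
        (1, ALL, dev.get("serial") and dev.get("mac_addresses")
                 and (not dev.get("cellular") or dev.get("imei"))),
        (2, ALL, dev["os_supported"]),
        (3, ALL, exc or as_of - dev["os_patch_date"] <= PATCH_WINDOW),
        (4, ALL, exc or as_of - dev["app_patch_date"] <= PATCH_WINDOW),
        (5, LAPTOP, dev.get("av_scan_interval_days", 999) <= 7),
        # "standards based": any approved method counts; external media must be encrypted too
        (6, ALL, dev["storage_encryption"] in APPROVED_ENCRYPTION and dev["external_encrypted"]),
        (7, LAPTOP, dev.get("firewall", False)),
        (8, ALL, dev["pin_length"] >= 8),
        (9, ALL, dev["lock_minutes"] <= 15),
        (10, MOBILE, not dev.get("rooted", False)),
        # a local wipe after at most 10 attempts or an enabled remote wipe satisfies control 11
        (11, MOBILE, (wipe is not None and wipe <= 10) or dev.get("remote_wipe", False)),
        (12, MOBILE, dev.get("find_my_device", False)),
        (13, ALL, dev["backup_encrypted"]),
        (14, ALL, not dev["shared"]),
        (15, MOBILE, not dev.get("fti_access", False)),
    ]
    return [(n, bool(ok)) for n, kinds, ok in checks if dev["kind"] in kinds]

def lan_access_decision(dev, as_of=AS_OF):
    """Grant internal LAN access only when every applicable control passes."""
    failed = [n for n, ok in control_checks(dev, as_of) if not ok]
    return {"grant": not failed, "failed_controls": failed}

LAPTOP_OK = {"kind": "Laptop", "serial": "CONSTRUCTED-001", "mac_addresses": ["00:11:22:33:44:55"],
             "os_supported": True, "os_patch_date": date(2016, 3, 1), "app_patch_date": date(2016, 2, 25),
             "av_scan_interval_days": 7, "storage_encryption": "BitLocker", "external_encrypted": True,
             "firewall": True, "pin_length": 12, "lock_minutes": 10, "backup_encrypted": True, "shared": False}
PHONE_BAD = {"kind": "Smartphone", "serial": "CONSTRUCTED-002", "mac_addresses": ["66:77:88:99:aa:bb"],
             "cellular": True, "imei": "000000000000000", "os_supported": True,
             "os_patch_date": date(2016, 1, 15), "app_patch_date": date(2016, 3, 10),
             "storage_encryption": "dm-crypt", "external_encrypted": True, "pin_length": 8,
             "lock_minutes": 15, "rooted": True, "find_my_device": True, "backup_encrypted": True, "shared": False}
```

Calling lan_access_decision(PHONE_BAD) denies access and lists controls 3, 10 and 11 (stale OS patches, rooted, no wipe), which is the kind of finding the rapid-assessment checklists on the later slides are meant to surface.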

Page 19: Status to date

Received approval from Leadership for the draft controls list
Policy drafts are in review
Proof of Concept completed
Using the POC to validate the job aids, checklists, and overall process

Page 20: How Potential Obstacles Were Overcome

Involving leadership, POC volunteers, and staff in assessing the job aids, controls list, and policy draft to get early feedback
Making the job aids available to all staff for guidance and to make their devices safer
Checklists for use in the review process for rapid assessment
"Preapproval" process where controls were already met by a reputable vendor. Trust but verify approach

Page 21: What I Learned

Use of existing regulations was key
○ The majority of the controls list was derived from portions of eight organizational policies and three federal regulations (including HIPAA)
○ Now all in one place for staff to understand and to meet audit requirements
Most staff want to comply
○ The staff want to operate safely and see the benefit to protecting their own data and devices
○ Lacking understanding of what their device settings can provide
Security Team can lead and educate instead of always being the "hammer" and demanding compliance

Page 22: What was learned continued

This is a project that is in the process of being implemented.
It has been an excellent opportunity to work with non-security staff and leadership.
It will take time to get approval from the organization for the policy and to finish the implementation
○ Patience, flexibility, and willingness to compromise are important to getting consensus to move forward
Overall systems security will be enhanced when this is fully implemented by securing the endpoints

Page 23: Summary

The business side wants to adopt BYOD to save cost and increase productivity
Security must be able to provide alternatives to reduce risk to the organization when this is implemented

Page 24: References

Johnson, D. (2012). BYOD - a short list of resources. C. Norris meme. Retrieved from: http://doug-johnson.squarespace.com/blue-skunk-blog/2012/11/7/byod-a-short-list-of-resources.html
http://pcvirusesremoval.blogspot.com/2014/02/trojan-horse-generic32cbws-virus.html
http://www.imdb.com/title/tt0400903/
http://debaffle.net/tech-primer-online-services-and-encryption-part-1/