Bring Your Own Device And Whatever Security Controls
You Want
Steven Keil
Aaron & Hur, Inc.
skeil@aaronhur.com
March 19, 2016
© 2016 Aaron & Hur, Inc.
Introduction
 Started in Information Technology in 1982 with
Big Blue
 Network and Security Consulting since 1994
 Certifications include: CISSP, CEH, CCNA.
Retired certifications include MCSE (and Master
CNE if anyone cares. Life was so simple with
Netware 3.12)
 Currently employed as a Security & Data Privacy
Lead for a government agency right around the
corner
 Happily married father of three children and four
grandchildren (soon to be five!)
We all know this is true…..
(No offense to Chuck Norris fans!)
Project History
 We knew we had a problem.
 This became my project for my Masters
Degree in Information Security from
Western Governors University.
 See next slide 
 Now working on implementing.
Graduated in February
at Disney World
Project Overview
 BYOD was instituted to save the cost of
supplying the contractors with laptops
 Basic security controls were inconsistent and
varied widely depending on the vendor, the user,
and the device
 The result was BYODAWSCYW: Bring Your Own
Device And Whatever Security Controls You Want
 My project was to define minimum controls,
policies, and procedures to apply to devices
not controlled by the organization
Some of the risks
 An unpatched device is an easy target for malware;
once compromised and connected, it can be used to
attack other hosts on the internal LAN
Risks continued
 A lost or stolen device could hold the
organization's data unencrypted
Risks continued
 A compromised device could spread malware across
the internal network or expose organization data
without the user's knowledge
How To Reduce Risk?
 By providing
1. A list of minimum security controls
2. A “Bring Your Own Device” policy draft
incorporating these controls for adoption
3. Written procedures to maintain the policy and
controls for:
○ Android smartphones and tablets
○ Apple Personal Computers, smartphones and
tablets
○ Windows Personal Computers, smartphones and
tablets
Areas Researched
 NIST SP 800-124 Rev. 1 (Guidelines for Managing
the Security of Mobile Devices in the Enterprise)
 SANS/CIS Critical Security Controls
 CIS Benchmarks
 Interviews with the contractors' vendors to
determine the controls currently implemented
Areas Researched cont.
 Appropriate Federal regulations
 IRS requirements for Federal Tax Information
 HIPAA (Health Insurance Portability and
Accountability Act of 1996)
 Current organizational policies
 Internet, E-mail, and other IT Resources
 Encryption
 IT Security Awareness and Training
 Mobile Computing
 And others
Solution
 One success factor was recognizing up front that
the organization's security team neither supplies
nor directly controls the computers (primarily
laptops) and other devices.
 We made the controls "standards based": each
control states the outcome required, not a
specific product. A control is met when it is
implemented in a reasonable fashion with the
platform's own mechanism, or when an approved
countermeasure (a compensating control) is in
place.
Solution continued
 For example, different platforms encrypt storage
differently. As long as encryption is enabled with
the platform's native mechanism, the control is met:
 Apple iPhones and iPads: Data Protection
(activated by setting a device passcode)
 Android tablets and phones: dm-crypt full-disk
encryption
 Windows computers: BitLocker
 Apple computers: FileVault
 Caveat: on the mobile platforms the encryption key
is unlocked by the device passcode, so a short PIN
weakens this control. Controls 8 and 11 exist to
back it up.
 Access to the internal LAN is granted only after
all fifteen controls have been verified
The Security Control List
1) Personal devices (Laptop/Tablet/Smartphone) shall be
registered by providing the following information to
designated staff when joining the project:
a. Serial number
b. MAC addresses for Wi-Fi and Ethernet (if
applicable)
c. IMEI for cellular connections (if applicable)
2) A vendor-supported operating system (one still
receiving security updates) shall be installed and
running on the device. (Laptop/Tablet/Smartphone)
3) Current operating system patches shall be installed
within 30 days of the latest release unless an
exception is granted. (Laptop/Tablet/Smartphone)
4) Application updates shall be installed within 30 days
of the latest release unless an exception is granted.
(Examples: Java, Office, etc.) (Laptop/Tablet/Smartphone)
5) Antivirus and antimalware software shall be installed,
kept current with signatures, and configured to scan
for malicious software not less than weekly. (Laptop)
6) Storage must be encrypted per Encryption Policy
IT-14. External storage shall also be encrypted
(examples include SD cards, "thumb" drives, etc.).
(Laptop/Tablet/Smartphone)
7) A local (host-based) firewall shall be enabled. (Laptop)
8) A strong password or Personal Identification Number
(PIN) of at least 8 characters shall be required to
unlock the device. Refer to the policy for additional
guidance. (Laptop/Tablet/Smartphone)
9) An inactivity timer shall lock the screen after
15 minutes or less. (Laptop/Tablet/Smartphone)
10) Jailbroken or rooted devices shall not be permitted.
(Tablet/Smartphone)
11) The device shall wipe itself after 10 consecutive
failed unlock attempts, or alternatively remote wipe
shall be enabled. (Tablet/Smartphone)
12) "Find My Phone" or a similar device-locating service
shall be enabled. (Tablet/Smartphone)
13) Backups must be encrypted (examples: iPhone/iPad
backups in iTunes, a laptop backed up to an external
hard drive or to an employer-provided remote backup,
an Android device backed up to a local PC, etc.).
(Laptop/Tablet/Smartphone)
14) No device sharing shall be permitted. (The risk:
mail apps on smartphones and tablets do not
re-authenticate once the device is unlocked, and
data stored on a laptop hard drive could be read by
non-staff users of the device.)
(Laptop/Tablet/Smartphone)
15) Access to Federal Tax Information from mobile
devices is prohibited. (Tablet/Smartphone)
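The control list above, together with the standards-based encryption rule from the Solution slides, written out as a checklist evaluator. This is example code added for this page, not code from the deck or from Aaron & Hur. The device record fields, the two constructed sample devices, the assessment date and the platform-to-encryption table are assumptions; the applicability tags, the 30-day and weekly windows, the 8-character minimum, the 15-minute lock and the 10-attempt wipe come from the list itself. It also validates the registration data for control 1 (MAC format and the IMEI Luhn check digit), which the list requires but does not spell out.

```python
"""Checklist evaluator for the fifteen BYOD controls (added example, not from the deck).

Device records are plain dicts; the field names, the sample devices, the
platform-to-encryption table and the assessment date are assumptions.
"""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=30)   # controls 3 and 4
SCAN_WINDOW = timedelta(days=7)     # control 5: scan "not less than weekly"
MIN_PASSCODE_LEN = 8                # control 8
MAX_IDLE_MINUTES = 15               # control 9
WIPE_ATTEMPTS = 10                  # control 11

MOBILE = {"tablet", "smartphone"}
ALL = MOBILE | {"laptop"}
# Device classes each control applies to, taken from the list's (Laptop/Tablet/Smartphone) tags.
APPLIES_TO = {1: ALL, 2: ALL, 3: ALL, 4: ALL, 5: {"laptop"}, 6: ALL, 7: {"laptop"}, 8: ALL,
              9: ALL, 10: MOBILE, 11: MOBILE, 12: MOBILE, 13: ALL, 14: ALL, 15: MOBILE}
EXCEPTION_ELIGIBLE = {3, 4}         # only the patch controls say "unless an exception is granted"
# Control 6 is "standards based": any approved native mechanism for the platform satisfies it.
APPROVED_ENCRYPTION = {"ios": {"data protection"}, "android": {"dm-crypt"},
                       "windows": {"bitlocker"}, "macos": {"filevault"}}


def imei_is_valid(imei):
    """Control 1c: an IMEI is 15 digits, the last of which is a Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mac_is_valid(mac):
    """Control 1b: six hexadecimal octets separated by ':' or '-'."""
    octets = mac.lower().replace("-", ":").split(":")
    return len(octets) == 6 and all(
        len(o) == 2 and all(c in "0123456789abcdef" for c in o) for o in octets)


def within(installed, released, today, window):
    """Patch rule: compliant if installed, or if the release is still inside the window."""
    return installed or today - released <= window


def evaluate(dev, today, exceptions=frozenset()):
    """Return {control number: (passed, note)} for every control that applies to dev['kind']."""
    kind, out = dev["kind"], {}

    def record(n, ok, note):
        if kind in APPLIES_TO[n]:
            if not ok and n in EXCEPTION_ELIGIBLE and n in exceptions:
                ok, note = True, note + " (exception granted)"
            out[n] = (bool(ok), note)

    macs = dev.get("macs", [])
    wipe = dev.get("wipe_after_failed")
    record(1, dev.get("serial") and macs and all(mac_is_valid(m) for m in macs)
           and (not dev.get("imei") or imei_is_valid(dev["imei"])),
           "serial, MAC and IMEI registered and well formed")
    record(2, dev["os_supported"], "vendor-supported operating system")
    record(3, within(dev["os_patched"], dev["os_latest_release"], today, PATCH_WINDOW),
           "OS patches within 30 days of release")
    record(4, all(within(a["current"], a["latest_release"], today, PATCH_WINDOW)
                  for a in dev["apps"]), "application updates within 30 days of release")
    record(5, dev.get("av_installed") and today - dev.get("av_last_scan", date.min) <= SCAN_WINDOW,
           "antimalware installed and scanned within the last week")
    record(6, dev["encryption"] in APPROVED_ENCRYPTION.get(dev["platform"], set())
           and dev["external_storage_encrypted"], "storage and external media encrypted (IT-14)")
    record(7, dev.get("firewall"), "local firewall enabled")
    record(8, dev["passcode_length"] >= MIN_PASSCODE_LEN, "passcode of at least 8 characters")
    record(9, dev["lock_minutes"] <= MAX_IDLE_MINUTES, "screen locks after 15 minutes or less")
    record(10, not dev.get("rooted"), "not jailbroken or rooted")
    record(11, (wipe is not None and wipe <= WIPE_ATTEMPTS) or dev.get("remote_wipe"),
           "wipe after 10 failed attempts, or remote wipe enabled")
    record(12, dev.get("locator_enabled"), "device-locating service enabled")
    record(13, dev["backup_encrypted"], "backups encrypted")
    record(14, not dev["shared"], "device not shared with non-staff users")
    record(15, not dev.get("fti_access"), "no Federal Tax Information access from a mobile device")
    return out


def failures(results):
    """Control numbers that did not pass, in order."""
    return sorted(n for n, (ok, _) in results.items() if not ok)


def lan_access_allowed(results):
    """The gate from the Solution slide: LAN access only after every applicable control passes."""
    return not failures(results)


TODAY = date(2016, 3, 19)   # assessment date (assumed)
# Constructed sample records, not real devices.
LAPTOP = {"kind": "laptop", "platform": "macos", "serial": "SN-LAPTOP-001", "macs": ["a4:5e:60:12:34:56"],
          "os_supported": True, "os_patched": True, "os_latest_release": date(2016, 3, 1),
          "apps": [{"name": "Java", "current": False, "latest_release": date(2016, 3, 10)}],
          "av_installed": True, "av_last_scan": date(2016, 3, 15), "encryption": "filevault",
          "external_storage_encrypted": True, "firewall": True, "passcode_length": 12,
          "lock_minutes": 10, "backup_encrypted": True, "shared": False}
PHONE = {"kind": "smartphone", "platform": "android", "serial": "SN-PHONE-001", "macs": ["00:1a:2b:3c:4d:5e"],
         "imei": "490154203237518", "os_supported": True, "os_patched": False,
         "os_latest_release": date(2016, 1, 5), "apps": [], "encryption": "none",
         "external_storage_encrypted": False, "passcode_length": 4, "lock_minutes": 30, "rooted": True,
         "wipe_after_failed": None, "remote_wipe": True, "locator_enabled": True,
         "backup_encrypted": True, "shared": False, "fti_access": True}

if __name__ == "__main__":
    for name, dev in (("laptop", LAPTOP), ("phone", PHONE)):
        res = evaluate(dev, TODAY)
        print(name, "LAN access:", lan_access_allowed(res), "failed controls:", failures(res))
```

Run it directly to see each sample device's failed controls; in a real intake the record would be filled in from the review checklist rather than from literals. The sample laptop passes all eleven controls that apply to laptops even though its Java install is behind, because the release is still inside the 30-day window; the sample phone fails controls 3, 6, 8, 9, 10 and 15. A granted exception is honored only for controls 3 and 4, since those are the only ones whose text allows one.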
Status to date:
 Received approval from Leadership
for draft controls list
 Policy drafts are in review
 Proof of Concept completed.
 Using the POC to validate the job
aids, checklists, and overall process
How Potential Obstacles Were
Overcome
 Involving leadership, POC Volunteers, and
staff with assessing the job aids, controls
list, and policy draft to get early feedback
 Making the job aids available to all staff for
guidance and to make their devices safer
 Checklists for use in the review process for
rapid assessment
 "Preapproval" process for devices from a reputable
vendor that had already implemented the controls.
 Trust but verify approach
What I Learned
 Use of existing regulations was key
 The majority of the controls list was derived from
portions of eight organizational policies and three
federal regulations (including HIPAA)
 Now all in one place for staff to understand and
to meet audit requirements
 Most staff want to comply
 Staff want to operate safely and see the
benefit of protecting their own data and devices
 They are often unaware of what their device's
built-in settings can provide
 The Security Team can lead and educate
instead of always being the "hammer"
demanding compliance
What was learned
continued
 This project is still being implemented.
 It has been an excellent opportunity to work with
non-security staff and leadership.
 It will take time to get the organization's approval
of the policy and to finish the implementation
○ Patience, flexibility, and willingness to compromise
are important to getting consensus to move
forward
 Overall system security will be enhanced once this
is fully implemented, because the endpoints will
be secured
Summary
 The business side wants to adopt BYOD
to save cost and increase productivity
 Security must be able to provide
alternatives to reduce risk to the
organization when this is implemented
References
 Johnson, D. (2012). BYOD - a short list of resources
(C. Norris meme). Retrieved from:
http://doug-johnson.squarespace.com/blue-skunk-blog/2012/11/7/byod-a-short-list-of-resources.html
 http://pcvirusesremoval.blogspot.com/2014/02/trojan-horse-generic32cbws-virus.html
 http://www.imdb.com/title/tt0400903/
 http://debaffle.net/tech-primer-online-services-and-encryption-part-1/

Editor's Notes
 Slide 10 (How To Reduce Risk?) notes list these links:
http://www.apple.com/
http://www.microsoft.com/en-us/
http://www.cnet.com/android-update/