BYOD – what’s all the fuss about?

BYOD (bring your own device) seems to be the buzz word at the moment. It’s almost impossible to pick up an IT magazine and not have an article in there on BYOD.

The general consensus is that BYOD is great for organisations from a cost saving and productivity perspective, and provides the ability to attract Gen Y employees who prefer their own IT equipment as opposed to using ones provided by their employer.

However, with reward comes risk, and security is one of them. With an unmanaged device comes the risk of malware walking into your network. Compromised machines can act as an avenue for attackers to circumvent your traditional security controls and gain unauthorised access to your network. Machines connected to your network and left unattended in all sorts of places are an invitation for a hacker to use them as an attack vector into your network.

But hang on a minute, haven’t we been doing this for a while? Many of us have had contractors come in with their machines and plug into our networks without too many issues. The point is that once this is fanned out to the entire user base, the sheer size of the ‘deployment’ becomes the issue. But with good policies and security controls a lot of these risks can be mitigated.

Below is a checklist that I believe can significantly reduce the risk associated with BYOD. I have broken this up into three broad categories, the first being:

Policies and procedures

Provide the guidance necessary to both IT and users to encourage and enforce appropriate behaviours.

  • Appropriate Policies. Ensure that a policy is in place providing guidance on securing internal infrastructure from BYOD threats. This includes providing appropriate guidance to users via the IT Acceptable Use Policy.
  • Access/Security Policies and Procedures. Ensure policies and procedures are in place to guide and govern how access to network resources is granted and controlled.
  • End User Education. Teach end users the basics of security as outlined in the IT Acceptable Use Policy.
  • Disaster Recovery Strategy. Have a disaster recovery plan in place to ensure timely recovery from a network outage (just in case).

Device security

This is critical, as the endpoints, which are largely unmanaged, can present an excellent attack vector. Points to consider here are:

  • Enforce encryption of all corporate message transmissions (e.g. Outlook Mobile Access over HTTPS).
  • Ensure all Internet browsing from BYOD devices passes through the Corporate Web Proxy.
  • Require users to enable BYOD device firewall if available.
  • Require users to implement anti-malware protection if available.
  • Require users to enable device PINs and enforce complexity requirements.
  • Require users to enable screensaver timeout/device lock.
  • Require users to enforce encryption on BYOD devices and removable media used in BYOD devices.
  • Require users to utilise the most secure available operating system for BYOD devices and to patch the devices monthly.
  • Require users to use encrypted (VPN) communication to the BYOD devices if possible. For wireless communications use appropriate 802.11i wireless networking security standards as defined by the Wi-Fi Alliance such as WPA2.
  • Use of appropriate 802.1X authentication methods for wireless communication to the BYOD devices.
  • Implement the ability to remote wipe lost devices (if you are brave enough).

Try and implement as many of the above controls as possible. The use of a Mobile Device Management platform may help. The important decision to be made here is to strike a balance between keeping corporate information secure and at the same time not fully managing or taking ownership of users’ devices! This is a corporate decision that will largely depend on the organisation’s risk appetite.

Network/internal security

The idea here is to isolate your data and servers into a secure environment of their own and protect them. Approach the user endpoints as untrusted devices (since they actually are) and protect your core information assets. Things to consider here are:

  • Network Access Control (NAC). Deploy NAC technology to restrict and control the admission of BYOD devices to the network to ensure breached / infected devices do not connect to the internal network.
  • Network Segmentation and Firewalling. Separate logical IT assets into security zones reflecting the value of the information being protected as determined by the business. Separate user networks from server networks to ensure that an infection into one zone does not automatically propagate into the next.
  • Strong authentication. Deploy strong authentication using password, token and/or biometric authentication mechanisms to provide more secure means of sign on. Since BYOD devices can be easily stolen or misplaced, having two-factor authentication can help prevent easy access to the internal network using these devices.
  • Least privilege authentication. Do not allow any more access rights than required. Since BYOD devices are untrusted, all access granted to users must be strictly controlled to ensure that any unauthorised access provides limited exposure. Grant access based on ‘need to know’ only.
  • Secure Wireless. Securing wireless deployments. With BYOD, there is a greater likelihood of wireless deployments. These need to be secured in line with corporate policy and best practice.
  • Secure Remote Access. Ensuring controlled remote access to the organisation’s IT resources. This must include remote access using VPN technology and two-factor authentication. BYOD devices are likely to drive greater adoption of remote access which must be secured.
  • Directory Access and Security. Look at the security and access control mechanisms in place within the organisation’s directory (e.g. Active Directory, eDirectory, etc.) that govern access to organisational IT resources. Since the risk of breaches increases with BYOD devices, the internal directory must be as secure as possible.
  • Network Intrusion Detection and Prevention. Enabling detection and prevention measures for network based intrusions. Due to the possible increase in vulnerabilities brought about by BYOD devices, appropriate network IPS technology must be deployed to detect any threats.
  • Proactive Detection and Response. Ensure that event management and incident response is performed consistently 24x7 so that intrusions can be appropriately managed.
  • Data Leakage Prevention. Implement tools that can prevent confidential corporate data being taken out of the organisation either maliciously or accidentally. Consider protecting data at rest (storage, SANs, etc.), in transit (network and gateways) and in process (server equipment).
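The device-security checklist above and the NAC/segmentation controls in this section fit together as a posture-based admission decision: a device that fails the checklist is kept off the user zone, and even a compliant device never lands in the server zone. The following is an added illustration (not code from the article); the posture field names, thresholds and zone names are assumptions chosen for the example.

```python
"""Posture-based NAC admission decision for BYOD devices (added example).

Evaluates a device's self-reported posture against the device-security
checklist (firewall, anti-malware, PIN complexity, auto-lock, encryption,
monthly patching) and places it in a network zone. Field names, thresholds
and zone names are assumptions for illustration, not a real NAC product's API.
"""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """Constructed posture report, as a NAC agent might submit it."""
    device_id: str
    firewall_enabled: bool
    antimalware_enabled: bool
    pin_enabled: bool
    pin_min_length: int
    autolock_seconds: int      # 0 means auto-lock is disabled
    disk_encrypted: bool
    days_since_patch: int


# Thresholds derived from the checklist (assumed values).
MIN_PIN_LENGTH = 6
MAX_AUTOLOCK_SECONDS = 300     # screensaver timeout / device lock
MAX_PATCH_AGE_DAYS = 31        # "patch the devices monthly"


def posture_failures(p: DevicePosture) -> list[str]:
    """Return the checklist items the device fails (empty list = compliant)."""
    checks = {
        "firewall": p.firewall_enabled,
        "anti-malware": p.antimalware_enabled,
        "pin": p.pin_enabled and p.pin_min_length >= MIN_PIN_LENGTH,
        "autolock": 0 < p.autolock_seconds <= MAX_AUTOLOCK_SECONDS,
        "encryption": p.disk_encrypted,
        "patching": p.days_since_patch <= MAX_PATCH_AGE_DAYS,
    }
    return [name for name, ok in checks.items() if not ok]


def assign_zone(p: DevicePosture) -> tuple[str, list[str]]:
    """Segmentation decision: compliant BYOD devices get the user zone only
    (never the server zone); any failure sends the device to a quarantine
    segment, with the failing items returned so the user can remediate."""
    failures = posture_failures(p)
    return ("byod-user-zone" if not failures else "quarantine", failures)


if __name__ == "__main__":
    phone = DevicePosture("phone-1", True, True, True, 6, 120, True, 10)
    laptop = DevicePosture("laptop-2", False, True, True, 4, 0, False, 45)
    for dev in (phone, laptop):
        print(dev.device_id, assign_zone(dev))
```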

As stated earlier, the number of controls you deploy will depend on your risk appetite and user population. With careful planning and deployment, BYOD can allow an organisation to exploit its benefits of cost savings, greater productivity and the ability to attract Gen Y employees without exposing the organisation to undue risks.

Stories by Ashwin Pal