An Introduction on Design and Implementation on BYOD and Mobile Security

BYOD AND MOBILE SECURITY
Sina Manavi 13Feb 2014

ABOUT ME

My name is Sina Manavi ,
Master of Computer Security and Digital Forensics
CEH and CHFI Certificate Holder
Contact : Manavi.Sina@gmail.com

AGENDA

•
•
•
•
•
•
•
1.
2.
3.
4.

What are mobile devices?
Mobile device threads
BYOD
BYOD Pros and Cons
4 Steps to design BYOD:
BYOD Strategy
Mobile Hacking techniques demo:
Android Phone
Mobile Application Security
Laptop
Pendrives

• BYOD or BYOA
• How to Secure the data storages and
transportation

THREATS

•
•
•
•
•
•
•
•
•

Unauthorized Access
Infected Machine
Unreliable Application
Camera ? !
Media Storages
Mobile Phones
Internet Surfing
Network Access
Cloud ?

•
•
•
•

Malware
Synchronization
Phishing or SMiShing
Malicious Links or Websites

BYOD?!!!

Using the personally owned mobile devices such as smart
phones, IPad, Tablets , laptop, thumb drives to access organization network
and corporate data such as databases, organizational software, emails…etc.

BYOD PROS

• Cost effective:
•

No need to buy lots of PC, Tablets

• Technology familiarity:
•

Apple users are more comfortable with apples likewise windows user are more likely to use
windows applications

•

Flexibility:

•

Employees don’t need to carry both their personal devices and their work needs, they can work
whenever wherever they need while they have access to all data needed

BYOD CONS

Cost for employee:
• Not everybody has such devices,
• Increase usage and transportation may lead to quicker depreciation
• Repairing, upgrading or any possible accident would be under employee responsibility
which is not very pleasant

BYOD CONS

Different devices:
different OS, application and quality level, which brings difficulties in managing them.

Security:
Normally companies spend a lot amount of money to buy firewalls, Anti-viruses, original
application which as yearly supports and maintenance. Which employees cant afford such
prices himself

BYOD CONS (CONT…)

Security:
while PODs contain corporate data, it can bring security risk of data leackage
Privacy issue for employee, PODs should be accessible on demand for the organization
whenever they need to investigate, they might not be happy to surf internet or perform
their routine daily life with that device (e.g instant messaging, calls, social networking, web
browsing ,personal images….)

• What happens if an employee leave?!!!!!!!!!!

ICT AND POD

• Information and Communication Techonology devices ( Owned by
Organization) (ICT)
• Personally Owned Device (POD)

4 STEPS TO DESIGN BYOD

1.
2.
3.
4.

Know your businesses and regulatory
Creating a protocol Foundation
Legal Right and responsibility
Security Concerns

STEP 1: KNOW YOUR BUSINESSES
AND REGULATORY

•
•
•
•
•

What does the company seek to gain from BYOD?
What unique divisions does the organization have?
What information and applications need to be accessed by each division?
What level of security will be applied to this information?
What are the data-usage requirements for each division?

STEP 2: CREATING A PROTOCOL
FOUNDATION

Sourcing: Where did the device or softwares come from? Was it a preferred
vendor or some random source?
Supporting devices: what if one individual employee uses very unknown device
?should the IT team be able to support all type of devices and vendors ?
Bandwidth: allocating bandwidth to employees based on their activity and
requirement related to his responsibility at work. (high speed bandwidth for
downloading?)
Business support vs. personal support: supporting all type of application although
they are not related to organization routines? For financial department is it
necessary to support Photoshop or 3D MAX? or Does multimedia design team
need to support specific hardware?
Device Lost: what strategy do you need for a lost device? Wiping the device
remotely? Detach it from network or known devices?

STEP 3: LEGAL RIGHT AND
RESPONSIBILITY

• Responsibility
The BYOD policy should determine who is responsible to protect data on the device?

• Privacy:
How much access can organization have to the private files of the employees

• Regulation and rights
Different countries and companies have their own regulation and rights

STEP 4: SECURITY CONCERNS

• Device:
what kind of device , OS and hardware is accessible for organization.

• Security:
In what level security and risk are needed for each device and employee.

• Application management:
What application can be installed on the device, and assign proper level of
control based on the employee requirement to perform her job

• Data access
Data access should be allocated based in a proper way, no need to give access
of financial or human resource department to nonrelated departments.

BYOD POLICY

• Individual user can only use the POD, if it has configuration and software
installed with the right privilege, otherwise they just can use guest internet
or network which has no access to the corporation network.
• Each POD has to have specific registered digital certificate, and it
shouldn’t be copy from one POD to another POD, although devices
blonge to one person

BYOD STRATEGY

• POD should be utilized with appropriate for of userID, Passwords and
authentication devices.
• Organization has the right to investigate and control its information and
device functionality, backup, retrieve, modify and deleting the corporation
data , without permission of owner or user POD

BYOD STRATEGY

• All PODs should have proper Antivirus according to the Administrator
management policy
• Synchronize the created or modified valuable corporate data on the
POD using corporate network or using secure removable media
• All the data should be transfer through the network or media storages in
encrypted form for instance :
 Network (SSl or VPN)


Storage Media ( using like TrueCrypt)

BYOD STRATEGY

As organization may need to investigate the POD on demand based on the
reasonable expectation, the possibility of gaining access to the personal data is
high, users should be advice to store their private data in different directory
with a clear name such as “private” or “personal”

BYOD STRATEGY

Before any video/audio recording inside organization should be confirmed
with management Installing application on PODs should be under control of
the management (such as Email Client, social networks, web browser…etc.)
Employees and administrators should be educated and aware of risks and
vulnerabilities of the PODs

BYOD STRATEGY

Data that are not allowed to be stored, process, create on PODs:
• Classified secret files or above
• Highly valuable or sensitive information
• Big data such as 1Gb of corporate data on POD

BYOD STRATEGY

These strategies and policy may be different in different organization due to
organization nature and functionality

BYOD SECURITY PLAN STEPS

1- Identify the risk elements that BYOD introduces with a research group
2- Decide how to enforce policies for devices connecting to your network
3- Build a project plan to include these capabilities:
 Remote device management
 Application control

 Policy compliance and audit reports
 Data and device encryption
 Augmenting cloud storage security
 Wiping devices when retired
 Revoking access to devices when end-user relationship changes from employee to guest
 Revoking access to devices when employees are terminated by the company

BYOD SECURITY PLAN STEPS

4- Evaluation
 from each department chose number of users to see the feedbacks

MOBILE HACKING DEVICE HACKING
TECHNIQUES DEMO: LAPTOP

•
•
•
•

Using hacking tools such Cain and Able
Wireshark for network sniffing
Bruteforce tools for password cracking
Sql injection or cookie injector tools for compromising the organization
database or website authentication.
• Virtualization application for Anti-Forensics activity

• Demo Now 

TECHNIQUES DEMO: MEDIA STORAGE

• Using personal data storage for backuping or running personal application
or data
• Running USB live tools such as Backtrack , Helix, or
• Live CD/DVD OS which has illegal tools such as Dropbox, google
Drive,….for accessing the or stealing data.
• Usually USB or live CD/DVD tools can be utilized for Anti-Forensics
activity
• Personal VPN to hide their activity

• Demo …… now 

BYOD OR BYOA

• Bring Your Own Device = Bring Your Own Application
• Downloading unknown applications or downloading application from
untrusted appstores such as cracked tools can brings malwares as a gift to
the organization.
• Employees show be limited in downloading application which is beyond
the BYOD policy list
• Mobile phones should not be rooted or jailbreak
• Application should be download from trusted app markets such as
official Apple app-store or google Play or Microsoft app-store.

HOW TO SECURE DATA ON BYOD

• all the data storages must encrypt corporate data
• Just legitimate user can leave organization with corporation data
• All data transfer through network should be encrypted via SSL or VPN
which belongs to organization

TECHNIQUES DEMO: ANDROID PHONE

• Network Spoofer / Dsicovery
[Need root access]
• Shark for root ( like Wireshark on PC) [Need root access]

•
•
•
•
•
•
•

TcpDump
Ettercap
dSploit
dDoS tool for Mobile Devices
Bluetooth Cloning
DroidShip
etc

ANDROID HACKING

Demo stealing file from android phone…

NOW MY QUESTION?

Whats your opinion about BYOD?
• Do you think BYOD increase the IT and security cost
• Brings more risk to organization
• Data leakage
• Data lost
• Stealing data

Thanks for your attention

If you have any Question don’t hesitate to ask:

Manavi.Sina@gmail.com

An Introduction on Design and Implementation on BYOD and Mobile Security

More Related Content

What's hot

Viewers also liked

Similar to An Introduction on Design and Implementation on BYOD and Mobile Security

More from Sina Manavi

Recently uploaded

An Introduction on Design and Implementation on BYOD and Mobile Security

Editor's Notes