AUDITING FOR PERSONALLY-OWNED DEVICES

Transcription

1 Digital Forensics TECHNICAL ARTICLE AUDITING FOR PERSONALLY-OWNED DEVICES Warren Kruse, CISSP, CFCE, EnCE, DFCP Vice President for Digital Forensics

2 Auditing for Personally-Owned Devices Bring Your Own Device (BYOD) is the increasingly common practice of allowing employees to use personally-owned mobile devices, such as cellular phones or tablets, in the workplace and for jobrelated activities. According to Gartner Research, The proliferation of lower-priced tablets and their growing capability is accelerating the shift from PCs to tablets. 1 Gartner further anticipates that users will increasingly rely on their tablet as their main computing device. Given this, it seems likely that the use of personally-owned devices at work will continue to rise. Arguably, there are important benefi ts to be gained by allowing BYOD, including improved productivity and morale; however, the practice also introduces signifi cant challenges. First, if confi dential or proprietary business information is stored on employees devices, organizations may face serious problems where information security is concerned. Additionally, when employees use a device for both business and personal tasks, the resulting data is blended which means employees personally identifi able information may be subject to collection in the event the employer becomes involved in litigation. The suggestion that an employee may be required to submit to such a procedure raises serious issues where the individual s right to privacy is concerned. In its Commentary on Rule 34 and Rule 45, Possession, Custody, or Control, the Sedona Conference notes that the reality is that an employee may constructively and realistically have both custody and control over a BYOD device, although the device may hold enterprise owned information; the employee both owns and accesses the data. Without the employee s consent, an employer is not likely to have the legal right to both secure control and custody of the device, much less preserve information on the same device. 2 To guard against potential confl icts, organizations often implement BYOD policies which make use of the personally-owned device conditional upon the employee s consent to collection and analysis of mobile device data in the event of a legal obligation. However, without an effective means of auditing the technical infrastructure, enforcement of such a policy is impossible, as are meaningful information security measures and effective management of discovery efforts. A recent survey polled respondents on their employers BYOD practices and policies, and sought to capture any additional information they wanted to share. The results were surprising 60% of respondents indicated their fi rms allowed personally-owned devices to be used, but a majority of the respondents indicated their organizations did not have a policy addressing BYOD. Only one respondent indicated that their organization performed compliance auditing for BYOD. 2

3 The need to audit for BYOD is summed up in this statement: users bring their own mobile devices no matter what IT says 92% of companies report that some workers are using non-companyissued computing devices for work-related tasks. 3 Clearly, a well-defi ned and executable auditing program is a necessary component of information security and discovery preparedness across the organization. However, recognizing the need, and determining how to actually do it are two very different matters. As evidenced by the results of the survey, organizations need practical guidance regarding the nuts and bolts of BYOD auditing. In this article, we discuss many of the critical elements, including mobile device management, secondary concerns, and manual auditing. Auditing via Mobile Device Management The fi rst, most critical component of any audit methodology is a Mobile Device Management platform, or MDM. The MDM is an application which creates a unique ID for every device on which it is installed; thereafter, all communication between the device and corporate resources, such as an server, includes the device s ID. This makes it easy to detect and report on devices which weren t issued by the organization or registered by way of the MDM. Fig. 1: Devices which are not connecting via the MDM can be identifi ed. Most MDM platforms support a variety of responses to connection attempts by unregistered devices, from simply denying the connection and logging the attempt, to wiping all data from the offending device. There are a great number of MDM platforms on the market. As with virtually every kind of technology, choosing the one which will best meet your organization s needs is a daunting challenge in and of itself. However, Enterprise ios has compiled a comparison of the major players, which provides a good starting point. Secondary Concerns MDM platforms aren t an instant solution - no MDM can completely prevent every form of unauthorized access, or capture every activity for auditing purposes. Alternative access methods like EWS, POP, and imap can afford determined users a means of connecting to organizational IT resources while avoiding the MDM and other, traditional audit methods. 3

4 Manual Auditing The absence of a proper MDM platform doesn t mean that you re without any means of assessing BYOD behavior. Below, we discuss some simple steps you can take to better understand your organization s device usage. Using ActiveSync ActiveSync is a data synchronization protocol developed and released by Microsoft, to keep , calendar events, and contacts on a mobile device up to date with your desktop and server data. Each time the device connects to the server to sync its messages, the device s model number and IMEI, or International Mobile Station Equipment Identity, are sent to the server and recorded in the log. This means that you can run a scheduled report on the Exchange ActiveSync logs, and compare the recorded IDs with an inventory of approved device IDs. You can then respond in the manner which your organization deems appropriate - for example, by simply warning employees who are in violation of your policies, or by blocking all unauthorized devices from communicating through ActiveSync. This can be done using your Exchange Server s Allow/ Block/Quarantine list, or with a simple power shell script. This approach makes the assumption that the organization has an accurate inventory of all corporate devices in use. Often, organizations keep very inaccurate records regarding companyissued devices, and there s no effi cient way to reconcile IMEI numbers once devices are out in the fi eld. Using Network Access Control If your organization has an active and working Network Access Control system in place, access control becomes a simple matter of authorizing good systems (with a built-in certifi cate, run-time system confi guration check, or real-time password entered by the end user). Anything that can t be authorized by the NAC becomes unauthorized and is blocked. Like ActiveSync, NAC systems keep logs which can be parsed and analyzed to identify unauthorized equipment. Auditing in the Cloud The cloud offers important benefi ts in cost control and resource management; however, if devices and platforms are no longer directly managed, adding MDM-like controls often proves diffi cult. What s more, logs may be harder to access, so manual auditing will be more time-consuming and challenging. If your organization is considering migrating to the cloud, ensure that the following are in place with your cloud storage / application provider especially if you re migrating mail service: Identity Management: The provider must be able to demonstrate that user identities and access controls are carefully monitored. 4

5 Availability: The provider must offer consistently high (99.5% or higher) uptimes, and must provide documented procedures for recovering from a breach or loss. Logging and monitoring: The provider must have extensive logging and auditing mechanisms in place, and should be willing and able to assist with analysis of your users activities upon request. Conclusion BYOD policies provide real benefi ts for employees, but they also pose real challenges for technical teams. Auditing employees use of corporate IT resources can become an unmanageable task without the right tools and techniques. If possible, a Mobile Device Management platform should be in place to automate and streamline the more common auditing activities. If an MDM is unattainable, tech teams can use manual techniques to gather and analyze data regarding employees activities. Of course, any cloud migration strategy should include consideration of audit needs and requirements, and stakeholders should be well-informed regarding the impact that cloud services will have on auditing efforts The Sedona Conference: Commentary on Rule 34 and Rule 45 Possession, Custody, or Control, April (registration required)

6 About the Author Warren G. Kruse II, MSc, CISSP, CFCE, EnCE, DFCP Vice President, Data Forensics, Altep, Inc. - An Advanced Discovery Company With more than 30 years experience in law enforcement and forensic science, Warren is the author of Computer Forensics: Incident Response Essentials. The diverse range of matters Warren has assisted with includes theft of trade secrets, Wikileaks investigations, misappropriation of intellectual property, breach of contract, internal employment disputes, fraud investigations, and wage and hour class actions, among others. Warren previously served as the President of the Digital Forensics Certifi cation Board. 6

7 DECADES OF EXPERIENCE. PROVEN TECHNOLOGIES. UNSURPASSED SERVICE. CONSULTING DATA FORENSICS Litigation Readiness 30(b)(6) Witnesses Subject Matter Experts ediscovery Liaisons Compliance Risk Assessment High Tech Investigations BYOD Strategy Expert Testimony Standard & Non-Standard Data Acquisition Incident Response CYBER SECURITY DISCOVERY Computer System Security Analysis Penetration Testing Data Incident Investigation Data Breach Notifi cation Data Privacy Collection Early Data Assessment Electronic Data Discovery Paper Discovery Secure Hosting and Review ESI Vault To learn more about our certifi cations visit us at cations For a list of our locations visit us at Altep, Inc. (800) Altep, Inc. - All Rights Reserved