AUDITING FOR PERSONALLY-OWNED DEVICES


Digital Forensics TECHNICAL ARTICLE
Warren Kruse, CISSP, CFCE, EnCE, DFCP
Vice President for Digital Forensics

Bring Your Own Device (BYOD) is the increasingly common practice of allowing employees to use personally-owned mobile devices, such as cellular phones or tablets, in the workplace and for job-related activities. According to Gartner Research, "The proliferation of lower-priced tablets and their growing capability is accelerating the shift from PCs to tablets." [1] Gartner further anticipates that users will increasingly rely on their tablet as their main computing device. Given this, it seems likely that the use of personally-owned devices at work will continue to rise.

Arguably, there are important benefits to be gained by allowing BYOD, including improved productivity and morale; however, the practice also introduces significant challenges. First, if confidential or proprietary business information is stored on employees' devices, organizations may face serious information security problems. Additionally, when employees use a device for both business and personal tasks, the resulting data is blended, which means employees' personally identifiable information may be subject to collection in the event the employer becomes involved in litigation. The suggestion that an employee may be required to submit to such a procedure raises serious issues where the individual's right to privacy is concerned. In its Commentary on Rule 34 and Rule 45, "Possession, Custody, or Control," the Sedona Conference notes that "the reality is that an employee may constructively and realistically have both custody and control over a BYOD device, although the device may hold enterprise owned information; the employee both owns and accesses the data. Without the employee's consent, an employer is not likely to have the legal right to both secure control and custody of the device, much less preserve information on the same device." [2]

To guard against potential conflicts, organizations often implement BYOD policies which make use of the personally-owned device conditional upon the employee's consent to collection and analysis of mobile device data in the event of a legal obligation. However, without an effective means of auditing the technical infrastructure, enforcement of such a policy is impossible, as are meaningful information security measures and effective management of discovery efforts. A recent survey polled respondents on their employers' BYOD practices and policies, and sought to capture any additional information they wanted to share. The results were surprising: 60% of respondents indicated their firms allowed personally-owned devices to be used, but a majority of the respondents indicated their organizations did not have a policy addressing BYOD. Only one respondent indicated that their organization performed compliance auditing for BYOD.

The need to audit for BYOD is summed up in this statement: "users bring their own mobile devices no matter what IT says: 92% of companies report that some workers are using non-company-issued computing devices for work-related tasks." [3] Clearly, a well-defined and executable auditing program is a necessary component of information security and discovery preparedness across the organization. However, recognizing the need and determining how to actually do it are two very different matters. As evidenced by the results of the survey, organizations need practical guidance regarding the nuts and bolts of BYOD auditing. In this article, we discuss many of the critical elements, including mobile device management, secondary concerns, and manual auditing.

Auditing via Mobile Device Management

The first, most critical component of any audit methodology is a Mobile Device Management platform, or MDM. The MDM is an application which creates a unique ID for every device on which it is installed; thereafter, all communication between the device and corporate resources, such as an email server, includes the device's ID. This makes it easy to detect and report on devices which weren't issued by the organization or registered by way of the MDM.

Fig. 1: Devices which are not connecting via the MDM can be identified.

Most MDM platforms support a variety of responses to connection attempts by unregistered devices, from simply denying the connection and logging the attempt, to wiping all data from the offending device. There are a great number of MDM platforms on the market. As with virtually every kind of technology, choosing the one which will best meet your organization's needs is a daunting challenge in and of itself. However, Enterprise iOS has compiled a comparison of the major players, which provides a good starting point.

Secondary Concerns

MDM platforms aren't an instant solution: no MDM can completely prevent every form of unauthorized access, or capture every activity for auditing purposes. Alternative access methods like EWS, POP, and IMAP can afford determined users a means of connecting to organizational IT resources while avoiding the MDM and other, traditional audit methods.

Manual Auditing

The absence of a proper MDM platform doesn't mean that you're without any means of assessing BYOD behavior. Below, we discuss some simple steps you can take to better understand your organization's device usage.

Using ActiveSync

ActiveSync is a data synchronization protocol developed and released by Microsoft to keep email, calendar events, and contacts on a mobile device up to date with your desktop and server data. Each time the device connects to the email server to sync its messages, the device's model number and IMEI, or International Mobile Station Equipment Identity, are sent to the server and recorded in the log. This means that you can run a scheduled report on the Exchange ActiveSync logs, and compare the recorded IDs with an inventory of approved device IDs. You can then respond in the manner which your organization deems appropriate, for example by simply warning employees who are in violation of your policies, or by blocking all unauthorized devices from communicating through ActiveSync. This can be done using your Exchange Server's Allow/Block/Quarantine list, or with a simple PowerShell script. This approach assumes that the organization has an accurate inventory of all corporate devices in use. Often, organizations keep very inaccurate records regarding company-issued devices, and there's no efficient way to reconcile IMEI numbers once devices are out in the field.

Using Network Access Control

If your organization has an active and working Network Access Control system in place, access control becomes a simple matter of authorizing good systems (with a built-in certificate, run-time system configuration check, or real-time password entered by the end user). Anything that can't be authorized by the NAC becomes unauthorized and is blocked. Like ActiveSync, NAC systems keep logs which can be parsed and analyzed to identify unauthorized equipment.

Auditing in the Cloud

The cloud offers important benefits in cost control and resource management; however, if devices and platforms are no longer directly managed, adding MDM-like controls often proves difficult. What's more, logs may be harder to access, so manual auditing will be more time-consuming and challenging. If your organization is considering migrating to the cloud, ensure that the following are in place with your cloud storage / application provider, especially if you're migrating mail service:

Identity Management: The provider must be able to demonstrate that user identities and access controls are carefully monitored.
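The scheduled comparison described in the ActiveSync and NAC sections is the same operation in both cases: pull the device identifier out of each log line and check it against an inventory of approved devices. The following Python script is an added example, not the author's script or any vendor's tool. It parses a constructed excerpt of IIS W3C-style logs for an Exchange front end (where ActiveSync requests carry a DeviceId in the query string; the exact fields logged, and whether the IMEI appears, depend on the deployment) and a constructed key=value NAC log in a hypothetical format, against an inventory whose identifiers are likewise made up. It goes slightly beyond the text by flagging not only unregistered identifiers but also an inventory identifier used by someone other than its assigned owner, which is what a shared or spoofed device ID looks like in the logs.

```python
"""Audit ActiveSync and NAC logs against an inventory of approved devices.

All log lines, device identifiers and the inventory below are constructed
for this example; the NAC line layout is an assumption, not a vendor format.
"""
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style excerpt for an Exchange front end (assumed field set).
ACTIVESYNC_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2016-05-06 08:01:12 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=APPL0001AA&DeviceType=iPhone&Cmd=Sync jsmith 203.0.113.10 200
2016-05-06 08:02:40 POST /Microsoft-Server-ActiveSync/default.eas User=mjones&DeviceId=ANDR0002BB&DeviceType=Android&Cmd=Ping mjones 198.51.100.7 200
2016-05-06 08:03:05 GET /owa/ - jsmith 203.0.113.10 200
2016-05-06 08:04:18 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=APPL0001AA&DeviceType=iPhone&Cmd=FolderSync jsmith 203.0.113.10 200
2016-05-06 08:05:51 POST /Microsoft-Server-ActiveSync/default.eas User=mjones&DeviceId=WP0003CC&DeviceType=WindowsPhone&Cmd=Sync mjones 198.51.100.9 200
2016-05-06 08:07:22 POST /Microsoft-Server-ActiveSync/default.eas User=tlee&DeviceId=ANDR0002BB&DeviceType=Android&Cmd=Sync tlee 198.51.100.20 200
"""

# Constructed NAC log in a generic key=value syslog style (hypothetical format).
NAC_LOG = """\
2016-05-06T08:05:00 nac01 auth: result=ALLOW mac=00:11:22:33:44:55 user=jsmith method=cert
2016-05-06T08:05:07 nac01 auth: result=ALLOW mac=66:77:88:99:aa:bb user=mjones method=password
2016-05-06T08:05:30 nac01 auth: result=DENY mac=de:ad:be:ef:00:01 user=- method=none
2016-05-06T08:06:02 nac01 auth: result=ALLOW mac=00:11:22:33:44:55 user=jsmith method=cert
2016-05-06T08:06:45 nac01 auth: result=ALLOW mac=c0:ff:ee:00:00:02 user=guest method=password
"""

# Constructed inventory: approved identifier -> assigned owner.
APPROVED_EAS_DEVICES = {"APPL0001AA": "jsmith", "ANDR0002BB": "mjones"}
APPROVED_MACS = {"00:11:22:33:44:55": "jsmith", "66:77:88:99:aa:bb": "mjones"}

EAS_PATH = "/Microsoft-Server-ActiveSync"
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_activesync_log(text):
    """Yield (user, device_id, device_type, client_ip) for every ActiveSync request."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                           # skip malformed lines rather than guess
        row = dict(zip(fields, cols))
        if not row["cs-uri-stem"].startswith(EAS_PATH):
            continue                           # OWA, EWS etc. are not ActiveSync traffic
        query = parse_qs(row["cs-uri-query"])
        device_id = query.get("DeviceId", [""])[0]
        if device_id:
            yield row["cs-username"], device_id, query.get("DeviceType", ["?"])[0], row["c-ip"]


def audit_activesync(text, approved):
    """Return de-duplicated sightings of devices that fail the inventory check.

    A device is flagged when its DeviceId is missing from the inventory, or when
    the inventory assigns that DeviceId to a different user than the one syncing.
    """
    seen = {}
    for user, dev, dtype, ip in parse_activesync_log(text):
        owner = approved.get(dev)
        if owner == user:
            continue
        reason = "not in inventory" if owner is None else f"inventory owner is {owner}"
        entry = seen.setdefault((user, dev), {
            "user": user, "device_id": dev, "device_type": dtype,
            "reason": reason, "requests": 0, "client_ips": set()})
        entry["requests"] += 1
        entry["client_ips"].add(ip)
    return sorted(seen.values(), key=lambda e: (e["user"], e["device_id"]))


def audit_nac(text, approved_macs):
    """Return NAC events an auditor should review: denied attempts, and ALLOW
    decisions for MAC addresses the inventory does not know (a policy gap)."""
    findings = []
    for line in text.splitlines():
        kv = dict(KV_RE.findall(line))
        mac = kv.get("mac", "").lower()
        if not mac:
            continue
        if kv.get("result") == "DENY":
            findings.append({"mac": mac, "user": kv.get("user", "-"), "finding": "blocked by NAC"})
        elif mac not in approved_macs:
            findings.append({"mac": mac, "user": kv.get("user", "-"),
                             "finding": "allowed but not in inventory"})
    return findings


if __name__ == "__main__":
    for e in audit_activesync(ACTIVESYNC_LOG, APPROVED_EAS_DEVICES):
        print(f"ActiveSync: {e['user']} {e['device_id']} ({e['device_type']}) "
              f"{e['requests']} request(s) from {sorted(e['client_ips'])}: {e['reason']}")
    for f in audit_nac(NAC_LOG, APPROVED_MACS):
        print(f"NAC: {f['mac']} user={f['user']}: {f['finding']}")
```

The list returned by audit_activesync is the input to whatever response the organization has chosen: a warning to the user, or the device IDs to place on the Exchange Allow/Block/Quarantine list. The inventory-owner mismatch branch is only as good as the inventory itself, which is the caveat the ActiveSync section raises about inaccurate device records.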

Availability: The provider must offer consistently high (99.5% or higher) uptimes, and must provide documented procedures for recovering from a breach or loss.

Logging and monitoring: The provider must have extensive logging and auditing mechanisms in place, and should be willing and able to assist with analysis of your users' activities upon request.

Conclusion

BYOD policies provide real benefits for employees, but they also pose real challenges for technical teams. Auditing employees' use of corporate IT resources can become an unmanageable task without the right tools and techniques. If possible, a Mobile Device Management platform should be in place to automate and streamline the more common auditing activities. If an MDM is unattainable, tech teams can use manual techniques to gather and analyze data regarding employees' activities. Of course, any cloud migration strategy should include consideration of audit needs and requirements, and stakeholders should be well-informed regarding the impact that cloud services will have on auditing efforts.

References

1. http://www.gartner.com/newsroom/id/2408515
2. The Sedona Conference: Commentary on Rule 34 and Rule 45 "Possession, Custody, or Control," April 2015. https://thesedonaconference.org/download-pub/4115 (registration required)
3. http://www.itmanagerdaily.com/it-consumerization-policy-keys/

About the Author

Warren G. Kruse II, MSc, CISSP, CFCE, EnCE, DFCP
Vice President, Data Forensics, Altep, Inc. - An Advanced Discovery Company
wkruse@altep.com
@warren_kruse

With more than 30 years' experience in law enforcement and forensic science, Warren is the author of Computer Forensics: Incident Response Essentials. The diverse range of matters Warren has assisted with includes theft of trade secrets, Wikileaks investigations, misappropriation of intellectual property, breach of contract, internal employment disputes, fraud investigations, and wage and hour class actions, among others. Warren previously served as the President of the Digital Forensics Certification Board.

Altep, Inc. www.altep.com (800) 263-0940 2016 Altep, Inc. - All Rights Reserved