Tuesday, May 5, 2020

Security Vulnerability of BYOD Systems

Question: Discuss the security vulnerability of BYOD systems.

Answer:

Introduction

Aztek is a finance organization based in Australia. Aztek has been using old manual systems for managing its operations and workforce, with a limited number of computers used by some of the employees. With the recent expansion of the company, it has realized the need to hire new employees and to digitize most of its operations. For this, the company would need a large number of systems, which would be a significant cost. The company therefore considered the BYOD model, which allows employees to use their own devices so that the cost of procuring personal computers or laptops for employees is largely eliminated. However, this adds the employee devices to the critical infrastructure, and when these devices are also used for personal purposes outside the purview of the company, the organization may face certain security risks.

In Australia, the government does not have very strict laws or acts for securing BYOD devices. However, under some local and state governments in Australia, surveillance programs can be run for employees working in specific territories. New South Wales and the Australian Capital Territory are key jurisdictions in Australia; when following legal procedures, the legal frameworks defined by these territorial bodies would be used. As per these acts, organizations in Australia are given the freedom to use their own employee surveillance methods and security policies. However, the federal, territorial and state jurisdictions in Australia have failed to provide any sound measures against unauthorized users. Moreover, companies cannot track the devices used by employees except in certain serious situations.
One law is the ANSW Act, which can be applied in the case of BYOD devices as it applies to employees not only while working inside the organization but also outside it. Employers can use their own surveillance procedures for monitoring the communication of their employees when they use BYOD devices outside the company setting. Any communication not complying with the act can be monitored, and strict action can be taken to restrict such communication. This can be used to stop employees sharing sensitive company files outside the local network. Aztek uses overt surveillance with monitoring software, and employees are informed 15 days before any surveillance.

Another governance act is the Workplace Privacy Act 2011 (ACT), which defines procedures that can be used for surveillance of employee communication over email. The Telecommunications (Interception and Access) Act 1979 can also be applied to digital media communication. It covers interception-related permissions and communication happening between two employees within an organization. Employers can track the message content that is shared, but personal information such as email addresses, metadata and the duration of communication cannot be traced. Section 5F of this law gives protection to the BYOD operating model, with the ability to contravene when the law is violated by an employee. A violation can lead to a maximum of 3 years of imprisonment and 900 penalty units for the sender as well as the receiver (Attorney-General's Department, Canberra, 2011).

Aztek can deploy an Acceptable Use Policy to establish a regulatory environment in which the following decisions can be taken:
- What surveillance procedure is used for tracking BYOD communication devices?
- How is the surveillance carried out?
- Is the surveillance process used continuously?
- Is surveillance carried out for a specified duration, or for a full tenure?
The Privacy Act (APP 5) requires the company to develop a BYOD management policy, for which some preparation is required (Wiseman, 2013):
- If an employer needs to store some information about an employee, it can be done.
- While tracking communication, no personal information may be recorded by the employer.
- When an employee discloses any information outside, it should be known to the company.
- Policy statements can define the way employee information is used, the reporting procedures in case of a data breach, and the access rights (GILBERT, 2014).

Security Posture of Aztek

As a part of the critical infrastructure, BYOD can pose risks to the security posture of Aztek, and some of the impact areas could be:
- Risks that alter Aztek's security posture
- Risks arising from the use of mobile devices
- Risks caused by differences in geographies, people or laws

Some barriers to the deployment of BYOD in the finance industry are location regulations, industry requirements, and difficulties in controlling mobile usage. Certain compliance procedures can be used for security in financial companies, such as mobile device security procedures, risk management, and mobile environment management.

Securing Mobile Devices

Aztek used to use mobile devices supplied by the organization itself; these had similar software, making it easier for the company to establish control over the devices. It was also easy to establish policy controls and apply them. This included control over employee rights so as to allow them only limited exposure. There was a unified interface that users could use for managing critical applications (Kim & Hong, 2014). With BYOD, however, the devices would not have a unified interface or software, and they would not be owned or controlled by the employer. Because of this lack of consistency in mobile devices, no uniform control system can be applied to the different devices.
This would thus affect the security posture of Aztek, and to protect the system after this change, new policies have to be formulated. These would ensure improved security for mobile devices with different configurations and settings as well as specific application vulnerabilities. Protection can be established in several ways, such as by preventing the use of critical applications on mobile devices, but this would not encourage professionals to use their mobile devices for office purposes. Thus, a more flexible alternative approach may be needed that also takes care of the risks of the mobile environment.

Risks with BYOD devices

Risk from stolen mobile devices: It has been seen that over 22% of mobile devices get stolen, but only 50% of these are actually recovered. If an employee device that is not fully protected gets stolen and it already has the settings established for connecting to the critical infrastructure of the organization, it can give a thief an unauthorized view of the company. The employee may not be very keen on protecting the device, and on the other side, the person who stole the mobile device may connect to the critical infrastructure of the system using the Virtual Private Network (VPN). People can misuse the data obtained in this way. Password-based encryption can be used to prevent such access. Other protection measures include wiping data from the device remotely.

Risks from physical access: BYOD devices can be taken outside the organizational environment, which can expose them to any third person. If this person turns out to be a hacker, there is a probability that the company would face a virus attack that would threaten the entire critical infrastructure of the company. These issues can be reduced if the organization uses certain device management policies.
End user ownership related risks: As BYOD devices belong to individuals, they have a higher sense of ownership and thus are not very satisfied with any restrictions put in place by the organization. They may unlock the access restrictions or jailbreak their systems, exposing the critical infrastructure to more risks. Even when a device is stolen, the employee may not inform the company immediately so that it can take action (Morrow, 2012).

Risks due to increased data access: If the VPN connection used on BYOD devices is not very secure, the device owner would probably face the risk of losing data. Security bugs may enter the system through social media or other connections that may have been established.

Risks due to lack of awareness about security risks: If employees do not have sufficient knowledge of security aspects, this lack of awareness can cause vulnerabilities. Thus, it is important to have safe procedures to secure devices.

Some measures that Aztek can take for the protection of BYOD devices:
- Keep monitoring the devices and identify vulnerabilities.
- Device management policies can be determined and implemented.
- The use of security best practices can be encouraged among employees, such as PIN code generation, strong encryption and remote data wiping.
- A baseline may be created considering the specifications and configurations of the operating system or software.

Addressing App Risks

BYOD devices are a part of the critical infrastructure of an organization, and thus any malicious code entering such a device would risk a complete compromise of the critical infrastructure system. Malware protection software installed on these devices can help. However, if security settings are changed by an employee, this can lead to more vulnerability. Data compartmentalisation is one method that can be used to avoid such issues.
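The protective measures above (PIN code, encryption, remote wipe, a configuration baseline, and watching for jailbroken devices) can be turned into an automated posture check that decides whether a device may reach company systems. The following is an added example, not code from the essay or from any Aztek system; the inventory record fields, the OS version floors, the 30-day patch deadline and the three sample devices are all assumptions constructed for illustration.

```python
# Added example, not from the essay: check constructed BYOD inventory records against an assumed baseline.
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_PATCH_AGE_DAYS = 30                               # assumed policy value
MIN_OS_VERSION = {"android": (12, 0), "ios": (15, 0)}  # assumed baseline

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: tuple          # e.g. (15, 4)
    pin_set: bool
    encrypted: bool
    jailbroken: bool
    last_patched: date
    reported_stolen: bool = False

@dataclass
class Verdict:
    device_id: str
    findings: list = field(default_factory=list)
    action: str = "allow"      # allow | deny_vpn | remote_wipe

def evaluate(dev: Device, today: date) -> Verdict:
    """Check one device against the baseline and decide what to do."""
    v = Verdict(dev.device_id)
    if dev.reported_stolen:
        # A stolen device still holds its VPN settings: wipe it first.
        v.findings.append("reported stolen")
        v.action = "remote_wipe"
        return v
    if dev.jailbroken:
        v.findings.append("jailbroken/rooted")
    if not dev.pin_set:
        v.findings.append("no PIN/passcode")
    if not dev.encrypted:
        v.findings.append("storage not encrypted")
    if dev.os_version < MIN_OS_VERSION.get(dev.platform, (0, 0)):
        v.findings.append("OS version below baseline")
    if today - dev.last_patched > timedelta(days=MAX_PATCH_AGE_DAYS):
        v.findings.append("patches overdue")
    if v.findings:
        v.action = "deny_vpn"   # any gap blocks access to company systems
    return v

def evaluate_fleet(devices, today):
    return {d.device_id: evaluate(d, today) for d in devices}

# Constructed sample inventory.
TODAY = date(2020, 5, 5)
SAMPLE = [
    Device("d1", "ios", (15, 4), True, True, False, TODAY - timedelta(days=10)),
    Device("d2", "android", (12, 0), False, True, True, TODAY - timedelta(days=45)),
    Device("d3", "ios", (15, 1), True, True, False, TODAY, reported_stolen=True),
]

if __name__ == "__main__":
    for did, v in evaluate_fleet(SAMPLE, TODAY).items():
        print(did, v.action, v.findings)
```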
Managing the mobile environment

Employees tend to change their devices or software frequently, and thus the IT asset information does not always remain up to date. Different hardware and software cycles and several upgrades can cause differences. If devices are not managed properly and the employee does not apply the required patches on time, vulnerability increases (EY, 2013). Policies related to mobile usage, patching, local service support and self-service solutions can be used here.

Risk Assessment

A cybersecurity framework can be utilized for assessing risks. The framework defines security practices that are flexible and reusable, as well as based on priority, performance and cost. The regulatory body and IT security experts have jointly formed this framework. It defines a mechanism to describe the security posture, identify scope for improvement, prioritize plans, monitor progress and communicate risks to stakeholders. The framework identifies the following:
- Security functions: These include risk identification, incident detection, IT asset protection, response planning, and data recovery.
- Categories and subcategories: Risk functions are categorized into asset management, access control and incident detection. Each category has sub-categories, such as notification under protection. These include the guidance provided by industry experts for enhancing protection.

There are four key tiers of security identified by the framework. Lower tiers provide less protection while higher tiers provide better protection.
- Tier 1 has partial protection, provided by an integrated risk management program without formalized processes.
- Tier 2 has protection provided by an integrated risk management program with some processes formalized and certain activities and priorities defined for categories.
- Tier 3 has protection for the whole organization and its devices. It has formalized risk management, and the framework also has consistent methods for making changes in this tier.
- Tier 4 provides the highest level of protection; it is adaptive to the security landscape, and its management becomes a part of the company culture.

As per this framework, Aztek would conduct a basic security review. This review involves identifying opportunities for security posture enhancement, communicating security requirements to stakeholders and enforcing the protection policy for BYOD devices.

Basic review: The current practices carried out in the organization can be explored in the basic review, which involves risk identification and management, incident detection, risk response planning, device protection, and system recovery. The current security system of the company is more suitable for traditional settings, and thus new practices have to be adopted.

Establishing a security program: A new security program may be implemented using the following steps:
- Define the objectives and set priorities for the various business activities involving IT assets. The BYOD device scheme would add to the scope and priorities of IT asset management.
- Establish endpoint security on the BYOD devices, as they can also travel out of the office premises. With endpoint security, control can be established over BYOD devices, but at the same time the company must ensure that the privacy of employees is not violated (Romer, 2014).
- A security program may be established by determining the vulnerabilities and threats faced by BYOD devices. Some of the risks would be data loss and consumer data leakage. With devices connected to the internet, vulnerabilities increase, and thus the established security controls may have to be enhanced (Tokuyoshi, 2013).
- Security activities can be divided into categories and sub-categories. These categories can be identity theft, unauthorized access, financial fraud, and financial record modification.
A risk assessment of each type of threat or risk is given below:

Identity theft: A hacker can misuse the identity information of a user if it is stolen and cause monetary damage to the customers or the company. This can cause financial losses as well as a loss of reputation. The company would also need to compensate its customers for the risk.

Finance record modification: If the financial details in the database of the company get hacked, the hackers can take money out of accounts without the knowledge of the account holders, and the loss is identified only after a lot of it has already been made.

Unauthorized access: If a hacker gets unauthorised access to a device, it can lead to the hacker launching attacks on the critical infrastructure of the company. DDoS attacks are the ones that disrupt company operations and prevent genuine users from accessing their systems.

Financial fraud: If user credentials are stolen, hackers can use them to gain financial benefits, and thus user credentials have to be protected.

Target profiles with the requirements and influences of each stakeholder may be prepared as follows:

Risk Category | Stakeholders | Requirements
Identity theft | Employees; device users | Secure information stored in personal devices.
Records alteration | Aztek management; employees; users | Prevent modification of stored information by unauthenticated users.
Unauthorized access | Users; management | An internal security policy may be used to protect against leakage or misuse of financial information.
Financial fraud | Consumers; companies; investors | Potential financial fraud patterns in the industry may be analyzed and sufficient protective measures taken.

Security system gaps are first identified and analysed, and then priorities are set for every category, which may be created on the basis of mission, benefits, risks, or costs. These gaps can be related to system vulnerabilities, knowledge and awareness among employees, and monitoring systems.
After creating the plan for security management, every category as well as sub-category would be considered for implementation (NIST, 2014).

Opportunity Identification: Industry cases can be studied to understand the best practices that can be used for the Aztek system. Some of these practices are:
- Trusted sources can be distinguished from untrusted sources using infrastructure controls.
- Stringent controls, such as multifactor authentication, may be used when accessing critical applications through devices.
- Employees must be made aware of security cases and their implications so that they can be careful.
- Data security policies can be used for managing wireless systems, media usage, the employee code of conduct and so on, through proper authorization systems used for protecting user devices. Some strategies include encryption, MDM, sandboxing, wiping and so on (Paschke, 2014).

When BYOD devices are connected to the internet, they are exposed to many risks that can be prevented using appropriate policies for protecting environment security. Productivity reduction and data loss can result from mismanagement of BYOD devices. It is imperative to monitor and track the devices. Sensitive data can be removed from mobiles so that there is no risk of sharing it. Remote wiping would help erase the data stored on a mobile in case it is stolen (Infrascale, 2014). Data losses can cause serious financial losses for the company. Thus, there is a need to control how data is used and what data is shared. Certain data protection rules and strategies can be used, such as:
- Employee logs on the use and sharing of files can be created.
- The company can use password management policies for creating safe passwords.
- Some restrictions can be set for employees outside the office, with minimal access to company systems (WatchGuard, 2013).
Users must be taught different concepts of security such as device administration, data encryption, authentication, malware, incident response, and more (Office of the Privacy Commissioner of Canada, 2015).

References

Attorney-General's Department, Canberra. (2011, March 28). Telecommunications (Interception and Access) Act 1979. Retrieved from rm.coe.int: https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680304330
EY. (2013). Bring your own device: Security and risk considerations for your mobile device program. EY.
GILBERT, P. L. (2014). Surveillance of workplace communications: What are the rules? TOBIN.
Infrascale. (2014). BYOD Program Best Practices for Data Protection Security. Infrascale.
Kim, K., & Hong, S. (2014). Study on Enhancing Vulnerability Evaluations for BYOD Security. International Journal of Security and Its Applications, 8(4), 229-238. https://dx.doi.org/10.14257/ijsia.2014.8.4.20
Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 2012(12), 5-8. https://dx.doi.org/10.1016/s1353-4858(12)70111-3
NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.
Office of the Privacy Commissioner of Canada. (2015). Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization? Privacy and Security Risks of a BYOD Program. Office of the Privacy Commissioner of Canada.
Paschke, C. (2014). Bring Your Own Device Security and Privacy Legal Risks. Information Law Group.
Romer, H. (2014). Best practices for BYOD security. Computer Fraud & Security, 2014(1), 13-15. https://dx.doi.org/10.1016/s1361-3723(14)70007-7
Tokuyoshi, B. (2013). The security implications of BYOD. Network Security, 2013(4), 12-13. https://dx.doi.org/10.1016/s1353-4858(13)70050-3
WatchGuard. (2013). BYOD: Bring Your Own Device or Bring Your Own Danger? WatchGuard.
Wiseman, C. (2013). BYOD: Bridging the gap. Seced, 2013(9). https://dx.doi.org/10.12968/sece.2013.9.1832
