
BYOD & Security Assessments

Bring Your Own Device (BYOD) is a big topic at the moment and I’m sure that you’re already looking at how to address BYOD functionally or have already implemented BYOD at your organization. I’m not going to debate the pros and cons of BYOD. I’m also not going to argue for or against it from a security perspective – at this point being ‘for or against’ is irrelevant; it’s happening whether or not the security team thinks it’s a good idea. What I’m going to address in this post is a very high-level discussion of how best to identify and address the technical risks that BYOD will expose in your environment.

From the perspective of security, what BYOD really means is that what was historically a fully ‘internal’ environment is now exposed to ‘outside’ threats. A comprehensive approach to internal security (which was often not understood and therefore not fully funded by executives – I mean ‘it’s behind the firewall, right?’) is now even more critical to your organization. If the CEO and CFO want to use their personal iPads at work, then they need to understand the security risks that they are inherently accepting by pushing for a BYOD environment.

Even though many organizations have already implemented BYOD, I’m going to start this quick discussion as if you haven’t yet done so. Why? For two reasons:

  1. Because there are companies out there that haven’t yet put an approach in place and
  2. You may not have been given the time/resources/budget that you know you needed when being pushed to implement BYOD and you might need more ammunition when you go to the top execs to explain to them why they now have a security problem…

In the list of things I’m not going to do – I’m also not going to talk about specific device management technology, anti-virus options, etc., because, frankly, I’m not qualified and there are so many options out there right now vying for dominance that it would take too long to go through all of the various pieces and parts of this rapidly changing space (even if I did have the expertise).

So, on to a quick review of the assessment steps that should be completed before and after a BYOD implementation…

  1. Pre-BYOD
    1. Risk Assessment
      1. You need to perform a real risk assessment – documenting the risks associated with the internal environment, the inclusion of devices not entirely within your control, and which applications and data are going to be potentially exposed to individuals working with their own technology.
      2. Executives need to understand the risks and agree that the benefits to the organization outweigh those risks.
      3. During this process you should also document the requirements for any of the technology solutions that are going to be chosen to facilitate BYOD. This is going to be heavily informed by the risk assessment – make sure that the solutions/policies/processes under consideration address the risks identified in the risk assessment.
    2. Network Architecture Review: This can be performed as part of the risk assessment, but someone (preferably someone external to the team actually managing the networks) needs to review both the current network architecture and the proposed architecture for BYOD. This includes reviewing any firewalls that are being put in place to segment the BYOD environment away from other critical internal environments.
    3. Technical Assessment of the environment pre-implementation: Why? Because any existing issues that have been masked by the fact that the environment was internal (or were simply ignored because management didn’t put any priority on protecting the network from insider threats) may now be a lot more relevant. You need to fully understand the issues associated with your internal environments now that you are going to be bringing outside devices in behind the external firewalls.
  2. Post-BYOD
    1. Post-implementation Penetration Test: A good penetration test (not just a scan or fully automated assessment) is really necessary post BYOD implementation. If done properly, this pen test will provide a reasonably good review of everything that is exposed via the BYOD environment. Make sure that whoever is doing the testing (again, not the people responsible for the BYOD implementation or the general network management) is looking at all three layers of the environment – application, infrastructure, and OS. This should catch any major security issues associated with configuration, network management, and the applications or data that are exposed to the BYOD devices.
    2. Periodic Assessments: Organizations now routinely assess their external environments on a regular schedule; however, this is not always the case with internal environments. With BYOD this needs to change – the internal environment needs to be looked at a lot more frequently than in the past and should receive the same scrutiny and attention as the external network.

Ultimately, as a security professional, you should treat BYOD as just one more area of attention in your vulnerability management program, but it’s an area that some of the non-technical executives don’t always understand. Hopefully, by taking the proper steps to review and assess the BYOD environment both pre- and post-implementation, your organization can enjoy the benefits of BYOD while minimizing the risk.
