FEATURE
combat this and the CBEST scheme is the result.1 While the scheme is largely dedicated to the finance sector, it provides inspiration for all organisations and previews the direction that many different sectors will take in the coming years. CBEST engages two types of external expertise. First, it engages the best that the security testing marketplace has to offer, to provide access to skills comparable to those of the attacker. To target this resource effectively, a threat intelligence company is engaged to identify the current threats specific to that particular financial organisation. On a tri-party basis, the latest threats are explored and, where there is uncertainty about the effectiveness of existing controls, the threat is played out on a near 1:1 basis by the security tester. If the results are positive, there is an opportunity to move on to the next scenario. If the results show that compromise is possible, the organisation can increase its controls even further in order to better mitigate the threat. To the security testing marketplace this is a really exciting development: this type of intelligence-led testing is a chance to make a real difference to security in organisations that are already considered very secure. For those familiar with CHECK and CREST as the benchmark standards for security testing, CBEST is the new top-tier standard.2
CBEST-inspired intelligence-led testing isn’t for everyone. It is ideal for organisations that think they have done all that they possibly can to protect their most sensitive information. However, for organisations still coming up to par by their own reckoning, this sophisticated approach is likely to prove a poor use of resources. For less secure companies, there are easier ways to assess the threats. Basic common sense might be enough in some cases, simply by assessing against typical best-practice provisions; in others, less sophisticated red-teaming, scenario-based testing and threat workshops might be the better option.
Recognising the threat
A lot can be learned from some of the most resilient organisations and the ways in which they address the most sophisticated threats. It starts by recognising that ‘cyber threats’ are the latest in a long line of threats and that a modern, risk-based approach to information security is central to everything that follows. By considering the threats to different types of information, risk-appropriate controls can be applied. This might mean introducing very robust controls in a few specific locations, while being able to increase access to information at lower risk. A process for assessing risk and appropriate controls is provided in ISO 27001:2013, and there is plenty of good information available on sensible controls. When the team feels that all of the bases are covered, but there is a desire to do more, intelligence-led testing and similar services can take things to the next level. Managing sophisticated threats is challenging, but not impossible, and modern information is at the heart of it.
About the author
Simon Saunders is a managing consultant with Portcullis and has been in the information security industry for over 10 years. He regularly works with businesses to help them better understand their information security requirements, to identify where the current approach fails to deliver and to provide solutions for bridging these gaps. These tasks have seen Saunders operate as interim CISO at an international law firm, as well as completing numerous shorter projects across a wide range of sectors.
References
1. CBEST. CREST. Accessed Sept 2014. www.crest-approved.org/industry-government/cbest/index.html.
2. ‘CREST and CHECK’. CREST. Accessed Sept 2014. www.crest-approved.org/information-security-testers/crest-and-check/index.html.
BYOD – popular and problematic
Phil Beckett, Proven Legal Technologies
Network Security
September 2014
It was recently announced that the term Bring Your Own Device (BYOD) was officially added to the Chambers dictionary. This latest buzzword describes the scheme that allows employees to use their personal smartphones, tablets and other electrical equipment in the workplace. It also enables work materials to be accessed outside of the office domain and is evidently becoming a widespread phenomenon.

Dominating our lives
Twenty-first century technologies have begun to dominate every sphere of our lives, with an unlimited number of devices occupying our attention 24 hours a day. With this kind of technology now being used both socially and within working environments, it is hardly surprising that a cross-over is occurring, whereby employees use personal devices to access work material at any time. This has led to companies noticing increased work activity during holiday leave as employees submit to the temptation of checking easily accessible emails and information. In response to this growing trend, Google recently reported that it acquired Divide, the New York-based technology start-up whose software allows the separation of work and personal data on devices. In addition, technology giant Apple is currently designing its next version of iOS with a split-screen function, letting users efficiently switch between applications.

The fact that large companies like these are now adapting their products to suit the needs of BYOD demonstrates the widespread popularity and acceptance of this new way of working. However, while BYOD may bring benefits like efficiency and flexibility to its users, it is important to consider the potentially serious data security implications that can arise as well. By inviting personal devices into the office, firms of all sizes may be compromising both their security and their intellectual property. It is worth noting that nearly 500 million mobile phones will be shipped worldwide by 2016, of which 65% will be used for BYOD, according to analyst firm IDC.1 With Google and Apple (among many others) set to take advantage of the developments of BYOD, firms must be equally savvy in managing it. This includes making sure that the management team educates itself and its employees on the potential risks and is prepared to implement the measures needed to address them.

Managing BYOD and the cloud
As broadband speeds get faster and faster, company information is increasingly stored offsite and accessed through the Internet – via the cloud. This revolutionary data storage mechanism allows for much greater flexibility and availability and can also help to cut costs and reduce the time spent on paperwork. As such, employees are increasingly using cloud storage sites such as OneDrive, Dropbox or Google Drive, rather than hard copies, to transfer or back up their data. As always, there are risks to this approach. First, cloud storage is as intangible as it sounds, which means that companies must take steps to ensure their data is easily accessible and forensically viable should an investigation take place. Employees should therefore be encouraged to use time- and cost-effective cloud-based tools, but only under careful supervision and according to agreed rules and guidelines.

Samsung’s recent white paper titled ‘The Future of Work’ advises businesses that they should adapt to new employee behaviours and technologies.2 The advice is driven by digital developments and the infiltration of personal devices into the workplace in the form of smartphones, BlackBerrys, tablets and laptops. However, letting employees lead the IT domain could lead to a lack of control and compromised security for firms.

Social networking
The Samsung ‘Future of Work’ report found that, among European countries, UK employees were the most likely to use Facebook in the workplace in defiance of corporate policies.

The ubiquitous nature of social media makes this form of communication an additional security risk. Consumer favourites such as Facebook, WhatsApp and Twitter are now an integral part of daily life for many people and are easily accessible on smartphones that are being used for both personal and business purposes. As a result, there are many more opportunities to share material, either intentionally or unintentionally, which can end up causing a security breach for the business. Applications like these are also extremely hard to monitor since they are often used on personal mobiles rather than company computers. For this reason, firms should consider whether they want social media platforms to be accessible in a working environment at all. Tools are constantly under development to enable firms to block or restrict access to social networking sites, as well as to monitor traffic. However, developments like these are typically followed by a new way of getting around them, especially for tech-savvy Generation Z employees. As such, firms should favour a preventative approach, perhaps by blocking the use of these applications on work devices altogether.
A risky business
As the line between work and personal life continues to blur, firms need to sharpen this divide in order to avoid putting themselves at risk. In many cases, BYOD not only results in a loss of control, but can also affect network availability and result in data loss. It can also cause employees to violate industry regulations, break company rules, damage employer-employee trust, expose valuable intellectual property and undermine critical business obligations, whether knowingly or otherwise.

This is especially critical in regulated industries such as banking and financial services. Data breaches and security shortcomings can result in large fines and damage to reputation and brand name for firms operating in this sector. As such, in addition to focusing on complying with key regulatory requirements, firms will need to ensure that they protect themselves from the negative consequences of security breaches and fraudulent activity.
The crime scene
In the unfortunate event that a security breach should occur and an investigation is required, an experienced forensic team will need to determine an individual’s pattern of behaviour. They will consider not only the incident in question, but the wider context and information, including all relevant sources, connections and activity. The challenge, especially when working with a system that does not consist of physical files or fingerprints, is to capture forensically viable information. When companies allow unrestricted access to BYOD schemes, cloud storage and social media, they are actually leaving themselves very vulnerable, since data can be downloaded and transferred very easily. This can make a forensic examination extremely complex and legally unclear, especially when an undetermined number of personal devices are involved. Investigators need to begin by identifying all available software platforms and data sources that have been used. Workplace activity records, such as emails, file transfer history, cloud access and Internet history databases, should also be accessible for investigation, in addition to social media profiles like LinkedIn and Facebook and traces of Skype and video calls. All of these sources can provide rich information and expose malpractice. When considering compliance, employee training and conducting investigative procedures, companies should bear in mind the large number of devices and platforms they have, leaving no stone unturned. They must also be aware of their rights and what information is accessible without consent, should such situations arise, and how to manage staff motivation during this process. It can be quite invasive and pose a concern for employees.
Preventing problems
This complex system of investigation can be made simpler with thorough planning, policies and contracts covering employee and employer rights, including policies on legitimate access to web applications and companies’ rights to audit and monitor privately owned devices during an investigation.

For example, where BYOD schemes are used, there must be a clear list of approved devices and of which applications can be scrutinised in the event of an investigation. Firms must also take steps to protect their data by implementing robust firewalls, anti-virus software and encryption methods to minimise risks. In addition, employees should be fully trained to understand the importance of risk management and intellectual property, as well as their employers’ rights to remove company data from any personal device. A preventative approach in which all parties have an understanding of their rights, policies and sanctions is always preferable to working out these details after the crime.
Bring your own danger
The increasing popularity of BYOD should be seen as a call to action for all firms, especially if they want to protect themselves from the loss of sensitive data, valuable intellectual property or any other risks that will cause damage to the business. Precautionary measures include the implementation of appropriate network access strategies, security policies, data protection software, employee training, and a clear contract of authorisations and rights. Choosing to allow BYOD schemes and access to social networking platforms should be an informed decision, rather than an employee- or media-led trend. Should access be granted, companies must be ready to comply with a full forensic investigation at any time and be fully prepared to deal with the consequences of a worst-case scenario.
About the author
Phil Beckett is managing director at Proven Legal Technologies. He joined the team after spending seven years leading Navigant Consulting’s European Forensic Technology practice. Beckett has a master’s degree in forensic computing from Cranfield University and is a Fellow of the Association of Chartered Certified Accountants (ACCA), winning the ACCA Gold Medal when he qualified in 2001. Throughout his career, he has provided advice to lawyers, regulators, corporate entities, not-for-profit organisations and other stakeholders in relation to forensic investigations and e-disclosure projects in both the public and private sectors in the UK and internationally. He specialises in advising clients on the preservation and investigation of digital evidence, the interrogation of complex data sets and the disclosure of electronic documents. He is also a qualified fraud examiner and has been a recognised court expert in relation to various aspects of digital evidence, producing numerous expert reports.
References
1. ‘Stats about the future of BYOD’. Akuity, 17 Mar 2014. Accessed Sept 2014. www.akuity.com/2014/03/17/seven-stats-about-the-future-of-byod/.
2. Warman, Matt. ‘Are employees taking over IT?’. The Telegraph, 2 Aug 2014. Accessed Sept 2014. www.telegraph.co.uk/technology/technology-topics/11006410/Are-employees-taking-over-IT.html.