A method to define minimum controls, policies, and procedures to apply to devices not controlled by the organization.

1. Bring Your Own Device And Whatever Security Controls
You Want
Steven Keil
Aaron & Hur, Inc.
skeil@aaronhur.com
March 19, 2016
© 2016 Aaron & Hur, Inc.

2. Introduction
 Started in Information Technology in 1982 with
Big Blue
 Network and Security Consulting since 1994
 Certifications include: CISSP, CEH, CCNA.
Retired certifications include MCSE (and Master
CNE if anyone cares. Life was so simple with
Netware 3.12)
 Currently employed as a Security & Data Privacy
Lead for a government agency right around the
corner
 Happily married father of three children and four
grandchildren (soon to be five!)

3. We all know this is true…..
(No offense to Chuck Norris fans!)

4. Project History
 We knew we had a problem.
 This became my project for my Masters
Degree in Information Security from
Western Governors University.
 See next slide 
 Now working on implementing.

5. Graduated in February
at Disney World

6. Project Overview
 BYOD was instituted to save the cost of
supplying the contractors with laptops
 Basic security controls were inconsistent and
varied widely depending on the vendor, user,
and the device
 The result was BYODAWSCYW
 My project was to define minimum controls,
policies, and procedures to apply to devices
not controlled by the organization

7. Some of the risks
 If a device was not patched in a timely manner,
malware or a virus could attack a device on the
internal LAN

8. Risks continued
 A lost or stolen device could have the
organization’s data on it and not be encrypted

9. Risks continued
 A device could spread malware through the
internal network or grant access to the
organization data without the users knowledge

10. How To Reduce Risk?
 By providing
1. A list of minimum security controls
2. A “Bring Your Own Device” policy draft
incorporating these controls for adoption
3. Written procedures to maintain the policy and
controls for:
○ Android smartphones and tablets
○ Apple Personal Computers, smartphones and
tablets
○ Windows Personal Computers, smartphones and
tablets

11. Areas Researched
 NIST Series for Computer Security (800-
124 R1)
 SANS Critical Controls
 CIS Benchmarks
 Interview with staff vendors to determine
current controls implemented

12. Areas Researched cont.
 Appropriate Federal regulations
 IRS
 HIPAA (Health Insurance Portability and
Accountability Act of 1996)
 Current Organizations policies
 Internet, E-mail, and other IT Resources
 Encryption
 IT Security Awareness and Training
 Mobile Computing
 And others

13. Solution
 One of our success factors was to
recognize that the organization’s security
team does not supply or have direct control
over the computers (primarily laptops) and
other devices.
 We made the controls “standards based.”
This means that as long as a security
control is implemented in a reasonable
fashion or an approved countermeasure is
implemented, it may be deemed
acceptable.

14. Solution continued
 For example different devices have different
encryption methods. As long as encryption is
enabled this control is met.
 Apple iPhones and iPads Data Protection
 Android tablets and phone dm-cryp
 Windows computers Bitlocker
 Apple computers FileVault
 Only grant access to internal LAN after
verification of fifteen controls

15. The Security Control List
1) Personal Devices (Laptop/Tablet/Smartphone) shall be
registered by providing the following information to
designated staff when joining the project:
a. Serial Number
b. MAC addresses for Wi-Fi and Ethernet (if
applicable)
c. IMEI for cellular connections (if applicable)
2) A Supported Operating System shall be installed and
running on the device. (Laptop/Tablet/Smartphone)
3) Current operating system patches shall be installed
within 30 days of latest release unless an exception is
granted. (Laptop/Tablet/Smartphone)
4) Application updates shall be installed within 30 days of
latest release unless an exception is granted. (Examples:
Java, Office, etc.) (Laptop/Tablet/ Smartphone)

16. 5) Antivirus and antimalware shall be installed and
configured with current signatures and configured
to scan for malicious software not less than weekly
(Laptop)
6) Storage must be encrypted per the Encryption
Policy IT-14. External storage shall also be
encrypted (Examples include SD cards, “Thumb”
Drives etc.) (Laptop/Tablet/Smartphone)
7) A local firewall shall be enabled (Laptop)
8) A strong password or Personal Identification
Number (PIN) consisting of a minimum of 8
characters shall be used on the device. Refer to
policy for additional guidance.
(Laptop/Tablet/Smartphone)

17. 9) A timer shall be configured to lock the
screen after 15 minutes or less of inactivity
(Laptop/Tablet/Smartphone)
10) Jailbreaking or use of rooted devices
shall not be permitted (Tablet/Smartphone)
11) A device wipe will be initiated after 10
consecutive attempts to access the device
or alternately a remote wipe shall be
enabled (Tablet/Smartphone)
12) “Find my Phone” or device locating
similar service enabled (Tablet/
Smartphone)

18. 13) Backups must be encrypted (Examples:
iPhone/iPad on iTunes, laptop on an external
hard drive, or an employer provided remote
backup, Android on local PC, etc.)
(Laptop/Tablet/Smartphone)
14) No device sharing shall be permitted.
(Examples: Apps accessing email on
smartphones and tablets do not require
authentication. Data stored on a laptop hard
drive could be accessed by non staff
personnel.) (Laptop/Tablet/Smartphone)
15) Access to Federal Tax information from
mobile devices is prohibited. (Tablet/
Smartphone)

19. Status to date:
 Received approval from Leadership
for draft controls list
 Policy drafts are in review
 Proof of Concept completed.
 Using the POC to validate the job
aids, checklists, and overall process

20. How Potential Obstacles Were
Overcome
 Involving leadership, POC Volunteers, and
staff with assessing the job aids, controls
list, and policy draft to get early feedback
 Making the job aids available to all staff for
guidance and to make their devices safer
 Checklists for use in the review process for
rapid assessment
 “Preapproval” process where controls were
already met by a reputable vendor.
 Trust but verify approach

21. What I Learned
 Use of existing regulations was key
 The majority of the controls list was derived from
portions of eight organizational policies and three
federal regulations (including HIPAA)
 Now all in one place for staff to understand and
to meet audit requirements
 Most staff want to comply
 The staff want to operate safely and see the
benefit to protecting their own data and devices
 Lacking understanding of what their device
settings can provide
 Security Team can lead and educate
instead of always being the “hammer” and
demanding compliance

22. What was learned
continued
 This is a project that is in the process of
being implemented.
 It has been an excellent opportunity to work with
non security staff and leadership.
 It will take time to get approval from the
organization for the policy and to finish the
implementation
○ Patience, flexibility, and willingness to compromise
are important to getting consensus to move
forward
 Overall Systems security will be enhanced
when this is fully implemented by securing
the endpoints

23. Summary
 The business side wants to adopt BYOD
to save cost and increase productivity
 Security must be able to provide
alternatives to reduce risk to the
organization when this is implemented

24. References
 Johnson, D (2012). BYOD - a short list
of resources. C. Norris meme.
Retrieved from: http://doug-
johnson.squarespace.com/blue-skunk-
blog/2012/11/7/byod-a-short-list-of-
resources.html
 http://pcvirusesremoval.blogspot.com/2014/
02/trojan-horse-generic32cbws-virus.html
 http://www.imdb.com/title/tt0400903/
 http://debaffle.net/tech-primer-online-
services-and-encryption-part-1/