IT Security Issues
Controlling BYOD on the Cheap:
- Requiring employees to manually ensure that the same controls are followed on their devices
- Trying to maintain security without an MDM
-- In most cases this will not be as effective as an MDM
Also recommended:
- Not forwarding company email messages to non-company computer systems, personal email accounts, cloud service providers, or file-sharing services
- Protecting against unauthorized observation of sensitive information in public places
Nearly 80 percent of companies enforce only the most basic option to protect their data on employees' phones: a 4-5 digit PIN (research in 2015 from IBM Security into one million BYOD and corporate-issued devices)
Four Step Social Engineering Attack
1) Information gathering
2) Developing a relationship
3) Exploitation
4) Execution
Traits for Attacks - Trust Relationship
Attackers build relationships with their intended victims through seemingly innocent conversations or email communications
Managing Devices Remotely
Best practice: a Mobile Device Management (MDM) solution, achieved by installing MDM software on the employee's device. Once installed, an MDM solution can enforce security policies. Auditors should verify these policies are in place:
- Anti-malware and firewall policy - mandates security software
- App/operating system update policy - upgrades and patches
- App-vetting policy - ensures that only trustworthy "white listed" apps can be installed
- Encryption policy - encrypts and secures the contents of the device's business container
- PIN policy - PIN complexity rules and expiration periods
- Remote wipe policy - ideally erases the device's business container contents (not personal contents) should the device be lost or stolen
Risks of BYOD: Data Loss (risk to the employee, not the organization)
The employee loses data when the organization wipes the data on a lost phone, or if the employee leaves the company
Benefits of BYOD - Employees
For employees:
- Avoid carrying an additional device
- Ability to use the device the employee wants to use
- Reduced need for training, since employees are using their own devices
Benefits of BYOD - Organization
For the organization:
- Cost savings - the user pays all or some portion of the device and service plan
- Eliminates or reduces IT infrastructure
- Increases employee productivity - ease of telecommuting with a personal device
Traits for Attacks - Guilt or Sympathy
Human users have a tendency to believe that others' expressed attitudes (e.g., sad voice), behaviors (e.g., facial signs), and statements (e.g., poor performance) are true, and these individuals may attempt to avoid guilt by helping the attacker
Risks of BYOD: Data Breach
If an employee-owned device connected to the company's network is compromised by malware (from downloading a malicious app or through faulty device security), the whole network is exposed to that compromise
Protection Against Social Engineering Attacks
Information systems (IS) security management depends on technological measures and managerial endeavors
- The key to protection against SE attacks is a combination of technical, behavioral, and procedural countermeasures
- Many feel that the "human factor" of IT security is the weak link
Social Engineering Attacks - Shoulder surfing
Looking over one's shoulder
Effective Defenses Against Social Engineering
Multi-discipline approach including:
- Technology
- Policies:
1) Develop clear, concise security policies that are enforced consistently throughout the organization
2) Develop simple rules defining what information is sensitive and develop a data classification policy
3) Require verification of the requester's identity when restricted actions are requested
- Procedures: reinforce prompt recognition of, and appropriate reaction to, SE attacks by training employees to recognize unusual requests, react to them properly, and refuse to provide additional information
- Standards: employee training and awareness programs
-- Should focus on the human aspects of social engineering
-- Incident response: plan actions for when an incident occurs
Social Engineering Attacks
- Pretexting (most common)
- Phishing
- Shoulder surfing
- Dumpster diving
Personality Traits
Leading psychology-driven traits exploited in SE attacks:
- Diffusion of responsibility
- Ingratiation
- Authority
- Trust relationship
- Guilt or sympathy
Psychological Aspects
Three key aspects of social psychology could explain the emotional cues used in SE attacks:
1. Alternative routes to persuasion (i.e., the central route and the peripheral route)
2. Attitudes and beliefs: the differences between the victim's attitudes and beliefs about the SE attacker and the SE attacker's attitudes and beliefs about his/her anticipated or definite victims
3. Persuasion and influence techniques: rely on peripheral routes to persuasion, which are effective in influencing others
SE attacks are categorized into human-based and technology-based intrusions
Risks of BYOD: Data Leak
When an employee shares company data from a mobile device with an unauthorized app or third party, corporate data may be placed at significant risk
- Theft of data contained on a stolen or lost device
- Employees forward sensitive documents to unauthorized individuals or make them available through an unsecured cloud file-sharing provider
- Caused by malware in apps, with nearly 40 percent of companies not properly securing the mobile apps they build for customers (according to a March IBM-sponsored Ponemon Institute study)
Social Engineering (SE)
a combination of techniques used to manipulate victims into divulging confidential information or performing actions that compromise security
SE Technology-based attacks
access confidential information by employing computer software programs such as pop-up windows, e-mail attachments, and websites
SE Human-based attacks
are interactions between the attacker and the victim who possesses valuable information.
Traits for Attacks - Authority
plays a vital role since people are conditioned to respond to authority figures without painstakingly verifying their legitimacy
Auditing The BYOD Program
BYOD practices allow employees to use their own personal portable devices to access the company's email and internal network. "Growth of employee-owned devices in the workplace is placing new demands on enterprises struggling to protect both personal and professional data"
Traits for Attacks- Diffusion of Responsibility
Targeted victims are made to believe that they are not solely responsible for their actions. This trait works well with moral duty, when the individual victim conceives that what he/she is responding to is of vital importance. The victim feels guilty if he/she doesn't help another perceived employee (who is the attacker)
Social Engineering Attacks - Pretexting
the act of creating and using a contrived scenario to persuade a potential victim to voluntarily reveal information or perform actions
Peripheral route to persuasion
the attacker tends to make the intended victim more susceptible to persuasion by triggering strong emotions such as fear or excitement
Central route of persuasion
Typically doesn't work - the attacker tries to persuade victims to provide the desired information without fabricating an unreal scenario
Traits for Attacks - Ingratiation
Victims are led to believe that compliance with a request will enhance their chances of receiving some benefit (e.g., looking good to management)