

Bring Your Own Device: Policies, Culture, and the Challenges for the
Cybersecurity Framework

Presentation · April 2015


DOI: 10.13140/RG.2.2.14712.60168


1 author:

Ben Block Jones II
Mississippi Office of Attorney General


All content following this page was uploaded by Ben Block Jones II on 01 October 2019.



STATE OF MISSISSIPPI

OFFICE OF THE ATTORNEY GENERAL

JIM HOOD
ATTORNEY GENERAL

Bring Your Own Device: Policies, Culture, and the Challenges for the
Cybersecurity Framework
Ben Jones (bejones@mdot.ms.gov)

The emergence of the "Bring Your Own Device" [BYOD] phenomenon has been well-documented. Agency-controlled mobile devices fall into two categories: agency-issued and BYOD. An agency-issued device is owned by the agency, centrally managed for security and issued to an individual for their exclusive use. “Bring Your Own Device” [BYOD] refers to personally-owned information systems.

This overview will discuss six specific questions:

1. How the mobile phone industry focuses on security issues, and what the industry sees as trends in cyber threats to mobile security;
2. The BYOD policy culture and where that fits into the overall security plan (i.e., the dangers in bringing your own device into our state system, and the problems that can result from crime, anything from data breach to simple data theft, especially when files are on the actual device);
3. Where mobile security fits into the whole cybersecurity framework, and the challenges mobile technology presents;
4. What are some of the downsides of a BYOD policy?
5. How does a user know if an app is safe?
6. Does a smartphone need anti-virus protection?

The term entered common use when the Santa Clara, Calif.-based Intel began its official opt-in pilot program in 2009, allowing non-IT-issued devices to access secure company e-mail, calendar and documents. Some 3,000 people signed up for the pilot. In 2013, more than 23,500 devices, representing 19 per cent of Intel's worldwide staff, were part of the company's BYOD program.[1] Just as the PC revolution freed the enterprise from centralized mainframes, consumers began using home computers for work after hours as the technology became more affordable. Today, devices such as smartphones and touchpads, with their smaller form factor and wireless access, can store millions of pages of text, thousands of pictures, or hundreds of videos—the very same capabilities as a laptop or desktop computer.

Now, BYOD has become a matter of convenience and personal preference: employees choose to bring the tools they use at home to the office. BYOD promises tantalizing values, such as greater employee productivity and reduced technology costs. Executives and employees want to use their devices and are demanding network access and IT support. On the downside, BYOD has created an upheaval for IT professionals and employers, who must adapt whether they like it or not. Moreover, companies and agencies can no longer take a wait-and-see approach to BYOD.

While BYOD promises the enterprise some small values, such as greater employee productivity and reduced technology costs, a BYOD policy comes with heightened security risks, unforeseen costs and internal support issues, straining IT support teams with the sheer complexity of the issue and its solutions. Cisco's 2013 Annual Security Report called this the “any-to-any problem”: how to secure any user, on any device, located anywhere, accessing any application or resource. Not too long ago, security could be managed with software and hardware solutions. Today, it can't be done by hand. There are just too many knobs and users. In the simple scenario of an employee upgrading from an iPhone 4 to a 4s, that device has now been handed over to an unknown salesperson or technician. To be sure, cybercriminals are taking advantage of the “any-to-any” world.

The first consideration for a BYOD policy is to classify your data and decide which devices will have access. Segregate data based on sensitivity and grant access based on such policies. An employee-owned smartphone will probably end up with access, so you've got to decide: just e-mail? What applications? What data? In a BYOD environment, data MUST be tightly controlled. Truly sensitive and classified systems, devices, data, and applications should be outside the scope of any BYOD. Organizations can limit their exposure by implementing tiered levels of access, providing minimal access (such as electronic mail only) to BYOD devices and more access (such as applications and data) to agency-owned devices. In 2012, IBM created BYOD policies around twelve “personas” which define the employees' privileges and access rights.[2]

[1] Nick Rockel, “The Future of Work: Work Has Become One Big BYOD Party,” The Globe and Mail (28 March 2013), available online at: http://www.theglobeandmail.com/report-on-business/careers/the-future-of-work/work-has-become-one-big-byod-party/article10497706/ accessed 10 March 2015.

Second, the enterprise must bring the device under some form of organizational control. Inevitably, that means investing in a Mobile Device Management (MDM) platform that can control which devices can access specific applications or data on your network. An MDM solution (which has both server and client components) can also carry out activities such as device provisioning and configuration, software distribution, encryption and password management, and remote wipe and lock. As MDM solutions move to cloud-based Software as a Service (SaaS), the organization should be aware that the Federal government conducts compliance audits of cloud services as mandated by the Federal Information Security Management Act of 2002[3] and the Federal Risk and Authorization Management Program (FedRAMP), which was implemented in 2014.[4] The Federal government maintains a list of authorized and provisionally-authorized "compliant cloud systems" at http://cloud.cio.gov/fedramp/cloud-systems. Amazon Web Services and Microsoft Azure (which comes with Office 365) have become front-runners in public solutions, while the Treasury, USDA and OMB MAX have developed their own government cloud solutions for Federal, State and Local agencies.

Third, restrictions should be imposed on apps and downloads. In February 2012, many legitimate iOS apps were discovered to upload the user's address book without permission; Android OS would upload pictures without permission. Some apps neglect to encrypt the users' login credentials. Apps should be screened and made available from an agency app store, and public app stores such as iTunes or Google Play should be avoided. Also, if your agency is developing apps, beware that you can inadvertently introduce security vulnerabilities. Even Fortune 100 companies make mistakes. As a best practice, the agency should engage an "external set of eyes" not involved in the app development to audit the apps and check for problems.

Fourth, the agency should conduct an agency-wide mobile security audit to check for vulnerabilities and address security concerns. Some federal agencies, such as the Internal Revenue Service, conduct an annual risk assessment. The risk assessment should identify threats and vulnerabilities against these devices, including a review of the security controls in place, to ensure that devices are able to function while minimizing residual risk. This requires the agency to have a good understanding of its mobile environment and its limitations.[5]

[2] Brian Bergstein, “IBM Faces the Perils of ‘Bring Your Own Device’,” MIT Technology Review, Business Report (May 2012).
[3] 44 U.S.C. § 3541 et seq.
[4] See http://www.cio.gov/protect/fedramp/

In the coming years, employers may see fewer and fewer economic benefits in a liberal BYOD environment. In a recent California Labor Code case involving a company policy that required its employees to use personal phones for work-related calls, the Court ruled that the Code requires the employer to reimburse the employee.[6] The decision raises some interesting issues: how will the employer or employees track usage? Will the employee submit a Time & Expense (T&E) report? What about policies that allow BYOD but do not require one to BYOD?

The lack of a BYOD policy can affect evidence preservation and litigation holds. Bear in mind that discovery of relevant data begins the lawsuit, and that relevance and admissibility based on relevance are two distinct points in the discovery phase of litigation. In a recent Department of Labor case,[7] a Special Master reported on the discovery collection and production. Originally, key players said they didn't use personal devices for work, but an analysis of the signature lines of e-mails revealed that, in fact, they did. Subsequent depositions showed that such use was widespread. Two executives used their own laptops offsite to type notes for use in negotiations, and the existence of these laptops was not disclosed. This resulted in a court-ordered inspection of the personal devices of key personnel, which found that, while no responsive electronically-stored information [ESI] existed on these devices, the failure to preserve, collect or search these devices likely resulted in the destruction of responsive ESI and substantially increased the time and cost of the proceedings. The failure to answer truthfully regarding mobile devices made fault a moot point, and the hospital faces continuing sanctions.[8]

The Federal government, through the National Institute of Standards and Technology and the Federal CIO Council, is currently wrangling with BYOD, issuing new guidance for agencies almost on an annual basis.[9] The Federal CIO Council has published a BYOD resource toolkit, “Bring Your Own Device – A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs.”[10] The State of Delaware's BYOD policies have drawn particular attention.

[5] See IRS Publication 1075, “Tax Information Security Guidelines For Federal, State and Local Agencies” (October 2014) and “Safeguards Technical Assistance Memorandum: Protecting Federal Tax Information (FTI) within a Mobile Device Environment,” Internal Revenue Service (17 July 2014).
[6] Cochran v. Schwan's Home Service, Inc., 176 Cal.Rptr.3d 407 (Cal. App. 2 Dist. 2014), review denied.
[7] Small et al. v. University Medical Center of Southern Nevada, No. 2:13-CV-00298 (D. Nev. filed Jul. 26, 2012).
[8] Small v. University Medical Center of Southern Nevada, Slip Copy, 2014 WL 4079507 (D. Nev. 2014).
[9] “Guidelines for Managing the Security of Mobile Devices in the Enterprise,” NIST Special Publication 800-124 Revision 1 (July 2013), available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf accessed 10 March 2015.

The State of Delaware BYOD Policy was one of the case studies included in the CIO
Council’s toolkit. The Delaware policy reinforces seven basic precepts of BYOD
security:

1. Strong password;
2. Password history;
3. Password that expires;
4. Inactivity time out;
5. Lock out after seven failed attempts to log on;
6. Remote wipe if the device is compromised or after seven failed attempts to log on; and
7. Encryption, if device is capable of employing it (data-in-transit encryption,
data-at-rest encryption as well as strong log-in authentication).
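As an added illustration (not part of the presentation), the following code turns two ideas from the text into one enforceable decision: the Delaware precepts as a device posture baseline, and tiered access in which BYOD devices get e-mail only, agency-owned devices also get applications and data, and classified systems stay outside the scope of any BYOD. The posture field names, the resource labels, and reading "seven failed tries" as an upper bound on the lock-out/wipe threshold are assumptions of this example.

```python
from dataclasses import dataclass

# Access tiers from the text: BYOD gets minimal access (e-mail only); agency-owned
# devices also get applications and data. Resource labels are assumed.
BYOD_TIER = {"email"}
AGENCY_TIER = {"email", "apps", "data"}

@dataclass
class DevicePosture:
    """Device posture as an MDM might report it (field names are assumptions)."""
    owner: str                       # "agency" (issued) or "byod" (personally owned)
    strong_password_enforced: bool   # precept 1
    password_history_enforced: bool  # precept 2
    password_expiry_days: int        # precept 3 (0 = never expires)
    inactivity_timeout_min: int      # precept 4 (0 = no time-out)
    lockout_after_failures: int      # precept 5 (0 = no lock-out)
    remote_wipe_enabled: bool        # precept 6
    wipe_after_failures: int         # precept 6 (0 = never wipes)
    encryption_capable: bool         # precept 7 applies only if the device can encrypt
    encryption_enabled: bool         # precept 7

def posture_findings(p: DevicePosture) -> list:
    """Return the Delaware precepts the device fails (empty list means compliant)."""
    f = []
    if not p.strong_password_enforced:
        f.append("1 strong password")
    if not p.password_history_enforced:
        f.append("2 password history")
    if p.password_expiry_days <= 0:
        f.append("3 password expiry")
    if p.inactivity_timeout_min <= 0:
        f.append("4 inactivity time-out")
    if not 0 < p.lockout_after_failures <= 7:   # "seven" read as the upper bound
        f.append("5 lock-out within seven failed log-ons")
    if not (p.remote_wipe_enabled and 0 < p.wipe_after_failures <= 7):
        f.append("6 remote wipe")
    if p.encryption_capable and not p.encryption_enabled:
        f.append("7 encryption")                 # a device that cannot encrypt is exempt
    return f

def decide_access(p: DevicePosture, resource: str):
    """Decide whether a device may reach a resource; returns (allowed, reason)."""
    findings = posture_findings(p)
    if findings:
        return False, "device fails precepts: " + ", ".join(findings)
    if resource == "classified" and p.owner != "agency":
        return False, "classified systems are outside the scope of any BYOD"
    tier = AGENCY_TIER if p.owner == "agency" else BYOD_TIER
    if resource in tier:
        return True, f"{p.owner} tier permits {resource}"
    return False, f"{p.owner} tier does not permit {resource}"

# Constructed sample: a compliant personally-owned phone whose storage cannot encrypt.
SAMPLE_BYOD = DevicePosture("byod", True, True, 90, 5, 7, True, 7, False, False)
```

A device that fails any precept is refused everything, so the posture check runs before the tier lookup; only a compliant device reaches the ownership-based tier decision.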

In 2015, many commentators forecast the following BYOD trends:

• iOS products,[11] both jail-broken and non-jail-broken devices,[12] will be the target of more cyberattacks. As reported in 2014, ninety-nine percent of all mobile malware in 2013 targeted Android[13] devices. Android users also have the highest encounter rate (71 percent) with all forms of web-delivered malware, followed by Apple iPhone users with 14 percent of all web malware encounters. However, mobile malware that targets specific devices made up just 1.2 percent of all web malware encounters in 2013.
• Companies will be forced to reconsider their BYOD policies as tablets and mobile phones are targeted by new malware threats. In 2014, 100 percent of business networks analyzed by Cisco had traffic going to websites that host malware. In 2012, IBM revisited and scaled back its initial BYOD policy, finding that it wasn't saving the company any money, publishing a list of banned apps and websites (including Apple's iCloud) and creating policies around twelve “personas” that dictate privileges and access.[14] These “across the board, no exceptions” solutions will probably transform BYOD into BYOD* (with asterisk).
• Mobile device attacks focused on credential, auto-login and authentication attacks.
• More cloud breaches.
• Network and application security will continue to converge with the increase in cloud services; each end will become more dependent on the other.
• Increased development of a responsive zero-trust model for security (treat every device with suspicion, even within the enterprise).

[10] http://www.whitehouse.gov/digitalgov/bring-your-own-device
[11] iOS is Apple's mobile operating system used on many Apple devices.
[12] Jail-broken refers to a device that is freed from the iOS limitations programmed by the manufacturer and the telephone carrier.
[13] Android is the mobile operating system developed by Google and based on Linux.
[14] Bergstein, ibid.

PREDICTION:

At least one corporate data breach will be traced back to a compromised mobile device connecting through a trusted enterprise wireless network using automatic privileges or authentications associated with that device. Think about Personal Hotspot on your iPhone 4s.

Of course, there will always be:

• Malware "drive-by" downloads - Even within an MDM environment, mitigation of malware within BYOD environments may not be possible.
• Phishing scams, fake apps and fake links that lead to malicious websites - At its peak, spam related to the Boston Marathon bombing made up 40 percent of all spam messages delivered worldwide on April 17, 2013.
• Windows XP - Known vulnerabilities with this old system exist.
• Commercial point of sale (POS) and Internet of Things (IoT)[15] exploits.
• Java exploits - Disable all Java functionality if you have it enabled.

And there will always be three constants:

• Mobile devices introduce security risk when they are used to access enterprise resources;
• Mobile devices easily connect with third parties with unknown security postures outside of the enterprise's control;
• Technologies do not stand still, and neither do attackers.

To quote the two sentences found throughout several sections of the 2014 U.S. Department of Justice's Criminal Justice Information Services (CJIS) Security Policy:

“If personally owned devices are utilized within the environment in a Bring Your Own device (BYOD) scenario, specialized and costly incident handling procedures and processes may need to be developed to support compliance for those devices. The costs associated with enhanced incident handling procedures may need to be incorporated in the cost and risk based analysis to allow personally owned devices in the BYOD scenario, as the technical methods and risk to achieve compliance under BYOD scenarios may exceed any cost savings potentially achieved through BYOD.”[16]

[15] The term “IoT” here refers to industrial devices that are monitored across the internet or an internal network (such as the malware attack on the Iranian nuclear centrifuges with the StuxNet worm virus, which targeted Microsoft Windows computers, then the Windows-based Siemens Step7 software which operates industrial control systems).

Finally, does a smartphone need anti-virus protection? Mobile devices, such as smart phones and tablets, typically need to support multiple security objectives: confidentiality, integrity, and availability. To achieve these objectives, mobile devices should be secured against a variety of threats. If you're not running some kind of anti-malware app on your Android smartphone or tablet, then you're putting yourself at risk of infection from corrupted apps and other kinds of malware. It took a long time before people realized that they need antivirus/malware protection for their computers. If a device is accessing the internet, it is just as vulnerable as any other computer on the internet. But common sense and prudence will be more valuable: slow down and ask questions. Where did this come from? Who is the author? Should I put this on my business phone? What does "free" really mean? There is no such thing as a safe app—they all have some compromise of privacy and metadata and, perhaps, a larger hidden price.

                                                            
[16] Section 5.5.6.1, “Incident Handling.” See also “Access Controls,” “Device Controls,” “System Use Notification,” “Bring Your Own Device (BYOD) Employment,” and “Device Tracking and Recovery.”
