![Page 1: Bring Your Own Risk - TROOPERS20 · seems that in many BYOD discussions some risks might not be considered appropriately. - Just looking at container solutions (and AUPs, if at all)](https://reader035.vdocuments.us/reader035/viewer/2022071215/6044fff56a393825a64b929f/html5/thumbnails/1.jpg)
www.ernw.de
Bring Your Own Risk On Your Own Device
Rene Graf & Enno Rey {rgraf, erey}@ernw.de
Who we are
¬ Old-school network geeks, working as security researchers for Germany based ERNW GmbH
- Independent
- Deep technical knowledge
- Structured (assessment) approach
- Business reasonable recommendations
- We understand corporate
¬ Blog: www.insinuator.net
¬ Conference: www.troopers.de (You obviously found that ;-)
15.03.2012 © ERNW GmbH | Breslauer Straße 28 | D-69124 Heidelberg #2
Agenda
¬ Intro & “Device Lifecycle”
¬ Going through the Lifecycle
¬ Conclusions

The “mobile world” is getting crazy

The devices

The operating systems

There are quite some flavors of mobile device usage out there!

There’s the traditional way …

Corporate owned devices (What We Actually See in the Wild)
¬ Corporate device with corporate use only (o rly?).
- Will probably not work with all the “smart devices” out there.
- Still, some (organizations) try to.

Corporate owned devices (What We Actually See in the Wild)
¬ Corporate device with private use allowed
- That’s what we actually see a lot out there.
- At least when “the new mobile devices” are “in place”.

Then, there are private devices

What happens when you do not support “these modern devices at all”?

The Reality (What We Actually See in the Wild)
¬ People just bringing their devices in and connecting those to WLAN / EAS (or $SOME_BACKEND).
- In quite some orgs any technically savvy user can do that.
- Even seen that users switch SIM cards from BB to $SMARTPHONE.
¬ Users forwarding $CORP_EMAIL to their gmail accounts, to open them while sitting on the couch with their (private) iPads...

You think that is not the case in your environment?

Ever had a look at your MS Exchange logs?

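The question on this slide, together with the observation a few slides earlier that people simply connect private devices to EAS, is what the following added example answers in code; it is not part of the talk or of ERNW’s material. It parses the IIS W3C log an Exchange Client Access Server writes for ActiveSync requests, lists which accounts sync from which devices, and flags devices that are missing from the provisioning inventory or that sync under a different account than the one they were issued to. The W3C field set, the /Microsoft-Server-ActiveSync path, the sample log lines and the inventory mapping are all constructed or assumed for the example.

```python
"""
Added example (not code from the talk or from ERNW): build an inventory of the
devices that actually sync against Exchange ActiveSync (EAS) by parsing the IIS
W3C log of an Exchange Client Access Server, then flag devices the organization
does not know about.

Assumptions (not from the slides): the W3C field set shown in the #Fields
header below, the default EAS virtual directory /Microsoft-Server-ActiveSync,
and a provisioning inventory kept as a simple DeviceId -> owner mapping.
All log lines and inventory entries are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample log. The last line is a known device syncing under a
# different account than the one it was provisioned for.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2012-03-19 08:01:12 10.0.0.5 POST /Microsoft-Server-ActiveSync User=CORP%5Cjdoe&DeviceId=BB2FA2E1C3&DeviceType=BlackBerry&Cmd=Sync 443 CORP\\jdoe 203.0.113.10 RIM-BlackBerry 200
2012-03-19 08:02:40 10.0.0.5 POST /Microsoft-Server-ActiveSync User=CORP%5Cjdoe&DeviceId=Appl7F1A9X2Y&DeviceType=iPad&Cmd=Sync 443 CORP\\jdoe 198.51.100.23 Apple-iPad2C1/902.176 200
2012-03-19 08:03:05 10.0.0.5 POST /Microsoft-Server-ActiveSync User=CORP%5Cmsmith&DeviceId=androidc259148960&DeviceType=Android&Cmd=FolderSync 443 CORP\\msmith 198.51.100.77 Android/4.0.3-EAS-1.3 200
2012-03-19 08:03:09 10.0.0.5 GET /owa/ - 443 CORP\\msmith 10.0.0.50 Mozilla/5.0 200
2012-03-19 08:04:44 10.0.0.5 POST /Microsoft-Server-ActiveSync User=CORP%5Cceo&DeviceId=Appl9K3L2M1N&DeviceType=iPhone&Cmd=Ping 443 CORP\\ceo 192.0.2.8 Apple-iPhone4C1/902.176 200
2012-03-19 08:05:10 10.0.0.5 POST /Microsoft-Server-ActiveSync User=CORP%5Cmsmith&DeviceId=BB2FA2E1C3&DeviceType=BlackBerry&Cmd=Sync 443 CORP\\msmith 203.0.113.10 RIM-BlackBerry 200
"""

# Constructed provisioning inventory: DeviceId -> account the device was issued to.
KNOWN_DEVICES = {"BB2FA2E1C3": "CORP\\jdoe"}

EAS_PATH = "/microsoft-server-activesync"


@dataclass(frozen=True)
class EasDevice:
    user: str
    device_id: str
    device_type: str
    user_agent: str


def parse_eas_log(text):
    """Yield one EasDevice per ActiveSync request in IIS W3C log text."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-attribute it
        row = dict(zip(fields, values))
        if row["cs-uri-stem"].lower() != EAS_PATH:
            continue
        query = parse_qs(row["cs-uri-query"])
        # Requests without DeviceId/DeviceType (e.g. OPTIONS probes) say
        # nothing about a device, so they are ignored.
        if "DeviceId" not in query or "DeviceType" not in query:
            continue
        yield EasDevice(
            user=query.get("User", [row["cs-username"]])[0],
            device_id=query["DeviceId"][0],
            device_type=query["DeviceType"][0],
            user_agent=row["cs(User-Agent)"],
        )


def device_inventory(text):
    """Map each account to the set of distinct devices it syncs from."""
    inventory = defaultdict(set)
    for device in parse_eas_log(text):
        inventory[device.user].add(device)
    return dict(inventory)


def unknown_devices(text, known=KNOWN_DEVICES):
    """Return (device, reason) for devices not in the inventory, or whose
    inventory owner differs from the account actually syncing on them."""
    findings = []
    for device in parse_eas_log(text):
        owner = known.get(device.device_id)
        if owner is None:
            finding = (device, "device not in inventory")
        elif owner != device.user:
            finding = (device, f"issued to {owner}, syncing as {device.user}")
        else:
            continue
        if finding not in findings:  # the same device shows up on many lines
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for user, devices in sorted(device_inventory(SAMPLE_IIS_LOG).items()):
        print(user, sorted(d.device_type for d in devices))
    for device, reason in unknown_devices(SAMPLE_IIS_LOG):
        print(f"{device.user:14} {device.device_type:10} {device.device_id:20} {reason}")
```

DeviceId and DeviceType come from the EAS request itself, and the User-Agent field carries the client’s OS build, so the same parse is a starting point for spotting devices that no longer receive updates; the inventory lookup is what turns the raw log into the answer to the slide’s question, namely which devices syncing corporate mail the organization actually knows about.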
If you allow private devices …

… that would be called “Bring your own device” (BYOD).

And that’s what this talk is about!

Motivation (Why do this?)
¬ FIRST: It’s NOT about saving money!
¬ Enable users to “work with their favorite device”
¬ Make them “available in their free time” => That’s evil ;-)
¬ Users have to carry only one device.
- Btw. you can also achieve this by allowing private use of corporate devices.

The Talk’s Message on One Slide
¬ BYOD = fundamental paradigm shift
¬ When looking at a device’s full lifecycle, it seems that in many BYOD discussions some risks might not be considered appropriately.
- Just looking at container solutions (and AUPs, if at all) might not be sufficient.
¬ So, the goal of this talk: → Enable you to get a better understanding of the risks associated with BYOD, and how to potentially mitigate them.

The Reality
¬ Organizations supporting BYOD often rely on container apps for data separation.
- And maybe AUPs.
¬ Question is: Is that sufficient?

Just to make this clear
¬ We’re not “against BYOD”.
- Or container apps, for that matter.
- And BYOD might be one of the fights you can’t win anyway.
→ So we just want to cover some aspects that we think are often overlooked.

Let’s have a look at a typical MD’s lifecycle

Lifecycle
Acquisition → Usage → End of Life (sell old device via et al.)

Three Angles
- How does $SOME_STEP_FROM_LC usually work with a “company managed approach”?
- How is it potentially performed in a BYOD world?
- What can go wrong, in BYOD world?

Initial Acquisition (Company managed device)
¬ Careful selection of devices, based on their (well-understood?) features
¬ Supply chain to some degree “known and trusted”.
¬ Supply chain potentially covered by contracts.
- At least as part of general T+C.

Initial Acquisition (BYOD)
¬ A mess!
¬ Supply chain “unknown and potentially not trustworthy”.
¬ Potentially no or weak legal/contractual controls.

Initial Acquisition (What can go wrong? A story from the field.)
¬ Device “already low level compromised” might not be “securable”, even with $CONTAINER.
¬ Do you trust that brand new iPad 3 you can win @Troopers? ;-)
- BTW: 1729-6671-2834-5338-9309
¬ Or that “brand new smartphone prototype” the VP of R&D just received at a trade fair in $SOME_EMERGING_MARKET?
¬ User buys device which no longer gets updates.

Initial Acquisition (What we suggest)
¬ Take a clear stance on whether jailbroken/rooted devices are to be allowed within BYOD or not.
- Might contradict “full liberal approach”.
¬ User education on supply chain importance & issues.
¬ Try to govern supply chain ($ORG buys devices and gives those away)?
- Will probably not work, for a number of legal or psychological reasons.
¬ $ORG gives user some money (as some bonus) to buy device
- User may then buy cheap ones $SOMEWHERE to “earn some money”

Device in Use (Company managed)
¬ The device is mostly used for company purposes.
- And secondly for private stuff (if allowed).

Device in Use (Company managed)
¬ $ORG imposes the rules.
- How they are protected (Passcode)
- What restrictions are enforced.
- What backend services ([i]Cloud) may be used.

Device in Use (Company managed)
¬ $ORG imposes the rules.
- What software / apps are installed / prohibited.
- Which platforms are allowed (iOS, Android, WP7, BB, …)

Device in Use (Company managed)
¬ $ORG imposes the rules.
- To what extent private use is allowed.
- Who else may use the device
- Which media content is allowed to be stored.

Device in Use (Company managed)
¬ $ORG imposes the rules.
- If, where and how the device syncs / backs up its contents (iTunes, iCloud, Google Sync, …)

Data in Use (BYOD)
¬ Majority of device use for personal/private purposes.
- Willingness to physically hand over device to other persons probably higher.
- Can/should be addressed in AUP.
- Willingness to forward emails to gmail account might (even) be higher.

Data in Use (BYOD)
¬ User makes the rules.
- Or at least decides what $ORG may do with her device.
→ Ever tried prohibiting app installation? ;-)

Data in Use (BYOD)
¬ No restrictions regarding apps
- User won’t accept “Facebook denied”
- User installs “whatever app she wants”
- Majority of applications from $SOMEWHERE.

Data in Use (BYOD)
¬ Users also probably won’t accept strong monitoring of their device.
- Especially not the workers council.

Data in Use (BYOD)
¬ User cannot be advised to perform certain steps (update, …) as device is not owned by $ORG
- (can be locked out, but that’s all)
- Also, try wiping the device of your boss because of missing patches ;-)

Data in Use (BYOD)
¬ Devices cannot be audited
- would you let your private device be audited by $SOME_IT_GUY? ;-)

What can happen
¬ Device can get lost / stolen
- Positively, if the user forgets her device somewhere, she might put more effort into getting it back (because it’s her own asset / money)
- So you wipe the device / container & replace the device, right?

What can happen
¬ Device can get lost / stolen
- Oh, wait. It’s the user’s responsibility to “get a new one”.
- Which might take some time, as users typically do not have replacement devices.
- Which in turn leads to users not being fully “work ready” for a couple of days.

What can happen
¬ Device breaks down
- So you’ll wipe it before sending it to repair, right?
- What if this is not possible anymore?
- If it’s a VIP’s device, you would probably just replace it and destroy the old one.
- If this is a private device, the user will send it back anyway.

What can happen
¬ And what about a replacement?
- For private devices, this typically takes longer, as users do not have the “business flag”.
- What if the user has no money left to buy a new one? ;-)

What can happen
¬ And what about restoring data?
- Ok, container solutions typically cover this by simply re-provisioning the device.
- But if no container is used, users may not have access to a backup (home PC)
- You also cannot back up users’ devices because of privacy law limitations.
- And as you do not want to have $ILLEGAL_MEDIA on $ORG systems.

What can happen
¬ User’s private device gets compromised / infected.
- And this device will probably contain corporate data / credentials within the backup (depending on the container solution)
- Also, almost certainly some $CLOUD_SERVICE_CREDENTIALS are stored on this box (iCloud, …)
- Which in turn will probably hold backed up data.

What can happen
¬ User’s $CLOUD account gets compromised.
- Which again possibly contains corporate data.

What can happen
¬ Regarding cloud services …
- As you cannot forbid cloud usage.
- Some of them may affect corporate data, even if it is not allowed to use cloud services.
- Think of iMessage: cheap for international MSGs. If a user uses this service, this also affects corporate “SMS” messages (passwords and the like)

What can happen
¬ Malware infection
- What would you do normally?
- Investigate / analyze it forensically?
- Well, the user decides if he/she gives the phone to you.

What can happen
¬ User not ready for work
- Regarding his/her data plan
- If the user is roaming, he/she might not be willing to pay for roaming costs
- And thus doesn’t
- Or users get locked out due to unpaid invoice

What can happen
¬ User may press charges against $ORG
- $ORG wiped device due to policy violation (Jailbreak, …)
- Destroying user’s data (the pictures he took at some relative’s wedding and was supposed to deliver).

Data in Use (What can possibly go wrong?)
¬ Container solutions might not provide the maturity you expect.
- Did you hear Dmitry’s talk this morning, on password safes?
- This might give an idea as to the overall maturity of security software in the mobile device space.
- In the course of a pentest we found a major flaw in a major solution.
- On Android, under certain (not too uncommon) circumstances, temp files were stored outside the container.

Data in Use (Our recommendations)
¬ Good accompanying AUPs needed in case $container is used.
- No corp data ever to be handled outside the container.
- E.g. forwarded to gmail account.
¬ Evaluate (before the project! ;-) if $USER_POPULATION is willing to accept the restrictions of the container.
- I mean, it’s VIPs...
¬ Perform own pentesting or ask for detailed security reports.
- See above, whole space still a bit immature.

Don’t Forget (There Might be New Threats from the User’s Perspective, Too)
¬ User’s private device can be located by the company.
- Which the workers council may not like that much ;-)
- And the user neither.
¬ Think about:
- $ADMIN likes $SECRETARY
- And “by accident” shows up at the same bars.

Co-worker’s location: A hotel? Oh, wait. Who else is there? Or, what is he doing at my home?

End of life (Company owned)
¬ $ORG takes them back.
¬ And [hopefully] decommissions them accordingly.
¬ Maybe, instead of selling them, $ORG destroys them.

End of life (BYOD)
¬ User sells device on ebay
- See our decommissioning newsletter
¬ Gives it to friends/kids/spouse
¬ Gives it to ERNW for hacking lab ;-)
¬ And probably asks to provision his new device after that (and then it’s too late to give advice).

End of life (What can possibly go wrong)
¬ Data exposure
- $ORG getting bad press
- Nobody will ask if it was a private device, if $CONF_DATA shows up on the internet.

Conclusions
¬ Acceptable use policy
¬ Think about the _whole_ lifecycle.
¬ Separate private / business data
¬ Limit local data storage

There’s never enough time…
THANK YOU… for yours!