Secure, Network Compliant BYOD Solutions Are NOT a Myth

In a recent article featured on Forbes.com, Bring Your Own Device (BYOD) is described as an inevitable component of the evolving office ecosystem. In the same article, a statistic borrowed from an IBM study reveals that 81% of organizations reported their employees are using their personal mobile devices to connect to “company resources”. If you are an AV integrator or the head of IT, this statistic probably conjures fears of rampant network security risks.

But BYOD doesn’t necessarily equate to network security problems. Based on the current trend of using mobile devices in the workplace, secure, network compliant BYOD solutions are almost certain to arrive in the very near future. It is up to technology innovators to meet the market demand by developing, testing, vetting, and integrating the products to keep up with the trends we see around us. In short, embracing the changing workplace dynamics – and the products that support them – is likely the only way forward.

Like any other disruptive trend in technology, there are growing pains in the adoption phase. One of the biggest growing pains for BYOD in the workplace is security. So what does a secure BYOD solution look like?

We have identified 3 key criteria for secure, network compliant BYOD solutions.

1. Routable TCP/IP Traffic with Adjustable Base Ports

The complexity of many corporate and campus networks is often matched only by their uniqueness. After all, the many subnets and VLANs included on the enterprise network were set up to serve the unique requirements of the specific organization. Therefore the likelihood of any other enterprise having the same network setup is infinitesimally small. This is why it’s so important that BYOD solutions that hit the network feature routable TCP/IP traffic with adjustable base ports – so the solution can be configured flexibly to fit the network without creating additional, unnecessary work for the IT department. This is also important in order to avoid violating IT policy, which could prohibit the deployment altogether.

2. Controlling Access from all those Devices

Another security risk associated with BYOD revolves around the regulation of access in the workplace once these devices are supported on the network. To take a common use case as an example, if a wireless BYOD presentation is taking place in the conference room, how do you prevent uninvited users from sharing content from their device and disrupting the meeting?

For this reason, access control is our second criterion for BYOD solutions. A solution to this challenge would be to offer multiple access modes that can be set in-room or remotely. Access could then also be locked by an admin or left up to users in the room to determine when beginning a session. Additionally, access control options could be dynamic, which means they could be changed during a meeting without interrupting the flow of information posted to the shared display.

In addition to these modes, it would be ideal if any session could be closed once all in attendance have joined. This combination of access control options creates secure access for nearly every type of meeting and use case.

3. Remote/Centralized Management

It’s a hard truth that nearly all technology crashes at some point or another, and those crashes can lead to big issues for the IT department and the network. That’s why remote/centralized control is such an important factor for BYOD solutions, especially large deployments.

Not having the ability to monitor, configure, and update BYOD solutions on your network from a remote/centralized work station makes larger, more complex deployments difficult to manage. Ideally, there would be a way to support remote/centralized management of every instance across the network. Network administrators could then monitor, configure, and update settings for any/all instances from their workstation anywhere on the network.

With BYOD becoming a standard in work spaces, security is and will remain a paramount concern and consideration for evaluating new solutions. The best solutions will work with your existing network and make it (relatively) easy for your IT department to securely deploy, monitor, and manage the system. BYOD presents many inherent risks, but many of these risks can and should be addressed by solutions that work within secure network environments.

Planning Network Security

The Need for Computer / Network Security:

Computer / network security includes:

Control of physical accessibility to computers / network
Prevention of accidental data erasure, modification, compromise
Detection and prevention of intentional internal security breaches and unauthorized external intrusions (hacking)

All three legs of the triangle must exist for a network intrusion to occur:
Motive: a reason to want to breach your security.
Means: the ability.
Opportunity: the chance to enter the network.
This last item is the administrator’s only chance at controlling events.

Principles of Network Security:
Network security goals are sometimes identified as:
Confidentiality: only the sender and intended recipient should “see” the message.
Integrity: sender and receiver want to make sure that the message is not altered in transit, or afterwards.
Authentication: the sender and receiver want to confirm each other’s identity.
Availability: services and resources must be available and accessible.

Understanding Risk Management:
A key principle of security is that no network is completely secure.
Information security deals principally with risk management.
The more important an asset, the more it is exposed to security threats, thus the more resources you must put into securing it.

Understanding Risk Management – 2:
In general, without training, administrators respond to a security threat in one of three ways:
Ignore the threat, or acknowledge it but do nothing to prevent it from occurring.
Address the threat in an ad hoc fashion.
Attempt to completely secure all assets to the utmost degree, without regard for usability or manageability.
None of these strategies take into account what the actual risk is, and all of them will usually lead to long-term failure.

What are Some Risks?
Eavesdropping: interception of messages.
Hijacking: taking over the role of a sender or receiver.
Insertion: of messages into an active connection.
Impersonation: spoofing a source address in a packet or any field in a packet.
Denial of service (DoS): prevent others from gaining access to resources, usually by overloading the system.

Managing Risk:
Once the assets and their corresponding threats have been identified, risk management can consist of:
Acceptance
Mitigation
Transference
Avoidance

Accepting Risk:
If you take no proactive measures, you accept the full exposure and consequences of the security threats to an asset.
You should accept risk only as a last resort when no other reasonable alternatives exist, or when the costs are extremely high.
When accepting risk, it is always a good idea to create a contingency plan.
A contingency plan details a set of actions that will be taken after the risk is realized and will lessen the impact of the compromise or loss of the asset.

Mitigating Risk:
The most common method of securing computers and networks is to mitigate security risks.
By taking proactive measures either to reduce an asset’s exposure to threats or to reduce the organization’s dependency on the asset, you are mitigating the security risk.
A simple example: installing antivirus software.

Transferring Risk:
Transferring security risk to another party has many advantages, including:
Economies of scale, such as insurance.
Use of another organization’s expertise and services.
Example: using a web hosting service.
When undertaking this type of risk transference, the details of the arrangement should be clearly stated in a contract known as a service level agreement (SLA).

Avoiding Risk:
The opposite of accepting risk is to avoid the risk entirely.
To avoid risk, you must remove the source of the threat, exposure to the threat, or your organization’s reliance on the asset.
Generally, you avoid risk when there are few or no possibilities for mitigating or transferring the risk, or when the consequences of realizing the risk far outweigh the benefits gained from undertaking the risk.
An example can be a military or law enforcement database that, if compromised, could put lives at risk.

Implementing Security:
Think of security in terms of granting the least amount of privileges required to carry out the task.
Example: consider the case of a network administrator unwittingly opening an e-mail attachment that launches a virus.
If the administrator is logged on as the domain administrator, the virus will have administrator privileges on all computers in the domain and thus unrestricted access to nearly all data on the network.

Defense in Depth:
Imagine the security of your network as a series of layers.
Each layer you pull away gets you closer to the center, where the critical asset exists.
On your network, defend each layer as though the previous outer layer is ineffective or nonexistent.
The total security of your network will dramatically increase if you defend at all levels and increase the fault tolerance of security.
Example: to protect users from launching an e-mail-borne virus, in addition to antivirus software on the users’ computers, you could use e-mail client software that blocks potentially dangerous file types from being executed, block potentially dangerous attachments according to their file type, and ensure that the user is running under a limited user account.

Reducing the Attack Surface:
An attacker needs to know of only one vulnerability to attack your network successfully, whereas you must pinpoint all your vulnerabilities to defend your network.
The smaller your attack surface, the better chance you have of accounting for all assets and their protection.
Attackers will have fewer targets, and you will have less to monitor and maintain.
Example: to lower the attack surface of individual computers on your network, you can disable services that are not used and remove software that is not necessary.

Addressing Security Objectives:
Controlling physical access to servers, networked workstations, network devices, and the cabling plant.
Being aware of security considerations with wireless media related to portable computers.
Recognizing the security risk of allowing data to be printed out, and the risk involving floppy disks, CDs, tapes, and other removable media.

Recognizing Network Security threats:
To protect your network, you must consider the following:
Question: from whom or what are you protecting it?
Who: types of network intruders and their motivations.
What: types of network attackers and how they work.
These questions form the basis for performing a threat analysis.
A comprehensive threat analysis should be the product of brainstorming among people who are knowledgeable about the business processes, industry, security, and so on.

Classifying specific Types of Attacks:
Social engineering attacks
DOS attacks
Scanning and spoofing
Source routing and other protocol exploits
Software and system exploits
Trojans, Viruses and worms

It is important to understand the types of threats in order to deal with them properly.

Designing a Comprehensive Security Plan:
RFC2196, the Site Security Handbook.
Identify what you are trying to protect.
Determine what you are trying to protect it from.
Determine how likely the anticipated threats are.
Implement measures that will protect your assets in a cost-effective manner.
Review the process continually and make improvements each time a weakness is discovered.

Steps to Creating a Security Plan:
Your security plan will generally consist of three different aspects of protecting your network.
Prevention: the measures that are implemented to keep your information from being modified, destroyed, or compromised.
Detection: the measures that are implemented to recognize when a security breach has occurred or has been attempted, and possibly, the origin of the breach.
Reaction: the measures that are implemented to recover from a security breach to recover lost or altered data, to restore system or network operations, and to prevent future occurrences.

Security Ratings:
The U.S. government provides specifications for the rating of network security implementations in a publication often referred to as the Orange Book, formally called the DOD Trusted Computer System Evaluation Criteria, or TCSEC.
The Red Book, or Trusted Network Interpretation of the TCSEC (TNI), explains how the TCSEC evaluation criteria are applied to computer networks.
Canada has security rating systems that work in a similar way: CTCPEC.

Security Ratings – 2:
To obtain a government contract, companies are often required to obtain a C2 rating.
A C2 rating has several requirements.
That the operating system in use be capable of tracking access to data, including both who accessed it and when it was accessed.
That users’ access to objects be subject to control (access permissions).
That users are uniquely identified on the system (user account name and password).
That security-related events can be tracked and permanently recorded for auditing (audit log).

Protect People And Property With A Monitored Home Security Network

A monitored home security network provides homeowners an affordable and effective way to keep occupants safe and protect their investment in the house and its contents. These services monitor the property around the clock and every day of the year. Alarm systems alert the service provider in the event of burglaries, fires, medical emergencies, floods and other situations where the home’s occupants are in need of help.

The standard alarm system to prevent burglary or theft is a basic closed circuit that surrounds the house. Installers typically attach sensors to the hardware in doors, windows and other entryways. As long as the system remains activated, if someone forces open the window or door, the sensors will sound the alarm.

Systems installed outdoors often have motion sensors. If anyone walks near the sensors, bright lights will be turned on, thus exposing the intruder. This is often enough of a deterrent to convince the intruder to leave immediately.

Pet owners used to stay away from motion detectors because they were worried about false alarms. With advancements in technology, certain motion sensors are able to distinguish between humans and pets. The sensors use mass and weight parameters to tell the difference between a small pet and a human.

The system will usually include a digital keypad installed somewhere near the front entryway. Homeowners use a personal code to arm or disarm the system. The keypad may also provide a convenient and fast way to contact local police, fire and other emergency responders.

Some systems also include a keychain remote. With the remote, the homeowner can control the alarm system from anywhere inside the house with no need to walk to where the keypad is installed. The portable remote also works from outside the house within a certain distance.

Consumers should purchase a system that has battery backup. This feature is especially valuable in areas that frequently lose power due to storms. An emergency backup lets homeowners rest assured their property remains protected without interruption.

To discourage trespassers, homeowners can display yard signs and window decals in strategic places. Decals and signs indicate the property is protected by an alarm system. Burglars usually look for an easy target to exploit. They are far more likely to move along when they see any evidence of an alarm or surveillance system on the property.

Consumers can choose a system with a control panel that doubles as an intercom with two-way communications capabilities. With this setup, the control panel will respond to voice commands from almost anywhere inside the house. Residents can still request help from an emergency dispatcher even if something is preventing them from interacting directly with the control panel.

Homeowners with a reliable monitored home security network know that help will be on the way at the first sign of a fire, break-in or any other type of emergency. They can relax when they travel knowing their property is under protection 24 hours a day. Purchasing a security system is a wise investment because it can save lives and protect your property.