
Question

For this part of your project, you will focus on wireless networking security.

Bering (Chicago) has decided that it needs to redesign its manufacturing floor network by opening it up to wireless access, so that those responsible for the flow of the manufacturing facility will have the ability to move around and access the manufacturing and customer databases anywhere and at any time on the floor using a variety of mobile devices.

However, having wireless access within the facility can potentially open up the network to a variety of attacks. These threats can come from individuals visiting the office, users within the office/on the floor and possible external threats (for example, the signal can be picked up outside the office as leakage as it is an easily intercepted medium and does not require a physical connection.)

You have been charged with addressing this redesign. In addition, you need to be aware of how your design will support policies regarding Bring Your Own Device (BYOD) and wireless communication. Review the example policies provided as reading for this Module as examples of the typical requirements that make up these policies.

Note: Workers on the factory floor use a mixture of devices including tablets and laptops.

You are required to create a design proposal in which you:

Create a wireless access point diagram using the provided Floor Plan. Consider and note placement of all wireless access points:

Diagram the placement and area of the signal coverage.

Ensure overlap of wireless signals and ensure there are no "blank spots".

Minimize any potential signal leakage outside the facility.


Address the following in the written part of your proposal:

Analyze vulnerabilities of mobile devices in regard to usability and scalability based on your research and suggest methods to mitigate the vulnerabilities of mobile devices.

Explain what types of devices you would use and any updates you would make to your previous networks diagram. Note: You are NOT updating the diagram itself.

How do you plan to protect the network from rogue access points?

How should all wireless access points be secured/hardened?

Justify whether you are going to allow a guest network or not and if you are, how will you protect the network?

Discuss how your design will support policies regarding Bring Your Own Device (BYOD) and wireless communication. Be sure to tailor this part of your project so that it is technically comprehensive and clear but does not rely on technical language to meet the expectations of the target audience of non-technical, executive leadership, and customers. Note: Review the example policies provided as reading for this Module as examples of the typical requirements that make up these policies.

Provide a brief Executive Summary of how your design is meeting the strategic goals of the company outlined in the Course Project Introduction if applicable.
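As an added worked example (not part of the assignment text or of any submitted proposal), the survey below checks the three placement requirements above, blank spots, overlap and leakage, on a 1 m grid of a constructed 60 m x 40 m floor. The log-distance path-loss model, its exponent, the 15 dB exterior wall loss, the -67 dBm usable and -80 dBm leakage thresholds, and the access point positions and powers are all assumptions chosen to show the trade-off between transmit power and leakage.

```python
import math
from dataclasses import dataclass

# Constructed propagation assumptions (not from the assignment): log-distance
# path loss with indoor exponent N on 2.4 GHz channel 6, and an exterior wall
# that costs WALL_LOSS_DB for any signal reaching the outside of the building.
FREQ_MHZ = 2437.0
N = 3.5
WALL_LOSS_DB = 15.0
PL_1M = 20 * math.log10(FREQ_MHZ) - 27.55   # free-space loss at 1 m, about 40.2 dB
USABLE_DBM = -67.0   # weakest signal still usable by a data client on the floor
LEAK_DBM = -80.0     # signal outside strong enough to be picked up from the car park

@dataclass
class AccessPoint:
    x: float
    y: float
    tx_dbm: float    # configured EIRP of the access point

def rssi(ap, x, y, outside=False):
    """Predicted received signal (dBm) at floor-plan point (x, y) from one AP."""
    d = max(math.hypot(ap.x - x, ap.y - y), 1.0)
    loss = PL_1M + 10 * N * math.log10(d) + (WALL_LOSS_DB if outside else 0.0)
    return ap.tx_dbm - loss

def survey(aps, width, depth, margin=5):
    """Sample a 1 m grid inside the floor and a margin outside its walls.

    Returns counts of blank spots (no usable AP), overlap points (two or more
    usable APs, needed for roaming) and leakage points (usable outside).
    """
    blank = overlap = leak = 0
    for x in range(width + 1):
        for y in range(depth + 1):
            hits = sum(1 for ap in aps if rssi(ap, x, y) >= USABLE_DBM)
            if hits == 0:
                blank += 1
            elif hits >= 2:
                overlap += 1
    for x in range(-margin, width + margin + 1):
        for y in range(-margin, depth + margin + 1):
            if 0 <= x <= width and 0 <= y <= depth:
                continue   # inside the building, already surveyed above
            if any(rssi(ap, x, y, outside=True) >= LEAK_DBM for ap in aps):
                leak += 1
    return {"blank": blank, "overlap": overlap, "leak": leak}

def four_ap_plan(tx_dbm):
    """Four APs on a 2x2 grid, each 15 m from the nearest wall (constructed layout)."""
    return [AccessPoint(15, 10, tx_dbm), AccessPoint(45, 10, tx_dbm),
            AccessPoint(15, 30, tx_dbm), AccessPoint(45, 30, tx_dbm)]

if __name__ == "__main__":
    for name, plan in [("single AP, 20 dBm", [AccessPoint(30, 20, 20)]),
                       ("four APs, 20 dBm", four_ap_plan(20)),
                       ("four APs, 10 dBm", four_ap_plan(10))]:
        print(name, survey(plan, 60, 40))
```

The four-AP plan at 20 dBm removes every blank spot but still leaks outside the walls, while dropping the same APs to 10 dBm stops the leakage and brings the blank spots back; closing that gap needs more APs placed further from the walls, not more power.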

Explanation / Answer

Any BYOD solution should have the following 5 components:

Mobile Devices

Mobile devices typically need to support multiple security objectives. These can be accomplished through a combination of security features built into the mobile devices and additional security controls applied to the mobile devices and other components of the enterprise IT infrastructure. The most common security objectives for mobile devices are as follows:

To achieve these objectives, mobile devices should be secured against a variety of threats. Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices. Before designing and deploying mobile device solutions, organizations should develop system threat models for the mobile devices and the resources that are accessed through the mobile devices. Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added. The major security concerns for these technologies that would be included in most mobile device threat models are discussed below.

Mobile devices are typically used in a variety of locations outside the organization's control, such as employees' homes, coffee shops, hotels, and conferences. Even mobile devices used only within an organization's facilities are often transported from place to place within the facilities. The devices' mobile nature makes them much more likely to be lost or stolen than other devices, so their data are at increased risk of compromise. When planning mobile device security policies and controls, organizations should assume that mobile devices will be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization's remote resources.

The mitigation strategy for this is layered. One layer involves protecting sensitive data—either encrypting the mobile device's storage so that sensitive data cannot be recovered from it by unauthorized parties, or not storing sensitive data on mobile devices. Even if a mobile device is always in the possession of its owner, there are other physical security risks, such as an attacker looking over a teleworker's shoulder at a coffee shop and viewing sensitive data on the mobile device's screen (e.g., a password being entered). A second mitigation layer involves requiring authentication before gaining access to the mobile device or the organization's resources accessible through the device. A mobile device usually has a single authenticator— not a separate account for each user of the device—as it is assumed that the device has only one user. So there is no username, just a password, which is often a personal identification number (PIN). More robust forms of authentication, such as domain authentication, can be used instead of or in addition to the built-in device authentication capabilities.

Mobile devices come in all shapes and sizes, from smartphones, notebooks and tablets, to the new-breed hybrid convertibles and detachables that made headlines at the Consumer Electronics Show 2013. While mobility boosts enterprise employee efficiency by delivering "anywhere access" to business data and systems, it obliterates what's left of the increasingly ineffective corporate network perimeter.

Many security managers have already discovered the disconcerting implications: less control than ever over enterprise data access from a myriad of consumer devices—including a groundswell of bring your own devices (BYODs)—and more difficulty determining which devices are accessing which systems and data.

So it's no surprise that as use of personal mobile devices grows and becomes pervasive inside and outside the office, employers are struggling to enable secure use of BYODs. Anthony Peters, director of information technology at Burr Pilger Mayer Inc., a 400-strong financial services firm headquartered in San Francisco, said his tidy, policy-driven corporate BlackBerry world was shattered several years ago by the Apple iPhone craze.

"Today, we're almost entirely BYOD," Peters said. "We allow iPhone 3GS and above, Windows Mobile and Android. We have just 7 BlackBerrys left that I'm hoping to retire soon."

Burr Pilger Mayer is not alone. Enterprise BYOD adoption rates vary by region and industry, but by analyst estimates, have reached 40% to 75%—driven largely by consumer smartphones and tablets. According to Black Diamond, Wash.-based market research firm Osterman Research, there are now nearly twice as many personally owned iPhones, iPads and Android devices today than their corporate-issued counterparts. Simply banning BYODs from the workplace rarely works.

"Ask anyone who says they don't have BYODs to review their logs—I guarantee they'll find Mobile Safari," said Dave Martin, vice president and CSO at Hopkinton, Mass.-based EMC Corp. "Disallowing BYODs just pushes them underground where you lose visibility. I'd rather see BYODs and deal forensically with risks than try to convince myself that I can block them outright. Experience has shown that's a failed strategy; users find a way in. But if you're too permissive, you're open to data loss. We are unable to lock down BYODs in the same way, so we need to be smarter about how we use them."

Getting a handle on BYOD risks

BYODs pose many business risks; some widely recognized and others less-understood. The Security for Business Innovation Council—a team composed of Global 1000 information security leaders—cited lost or stolen BYODs as its top concern. The danger here is clear: Although BYODs that go missing may well contain sensitive data, according to Osterman Research, less than 1 in 4 can be remotely wiped.

What's more, employers often cannot assess data breach exposure on unmanaged BYODs. "It comes down to losing control of your data," Martin said. "When email is retrieved [over cellular] and opened on a BYOD, I lose visibility into data access. In a phishing attack, I'd have no idea it even happened, and I [would] lose any chance of [forensic investigation]."

When BYODs bypass inbound filters normally applied to corporate devices, they're vulnerable to malware—a fast-growing risk, particularly in regard to Android devices. BYODs that bypass outbound filters elevate risk of non-compliance with data privacy laws and regulatory requirements. As BYOD use grows, so will the frequency of these risky behaviors.

It's tempting to tackle these risks by locking BYODs down just like corporate devices, but organizations that have tried run head-long into personal privacy barriers. "In the beginning, we had a lot of push-back," Peters said. "[Users worried there would be] too much Big Brother and we'd be too involved in their personal lives. We talked to senior management, HR and legal from the start, spending significant time with individuals, showing them how [BYOD security policies] would work. That was really helpful in policy design."

Balancing BYOD risk versus privacy

BYOD agreement checklist

A BYOD agreement checklist recommended by the Security for Business Innovation Council includes:

Source: "Realizing The Mobile Enterprise," Security for Business Innovation Council, published by RSA Security.

This push-back is precisely why many mobile device management (MDM) vendors are adding more granular policies and tools. For example, some MDM products can now be configured to collect and display location and call histories from corporate devices, but not BYODs. Such options emerged because employers with international presence face additional risk when it comes to privacy regulations.

"Lack of clarity—especially for multi-nationals with EMEA presence—is giving employers pause," said John Marshall, CEO of AirWatch, an MDM vendor based in Atlanta. "They don't want to allow BYOD as a convenience and then find they're not in compliance with some country's regulations. We're seeing customers being more careful about personal privacy expectations—not inventorying personal apps installed on BYODs, [and] not wiping personal data on BYODs, and the like."

Although regulations vary from country to county, many require informed consent to access personal information. This has given rise to enrollment processes that notify users about all possible MDM capabilities, whether employed or not, followed by customized "terms of service" that describe how the employer intends to manage the BYOD—what information will be collected, what actions can be taken, and what workers must agree to in order to complete enrollment and gain access to business data and systems.

An organization can address many BYOD privacy and compliance concerns by focusing on business assets. "We'll always have to manage devices; we'll always have to manage users, but what we manage about them can be narrower," said Jonathan Dale, marketing manager with Blue Bell, Pa.-based mobile service provider Fiberlink Communications Corp. He said it is now possible and preferred for IT to secure mail, apps, content and users' browser experience by applying different policies to certain user groups.

The MDM market is flooded with vendors offering integrated and standalone tools to manage sandboxed enterprise applications, corporate data containers and secure Web browser environments. "If you're just managing apps or content, there's no way you can make a mistake and see or wipe personal data," Marshall said. "This approach generally allows a company to extend BYOD to a much larger audience."

Policies that work for BYODs

At Burr Pilger Mayer, which uses Fiberlink's Maas360 Software as a Service (SaaS)-based MDM product, BYODs are redirected to an enrollment portal, where user and device eligibility is determined. "Next, users must agree to give IT some control—for example, if your device goes missing, call us first so that we can wipe your phone before you call your provider," Peters said. "Then we apply PIN length/change, encryption and wipe requirements."

These controls are widely embraced by the industry as table stakes for all devices. But BYOD success or failure lies in policy specifics. "Many people want to treat smartphones like desktop extensions. This is a disaster in practice," said Ahmed Datoo, chief marketing officer of Citrix Inc.'s Zenprise MDM unit. "Smartphone users don't have the patience to tap in eight-character passcodes, including caps and numbers—especially given frequent re-entry. All it takes is one device wipe accident and users will start removing [IT-managed controls]."

In fact, 26% of the 500,000 corporate and BYODs under Fiberlink MaaS360 control have policies that don't require passcodes. Of the rest, 53% require a 4-5 digit PIN, 16% 6-7 digits, and a mere 2% require alphanumeric passcodes, Dale said. While a malicious hacker could more easily crack a short PIN once he or she has possession of a device, it appears that employers are willing to accept that risk in trade for basic device restrictions, visibility and as-needed control.

For restrictions, full-device encryption is standard-issue on iPhones, iPads, BlackBerrys and brand-new Windows 8 phones, but only a subset of Androids. Dale reported that 44% of MaaS360 policies enforce encryption on Android devices. A growing number of employers may be adopting strategies similar to Burr Pilger Mayer, namely allowing unencrypted Androids, but compensating by storing corporate documents in a secure data container or using self-encrypted/authenticated sandboxed applications.

"We make sure that our documents are encrypted and prevented from getting into the wrong hands," Peters explained. "We also track which documents people download and when they are synchronized with the cloud or forwarded." By focusing [on] only these business assets, Peters said the company has been able to fully embrace BYOD without risking non-compliance or losing its ability to control and report on access.

Avoiding BYOD security management pitfalls

Limited BYOD management also enables more granular wipe. "Selective wipe has become the de facto standard," Dale said. "Our customers are no longer using full-device wipe on either corporate or BYO devices."

Wiping only corporate settings, data and apps can protect business assets while leaving personal data and settings intact. Here again, policy matters: A scorched earth approach may mitigate business risk, but it removes MDM control and visibility, inhibiting assisted remediation. Instead, a more measured approach begins with user/IT notification, followed by as-needed escalation.

For example, Burr Pilger Mayer uses blacklists to detect when data-sharing apps are installed. "We go talk to employees about what they're using apps for and not to share our data," Peters said. "If we see that same app on 100 devices, we can assess the trend and decide how to respond."

At Zenprise, customer use of blacklists and whitelists is growing for different reasons. "If you look at blacklisted apps, they're either games or sharing apps like Dropbox," Datoo said. "Step back and consider why users download these. They aren't looking to bypass security; they're just trying to be productive. IT should think about how to meet those needs more securely, such as letting devices link to SharePoint docs, surrounded by data leak prevention."

Focusing on enablement

Enablement is a common thread among many organizations with large, successful BYOD populations. Rather than thinking of BYOD as the replacement of corporate devices, Marshall said it's better to conceptualize it as a strategy to enable mobility for those who never carried corporate devices—a formal BYOD program with automated, over-the-air onboarding and configuration can do wonders for productivity.

Integration between MDM and network infrastructure to automate on-boarding is growing, while precisely what those BYODs can access is shrinking. "We want to make our network easy to access and provide value, but if we gave BYODs access to legacy systems, that would be a miserable experience," EMC's Martin said. Instead of allowing BYODs to access core network resources, the company selectively publishes enterprise data to new mobile apps; users get the data they need, and the company ensures it can be accessed securely and wiped quickly and easily if necessary.

Dale sees growth in geo-fencing, combining current location with policy, such as disabling cameras on mobile devices when they are inside high-security areas. "We see geo-fencing used in education and retail to enforce policies that prohibit taking pictures of students or require secure Web browsing on campus," he said. "Geo-fencing can be great for use cases where it's helpful to re-provision the device based on location."

To ensure safe, effective use of BYOD in the enterprise, Martin said IT and security teams should work in partnership to assess emerging tools such as data containers and sandboxed apps while getting started with basic controls. Those controls can allow for less arbitrary permit/deny decisions each time a user carries in a new type of device.

"If you're doing nothing about BYODs, don't sit on the fence and wait," Martin said. "There's significant risk that can be addressed at relatively little cost."
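As an added example (not code from the answer above or from any MDM vendor it names), the policy check below turns two of the practices described into a single device check-in evaluation: the measured escalation for blacklisted data-sharing apps (notify first, selective wipe of only the corporate container after repeated sightings, and a fleet-wide count to spot the "same app on 100 devices" trend) and geo-fencing that switches a device to a camera-off profile inside a high-security area. The bundle identifiers, strike thresholds and the zone polygon are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed policy inputs; the app identifiers are hypothetical placeholders.
BLACKLIST = {"com.example.filesharer", "com.example.game"}
QUARANTINE_STRIKES = 3        # consecutive check-ins still showing a blacklisted app
FLEET_TREND_THRESHOLD = 100   # the "same app on 100 devices" signal from the text
# High-security area as (x, y) metres on the floor plan (constructed rectangle).
HIGH_SECURITY_ZONE = [(40, 0), (60, 0), (60, 15), (40, 15)]

@dataclass
class DeviceReport:
    device_id: str
    apps: set          # installed app identifiers reported by the MDM agent
    location: tuple    # (x, y) metres from the last location fix
    strikes: int = 0   # prior consecutive check-ins that found a blacklisted app

def inside_zone(point, polygon):
    """Ray-casting point-in-polygon test; works for any simple polygon."""
    x, y = point
    inside = False
    for i in range(len(polygon)):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y):                         # edge straddles the scan line
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside

def evaluate(report):
    """Return (profile, action, new_strike_count) for one device check-in."""
    restricted = inside_zone(report.location, HIGH_SECURITY_ZONE)
    profile = "restricted-camera-off" if restricted else "standard"
    if not (report.apps & BLACKLIST):
        return profile, "compliant", 0                   # strike counter resets
    strikes = report.strikes + 1
    if strikes >= QUARANTINE_STRIKES:
        # Selective wipe of the corporate container only; personal data stays.
        return profile, "selective-wipe-corporate-container", strikes
    return profile, "notify-user-and-it", strikes         # talk to the user first

def fleet_trend(reports):
    """Blacklisted apps seen on enough devices to indicate an unmet productivity need."""
    counts = Counter(app for r in reports for app in r.apps & BLACKLIST)
    return {app: n for app, n in counts.items() if n >= FLEET_TREND_THRESHOLD}

if __name__ == "__main__":
    # Constructed check-ins: a tablet in the high-security zone with a sharing app,
    # and a laptop elsewhere on its third consecutive sighting of a blacklisted game.
    checkins = [DeviceReport("tab-01", {"com.example.filesharer", "com.acme.erp"}, (50, 5)),
                DeviceReport("lap-03", {"com.example.game"}, (10, 10), strikes=2)]
    for r in checkins:
        print(r.device_id, evaluate(r))
    print(fleet_trend(checkins))
```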
