Okay, so you've got this big meeting coming up about BYOD security, right? And I bet you're feeling a little overwhelmed by all the information out there. But that's exactly why we're doing this deep dive. We're going to take NIST's guide to securing BYOD environments so you can walk into that meeting feeling like a total BYOD security pro.

Yeah, I think everyone has that moment of, like, okay, how do I even begin to tackle this? It's a beast of a topic, for sure.

It really is. And you know, it's interesting, because BYOD is so great for flexibility. Everyone loves that. But then you get hit with all these security and privacy risks.

It's like a double-edged sword, right? You want the convenience, but then you have to worry about all the potential downsides.

Exactly. And I think that's exactly why NIST decided to create this guide in the first place. They recognized that BYOD was going to be a major challenge for organizations, so they wanted to provide a framework, some guidance, to help people navigate it.

They knew this wasn't going to be easy.

Not at all. The guide actually says straight up that BYOD can be a security pro's worst nightmare. You've got all these different devices, different operating systems, different apps, different user habits. It's just a lot to keep track of.

Yeah, you're basically dealing with the wild west of technology.

Right, exactly. And NIST doesn't shy away from that complexity, which is why their guide is so extensive.

Right, it's thorough, but they do a good job of breaking it down into digestible chunks. Like, they've got an executive summary for those who just need a high-level overview.

Kind of like, here's the big picture, don't worry about the details.

Exactly. Then they dive deeper into the approach and architecture.

So that's where they get into the why and the how of securing BYOD, right?

You got it. And then for the truly hardcore tech folks, they've got a whole section on implementation guidance. That's where the rubber meets the road, the nitty-gritty details of making all this stuff work.

Exactly. And what's really interesting to me is that NIST took a much broader approach to risk assessment than we typically see. They didn't just look at the obvious external threats like hackers and malware. They also delved into internal vulnerabilities and even what they call problematic data actions.

Problematic data actions? Hmm, that's a new one for me.

Yeah, it's basically NIST acknowledging that even with the best of intentions, sometimes the way we try to secure BYOD can actually end up compromising employee privacy.

Oh, I see where you're going with this. Give me an example.

Okay, so let's say your company has a policy that allows IT to remotely wipe a device if it gets lost or stolen. Seems reasonable, right? You don't want sensitive data falling into the wrong hands.

Sure.

But what if that wipe accidentally deletes all of the employee's personal photos, their contacts, their messages?

That's a major invasion of privacy.

Exactly. And it can happen.

So even with good intentions, there can be unintended consequences.

Absolutely. And that's why NIST is trying to highlight these potential pitfalls. They want organizations to think carefully about how their security decisions might impact employee privacy.

That's about finding that balance, right?

Exactly. And to help us understand the full range of threats and vulnerabilities, NIST put together this thing called the NIST Mobile Threat Catalogue.

The Mobile Threat Catalogue?

Yeah, it's basically a laundry list of everything that can go wrong in a BYOD environment.

This is doubtless required reading for any security professional.

It really is. And they don't just focus on external threats. They actually get into some of the ways our own actions or our policies can lead to problems.

So it's not just about protecting ourselves from the bad guys out there. It's also about being aware of the mistakes we might make ourselves.

You got it. Self-awareness is key.

Okay, so let's dive into the Mobile Threat Catalogue. What are some of the things that really stand out to you, things that you think would make our listener go, oh wow, I need to be more careful?

Well, one that's super relevant to all of us is what NIST calls intrusive apps. They've got specific codes for these in the catalogue, APP-2 and APP-12, and it's basically the idea that we've all downloaded an app that seemed harmless at first, but then later we realized it was collecting way more information than it needed to.

Oh yeah, like that flashlight app that wants access to your microphone and contacts. What's that about?

Exactly. And the scary part is a lot of people just click accept on those permissions without really thinking about it.

That's true. We're all guilty of that.

And sometimes those apps are intentionally malicious, designed to steal data or spy on you. But other times it's just carelessness on the part of the app developers. Either way, it's a risk we need to be aware of.

It's like you can't even trust a flashlight app these days.

And then of course we've got good old-fashioned phishing scams. Those are still a major threat, especially on mobile devices, where we're often checking email on the go and might be more likely to click a bad link without thinking.

You know, you get that email from your bank saying you need to update your account info, and you're in a rush, so you just click the link without really looking closely.

Exactly. And that's all it takes for an attacker to gain access to your credentials. So phishing is a big one, and NIST has a specific code for this one too. It's AUT-9, and it highlights how attackers can trick people into giving up sensitive information through fake emails or text messages that look totally legit.

Oh yeah, those can be really convincing, especially when they use social engineering techniques like creating a sense of urgency or fear.

It's like they know exactly how to push our buttons.

It's scary how sophisticated they've become.

So we've got intrusive apps, we've got phishing scams. It's starting to feel like a minefield out there.

Yeah, and that's just the beginning. The Mobile Threat Catalogue goes into all sorts of other potential threats, and NIST really encourages organizations to do their own threat analysis, taking into account their specific industry, their employees, the data they handle. Because, you know, the threat landscape is constantly changing, so what's a major risk today might be old news tomorrow.

So it's not enough to just read the guide once. You've got to keep coming back to it, making sure your strategy is up to date.

Exactly. Think of it as your BYOD security bible, something you refer to regularly.

Okay, so we've painted a pretty grim picture so far, but there's got to be a solution, right? NIST wouldn't just leave us hanging with a list of all the ways BYOD can go wrong without offering some guidance on how to fix it.

Of course not. That's where the real meat of the guide comes in. They actually lay out a pretty robust example solution, and it's based on this idea of a layered security approach.

Okay, so instead of putting all our eggs in one basket, we're building a fortress with multiple layers of defense.

You got it. And NIST has assembled a whole team of security technologies to help us build this fortress. Now keep in mind, these are just examples, not endorsements. Every organization has to figure out what works best for them, but the guide gives us a great starting point.

Okay, I like the sound of this. So who are the key players on this security dream team?

Well, first up, you've got the trusted execution environment, or TEE. Now this one gets a little technical.

Uh oh, jargon alert.

Don't worry, I'll keep it simple. Think of the TEE as a little vault on the device itself. It's designed to protect your most sensitive data and operations even if the phone is compromised.

So even if a hacker managed to get into my phone, the really important stuff would still be locked away in this vault.

Exactly. It's a pretty nifty piece of technology, and companies like Qualcomm have been instrumental in developing it.

Okay, that's one layer of defense. What else have we got?

Next up is enterprise mobility management, or EMM. Now this is your IT team's secret weapon. It's basically a control panel for managing and securing all those BYOD devices.

So this is where IT gets to play Big Brother.

Well, kind of, but it's more about giving them the tools to enforce security policies, push out updates, even wipe devices remotely if they need to.

Okay, but hopefully with some safeguards to prevent those accidental data wipes we talked about earlier.

Absolutely. You always have to think about the privacy implications. And there are tons of EMM solutions out there, each with its own quirks. NIST actually highlights IBM's MaaS360 as one example in their guide.

Okay, so we've got our secure vault on the device itself, and then we've got our IT control panel. What's next?

Well, no security fortress is complete without a good moat and drawbridge, right?

Oh, I see where you're going with this. Tell me more.

That's where the virtual private network, or VPN, comes in. You can think of it like an encrypted tunnel for your data. So even if you're working from a coffee shop with dodgy Wi-Fi, your data is still protected from eavesdroppers.

So basically the VPN is our invisibility cloak, keeping our data safe as it travels across the internet.

I like the way you think. And companies like Palo Alto Networks have been big players in the VPN space, providing that extra layer of security.

Okay, this security dream team is shaping up nicely. Who else is on the roster?

Next up we've got our app bouncer: app vetting. This is where things get really interesting, because it's about being proactive, stopping threats before they even get a chance to cause trouble.

So instead of just reacting to attacks, we're putting a system in place to make sure that only trustworthy apps are allowed on the devices in the first place.

Exactly. Think of it like a security checkpoint for your apps. And in NIST's example, they highlight a company called Kryptowire. Their technology can actually analyze apps for things like malware, data leakage, even sneaky permissions that might be trying to access your data without your knowledge.

That's wild. So they're basically doing background checks on all the apps before we let them into the party.

That's a great way to put it, and it's a crucial part of a layered security approach.

Okay, I'm loving this analogy. So who's the last member of our security A-team?

Last but definitely not least, we have mobile threat defense, or MTD. This one is like your personal bodyguard, always on the lookout for suspicious activity, ready to take action.

Ooh, so MTD is like our 24/7 security detail, scanning for threats and neutralizing them before they can do any damage.

Exactly. And in NIST's example, they tapped a company called Zimperium for this role. Their technology can detect and block all sorts of mobile threats, from malware and phishing attacks to network intrusions. It's pretty impressive stuff.

Okay, I'm sold. This security dream team sounds like they could take on anything. But here's the million-dollar question: did NIST actually test this solution out in the real world?

You bet. They built a whole simulated BYOD environment in their lab, and they put this layered security approach through the wringer.

Okay, drum roll please. What happened?

Well, one of the key takeaways is that the combination of EMM and VPN is like an impenetrable wall when it comes to blocking unmanaged devices. They simulated an attack where someone tried to connect with a device that wasn't authorized, and bam, the system shut it down immediately.

Oh, I love it. It's like that scene in a heist movie where the laser grid appears and the bad guys are like, nope, not today.

Exactly. It was really effective. And remember that whole issue with selective wiping potentially deleting personal data? Well, NIST's testing showed that it can work, but it's not foolproof. They actually found that IT might need to implement extra controls to prevent accidental data loss.

So even with the best intentions and the latest technology, there's still room for human error.

Always. And that's why having clear policies and procedures, as well as employee training, is just as important as the technology itself.

Right. You could have the best security system in the world, but if someone leaves their phone unlocked at a coffee shop, it's all for nothing.

Exactly. And that actually brings us to another interesting finding from NIST's testing. App vetting, while super valuable, is only as good as the policies you put in place. You have to decide which apps are allowed, which ones are banned, what level of scrutiny each app will undergo.

So it's not just about having the technology, it's about using it wisely.

Absolutely. You have to be thoughtful about your app vetting strategy and make sure it aligns with your overall security goals.

Wow, this is a lot to take in.

I know, right? But hopefully you're starting to see how NIST's guide can be a real lifesaver for organizations trying to navigate the murky waters of BYOD security.

Totally. It's like they've given us a flashlight to help us see through the darkness.

Exactly. And the best part is they even go deeper in Volume C of the guide, providing detailed instructions for actually implementing each component of the security solution. So if you're a techie who loves to tinker, they've got you covered.

So it's like a choose-your-own-adventure. You can go as deep as you need to.

Yeah, depending on your level of expertise and how much you want to customize your setup.

You got it. And all this information is freely available on NIST's website, which is pretty awesome.

This has been so helpful. I feel like I've gone from feeling overwhelmed to actually being excited to tackle this BYOD challenge.

That's what we like to hear. And remember, BYOD security is an ongoing journey, not a destination.

Okay, so before we move on to part two, I want to leave you with a question to ponder. What surprised you most about what we've discussed today, and what are you going to prioritize for your own BYOD strategy?

That's a great question. And keep in mind, the NCCoE, the National Cybersecurity Center of Excellence, is always there to help if you have specific questions. Don't be shy, reach out.

So till next time, stay curious and keep on diving deep. See you in part two.

It's kind of funny when you think about it.

What's that?

We always talk about BYOD security in these big abstract terms, you know, threats, vulnerabilities, policies. But at the end of the day, it's all about protecting real people and their data.

Yeah, absolutely. And those real people, let's be honest, they're already juggling, like, a million things: multiple devices, apps, work projects. And then we add security on top of all that. It can feel kind of overwhelming, right?

It can. And that's why I think NIST's focus on those problematic data actions is so important. It forces us to think about the human impact of our security decisions. We're not just securing gadgets. We're dealing with people's lives, their work, their personal information. It's a big responsibility.

Yeah, it really is. It's easy to get lost in the technical stuff and forget that there are real people on the other side of all these policies.

Exactly. And those people need to be able to actually use their devices effectively. You don't want to create a security fortress that's so impenetrable that nobody can get any work done.

It's all about finding that balance between security and usability.

And that's the real challenge.

Yeah, that's where it gets tricky. It's like walking a tightrope.

It is. Too much security and people get frustrated. Too little and you're leaving yourself open to all sorts of risks.

Exactly. It's a delicate dance, that's for sure. But the good news is NIST's guide gives us a framework to think through all of this. They acknowledge that there's no one-size-fits-all solution. Every organization is different. They have their own culture, their own risk tolerance, their own security needs.

So it's more like a starting point, a set of guiding principles that you can adapt to your own situation.

Exactly. Think of it as a security toolbox. NIST shows you what tools are available, how they work, and then you get to decide which ones are right for you.

So you build your own security dream team.

You got it.

Okay, I want to go back to the NIST Mobile Threat Catalogue for a minute. We talked about intrusive apps and phishing earlier. What else should we be aware of? What are some of the threats that might not be so obvious?

Well, one that's particularly relevant to BYOD is TE-3, which deals with outdated phones. Remember, we're talking about employees using their personal devices here, so you don't always have control over what software they're running.

Oh yeah, that's a good point. And I'm guessing older phones are more likely to have security vulnerabilities.

Absolutely. They might be running outdated operating systems that haven't been patched for known security flaws, or they might not have the latest security features built in.

So it's kind of like driving a car with bald tires and no airbags.

Exactly. You're just asking for trouble. And this is why NIST really stresses the importance of keeping devices up to date.

But with BYOD, you can't really force employees to upgrade their personal phones, right?

Right, you can't force them, but you can certainly encourage them to do so.

Yeah, maybe offer some incentives, like a discount on a new phone.

Exactly. You've got to make it appealing. And speaking of things that can be painful, let's talk about brute-force attacks. Those are covered under TE-5 in the catalogue.

Oh yeah, brute-force attacks. Those sound scary.

They can be. It's basically a trial-and-error method where an attacker just keeps trying different password or PIN combinations until they get lucky.

And with mobile devices it's even easier, because people tend to use shorter, simpler PIN codes.

That's right. And if an attacker gains physical access to your device, they can just keep trying different codes without being detected. It's different from a computer, where you might get locked out after a few failed attempts.

So it's like trying to break into a safe by just spinning the dial over and over again.

Exactly. And unfortunately, with enough time and persistence, this method can actually work.

So what do we do about it?

Well, NIST recommends a few things. First, encourage employees to use strong PIN codes, a combination of letters, numbers and symbols, and at least six characters long.

Okay, so longer is stronger.

Absolutely. And you can also configure devices to lock out after a certain number of failed attempts. This can really slow down attackers and make it much harder for them to guess the right code.

Smart. So we've covered outdated phones, brute-force attacks. Is there anything else lurking in the shadows of this Mobile Threat Catalogue?

Oh, plenty more. There's TE-6, which deals with how apps store credentials. This one gets a little technical, but the gist is that some apps don't do a great job of protecting passwords and other sensitive information.

Oh, so even if I have a super strong password, it could still be compromised if the app itself is flawed.

That's right. It's like having a high-security vault but then leaving the key under the doormat.

Yikes. So what's the solution here? Do we just tell employees to delete all their apps?

Well, not quite, but it does underscore the importance of that app vetting process we talked about earlier. If you're carefully screening the apps that are allowed on devices, you can significantly reduce the risk of introducing these kinds of vulnerabilities.

Right, so it's not just about having strong passwords and keeping your phone updated. It's about choosing the right apps in the first place.

You got it. App vetting is a powerful tool in the BYOD security arsenal.

Okay, so we've talked about a lot of potential problems, but I want to circle back to the solutions for a minute. You mentioned earlier that NIST actually tested out their layered security approach in their lab. What were some of the key findings? What actually worked?

Well, one of the things that really stood out was how effective that combination of EMM and VPN was at blocking unmanaged devices. Remember that laser grid analogy we talked about earlier? It played out perfectly in their tests.

I love it when a plan comes together. No unauthorized access allowed. What else did they learn?

Well, remember how we talked about selective wiping being a bit tricky? They found that it can be a good way to protect employee privacy, but it's not always as precise as we'd like it to be.

So even with the best intentions, there's still a risk of accidentally deleting personal data.

It's possible. It really depends on how the device is configured, how the data is stored. There are a lot of technical factors involved. The takeaway for me was that selective wiping is a powerful tool, but it needs to be used with caution, and you need to have really clear policies in place to guide its use.

Makes sense. It's not a button you want to just hit randomly. So what about those privacy settings we were talking about earlier, things like location tracking and app usage monitoring? Did NIST have any insights on how to handle those?

They did. And this is where it gets really interesting, because they found that while you can restrict data collection from BYOD devices, it often comes with a trade-off.

A trade-off? What do you mean?

Well, for example, if you disable location tracking, you might lose the ability to remotely locate a lost or stolen device.

Oh, I see.

Or if you restrict access to certain apps, employees might not be able to access resources they need for their work.

So it's a balancing act, trying to find that sweet spot where security and privacy can coexist without sacrificing usability.

Exactly. And NIST's guide really helps us think through those trade-offs and make informed decisions. It's all about finding the right balance for your organization and your employees.

Okay, so let's bring it back to our listener who's prepping for that big BYOD meeting. What are some key takeaways they can use to impress their colleagues, maybe even their boss?

Well, for starters, they can show that they really understand the nuances of BYOD security. They can talk about those less obvious threats, like outdated phones, brute-force attacks, and the importance of striking that balance between security and privacy.

It's like they have a secret weapon: knowledge.

Exactly. And they can talk about NIST's layered security approach, those different components like the trusted execution environment, enterprise mobility management, VPNs, app vetting, mobile threat defense. They'll sound like a total cybersecurity pro.

Oh, I love it. So they walk into the meeting armed with knowledge, ready to tackle any BYOD challenge that comes their way.

That's right. And even if they don't have all the answers, they'll know where to find them, in the trusty NIST guide.

So they're not just prepared for this meeting, they're prepared for anything BYOD throws at them.

Exactly. They've got the knowledge, the tools and the mindset to create a secure and privacy-conscious BYOD environment.

This is awesome. I feel like I could walk into that meeting myself now.

I'm sure you could. And remember, BYOD security is a journey, not a destination. The threats are always changing, so it's important to stay informed and adapt your strategies accordingly.

Okay, before we wrap up this part of the deep dive, I have a question for you. If you could wave a magic wand and instantly change one thing about BYOD security, what would it be?

Hmm, that's a great question. I think I would make everyone, and I mean everyone, from the CEO to the newest employee, instantly understand the importance of striking that balance between security, privacy and usability.

Ooh, that's a good one. If everyone truly understood the shared responsibility aspect of BYOD security, it would make a huge difference.

Absolutely. It's not just an IT problem. It's something we all need to be invested in.

Well said. So until next time, stay curious and keep on diving deep. See you in part three.

All right, welcome back to the show. It's time to wrap up our deep dive into BYOD security, and honestly, I feel like my brain is bursting with new knowledge after going through this NIST guide with you.

It's a lot to take in, for sure. But that's why we're here, right? To break it down and make it digestible so you can actually use this information.

Exactly. So before we officially close things out, I want to kind of zoom out, look at the big picture. We've covered so much ground: risk assessments, that tricky balance between security and privacy, NIST's whole layered approach to keeping those BYOD devices locked down. If you had to boil it all down, what are the key takeaways that will really help our listener make their BYOD program a success?

You know, I think one of the biggest things that stands out to me is this idea that BYOD security is not a one-time fix. It's a journey, a process of continuous improvement.

Okay, I like that. Journey.

Because the threats are always evolving. New vulnerabilities are popping up all the time, so your strategies, your solutions, they need to be able to keep pace.

So it's not like you can just set a policy in place and then forget about it.

Absolutely not. It's an ongoing process. You've got to be constantly assessing your risks, implementing solutions, monitoring how they're working, making adjustments as needed, and then repeating the whole cycle.

So it's like a feedback loop, always evolving.

Exactly. And that actually brings me to another really important point: the need for collaboration.

Ooh, tell me more about that.

Well, BYOD security isn't just an IT issue. It impacts every part of the organization. You need folks from HR, legal, operations. Everyone needs to be on the same page to make sure your policies are actually workable, that they're aligned with the overall business goals.

So it's about breaking down those silos, getting everyone talking to each other.

Exactly. The more communication, the better. And here's a thought: don't forget about your employees.

Oh yeah, they're the ones who are actually using these devices every day.

Exactly. And their input, their feedback, it's incredibly valuable. It's so easy to get caught up in the technical details, the policies, the procedures, and forget that there are actual human beings who are impacted by all of this.

Mm, exactly. And those human beings, they might see things from a different perspective. They might highlight potential problems that we've overlooked.

Like, hey, this security measure is making it impossible for me to do my job.

Exactly. So talk to your employees. Ask for their input on policies. Be open to their feedback. It'll make your BYOD programs stronger and more effective in the long run.

Makes sense. Happy employees, happy security team.

Exactly. And while we're on the topic of people, I want to circle back to privacy for a moment. We talked earlier about how some BYOD policies can feel intrusive. You know, they can blur the lines between the company's need for security and the employee's right to privacy. How do we navigate that tricky territory?

It's definitely a tough one. And I think the NIST guide really hits the nail on the head here. They emphasize the importance of transparency. You know, make sure your employees understand what data is being collected, how it's being used, what controls they have over their own privacy.

So it's all about open communication, clear policies, no hidden agendas.

Absolutely. And don't be afraid to involve your employees in the decision-making process. Ask for their input on those privacy policies. Be open to their feedback. They're the ones most affected by these policies, so they should have a voice.

I love that. It's about building trust, creating a culture of shared responsibility for security and privacy.

Exactly. And at the end of the day, even with the best policies, the latest technology, BYOD security, it's an ongoing journey, not a destination.

Right. There will always be new challenges, new threats to address. But with the right mindset, the right tools and a collaborative approach, you can create a BYOD environment that's both secure and empowering for your employees.

That's a great point. And if our listener needs a little help along the way, NIST is there to support them. Their website is packed with resources, and the NCCoE, the National Cybersecurity Center of Excellence, they're always ready to answer questions.

Yeah, don't hesitate to reach out. They have a fantastic resource.

Okay, so as we wrap up this final part of our deep dive into BYOD security, I want to leave our listener with one last thought. BYOD is here to stay. It's not going anywhere. In fact, it's only going to become more common in the years to come. So embrace the challenge, stay informed, be proactive, and remember, knowledge is your most powerful tool when it comes to building a secure and successful BYOD program.

Couldn't have said it better myself. So until next time, stay curious and keep on diving deep. See you on the next deep dive.
2025-01-03 06:55