BYOD Risk Assessment And Certificate-based Authentication

Importance of Cybersecurity Threats

To address the contemporary and emerging cyber threats the organisation faces, this report discusses some critical components of the organisation's information system: the BYOD policy, certificate-based authentication and instructions for handling phishing.


In this study, an organisation has hired a cyber-security consultant and given them responsibility for advising on potential threats to its information system. The organisation currently uses a password-based authentication system to protect its important data; that data is secured by a password alone.

As the consultant, it is important for me to gain a thorough knowledge of possible cybersecurity threats such as ransomware, malware and phishing (Furnell, Emm and Papadaki, 2015). These kinds of cyber threats work on different principles, but their common aim is to steal user information.

The digital world has become a frightening place: every day there is news about breaches, attacks and threats, alongside a flood of new systems that claim to solve all these issues (Saini, Rao and Panda, 2012). In the business world, critical information assets are all the information and data that are highly valuable and need a higher level of protection. A firm can only ensure this protection when it is able to deploy next-level technologies within a defined scope (Buyya et al., 2009). For an organisation, critical assets may include a contact database, financial data, client and customer information, and so on.

Since the introduction of BYOD, it has become easier even for an outsider to obtain information or make financial gain. A range of external threats in the BYOD context is set out below.

  • Malware – Malware has always been a prominent threat to corporate information (Potts, 2012). Once a BYOD policy is implemented, existing security vulnerabilities in staff mobile devices can be exploited by malware to obtain trusted information.
  • Phishing – The threat level is also rising with phishing, which may evade traditional network security devices to obtain personal information (Jang-Jaccard and Nepal, 2014).
  • Social Engineering – In a BYOD context, a lack of security awareness creates a persistent threat. For instance, attackers may send spam email to spread malware, and naive users who only know how to check their email may be affected, since operations performed on personal mobile devices are harder to monitor (La Polla, Martinelli and Sgandurra, 2013).
  • Malicious Mobile Applications – Because the device is personal, an employee can also install unauthorised applications for their daily work activities, leaving the enterprise with no control over the device. In addition, rooted mobile devices create more opportunities for such malicious applications (Harris and Patten, 2014).

The internal threat context may also complicate digital investigations, owing to factors such as tampering with data by highly trusted users, ignorance of company security policies and many more.

  • Uncontrolled introduction of assorted devices – This significantly increases the threat to sensitive information. Since different employees own different devices, these may not be compatible with the enterprise's security measures and protocols, so minimum security requirements are not met.
  • Sharing of information on personal cloud services – Employees can also use these devices for personal reasons outside the workplace. This increases employee productivity, but at the same time the devices and their cloud storage are exposed to hacking activity, and sharing information on cloud services may bring potential malware infection (Patel et al., 2013). This makes it more difficult for the company to ensure the integrity and confidentiality of information held in cloud repositories (Modi et al., 2013).
  • Mixture of personal and business information – Employees may also use the device for personal purposes, such as contacting family members and friends. Accessing and sharing both personal and organisational information on the same device may therefore affect information integrity and increase uncertainty.
  • Lost, stolen and unlinked mobile devices – Staff may be allowed to use the “remember password” option in applications or web browsers and may leave their accounts logged in. In addition, many employees keep business information on their devices even after they have been disconnected from the corporate network, and all of this increases the risk of identity forgery.

Using a qualitative risk assessment approach, the organisation can prevent unauthorised access to personal data. This approach does not rely on numerical methods; instead it describes and explains the issue, offers suitable recommendations and states the purpose to which the risk assessment is linked (Nieto-Morote and Ruz-Vila, 2011).

Hence, the qualitative risk assessment finds that risk arises from both external and internal threats, and to overcome these risks one needs to install the latest encryption algorithms, firewalls and antivirus applications and avoid using open-network internet (Pearce, Zeadally and Hunt, 2013). The process by which the risk assessment is carried out is stated below.

  1. Recognise the hazard.
  2. Identify who might be affected and how.
  3. Measure the risk and adopt control measures.
  4. Record your findings and apply them.
  5. Review your assessment and update it if necessary.

Certificate-based authentication uses digital certificates to identify a user or device before allowing access to a network, application, resource, etc. (Zissis and Lekkas, 2012). It helps to avoid the risks identified in the assessment. In principle, when the process authenticates a user, it fetches the principal name from the user's certificate and submits it. This principal name is used as the distinct identifier for the user instead of an ID or password. The same principal name is used for every access by that user, so whoever tries to access a resource is identified, as all of this information is visible to security staff. The data can be displayed because the principal name given to the user is the email address present in the security certificate.

BYOD Policy and Threat Context

Benefits

  • Authentication can be effectively revoked centrally.
  • A higher level of security in comparison with public-key authentication.
  • A user can easily access many servers at the same time from a single location.
  • For identity verification, the secret private keys will also be helpful if any issue occurs.

Drawbacks

  • The cost of initial deployment may be higher, as it requires a public-key infrastructure.

Compare

Both password-based authentication and certificate-based authentication are used for security purposes, to protect the important data of a user or organisation. However, certificate-based authentication is known to be more reliable and secure, as personal information is also carried in the certificate-based mechanism and a particular key is allocated for each purpose (Nguyen, Laurent and Oualha, 2015).

In relation to BYOD, if both authentication mechanisms are combined, it is likely that the rate of threats will decrease (Garg and Mahapatra, 2009). Hence, implementing both mechanisms will reduce the threats significantly.

One of the biggest risks, and one that is spreading significantly, is spam. It is defined as the continuous sending of messages over the network with the aim of harassing, advertising, threatening and, most often, spreading malware (Çıltık and Güngör, 2008).

Some of its characteristics are:

  • Fake identities are used by people for personal gain.
  • Requests for the user's personal data.
  • Use of threatening tactics.
  • Requests for money in advance while dealing with a corporation.
  • Messages intended to play on individual emotions, such as “u won a lottery”.

Spam Act 2003:

  • If the title of a received mail message is truncated, it is treated as spam under this act.
  • Any advertising email linked to electronic products and commercials is considered spam.
  • If a mail message consists of any description of words or a website account, it is also regarded as spam.
  • Spreading the same message repeatedly for promotional purposes is also considered spam.

Any user or organisation can avoid these threats by not opening or replying to these emails and messages unless they are sure of the sender. In addition, various antivirus applications can also be relied upon as a preventive measure.

Real-life examples:

  • In the first real-life example, I think everyone is aware that Gmail has a spam folder in which all spam and virus messages are automatically filed by Gmail, and most of the time we are not even aware that we received a spam message.
  • The well-known spam “You earn a reward of $10 million, Claim your prize!!” shows that spammers have earned a great deal of money with this fraud.
  • Many people have also been defrauded by a bank email stating: “dear customer of the _ bank, we are upgrading our system for superior user experience and so provide your personal information”.
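As an added example, not from the original paper, the following Go program scores a constructed batch of messages against the spam characteristics listed above (fake identity, requests for personal data, threats, advance-fee requests and emotional lures) and also flags the repeated sending of the same message noted under the Spam Act. The phrase lists, the free-mail domain list, the score threshold and the sample messages (two of which quote the real-life examples) are all assumptions made for this illustration, not a vetted filter.

```go
package main

import (
	"fmt"
	"strings"
)

// Message is a minimal view of an inbound e-mail, constructed for this example.
type Message struct {
	From    string // "Display Name <address>"
	Subject string
	Body    string
}

// rule maps one characteristic from the list above to trigger phrases.
// The phrase lists are illustrative assumptions, not a vetted corpus.
type rule struct {
	label   string
	phrases []string
}

var rules = []rule{
	{"requests personal data", []string{"provide your personal information", "confirm your password", "account number"}},
	{"threatening language", []string{"account will be suspended", "legal action", "within 24 hours"}},
	{"advance-fee request", []string{"processing fee", "transfer fee", "advance payment"}},
	{"prize or emotional lure", []string{"you won", "u won", "claim your prize", "lottery", "reward of"}},
}

// A display name that claims an institution while the address sits on a free-mail
// domain is treated as a fake-identity signal (both lists are assumptions).
var freeMailDomains = map[string]bool{"gmail.com": true, "yahoo.com": true, "hotmail.com": true}
var institutionWords = []string{"bank", "support", "security team", "lottery"}

// senderDomain extracts the domain from "Name <user@domain>" or a bare address.
func senderDomain(from string) string {
	addr := from
	if lt, gt := strings.LastIndex(from, "<"), strings.LastIndex(from, ">"); lt >= 0 && gt > lt {
		addr = from[lt+1 : gt]
	}
	if at := strings.LastIndex(addr, "@"); at >= 0 {
		return strings.ToLower(addr[at+1:])
	}
	return ""
}

func fakeIdentity(from string) bool {
	lower := strings.ToLower(from)
	for _, w := range institutionWords {
		if strings.Contains(lower, w) && freeMailDomains[senderDomain(from)] {
			return true
		}
	}
	return false
}

// normalise collapses case and whitespace so repeated bulk copies compare equal.
func normalise(body string) string {
	return strings.Join(strings.Fields(strings.ToLower(body)), " ")
}

// Result carries the score and the matched characteristics for one message.
type Result struct {
	Score   int
	Reasons []string
}

// ScoreBatch scores every message; scoring the batch together is what lets it
// notice the same body being sent repeatedly.
func ScoreBatch(msgs []Message) []Result {
	copies := map[string]int{}
	for _, m := range msgs {
		copies[normalise(m.Body)]++
	}
	out := make([]Result, len(msgs))
	for i, m := range msgs {
		text := strings.ToLower(m.Subject + " " + m.Body)
		var r Result
		for _, rl := range rules {
			for _, p := range rl.phrases {
				if strings.Contains(text, p) {
					r.Score += 2
					r.Reasons = append(r.Reasons, rl.label)
					break // one hit per characteristic is enough
				}
			}
		}
		if fakeIdentity(m.From) {
			r.Score += 3
			r.Reasons = append(r.Reasons, "fake identity")
		}
		if copies[normalise(m.Body)] > 1 {
			r.Score++
			r.Reasons = append(r.Reasons, "repeated message")
		}
		out[i] = r
	}
	return out
}

// IsSpam applies an assumed threshold; it would need tuning against real mail.
func IsSpam(r Result) bool { return r.Score >= 3 }

// sampleMessages is a constructed batch; the first two quote the paper's real-life examples.
var sampleMessages = []Message{
	{"Prize Department <claims@lottery-winners.example>", "You earn a reward of $10 million, Claim your prize!!",
		"Claim your prize today. Pay a small processing fee to release your reward of $10 million."},
	{"Example Bank Support <examplebank.support@gmail.com>", "System upgrade",
		"Dear customer of the _ bank, we are upgrading our system for superior user experience and so provide your personal information within 24 hours or your account will be suspended."},
	{"Priya Patel <priya.patel@example.com>", "Lunch on Thursday?", "Are you free for lunch on Thursday at noon? Let me know."},
	{"Winner Desk <winners@prize-desk.example>", "Claim now",
		"Claim your prize today. Pay a small processing fee to release your reward of $10 million."},
}

func main() {
	for i, r := range ScoreBatch(sampleMessages) {
		fmt.Printf("message %d: score=%d spam=%v reasons=%v\n", i+1, r.Score, IsSpam(r), r.Reasons)
	}
}
```

Run as written, the lottery message scores 5 (prize lure, advance fee, repeated body), the bank message scores 7 (personal data, threat, fake identity) and the lunch invitation scores 0. The point of the design is that each reason maps back to one of the characteristics the paper lists, so a flagged message can be explained to the user rather than silently discarded.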

Conclusions

As a consultant to the IT department, to protect my organisation from all these issues I would definitely suggest a certificate-based authentication mechanism. In addition, I would also consider various aspects of the BYOD policy that was recently implemented in the firm.

Lastly, I would consider all the above measures to protect both the staff and myself from any sort of spamming, malware or attack. Moreover, I will also develop an appropriate plan for the organisation's IT system so that no cybersecurity threat, i.e. ransomware, malware or phishing, can steal any sort of personal information.

References

Buyya, R., Yeo, C.S., Venugopal, S., Broberg, J. and Brandic, I. (2009) Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25(6), pp.599-616.

Çıltık, A. and Güngör, T. (2008) Time-efficient spam e-mail filtering using n-gram models. Pattern Recognition Letters, 29(1), pp.19-33.

Furnell, S., Emm, D. and Papadaki, M. (2015) The challenge of measuring cyber-dependent crimes. Computer Fraud & Security, 2015(10), pp.5-12.

Garg, N. and Mahapatra, R.P. (2009) Manet security issues. IJCSNS, 9(8), p.241.

Harris, M.A. and Patten, K.P. (2014) Mobile device security considerations for small- and medium-sized enterprise business mobility. Information Management & Computer Security, 22(1), pp.97-114.

Jang-Jaccard, J. and Nepal, S. (2014) A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), pp.973-993.

La Polla, M., Martinelli, F. and Sgandurra, D. (2013) A survey on security for mobile devices. IEEE Communications Surveys & Tutorials, 15(1), pp.446-471.

Modi, C., Patel, D., Borisaniya, B., Patel, A. and Rajarajan, M. (2013) A survey on security issues and solutions at different layers of Cloud computing. The Journal of Supercomputing, 63(2), pp.561-592.

Nguyen, K.T., Laurent, M. and Oualha, N. (2015) Survey on secure communication protocols for the Internet of Things. Ad Hoc Networks, 32(1), pp.17-31.

Nieto-Morote, A. and Ruz-Vila, F. (2011) A fuzzy approach to construction project risk assessment. International Journal of Project Management, 29(2), pp.220-231.

Patel, A., Taghavi, M., Bakhtiyari, K. and Júnior, J.C. (2013) An intrusion detection and prevention system in cloud computing: A systematic review. Journal of Network and Computer Applications, 36(1), pp.25-41.

Pearce, M., Zeadally, S. and Hunt, R. (2013) Virtualization: Issues, security threats, and solutions. ACM Computing Surveys (CSUR), 45(2), p.17.

Potts, M. (2012) The state of information security. Network Security, 2012(7), pp.9-11.

Saini, H., Rao, Y.S. and Panda, T.C. (2012) Cyber-crimes and their impacts: A review. International Journal of Engineering Research and Applications, 2(2), pp.202-209.

Zissis, D. and Lekkas, D. (2012) Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), pp.583-592.
