Question:
Discuss the attack taxonomy for Bring Your Own Device (BYOD).
Aztek has a large network of employees, customers, partners, vendors and stakeholders. The organization's primary goal is to grow its customer base by providing better, more accurate and more secure financial services while increasing revenue. BYOD will allow employees to use their own devices, which is expected to improve productivity and support these goals. The project is therefore feasible from the organizational point of view.
Work carried out by employees on their devices will be tracked and monitored through remote tracking and management. Employees will also be able to access organizational tools and applications from home and outside the office premises, gaining more hands-on familiarity with the applications, which should reduce operational mistakes. The BYOD scheme is therefore feasible from the operational point of view.
The technical tools and applications used by the organization are compatible with most current, widely used operating systems, so they can be integrated with employee devices without major effort. The security department will also install the technical controls and applications needed to secure each device. The project is feasible from the technical point of view.
No Australian law or regulation prohibits the use of employee-owned devices in the workplace. Rules specific to the financial industry, together with information privacy law, will be adhered to during the project. The project is therefore feasible from the legal and political point of view as well.
Many security risks have been identified in association with the BYOD scheme, and these are the main potential disadvantages of the project. They can, however, be kept in check and reduced with the right methods, plans, policies and controls.
Implementing BYOD would bring several advantages. The first is reduced cost: the cost of procuring and maintaining devices, along with infrastructure and operational costs, will fall. Employees will be able to access most organizational tools and applications from remote locations, improving productivity and efficiency. Customers will benefit from better service quality and responsiveness, which in turn supports higher revenue and market share.
Aztek has decided to allow employees to bring their personal devices to the workplace for professional tasks and activities.
The company is based in Australia. There is no nation-wide law that specifically governs the monitoring of employees who use personal devices for work, but particular business domains are subject to their own rules and regulations, and Aztek's domain is finance. Two Australian jurisdictions, New South Wales and the Australian Capital Territory, have enacted specific workplace surveillance legislation; the rules on monitoring electronic communication and network use differ between them and must be followed by Aztek according to the territory in which it operates.
The Australian Securities and Investments Commission (ASIC) is the federal body that regulates corporate and financial services in Australia. Its ePayments Code governs electronic payment transactions, and ASIC also issues guidance on access control and management for financial systems. These rules and guidelines shall be followed (Asic, 2017).
The BYOD scheme would allow employees to use their devices for organizational activities outside the office premises as well. In New South Wales, the Workplace Surveillance Act 2005 governs the surveillance of employees' computer, email and internet use for work, including beyond the office premises. Under this act Aztek may track communication and operational activity on the device, with restrictions on sharing information with parties outside the organization or a particular project. Aztek may conduct overt surveillance using automated tracking software, provided employees are given at least 14 days' written notice before it begins.
Employees may also exchange emails and messages that include financial information. The Workplace Privacy Act 2011 of the Australian Capital Territory regulates the surveillance of employees' communications, including email. Data that employees exchange through the mail servers will be monitored by Aztek in accordance with this act (Act, 2016).
The Telecommunications (Interception and Access) Act 1979 sets out the conditions under which communications may be intercepted or accessed. Its purpose is to protect the integrity of communications so that interception does not take place without lawful authority. Its interception provisions concern the content of communications; access to telecommunications data such as sender and recipient addresses (metadata) is governed by separate provisions of the same act (Coe, 2011).
Financial information processed on employee devices under the BYOD scheme must also comply with intellectual property and information privacy law, which protect the privacy and security of that information.
The Privacy Act 1988 and its Australian Privacy Principles (APPs) govern the handling of personal information; APP 5, for example, requires individuals to be notified when their personal information is collected (Oaic, 2014). Employee devices must not store or process the personal information of other employees or of Aztek's customers. Access rules and user privileges shall be defined for information access, and employees must know the process for reporting a data breach to senior management.
A number of security postures and policies must be reviewed and modified when the BYOD scheme is introduced. This includes the current security state of the organization, the mobile devices currently in use and those expected in future, and the geographical strategy for deploying the project.
Financial organizations must comply with rules and regulations at the federal, state, territory and industry levels; these constraints were discussed in the section above. For Aztek, a further area of concern is the security of devices, information and networks. The current security state of Aztek has the following weaknesses:
Fixing the security gaps identified above will require significant investment in the security infrastructure. With the BYOD scheme, employees will bring many devices into the organization and the need to procure additional devices disappears. However, the scheme carries its own security risks and concerns.
In organizations where all devices come from a single vendor or manufacturer, security can be controlled through unified management: a single set of security controls and checks is implemented to secure every device.
With BYOD, the security policies and plans that must be followed are different. Employees bring devices with different security frameworks, operating systems and data-handling capabilities, so no single uniform security scheme can guarantee the security of every device. The device portfolio also expands to include smartphones, laptops, tablets and other devices from different sources. The current security policy will therefore require many updates (Curran, Maynes and Harkin, 2015).
Simply locking down devices whenever they are outside the company network would not work: the devices are personally owned, and such a practice would discourage employees from adopting the scheme. A flexible but secure approach to risk management is required, for instance applying access control to official applications that hold critical and sensitive information when they are used outside the office network (Gillies, 2016).
Many risks are associated with the device itself. An employee's device may be lost or stolen, and whoever obtains it may gain access to organizational information if the device is still connected to the VPN. Confidential information would then be exposed to unauthorized parties, so device tracking and device security are of utmost importance.
Ownership issues may also arise. Employees own their devices and want full control over their own data; they may jailbreak or root the device, which severely weakens its security. The terms and conditions of the BYOD scheme shall therefore be explained clearly to employees before they agree to bring their devices to the workplace (Tokuyoshi, 2013).
There are also certain basic mechanisms that can be used for the protection of the devices and the information present in these devices.
Two categories of application-specific risk arise under the BYOD scheme. The first is malware delivered through installed applications, which demands the highest level of malware protection. The second is exploitation of security vulnerabilities in the applications themselves, which may compromise sensitive and confidential information. Enhanced application management is necessary to avoid and control these risks (Romer, 2014).
Upgrades and security updates must be installed on the devices and on the applications present on them, so that risks tied to a specific device version or application version are avoided.
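As an added example (not part of the original essay or of any Aztek system), the following Python sketch shows how the flexible-but-secure approach described above can be expressed as a conditional-access decision: posture reported by a device-management agent is evaluated against a baseline; a rooted or unmanaged device is refused everywhere; a device that fails hygiene checks (no encryption, no screen lock, outdated OS, stale report) gets restricted access rather than a hard lock-out; and a clean device reaching a sensitive application from outside the office network is asked for step-up authentication. The minimum OS versions, the seven-day check-in limit, the posture fields and the sample devices are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed baseline. The real minimum versions would be set by Aztek's security
# department and reviewed as vendors drop support for older releases.
MIN_OS_VERSION: Dict[str, Tuple[int, int]] = {
    "ios": (16, 0),
    "android": (13, 0),
    "macos": (13, 0),
    "windows": (10, 0),
}
MAX_CHECKIN_AGE_DAYS = 7  # assumed: older posture reports are not trusted


@dataclass
class DevicePosture:
    """Attributes a device-management or endpoint agent reports (assumed set)."""
    device_id: str
    platform: str
    os_version: Tuple[int, int]
    mdm_enrolled: bool
    disk_encrypted: bool
    screen_lock: bool
    jailbroken_or_rooted: bool
    on_corporate_network: bool
    days_since_checkin: int


@dataclass
class Decision:
    access: str                      # "full", "restricted" or "none"
    mfa_required: bool = False
    reasons: List[str] = field(default_factory=list)


def evaluate(device: DevicePosture, app_sensitivity: str) -> Decision:
    """Decide what a device may reach; app_sensitivity is 'high' or 'normal'."""
    # Hard failures: an unmanaged or rooted device gets nothing, anywhere.
    blocking = []
    if not device.mdm_enrolled:
        blocking.append("not enrolled in device management")
    if device.jailbroken_or_rooted:
        blocking.append("jailbroken or rooted")
    if blocking:
        return Decision("none", reasons=blocking)

    # Hygiene findings degrade access instead of refusing it outright, so
    # employees are nudged to fix the device rather than abandon the scheme.
    findings = []
    if not device.disk_encrypted:
        findings.append("storage not encrypted")
    if not device.screen_lock:
        findings.append("no screen lock")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        findings.append(f"unsupported platform {device.platform}")
    elif device.os_version < minimum:
        findings.append("OS below minimum patch level")
    if device.days_since_checkin > MAX_CHECKIN_AGE_DAYS:
        findings.append("posture report is stale")

    if findings:
        # Sensitive applications are withheld entirely; others run in a
        # restricted mode (for example web-only, no offline data).
        if app_sensitivity == "high":
            return Decision("none", reasons=findings)
        return Decision("restricted", reasons=findings)

    # Clean device: full access, with step-up authentication when a sensitive
    # application is opened from outside the office network.
    mfa = app_sensitivity == "high" and not device.on_corporate_network
    return Decision("full", mfa_required=mfa)


if __name__ == "__main__":
    # Constructed sample devices.
    samples = [
        DevicePosture("home-phone", "ios", (17, 2), True, True, True, False, False, 1),
        DevicePosture("rooted-tab", "android", (14, 0), True, True, True, True, True, 0),
        DevicePosture("old-phone", "android", (12, 0), True, True, True, False, True, 2),
    ]
    for dev in samples:
        for sensitivity in ("normal", "high"):
            print(dev.device_id, sensitivity, evaluate(dev, sensitivity))
```

The decision is deliberately split into blocking conditions and degradable findings: the former map to the "device integrity" controls a policy must enforce unconditionally, the latter to hygiene that can be remediated by the employee, which keeps the scheme acceptable to device owners while still denying sensitive data to devices that are not in a known-good state.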
The cybersecurity framework followed in this case (the core, implementation tiers and profiles structure of the NIST Cybersecurity Framework) is based on flexible, high-performance mechanisms for improving an organization's security posture.
The framework core defines five functions: Identify (risk identification), Protect (asset protection), Detect (incident identification), Respond (response planning) and Recover (data recovery). Each function is broken down into categories and subcategories with informative references that serve as a security checklist; categories include asset management, access control, and detection and prevention systems. The security mechanisms applied against the identified risks cover information in transit as well as information at rest.
The framework also defines implementation tiers, and Aztek must ensure that its security state moves towards the highest tier.
For Aztek, the BYOD scheme brings many new challenges. Staff change, new devices join the set the organization must manage, and the threat landscape changes continuously; the risk assessment process should therefore operate at Tier 4 (Adaptive), where risk management practices are adjusted continuously in response to lessons learned and changing threats (Singh et al., 2014).
An analysis of the threats and vulnerabilities associated with the BYOD scheme has been carried out and the results are summarized in the table below.
Risk Name | Risk Impact (1 to 5, 5 highest) | Risk Probability (1 to 5, 5 highest) | Risk Rank (Impact x Probability) | Suggested Response Strategy
Information Breach | 5 | 4 | 20 | Risk avoidance
Information Leakage | 4 | 4 | 16 | Risk avoidance
Information Loss | 4 | 4 | 16 | Risk avoidance
Lost/Stolen Devices | 5 | 2 | 10 | Risk mitigation
Insider Threats | 5 | 4 | 20 | Risk transfer
Man in the Middle Attacks | 3 | 3 | 9 | Risk avoidance
Spoofing Attacks | 4 | 3 | 12 | Risk avoidance
Application and System Vulnerabilities | 3 | 4 | 12 | Risk avoidance
Hacking of the APIs | 3 | 3 | 9 | Risk mitigation
Denial of Service Attacks | 4 | 3 | 12 | Risk avoidance
Malware Attacks | 3 | 5 | 15 | Risk avoidance
Phishing Attacks | 4 | 3 | 12 | Risk mitigation
Eavesdropping Attacks | 3 | 4 | 12 | Risk avoidance
Social Engineering Attacks | 5 | 4 | 20 | Risk mitigation
Table 1: Risk Register
Several countermeasures and security programmes are used to make sure that the risks assessed above are handled carefully.
Once the initial planning and analysis is complete, each risk shall be mapped to the type of countermeasure to be applied. Some risks can be controlled by administrative checks alone, while others require a technical tool or application for their avoidance and management (Stoecklin et al., 2016).
Many countermeasures exist to overcome, avoid, prevent, detect and control the security risks that follow from Aztek's decision to permit employees to bring their devices to work.
Data is one of Aztek's biggest assets, as it is for every organization, and various measures can be implemented to avoid the risks associated with data and information. These include access control, incident recording and resolution, privacy standards, codes of conduct, rules on the use of social media, encryption, anti-denial-of-service and anti-malware tools, and employee and user awareness and training on the security practices to be followed.
Under the BYOD scheme, both the probability and the variety of risks increase, because there are more access points through which an attack can be launched: the attack surface grows, and so does the window of opportunity. Aztek will need end-to-end data protection to avoid these risks and attacks. Mismanagement of employee-owned devices is likely to be the biggest contributor to data security incidents, so policies must be created for data protection on employee resignation and transfer. Organizational tools, applications and information on the employee's device shall be subject to remote wipe, and the wipe shall be verified afterwards.
Weak data security can have severe financial and legal consequences, and the measures below are intended to prevent them.
Aztek manages a large amount of data in different categories with different security requirements. The following table defines the data classification and the security strategy to be applied to each class.
Type of Data | Information included under this classification | Damage to the information in case of a security attack | Security strategy to be used
Highly sensitive data | Government identifiers such as tax file numbers of employees and customers, PINs and passwords for bank account access | A breach of this information may expose the organization to legal penalties or financial sanctions | The highest level of protection shall apply. Only the CEO and CIO shall be able to access this data category, no entity shall modify it, and credentials such as PINs and passwords shall be stored only in hashed form rather than retrievably (Morrow, 2012).
Sensitive and confidential internal data | Contract information with third-party vendors, details of projects taken up by the organization | The organization's market reputation may suffer as customers lose trust, and competitors may exploit the disclosed information (Yoo, Park and Kim, 2012) | Administrative and technical controls must protect this category, with physical controls in place and access limited to the CEO, CIO, data administrator and security manager.
Private data | Internal organizational charts, communication mechanisms, project methodologies and approaches | Stakeholder engagement may suffer as internal details of the organization become public | Administrative and technical controls must protect this category, with physical controls in place and access limited to the CEO, CIO, data administrator, security manager, security analysts, stakeholders and data scientists.
Public data | Solutions provided by the organization, list of products offered, names of well-known clients | The data shall be disclosed only as intended by management; premature disclosure may hand a competitive advantage to other market entities | The information shall be protected by security controls; stakeholders may view it, and modifications shall be made only by the data administrator.
Table 2: Data Classification & Security Analysis
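As an added example (not code from the original essay or from Aztek), the Python below shows the kind of outbound content check that the data classification in Table 2 and the email-leakage concern above imply for messages leaving an employee device: it looks for highly sensitive identifiers (tax file numbers verified with the TFN check digit, card numbers verified with the Luhn check, credentials in clear text) and for internal-data markers, and returns a classification together with the action a mail gateway or work container would take. The regular expressions, the marker words, the action names and the sample messages are constructed assumptions; a production scanner would also have to handle attachments and encrypted content.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Weights of the Australian tax file number check digit scheme.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Constructed patterns; a real scanner would carry a larger, tuned set.
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")          # 13 to 19 digits
CREDENTIAL_RE = re.compile(r"\b(?:pin|password|passcode)\s*[:=]\s*\S+", re.IGNORECASE)
INTERNAL_RE = re.compile(r"\b(?:confidential|internal only|contract)\b", re.IGNORECASE)


def is_valid_tfn(digits: str) -> bool:
    """Nine digits whose weighted sum is divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


@dataclass
class ScanResult:
    classification: str                 # "highly sensitive", "internal" or "public"
    action: str                         # "block", "encrypt" or "allow"
    findings: List[str] = field(default_factory=list)


def classify_message(text: str) -> ScanResult:
    """Classify outbound message text against the Table 2 categories."""
    findings: List[str] = []

    # Card numbers are checked first and masked out, so that a nine-digit run
    # inside a card number is not reported a second time as a TFN.
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(f"card number ending {digits[-4:]}")
    remainder = CARD_RE.sub(" ", text)

    for m in TFN_RE.finditer(remainder):
        if is_valid_tfn(re.sub(r"[ -]", "", m.group())):
            findings.append("tax file number")

    if CREDENTIAL_RE.search(text):
        findings.append("credential in clear text")

    if findings:
        return ScanResult("highly sensitive", "block", findings)
    if INTERNAL_RE.search(text):
        return ScanResult("internal", "encrypt", ["internal marker present"])
    return ScanResult("public", "allow")


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in (
        "Hi, my TFN is 123 456 782 for the payroll update",
        "Card 4111 1111 1111 1111 exp 12/26",
        "Ref 123456789 shipped today",
        "Confidential: vendor contract terms attached",
        "PIN: 4821",
    ):
        print(repr(msg), "->", classify_message(msg))
```

Validating the check digits is what keeps this usable on a real mail stream: a bare nine-digit pattern would flag roughly every phone number and reference code, whereas the TFN and Luhn checks reject most of them (about ten in eleven and nine in ten respectively), at the cost of a residual false-positive rate that a reviewer still has to expect.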
Conclusion
Aztek's management and administration have decided to implement the Bring Your Own Device (BYOD) project.
The scheme allows employees to use their own devices for organizational activities, including outside the office premises. As a financial organization, Aztek must comply with rules at the federal, state, territory and industry levels, including ASIC guidelines, workplace surveillance legislation, and intellectual property and privacy law. The device portfolio will expand to smartphones, laptops and tablets from many sources, so the current security policy will need substantial updates. Risks exist to the devices, the information on them, applications, systems and databases; devices and applications must be kept patched so that version-specific vulnerabilities are avoided. Advanced security plans shall combine preventive, detective, corrective, deterrent, recovery and compensatory controls. Data protection measures shall include access control, incident recording and resolution, privacy standards, codes of conduct, rules for social media use, encryption, anti-denial-of-service and anti-malware tools, and employee awareness training on the security practices to be followed.
References
Act (2016). Workplace Privacy Act 2011. [online] Available at: https://www.legislation.act.gov.au/a/2011-4/current/pdf/2011-4.pdf [Accessed 26 Sep. 2017].
Asic (2017). ASIC Home | ASIC – Australian Securities and Investments Commission. [online] Asic.gov.au. Available at: https://asic.gov.au/ [Accessed 26 Sep. 2017].
Beckett, P. (2014). BYOD – popular and problematic. Network Security, 2014(9), pp.7-9.
Blizzard, S. (2015). Coming full circle: are there benefits to BYOD?. Computer Fraud & Security, 2015(2), pp.18-20.
Coe (2011). Telecommunications (Interception and Access) Act 1979. [online] Rm.coe.int. Available at: https://rm.coe.int/1680304330 [Accessed 26 Sep. 2017].
Curran, K., Maynes, V. and Harkin, D. (2015). Mobile device security. International Journal of Information and Computer Security, 7(1), p.1.
Gillies, C. (2016). To BYOD or not to BYOD: factors affecting academic acceptance of student mobile devices in the classroom. Research in Learning Technology, 24(1), p.30357.
Kumar, R. and Singh, H. (2015). A Proactive Procedure to Mitigate the BYOD Risks on the Security of an Information System. ACM SIGSOFT Software Engineering Notes, 40(1), pp.1-4.
Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 2012(12), pp.5-8.
Oaic (2014). Chapter 5: APP 5 — Notification of the collection of personal information| Office of the Australian Information Commissioner – OAIC. [online] Oaic.gov.au. Available at: https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-5-app-5-notification-of-the-collection-of-personal-information [Accessed 26 Sep. 2017].
Romer, H. (2014). Best practices for BYOD security. Computer Fraud & Security, 2014(1), pp.13-15.
Singh, M., Sin Siang, S., Ying San, O., Hassain Malim, N. and Mohd Shariff, A. (2014). Security Attacks Taxonomy on Bring Your Own Devices (BYOD) Model. International Journal of Mobile Network Communications & Telematics, 4(5), pp.1-17.
Stoecklin, M., Singh, K., Koved, L., Hu, X., Chari, S., Rao, J., Cheng, P., Christodorescu, M., Sailer, R. and Schales, D. (2016). Passive security intelligence to analyze the security risks of mobile/BYOD activities. IBM Journal of Research and Development, 60(4), pp.9:1-9:13.
Tokuyoshi, B. (2013). The security implications of BYOD. Network Security, 2013(4), pp.12-13.
Yoo, S., Park, K. and Kim, J. (2012). Confidential information protection system for mobile devices. Security and Communication Networks, 5(12), pp.1452-1461.