Generic Digital Forensic Readiness Model for BYOD using Honeypot Technology
Victor R. Kebande, Nickson M. Karie, H.S. Venter
Information & Computer Security Architecture Research (ICSA) Lab

11th-13th May 2016, Durban, South Africa

Introduction
The proliferation and mobility trends of digital devices have seen a significant realization of Bring Your Own Device (BYOD), a phenomenon that allows employees in an organizational enterprise network to access computing resources through their personal mobile devices irrespective of location.

Cost-Effectiveness of BYOD
• Increased accessibility of personal digital devices in daily business activities.
• Reduced hardware maintenance and spending.
• Reduced software licensing and device maintenance.
• IT self-sufficiency and comfort among employees.

BYOD Projections & Predictions
• International Data Corporation (IDC): of the 480 million devices that will be shipped in 2016, 65 per cent will be used for BYOD enterprise mobility.
• Gartner: half of the world's companies will enforce BYOD by 2017, and companies will no longer provide computing devices to employees.
• Juniper Research: employee-owned devices used as part of BYOD will increase to a scale of one billion globally by 2018, although the same research shows that 80% of these consumer devices will remain unprotected.

Shortcomings
• The development of this technology faces security challenges due to the lack of a proactive security model with digital forensic capability that is able to plan and prepare before potential security incidents occur in an organization that has enforced BYOD.

DF & DFR
• DF: the science of investigation (reactive). Scientifically proven methods to acquire, examine, identify, analyse and present digital evidence from digital sources that may hold reliable information to prove or disprove a hypothesis about a security incident. Forensics has a legal connotation.
• DFR: incident preparedness (proactive). The capability of achieving preparedness by maximizing an environment's ability to collect digital evidence while minimizing the cost of conducting a Digital Forensic Investigation (DFI) during post-event response.

So how can we achieve DFR?
• Define the business scenarios
• Determine the evidence collection requirement
• Collect and retain credible information
• Plan the response
• Protect the evidence
• Accelerate the investigation

ISO/IEC 27043:2015
• The standard covers information technology, security techniques, and incident investigation principles and processes (proposed in the ICSA Lab).
• It is an umbrella standard for the high-level concepts of DF investigation.

Classes of Digital Investigation Processes
• Readiness process class
• Initialization process class
• Concurrent process class
• Acquisitive process class
• Investigative process class

Honeypot
• A decoy that is put on a network to lure attackers.
• Deludes attackers who are trying to intrude into a network into trusting that it is a legitimate system running full services.
• A communicating network of honeypots builds a honeynet.
• Information related to the attack is collected as an activity record, which may be used to reconstruct the events if there is need for an investigation.

Proposed DFRM-4-BYOD Model
• The model is meant to harvest and digitally preserve potential digital evidence (PDE) based on the digital forensic readiness processes and guidelines highlighted in the ISO/IEC 27043:2015 standard.
• It uses a honeypot as a forensic agent that collects PDE which can be used as admissible evidence in building a hypothesis to prove or disprove an incident in a court of law.

High-level View

BYOD Management
• BYOD Management: lays out what an organization aims to protect and how control of applications will be done.
• BYOD Technology: represents the different techniques by which BYOD devices are registered, configured, controlled and managed.
• Honeyd Agent: the honeypot technology used to delude potential attackers and capture PDE from them.
• People: users of BYOD devices.
• Forensic Readiness: proactive.
• Digital Forensic Readiness: reactive.

Detailed DFRM-4-BYOD

BYOD Management
• Provisioning control services: control, configure and provide services within an organization.
• Authorization to run a service using a specific device that is connected to the BYOD network.
• Administrators are able to exercise rights over all aspects of BYOD devices.
• A trusted platform is set so that user activity can be monitored based on legal considerations.

BYOD Technology
• Fine-grained BYOD policies
• Pre-incident planning
• Honeyed Agent
• DFR process

Forensic Readiness
• Monitoring
• Honeyed logging
• Digital preservation
• Forensic database
(The general information collected through these logs includes: packet destination, IP address, source, arrival time, protocol used, OS and biometrics used, where applicable.)
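The logging, preservation and forensic-database steps on this slide, as an added example that is not part of the presentation or of the DFRM-4-BYOD model itself: Python that parses constructed honeypot connection lines carrying the fields the slide names (source, destination, arrival time, protocol, OS), rejects malformed lines instead of guessing, hashes each record into a tamper-evident chain for digital preservation, and writes the result to a SQLite table standing in for the forensic database. The key=value line format, the sample addresses and timestamps, the `pde` table and the hash-chaining scheme are all assumptions chosen for illustration.

```python
import hashlib
import json
import sqlite3
from datetime import datetime

# Constructed sample honeypot log (not real data): one key=value line per
# connection attempt, carrying the fields the slide names. The last line is
# deliberately malformed to show that the parser rejects rather than guesses.
SAMPLE_LOG = """\
ts=2016-05-11T09:14:02Z src=10.0.5.23 dst=10.0.9.8 dport=22 proto=tcp os=Linux
ts=2016-05-11T09:14:07Z src=10.0.5.23 dst=10.0.9.8 dport=445 proto=tcp os=Linux
ts=2016-05-11T09:15:40Z src=10.0.7.101 dst=10.0.9.8 dport=80 proto=tcp os=Android
garbage line that the parser must reject rather than guess about
"""

REQUIRED = ("ts", "src", "dst", "dport", "proto", "os")
GENESIS = "0" * 64  # chain value before the first record (assumed convention)


def parse_line(line):
    """Parse one key=value line into a dict; return None if it is malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if any(key not in fields for key in REQUIRED):
        return None
    try:
        # Reject timestamps and ports that are not in the form the honeypot emits.
        datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def canonical(record):
    """Stable byte serialization so a record hashes identically at verification time."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def preserve(lines, prev_chain=GENESIS):
    """Parse log lines and hash-chain each record to its predecessor.

    Returns (records, rejected). Each record gets sha256 of its own content and
    chain = sha256(previous chain || sha256), so altering, dropping or reordering
    any record changes every later chain value.
    """
    records, rejected = [], []
    for number, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        fields = parse_line(raw)
        if fields is None:
            rejected.append((number, raw))
            continue
        digest = hashlib.sha256(canonical(fields)).hexdigest()
        prev_chain = hashlib.sha256((prev_chain + digest).encode()).hexdigest()
        records.append({**fields, "sha256": digest, "chain": prev_chain})
    return records, rejected


def verify_chain(records, prev_chain=GENESIS):
    """Recompute every hash; False if any record was altered, dropped or reordered."""
    for record in records:
        body = {k: v for k, v in record.items() if k not in ("sha256", "chain")}
        if hashlib.sha256(canonical(body)).hexdigest() != record["sha256"]:
            return False
        prev_chain = hashlib.sha256((prev_chain + record["sha256"]).encode()).hexdigest()
        if prev_chain != record["chain"]:
            return False
    return True


def store(records, db_path=":memory:"):
    """Write records to the forensic database (a SQLite table here) and return the row count."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS pde (ts TEXT, src TEXT, dst TEXT, dport INTEGER, "
        "proto TEXT, os TEXT, sha256 TEXT, chain TEXT UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO pde VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [(r["ts"], r["src"], r["dst"], r["dport"], r["proto"], r["os"],
          r["sha256"], r["chain"]) for r in records],
    )
    conn.commit()
    count = conn.execute("SELECT COUNT(*) FROM pde").fetchone()[0]
    conn.close()
    return count


if __name__ == "__main__":
    recs, bad = preserve(SAMPLE_LOG.splitlines())
    print(f"preserved {store(recs)} records, rejected {len(bad)} line(s)")
    print("chain verifies:", verify_chain(recs))
```

Rejected lines are returned with their line numbers rather than silently dropped, because an investigator later needs to account for every line the honeypot wrote; the per-record hash and chain value are what let the forensic database demonstrate, at post-event response time, that the preserved PDE is the same data that was collected.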

Digital Forensic Investigation
• Initialization process
• Acquisitive process
• Investigative process

Sequences of Execution in BYOD Environment

Conclusion
• There is a lack of a proactive security model with DF capability that is able to plan and prepare before potential security incidents occur in a BYOD environment.
• The authors proposed a generic model with DFR capability for a BYOD environment that contributes to the body of knowledge.