Generic Digital Forensic Readiness Model for BYOD using Honeypot Technology
Victor R. Kebande, Nickson M. Karie, H.S. Venter
Information & Computer Security Architecture Research (ICSA) Lab
11th-13th May 2016, Durban, South Africa
Introduction
The proliferation and mobility trends of digital devices have led to a significant realization of Bring Your Own Device (BYOD), a phenomenon that allows employees in an organizational enterprise network to access computing resources through their personal mobile devices irrespective of location.
Cost-Effectiveness of BYOD
• Increased accessibility of personal digital devices in daily business activities.
• Reduced hardware maintenance and spending.
• Reduced software licensing and device maintenance.
• IT self-sufficiency and comfort among employees.
BYOD Projections & Predictions
• International Data Corporation (IDC) - of the 480 million devices that will be shipped in 2016, 65 per cent will be used by BYOD for enterprise mobility.
• Gartner - half of the world's companies will enforce BYOD by 2017 and companies will no longer provide computing devices to employees.
• Juniper Research - employee-owned devices as part of BYOD will increase to a scale of one billion globally by 2018, although the same research shows that 80% of these consumer devices will remain unprotected.
Shortcomings
• The development of this technology faces security challenges due to the lack of a proactive security model with digital forensic capability that is able to plan and prepare before potential security incidents occur in an organization that has enforced BYOD.
DF & DFR
• DF - science of investigation (reactive): scientifically proven methods to acquire, examine, identify, analyse and present digital evidence from digital sources that may hold reliable information to prove or disprove a hypothesis about a security incident. Forensics has a legal connotation.
• DFR - incident preparedness (proactive): the capability of achieving preparedness by maximizing an environment's ability to collect digital evidence while minimizing the cost of conducting a Digital Forensic Investigation (DFI) during post-event response.
So how can we achieve DFR?
• Define the business scenarios
• Determine the evidence collection requirement
• Collect and retain credible information
• Plan the response
• Protect the evidence
• Accelerate the investigation
ISO/IEC 27043:2015
• Standard covers information technology, security techniques, incident investigation principles and processes (proposed in ICSA Lab).
• Is an umbrella standard for high-level concepts of DF investigation.
Classes of Digital Investigations
• Readiness process class
• Initialization process class
• Concurrent process class
• Acquisitive process class
• Investigative process class
Honeypot
• Decoy that is put on a network to lure attackers.
• Deludes attackers who are trying to intrude into a network into trusting that it is a legitimate system running full services.
• A communicating network of honeypots builds a Honeynet.
• Information related to the attack is collected as an activity record, which may be used to reconstruct the events if there is need for an investigation.
Proposed DFRM-4-BYOD Model
The model is meant to harvest and digitally preserve potential digital evidence (PDE) based on the digital forensic readiness processes and guidelines highlighted in the ISO/IEC 27043:2015 standard.
Proposed DFRM-4-BYOD Model
• Uses a honeypot as a forensic agent that collects PDE, which can be used as admissible evidence in forming a hypothesis to prove or disprove an incident in a court of law.
High-level View
BYOD Management
• BYOD Management - lays out what an organization aims to protect and how control of applications will be done.
• BYOD Technology - represents the different techniques for how BYOD devices are registered, configured, controlled and managed.
• Honeyd Agent - the honeyed agent is the honeypot technology used to delude potential attackers and capture the PDE from them.
• People - users of BYOD devices
• Forensic Readiness - proactive
• Digital Forensic Readiness - reactive
Detailed DFRM-4-BYOD
BYOD Management
• Provisioning control services
• Control, configure and provide services within an organization
• Authorized to run a service using a specific device that is connected to the BYOD network
• Administrators are able to exercise rights over all aspects of BYOD devices
• A trusted platform is set up for the user's activity to be monitored based on legal considerations
BYOD Technology
• Fine-grained BYOD policies
• Pre-incident planning
• Honeyed Agent
• DFR process
Forensic Readiness
• Monitoring
• Honeyed logging
• Digital preservation
• Forensic database
(The general information collected through these logs includes: packet destination, IP address, source, arrival time, protocol used, OS and biometrics used in each case.)
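The honeypot slide says attack-related information is collected so that events can be reconstructed later, and the forensic readiness slide lists the fields the honeyed logs carry (destination, source, arrival time, protocol, OS). The following is an added example, not code from the presentation or the ICSA Lab, of what "honeyed logging" plus "digital preservation" plus "forensic database" can look like in practice: honeypot log lines are parsed into records, appended to a hash-chained store so that later alteration of any record is detectable, and queried to reconstruct which sources touched which ports. The key=value log format, the field names and the three sample lines are constructed assumptions for illustration.

```python
"""Added example (not from the original presentation): a minimal
honeyed-logging pipeline. Log format, field names and sample lines are
constructed assumptions; the hash chain stands in for the 'digital
preservation' step and the list of entries for the 'forensic database'."""

import hashlib
import json
import shlex
from datetime import datetime, timezone

# Constructed sample honeypot log lines in an assumed key=value format.
SAMPLE_LOG = """\
ts=2016-05-11T09:15:02Z src=192.0.2.10 dst=198.51.100.5 dport=22 proto=tcp os="Linux 3.x"
ts=2016-05-11T09:15:07Z src=192.0.2.10 dst=198.51.100.5 dport=445 proto=tcp os="Linux 3.x"
ts=2016-05-11T09:16:41Z src=203.0.113.44 dst=198.51.100.5 dport=53 proto=udp os="Windows 7"
"""


def parse_line(line):
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    record = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        record[key] = value
    # Normalise arrival time to timezone-aware UTC so ordering is unambiguous.
    arrival = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
    record["ts"] = arrival.replace(tzinfo=timezone.utc).isoformat()
    record["dport"] = int(record["dport"])
    return record


class ForensicStore:
    """Append-only store; each entry carries the SHA-256 of the previous entry.

    Changing or removing any preserved record breaks the chain, which verify()
    reports. This is the integrity part of 'digital preservation'."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def preserve(self, record):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "digest": digest})
        return digest

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["digest"] != expected:
                return False
            prev = entry["digest"]
        return True


def ingest(log_text):
    """Parse every non-empty line and preserve it in a fresh store."""
    store = ForensicStore()
    for line in log_text.splitlines():
        if line.strip():
            store.preserve(parse_line(line))
    return store


def sources_by_port(store):
    """Reconstruction query: which source hosts touched which destination ports."""
    seen = {}
    for entry in store.entries:
        rec = entry["record"]
        seen.setdefault(rec["src"], set()).add(rec["dport"])
    return seen


if __name__ == "__main__":
    store = ingest(SAMPLE_LOG)
    print("chain intact:", store.verify())
    print("sources by port:", sources_by_port(store))
```

Each preserved entry commits to everything before it, so an investigator handed the store can re-run verify() and show that the records were not edited after collection; the query function is the kind of reconstruction step the honeypot slide refers to.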
Digital Forensic Investigation
• Initialization
• Acquisitive
• Investigative processes
Sequences of Execution in BYOD Environment
Conclusion
• There is a lack of a proactive security model with DF capability that is able to plan and prepare before potential security incidents occur in a BYOD environment.
• The authors proposed a generic model with DFR capability in a BYOD environment that contributes to the body of knowledge.