CMP71001 Cybersecurity Assignment 2: BYOD Risk and Security
VerifiedAdded on 2022/11/10
|10
|2414
|209
Report
AI Summary
This cybersecurity report, prepared as a consultation for an organization, focuses on addressing security concerns arising from the implementation of a Bring Your Own Device (BYOD) policy. The report begins by assessing the risks associated with BYOD, particularly concerning the security of the organization's information system. It then explores certificate-based authentication as a potential solution to mitigate these risks, comparing it to traditional password-based authentication. Furthermore, the report addresses the threat of phishing, providing guidelines for recognizing and minimizing phishing attacks. The analysis includes a detailed breakdown of the organization's information system components, a discussion on the benefits and drawbacks of certificate-based authentication, and practical advice for users to avoid phishing scams. The report concludes with a summary of the analyses, emphasizing the importance of proactive measures in reducing cyber threats within the organization's system, offering valuable insights for enhancing the overall security posture. This report fulfills the requirements of a cybersecurity assignment for CMP71001, focusing on practical applications of cybersecurity principles.
Running head: CYBERSECURITY
CYBERSECURITY
Name of the Student:
Name of the University:
Author Note:
CYBERSECURITY
Name of the Student:
Name of the University:
Author Note:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1CYBERSECURITY
Table of Contents
Introduction................................................................................................................................2
Discussion..................................................................................................................................2
BYOD Risk Assessment........................................................................................................2
Certificate-based Authentication............................................................................................4
Anti-phishing guideline..........................................................................................................5
Conclusion..................................................................................................................................7
References..................................................................................................................................8
Table of Contents
Introduction................................................................................................................................2
Discussion..................................................................................................................................2
BYOD Risk Assessment........................................................................................................2
Certificate-based Authentication............................................................................................4
Anti-phishing guideline..........................................................................................................5
Conclusion..................................................................................................................................7
References..................................................................................................................................8
2CYBERSECURITY
Introduction
User authentication within systems is the cornerstone for security of computers for
many years. Idea of password and user-id method is used in the system which is cost efficient
and effective to maintain shared secret among user and computer system. Authentication
system based on password is used currently by the organization for controlling access to
information system of the organization. However, recent Bring Your Own Device (BYOD)
policy’s implementation to the system has raised few security concerns (Farash & Attari
2014). BYOD policy is set of rules which governs level of support of IT department for
systems owned by employee. The line among organization owned and personal data will get
changed and the devices which are connected to the organization is showing new security
issues.
Discussion
BYOD Risk Assessment
Information system of an organization consists of a set of different components that
deals with organizing and collecting information and data. Information system of the
organization depends on the following five essential components:
Computer Hardware: It is a physical technology which works with data. The
hardware’s size can be as small as smartphones which can be kept inside a pocket or
as big as supercomputer. With rise of Internet of Things (IoT), from which any
devices from small appliances to vehicles would be able in receiving and transmitting
data.
Computer Software: Software’s role is making decisions of the actions of hardware.
Software are of two types: application software and system software. Application
Introduction
User authentication within systems is the cornerstone for security of computers for
many years. Idea of password and user-id method is used in the system which is cost efficient
and effective to maintain shared secret among user and computer system. Authentication
system based on password is used currently by the organization for controlling access to
information system of the organization. However, recent Bring Your Own Device (BYOD)
policy’s implementation to the system has raised few security concerns (Farash & Attari
2014). BYOD policy is set of rules which governs level of support of IT department for
systems owned by employee. The line among organization owned and personal data will get
changed and the devices which are connected to the organization is showing new security
issues.
Discussion
BYOD Risk Assessment
Information system of an organization consists of a set of different components that
deals with organizing and collecting information and data. Information system of the
organization depends on the following five essential components:
Computer Hardware: It is a physical technology which works with data. The
hardware’s size can be as small as smartphones which can be kept inside a pocket or
as big as supercomputer. With rise of Internet of Things (IoT), from which any
devices from small appliances to vehicles would be able in receiving and transmitting
data.
Computer Software: Software’s role is making decisions of the actions of hardware.
Software are of two types: application software and system software. Application
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3CYBERSECURITY
software is used for performing specific tasks. The major system software is operating
system which manages the operations of hardware.
Telecommunications: The hardware are connected together by this component for
forming a network. Networks are crucial for establishing connections between
systems within the organization (Ogie 2015).
Data Warehouses and Databases: Database is location where data is stored and
fetched by querying using criteria. All the data of an organization is stored in data
warehouse. Data warehouses and databases are quite essential for an organization.
Human Resources: Information system’s most essential component is human
resource. People are required for running system and procedures which they follow so
that knowledge of huge data warehouses and databases can be used for learning and
interpreting of the incidents from the past (Ogie 2015).
Components of Organizational Information System Rank (Crucial-wise)
Computer Hardware 4
Computer Software 2
Telecommunications 5
Data Warehouses and Databases 3
Human Resources 1
Bring Your Own Device (BYOD) is a policy used in organization which authorizes
workers in bringing their own personal devices such as laptops, mobiles and tablets for
connecting with the corporate network (Chang, Ho & Chang 2014). Employees can access
applications and confidential data of the organization as well as corporate mails.
software is used for performing specific tasks. The major system software is operating
system which manages the operations of hardware.
Telecommunications: The hardware are connected together by this component for
forming a network. Networks are crucial for establishing connections between
systems within the organization (Ogie 2015).
Data Warehouses and Databases: Database is location where data is stored and
fetched by querying using criteria. All the data of an organization is stored in data
warehouse. Data warehouses and databases are quite essential for an organization.
Human Resources: Information system’s most essential component is human
resource. People are required for running system and procedures which they follow so
that knowledge of huge data warehouses and databases can be used for learning and
interpreting of the incidents from the past (Ogie 2015).
Components of Organizational Information System Rank (Crucial-wise)
Computer Hardware 4
Computer Software 2
Telecommunications 5
Data Warehouses and Databases 3
Human Resources 1
Bring Your Own Device (BYOD) is a policy used in organization which authorizes
workers in bringing their own personal devices such as laptops, mobiles and tablets for
connecting with the corporate network (Chang, Ho & Chang 2014). Employees can access
applications and confidential data of the organization as well as corporate mails.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4CYBERSECURITY
BYOD might be fascinating business model, However there exists several security
risks related with it. Data security is the major concern for the organization. As workforce is
more reliable on smartphones, data leakage has increased. Smartphones and tablets are
weakest when related to data security. One of the security challenges of BYOD is keeping
corporate and personal data within same device. One of the biggest threats is malware to
smartphones which is unknowingly installed by user, which means malware could attack the
network of the organization (Astani, Ready & Tessema 2013). Security breaches can occur if
a worker’s device is stolen or lost. Using external Wi-Fi with no proper security protocols can
make the device more vulnerable for attacks.
Certificate-based Authentication
Authentication is a method in verifying identity of a user. Certificate-based
authentication is the digital certificate’s use for identifying device, machine or user before
giving access of network, resource or application. Users are allowed in securely accessing a
server through exchange of digital certificate, rather than using user-id and password which
means a client is not providing user-id and password to server that helps in prevention of
man-in-the-middle (MITM) attacks, keystroke logging and phishing among common other
problems of password-based authentication (Turkanović, Brumen & Hölbl 2014). For user
authentication, deployment of this authentication is deployed often with traditional methods
like user-id and password. Certificate–based authentication’s one differentiator is unlike few
solutions which work only for users like biometrics and one-time passwords, same solution
could be used to all endpoints such as devices, IoT and users.
Maximum certificate-based solutions come today with platform of cloud-based
management that makes it easy to administrators for issuing certificates for new workers,
revoke certificates in case when employee is leaving the organization and renew certificate.
There is a tradeoff among costs burdened to end users and increasing security. Certificates
BYOD might be fascinating business model, However there exists several security
risks related with it. Data security is the major concern for the organization. As workforce is
more reliable on smartphones, data leakage has increased. Smartphones and tablets are
weakest when related to data security. One of the security challenges of BYOD is keeping
corporate and personal data within same device. One of the biggest threats is malware to
smartphones which is unknowingly installed by user, which means malware could attack the
network of the organization (Astani, Ready & Tessema 2013). Security breaches can occur if
a worker’s device is stolen or lost. Using external Wi-Fi with no proper security protocols can
make the device more vulnerable for attacks.
Certificate-based Authentication
Authentication is a method in verifying identity of a user. Certificate-based
authentication is the digital certificate’s use for identifying device, machine or user before
giving access of network, resource or application. Users are allowed in securely accessing a
server through exchange of digital certificate, rather than using user-id and password which
means a client is not providing user-id and password to server that helps in prevention of
man-in-the-middle (MITM) attacks, keystroke logging and phishing among common other
problems of password-based authentication (Turkanović, Brumen & Hölbl 2014). For user
authentication, deployment of this authentication is deployed often with traditional methods
like user-id and password. Certificate–based authentication’s one differentiator is unlike few
solutions which work only for users like biometrics and one-time passwords, same solution
could be used to all endpoints such as devices, IoT and users.
Maximum certificate-based solutions come today with platform of cloud-based
management that makes it easy to administrators for issuing certificates for new workers,
revoke certificates in case when employee is leaving the organization and renew certificate.
There is a tradeoff among costs burdened to end users and increasing security. Certificates
5CYBERSECURITY
usage is quite easy to end users (Li et al 2013). After the installation of certificate, there is
nothing that can be done. Many enterprise solutions support the certificate-based
authentication already. Public key infrastructure (PKI) standard is leveraged for building the
certificate-based authentication. Stronger security is offered by certificate-based
authentication by authenticating mutual both the server and the client, using trusted party
during TLS handshake. Certificate consists of multiple fields like CN name, expiry date, and
san name. Depending on the policies and organization, different fields are used for encoding
the user-id. For identifying the user, configuration of couchbase is done for arsing one or
many more fields and extracting the user (Hummen et al 2013). This can be done with the use
of prefix, delimiter and path. The prefix provides the beginning of user-id, the delimiter
finishes the user-id and the path demonstrates from which part of the certificate, the user-id is
fetched.
The major advantage in using certificate-based authentication is it can be more
scalable. Administrators do not need to trust separate public keys. Also, the access of users to
many servers is controlled by publishing lists for certificate revocation for CA. As scalability
is more in certificate-authentication, authentication can be managed better for large to
medium scenarios. If an employee leaves the organization, it is not required in deleting the
public keys of the employee from each server in which he has authority in revoking the
rights. Instead the certificate of that employee is revoked simply by the CA of the
organization. From the point of view of a user, having trust on few number of CAs and
depending on them to access other entity’s credibility can be easier than needing to confirm
every remote entity’s identity manually (Verma, Kumar & Sinha 2016). Distribution of
public keys and validation of fingerprints when updating or creating key pairs is not needed.
Higher or same security level is provided than compared with password-based authentication.
Disadvantage of certificate-based authentication is the public-key infrastructure is required
usage is quite easy to end users (Li et al 2013). After the installation of certificate, there is
nothing that can be done. Many enterprise solutions support the certificate-based
authentication already. Public key infrastructure (PKI) standard is leveraged for building the
certificate-based authentication. Stronger security is offered by certificate-based
authentication by authenticating mutual both the server and the client, using trusted party
during TLS handshake. Certificate consists of multiple fields like CN name, expiry date, and
san name. Depending on the policies and organization, different fields are used for encoding
the user-id. For identifying the user, configuration of couchbase is done for arsing one or
many more fields and extracting the user (Hummen et al 2013). This can be done with the use
of prefix, delimiter and path. The prefix provides the beginning of user-id, the delimiter
finishes the user-id and the path demonstrates from which part of the certificate, the user-id is
fetched.
The major advantage in using certificate-based authentication is it can be more
scalable. Administrators do not need to trust separate public keys. Also, the access of users to
many servers is controlled by publishing lists for certificate revocation for CA. As scalability
is more in certificate-authentication, authentication can be managed better for large to
medium scenarios. If an employee leaves the organization, it is not required in deleting the
public keys of the employee from each server in which he has authority in revoking the
rights. Instead the certificate of that employee is revoked simply by the CA of the
organization. From the point of view of a user, having trust on few number of CAs and
depending on them to access other entity’s credibility can be easier than needing to confirm
every remote entity’s identity manually (Verma, Kumar & Sinha 2016). Distribution of
public keys and validation of fingerprints when updating or creating key pairs is not needed.
Higher or same security level is provided than compared with password-based authentication.
Disadvantage of certificate-based authentication is the public-key infrastructure is required
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6CYBERSECURITY
for it. This could rise initial deployment’s cost in few environments in comparison with
password-based authentication.
Anti-phishing guideline
Phishing is a fraudulent attempt for obtaining sensitive information like user-ids,
passwords, details of debit and credit card by claiming themselves as electronic
communication’s trustworthy entity. Users are asked for entering personal details at fake
website that looks similar with a legitimate site. Phishing is techniques of social engineering
that is being used for deceiving users. Users are lured often which looks like being from
trusted parties like auction sites, social websites, IT administrators or processors of online
payment. Phishing is made by sending emails, for stealing personal information (Almomani
et al 2013). Best way for protecting information from phishing is learning in recognizing
phish. Phishing email are sent from poplar organizations and personal information is asked.
Phishing emails asks users for clicking a link which takes the user to a website where private
data is requested. Few of the things which can be observed in the phishing email are:
Generic addressing: Phishing emails usually are sent within large batches. For saving
time, non-specific names are used by internet criminals, so there is no need to type all
names of the recipients and sending emails individually.
Forged link: Even there is a name of the link, still it is not necessary that the links are
of real organizations. If the mouse is rolled over the link to see if it is same with the
email. If there exists a discrepancy, the link should not be opened (Na, Kim & Lee
2014). Also, providing personal information to websites beginning with “https” is safe
as “s” in the “https” means secure. If there is no “https”, the link should not be
opened.
Sense in Urgency: Internet users asks users in providing personal data quickly. They
do it for making user think something occurred which needs the user to act quicker
for it. This could rise initial deployment’s cost in few environments in comparison with
password-based authentication.
Anti-phishing guideline
Phishing is a fraudulent attempt for obtaining sensitive information like user-ids,
passwords, details of debit and credit card by claiming themselves as electronic
communication’s trustworthy entity. Users are asked for entering personal details at fake
website that looks similar with a legitimate site. Phishing is techniques of social engineering
that is being used for deceiving users. Users are lured often which looks like being from
trusted parties like auction sites, social websites, IT administrators or processors of online
payment. Phishing is made by sending emails, for stealing personal information (Almomani
et al 2013). Best way for protecting information from phishing is learning in recognizing
phish. Phishing email are sent from poplar organizations and personal information is asked.
Phishing emails asks users for clicking a link which takes the user to a website where private
data is requested. Few of the things which can be observed in the phishing email are:
Generic addressing: Phishing emails usually are sent within large batches. For saving
time, non-specific names are used by internet criminals, so there is no need to type all
names of the recipients and sending emails individually.
Forged link: Even there is a name of the link, still it is not necessary that the links are
of real organizations. If the mouse is rolled over the link to see if it is same with the
email. If there exists a discrepancy, the link should not be opened (Na, Kim & Lee
2014). Also, providing personal information to websites beginning with “https” is safe
as “s” in the “https” means secure. If there is no “https”, the link should not be
opened.
Sense in Urgency: Internet users asks users in providing personal data quickly. They
do it for making user think something occurred which needs the user to act quicker
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7CYBERSECURITY
(Chaudhry, Chaudhry & Rittenhouse 2016). The faster the information is provided to
them, the faster another victim is targeted by them.
There are several ways from becoming victim of phishing attack. Many phishing emails
begin as “Dear Customer”, so those emails should be avoided. Anti-phishing toolbars should
be customized in internet browsers. These toolbars run quick checks on websites which are
being visited and compared with known phishing websites. If the website is malicious, an
alert will be provided by the toolbar. Security patches for popular browsers are released every
time (Burns, Durcikova & Jenkins 2013). The browsers are required to be up-to-date. High-
quality firewalls are used which act as buffers among the user, outside intruders and user’s
system. Firewalls reduce odds of phishers infiltrating the network.
Conclusion
The organization is using currently password-based authentication system for
controlling user access to organization’s information system. However, recent
implementation of BYOD policy has raised few security concerns. The risks of
implementation of BYOD policy in information system is analysed. After assessing BYOD
policy’s risks, organization used certificate-based authentication in place of password-based
authentication. Working principles of certificate-based authentication are analysed and
compared with password-based authentication. After analysing, phishing is figured as one of
the threats faced by the organization. The characteristics of phishing are discussed and the
steps for minimizing phishing attack is discussed. These analyses will help for addressing
emerging risks and reducing cyber threats in the system of the organization.
(Chaudhry, Chaudhry & Rittenhouse 2016). The faster the information is provided to
them, the faster another victim is targeted by them.
There are several ways from becoming victim of phishing attack. Many phishing emails
begin as “Dear Customer”, so those emails should be avoided. Anti-phishing toolbars should
be customized in internet browsers. These toolbars run quick checks on websites which are
being visited and compared with known phishing websites. If the website is malicious, an
alert will be provided by the toolbar. Security patches for popular browsers are released every
time (Burns, Durcikova & Jenkins 2013). The browsers are required to be up-to-date. High-
quality firewalls are used which act as buffers among the user, outside intruders and user’s
system. Firewalls reduce odds of phishers infiltrating the network.
Conclusion
The organization is using currently password-based authentication system for
controlling user access to organization’s information system. However, recent
implementation of BYOD policy has raised few security concerns. The risks of
implementation of BYOD policy in information system is analysed. After assessing BYOD
policy’s risks, organization used certificate-based authentication in place of password-based
authentication. Working principles of certificate-based authentication are analysed and
compared with password-based authentication. After analysing, phishing is figured as one of
the threats faced by the organization. The characteristics of phishing are discussed and the
steps for minimizing phishing attack is discussed. These analyses will help for addressing
emerging risks and reducing cyber threats in the system of the organization.
8CYBERSECURITY
References
Almomani, A., Gupta, B.B., Atawneh, S., Meulenberg, A. and Almomani, E., 2013. A survey
of phishing email filtering techniques. IEEE communications surveys & tutorials, 15(4),
pp.2070-2090.
Astani, M., Ready, K. and Tessema, M., 2013. BYOD Issues and strategies in organizations.
Issues in Information Systems, 14(2).
Burns, M.B., Durcikova, A. and Jenkins, J.L., 2013, January. What kind of interventions can
help users from falling for phishing attempts: a research proposal for examining stage-
appropriate interventions. In 2013 46th Hawaii International Conference on System Sciences
(pp. 4023-4032). IEEE.
Chang, J.M., Ho, P.C. and Chang, T.C., 2014. Securing byod. IT Professional, 16(5), pp.9-
11.
Chaudhry, J.A., Chaudhry, S.A. and Rittenhouse, R.G., 2016. Phishing attacks and defenses.
International Journal of Security and Its Applications, 10(1), pp.247-256.
Farash, M.S. and Attari, M.A., 2014. An efficient client–client password-based authentication
scheme with provable security. The Journal of Supercomputing, 70(2), pp.1002-1022.
Hummen, R., Ziegeldorf, J.H., Shafagh, H., Raza, S. and Wehrle, K., 2013, April. Towards
viable certificate-based authentication for the internet of things. In Proceedings of the 2nd
ACM workshop on Hot topics on wireless network security and privacy (pp. 37-42). ACM.
Li, X., Ma, J., Wang, W., Xiong, Y. and Zhang, J., 2013. A novel smart card and dynamic ID
based remote user authentication scheme for multi-server environments. Mathematical and
Computer Modelling, 58(1-2), pp.85-95.
References
Almomani, A., Gupta, B.B., Atawneh, S., Meulenberg, A. and Almomani, E., 2013. A survey
of phishing email filtering techniques. IEEE communications surveys & tutorials, 15(4),
pp.2070-2090.
Astani, M., Ready, K. and Tessema, M., 2013. BYOD Issues and strategies in organizations.
Issues in Information Systems, 14(2).
Burns, M.B., Durcikova, A. and Jenkins, J.L., 2013, January. What kind of interventions can
help users from falling for phishing attempts: a research proposal for examining stage-
appropriate interventions. In 2013 46th Hawaii International Conference on System Sciences
(pp. 4023-4032). IEEE.
Chang, J.M., Ho, P.C. and Chang, T.C., 2014. Securing byod. IT Professional, 16(5), pp.9-
11.
Chaudhry, J.A., Chaudhry, S.A. and Rittenhouse, R.G., 2016. Phishing attacks and defenses.
International Journal of Security and Its Applications, 10(1), pp.247-256.
Farash, M.S. and Attari, M.A., 2014. An efficient client–client password-based authentication
scheme with provable security. The Journal of Supercomputing, 70(2), pp.1002-1022.
Hummen, R., Ziegeldorf, J.H., Shafagh, H., Raza, S. and Wehrle, K., 2013, April. Towards
viable certificate-based authentication for the internet of things. In Proceedings of the 2nd
ACM workshop on Hot topics on wireless network security and privacy (pp. 37-42). ACM.
Li, X., Ma, J., Wang, W., Xiong, Y. and Zhang, J., 2013. A novel smart card and dynamic ID
based remote user authentication scheme for multi-server environments. Mathematical and
Computer Modelling, 58(1-2), pp.85-95.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9CYBERSECURITY
Na, S.Y., Kim, H. and Lee, D.H., 2014. Prevention schemes against phishing attacks on
internet banking systems. International Journal of Advances in Soft Computing & Its
Applications, 6(1).
Ogie, R., 2015. Bring your own device: an overview of risk assessment. IEEE Consumer
Electronics Magazine, 5(1), pp.114-119.
Turkanović, M., Brumen, B. and Hölbl, M., 2014. A novel user authentication and key
agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet
of Things notion. Ad Hoc Networks, 20, pp.96-112.
Verma, U.K., Kumar, S. and Sinha, D., 2016, March. A secure and efficient certificate based
authentication protocol for MANET. In 2016 International Conference on Circuit, Power
and Computing Technologies (ICCPCT) (pp. 1-7). IEEE.
Na, S.Y., Kim, H. and Lee, D.H., 2014. Prevention schemes against phishing attacks on
internet banking systems. International Journal of Advances in Soft Computing & Its
Applications, 6(1).
Ogie, R., 2015. Bring your own device: an overview of risk assessment. IEEE Consumer
Electronics Magazine, 5(1), pp.114-119.
Turkanović, M., Brumen, B. and Hölbl, M., 2014. A novel user authentication and key
agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet
of Things notion. Ad Hoc Networks, 20, pp.96-112.
Verma, U.K., Kumar, S. and Sinha, D., 2016, March. A secure and efficient certificate based
authentication protocol for MANET. In 2016 International Conference on Circuit, Power
and Computing Technologies (ICCPCT) (pp. 1-7). IEEE.
1 out of 10
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.