SecurityInnovation / Security-Best-Practices

A Security and Privacy Guide for non-technical users

A page for BYOD #30

Open MrVaughan opened 8 years ago

MrVaughan commented 8 years ago

All of the resources out there on BYOD security are written for the employer. We should add a page with considerations for regular users.

What are the implications of using my personal device at work? What do the MDMs do and how do they impact my use / safety? What will my employer be able to see?

arvinddoraiswamy commented 8 years ago

@MrVaughan Hope this starts things off.

https://github.com/SecurityInnovation/Security-Best-Practices/wiki/Bring-your-own-device-%28BYOD%29

astenwick commented 8 years ago

Although I agree with everything Arvind wrote, there is no suggestion to not connect your phone to the office network at all. This is a real alternative and it is exactly what I do. Why not just use cellular data while at the office since I'm working from my laptop anyways?

arvinddoraiswamy commented 8 years ago

Hmm, I'd swear I wrote something like that, Anna. If not, it should be there... and yes, we should just use cellular data.


MrVaughan commented 8 years ago

I like the content Arvind has provided, thank you. I think I'll have to write some formatting / document style guides, as with all the other pages I tried to stick to a reasonably consistent format (although it fluctuates depending on the amount of content).

At a minimum I would like all pages to adhere to the following format:

Info: [optional] Background info a reader may need to understand the issues
Anecdotes [something for later]: Eventually I'd like to add a hacker story from all of our collective past experiences to connect with readers on an emotional / personal level.
Threats: List or description of threats that affect this particular issue
Security Best Practices: List of best practices to prevent/mitigate the above threats
Additional Resources [optional]: URLs and descriptions of additional resources (choose strong, legitimate sources where possible)
Recommended Products: [optional] [To add at a later date] - Proven products that we can recommend; some auditing will need to be done on each product.
How To's: [optional] [To add at a later date] - Technical step by step on how to set up a particular config / tool.

MrVaughan commented 8 years ago

I've deleted the page for the time being until I can review / edit it to meet the same format. I am pasting the content here, then we can revisit. There may be some publicity / release of this site and I don't want an unfinished page up for the moment.

Content: Read this OR this depending on which phone you're using.

If you connect your device to the office network, you're connecting it to every single business asset that your company owns. If your device gets compromised by whoever and however, it could be used as a pivot point into the entire business. And you could be blamed. You've been warned. Now if you still want to connect it..

It isn't okay to open random attachments on your phone at any time. When connected to your office network (which is mostly through wireless) this is even more true.

Keep as little official data on it as possible. Work on it and delete the content if you can.

Use application-specific passwords (LINK) for your Gmail accounts if you use one. Which mostly you do.

Don't install Angry Birds 5.0 on your office device. It doesn't make sense. At all. Keep it official.

Your organization probably has the right to monitor every single keystroke or click on your device. They own it. And you probably can't sue them if they do. You probably signed some fancy form with a million clauses when you joined. Behave responsibly.