This document discusses threats to corporate information from bring your own device (BYOD) policies and the challenges this poses for digital forensics investigations. It defines the internal and external threat contexts for BYOD, including trusted employees and outsiders. A STRIDE-based threat model is used to analyze how threats could lead to information disclosure or contamination. The analysis shows databases are primary targets and how proactive forensics is needed if they are compromised through BYOD threats. Future work aims to define evidence requirements to support investigations in BYOD environments.

1. Bring Your Own Disclosure
Analysing BYOD Threats to Corporate Information
Denys A. Flores, Farrukh Qazi & Arshad Jhumka
TrustCom 2016 – Tianjin, China
August 25th, 2016

2. Topics
Research Background
Related Work
The BYOD Threat to Corporate Information
The BYOD Challenge to Digital Forensics
Analysing BYOD Threats: Methodology
Conclusions

3. Research Background…
During data breaches, databases are the primary targets and also a great
challenge for forensic investigations.
DB Forensics applies digital forensic approaches to gather suitable digital
evidence related to database activity for presentation in a court of law [1] –
evidence may be stored in different sources.
DB Forensics has received very little research attention [2].
Generating trustworthy digital evidence by ensuring Chain of Custody
(evidence possession, authenticity and provenance) during the investigation
life cycle.

4. Research Background…
Reactive DB Forensics Proactive DB Forensics
DB reconstruction and recovery – reactive
controls [3]
Analyse logged activity (audit stage) of
suspicious events – proactive controls
Traditional imaging and file carving [4][5]
eDiscovery - digital evidence from multiple
trusted distributed sources
Admissibility may be challenged [2] Requires a forensically ready environment
Time-consuming when dealing with short
incident-response time
Relatively shorter than reactive techniques
Traditional Digital Forensic techniques may not be suitable for DB
Forensics [15].

5. Related Work
Previous work on mitigating BYOD Threats has not considered
security and digital forensics issues.
Mobile Device Management (MDM) solutions [6] provide
mobile device access control, but do not prevent/monitor
information access and misuse (i.e. disclosure and
contamination).
STRIDE-based Threat Models have already been applied for
supporting digital forensic readiness initiatives [14] without
analysing threat interaction.
Our research provides a baseline for understanding the
environment in which proactive digital forensics initiatives may
be deployed [16], considering internal and external threat
interactions in the BYOD context.

6. The BYOD Threat to Corporate Information
Bring-Your-Own-Device (BYOD), or Dual-Use Devices is a growing
trend encouraged by some organisations.
Increases employee productivity and accessibility to corporate
information assets (including databases) from anywhere at anytime.
Security concerns regarding monitoring and controlling employee
mobile device access to information assets [6]
BYOD – Bring Your Own Disclosure??

7. The BYOD Challenge to Digital Forensics
Sometimes trusted insiders (employees) misuse credentials to access corporate
information assets, such as databases, from uncontrolled devices.
In BYOD, digital evidence is distributed in different locations and collected in various
electronic media [7].
Incidents related to information misuse (disclosure and contamination) [8][9] require
proper event identification to associate actions with actors.
Accountability is a security characteristic for forensics and auditing purposes [10].
When there is an incident there is someone accountable for it!

8. The BYOD Challenge to Digital Forensics
BYOD is a source of a vast amount of digital evidence [11].
When corporate-owned relatively easy to handle.
Insider activity has been overlooked as only outsider attacks
are seen as relevant [12].
Malicious/naive insider actions must be controlled [13] to
avoid corporate information disclosure [9] and
contamination [8].
In BYOD, there is uncontrolled mobile device activity [6]
In BYOD controlling and monitoring
evidence sources => device ownership issues

9. Analysing BYOD Threats: Methodology
Define external and internal threat contexts where information misuse
in BYOD may lead to forensic investigations.
Determining a STRIDE-based BYOD Threat Model for determining
potential threats to corporate information.
Analyse threat interactions from inside and outside the corporate
perimeter.

10. Defining the BYOD External/Internal Threat Context
Actor Carrier Target Example
Cybercriminals
known as
Outsiders
Naïve employee
BYOD activity
Corporate
Information
An employee can disclose
corporate information in
unsecure/untrusted Outsider
Locations.
An employee can download
malicious applications that
retrieves corporate information
and send it back to the Outsider
Trusted
employees
known as
Insiders
Unauthorised
mobile activity
Credential
Misuse
An employee can misuse his/her
database credentials to disclose or
contaminate information.

11. Defining the BYOD External/Internal Threat Context
External Internal
Actor Cybercriminals (outsiders) Trusted employees (insiders)
Threats
• Malware
• Phishing
• Social Engineering
• Malicious Mobile Apps.
• Insecure Wireless
Networks
• Fake Certificate
Authorities
• DoS
• Uncontrolled Devices
• Device Misconfiguration
• Unauthorised Information Sharing in
Personal Clouds
• Mixture of Personal and Corporate
Information
• Lost/Stolen/Unlinked Devices
• Device Ownership
BYOD exposes information assets (including databases) to
External and Internal Threat Contexts

12. Determining a STRIDE-based BYOD Threat Model
Trust Boundaries Represents Interacts With
A. Internet Trust Boundary (ITB) Lower-Trust Insider Activity
Personal Cloud
Mobile App Stores
CPTB
B. Business Core Trust Boundary (BCTB) Higher-Trust Insider Activity
Relational Database
Audit Repository
C. Corporate Perimeter Trust Boundary (CPTB) Internal/External Insider Interaction
ITB-located Mobile Client
CPTB

13. Analysing Threat Interactions
Threats were analysed using relevant research literature and security
reports.
Analysis showed that corporate information is either contaminated or
disclosed.
Particularly in databases, which are primary targets during data
breaches.
If databases are compromised, then proactive digital forensic
investigations are required

14. Analysing Threat Interactions
BYOD Threats causing Information Contamination

15. Analysing Threat Interactions
BYOD Threats causing Information Disclosure

16. Conclusions
Future work towards protecting corporate information (in databases) from
unauthorised disclosure and contamination, using proactive approaches.
Regarding information contamination, control and monitor actions that can
compromise information integrity, introducing repudiation issues when disabling
logging and auditing repositories.
Regarding information disclosure, control malicious insider activity such as credential
misuse to access sensitive information. E.g. DB credential misuse.
Current undergoing work analysing chain of custody and evidence requirements to
define the notion of evidence possession, authenticity and provenance in BYOD
environments.

17. Thank You!

18. Denys A. Flores
PhD Student
Department of Computer Science
University of Warwick
email: d.flores-armas@warwick.ac.uk
web: go.warwick.ac.uk/dflores
twitter: @denys_flores
Sponsors

19. References
[1]Fowler, K. (2007). SQL Server Database Forensics. [Online] Available at: http://ubm.io/1WuG9Il
[2]Hauger, W., Olivier, M. (2015). The state of Database Forensic research. In IEEE Information Security for South Africa (ISSA)
[3]Fasan, O., Olivier, M. (2012). On Dimensions of Reconstruction in Database Forensics, In Seventh International Workshop on Digital
Forensics & Incident Analysis.
[4]Fowler, K. (2008). SQL Server Forensic Analysis. Addison-Wesley Professional, Boston
[5]Litchfield, D. (2007-2011). Papers on Oracle Forensics. Available at: http://www.davidlitchfield.com/security.htm
[6]Sobers, A. (2015). BYOD and the Mobile Enterprise – Organisational challenges and solutions to adopt BYOD. [Online]. Available at:
http://bit.ly/1Z8ZkG2
[7]Attoe, R. (2016). Chapter 6 - Digital forensics in an eDiscovery world, In Digital Forensics, edited by John Sammons, Syngress,
Boston, Pp. 85-98
[8]Downer, K. and Bhattacharya, M. (2016). BYOD security: A new business challenge. [Online] Available at: http://bit.ly/1O08xJY
[9]Pohlmann, N. et al. (2015). Bring your own device for authentication (BYOD4A)–the Xign–System. In Information Security Solutions
Europe (ISSE) 2015 Conference. Springer, 2015, pp. 240–250.
[10]Stallings, W. (2011). Network Security Essentials, 4th edition, New York, US; Prentice-Hall
[11]Francis, K. and Larson, M. (2015). Digital Forensics in the Mobile, BYOD, and Cloud Era. [Online]. Available at:
http://bit.ly/1T9TxdY
[12]Pavlou, K. et al. (2012). Achieving Database Information Accountability in the Cloud. [Online] Available at: http://bit.ly/1WuGzyh
[13]Densham, B. (2015). Three cyber-security strategies to mitigate the impact of a data breach. In Network Security, vol. 2015, 2015,
pp. 5–8. [Online] Available at: http://bit.ly/1Wv9CQJ
[14]Lourida, K., et al. (2013). Assessing database and network threats in traditional and cloud computing. [Online]. Available at:
http://wrap.warwick.ac.uk/65197/
[15]Khanuja, H. (2014). Role of metadata in forensic analysis of database attacks, In IEEE International Advance Computing
Conference (IACC).
[16]Henry, P. et al (2013). The SANS Survey of Digital Forensics and Incident Response. [Online]. Available at: http://bit.ly/1SDdomv