An interesting news story caught my eye on the BBC website. It highlighted how police in the United Kingdom are mystified as to how smartphones and tablets seized from criminals and suspected criminals are being remotely wiped while held in police custody. The story made me think about how incident response teams should deal with computer security incidents involving employee-owned Bring Your Own Device (BYOD) hardware such as smartphones and tablets.

The use of mobile devices by employees is becoming more widespread across many organizations. In his blog post “State of BYOD and Mobile Security Report: Latest Insights, Trends and Stats”, Yishay Yovel raises a number of interesting points from a survey conducted within the Information Security Group on LinkedIn. The figure that struck me most was that over 60 percent of those surveyed say their organization tolerates employees using personal devices to access corporate data such as email and documents. While these statistics highlight how improved technology can enable workers to be more productive, we also need to accept that this technology has introduced a new level of risk into the organization, not least the question of how an organization should gear up its incident response capabilities should an investigation involve mobile devices.

In the traditional approach to incident response, one of the key steps is to capture a forensically sound image of the device. This is usually done by taking physical control of the computer in question, isolating it from the network and then using forensic software to capture the required evidence from it.

With BYOD, one of the key issues is whether or not the organization will have access to the mobile device. After all, it is the employee’s personal device and the organization may have no legal rights to seize or access it. This is where good planning regarding the organization’s BYOD policy comes into play.

Even if the organization can seize and access the mobile device there are a number of key considerations that we can learn from the UK police forces.

Just because you have physical control of the device does not mean you have logical control of it. Most mobile devices have many ways to connect to various networks: the mobile phone network, over which data and commands can be transmitted; WiFi networks, which the device may be configured to join automatically; and Bluetooth, which many devices leave enabled. So it is essential to ensure that all connectivity for the device is turned off before conducting any investigation. For good measure the device should be sealed in a Faraday bag or cage. If no Faraday bag or cage is available, the device could be stored in a microwave oven (unplugged, so that it cannot be switched on) until one becomes available.

Most mobile devices are connected to the cloud and are configured to automatically back up data to it. So while you may have physical control of the mobile device, you may not have complete control over the data on it. There is also the risk that information you may rely on in court could be modified in the cloud, so that when the mobile device next synchronizes with the cloud, the data stored on the device is modified or overwritten.

There are a number of security and privacy apps available that are designed to securely wipe a device if it is not accessed by the device owner within a certain period, or if it cannot connect to the Internet within a specific time period. When examining the device it is important to be able to identify such apps and either take action to circumvent them or gather the required data before the app operates as designed.

BYOD can bring many benefits to an organization, but it also changes the landscape for incident response. Make sure to regularly review the tools, technology, processes, training and skills available to your incident response team so that they can meet these challenges.
