Mobile Work (BYOD)

Bring Your Own Device (BYOD) massively increases your organization's flexibility but introduces a multitude of devices into your ecosystem that you do not directly control.

The Challenge

A private device is a black box. You must ensure that corporate data is protected without violating your employees' privacy. The focus here is on app security rather than device control.

Your Strategy

  • Isolation: Use MAM policies to isolate company data in encrypted containers and prevent screenshots.
  • Connectivity: Use Trusted Certificate Profiles to provide Wi-Fi and VPN access automatically and securely.
  • Compliance: Grant access only to devices that have not been tampered with (no root/jailbreak).

STRIDE-LM Design Risks

  • Spoofing (S-MOB-01): Unmanaged Device Access. Access via untrusted or compromised private devices.
  • Tampering (T-01): Data Tampering. Unauthorized modification of shared data or configurations.
  • Repudiation (R-01): Audit Log Manipulation. Deleting or altering traces of an action.
  • Information Disclosure (I-MOB-01): Personal App Data Leakage. Exfiltration of company data via private cloud backups or apps.
  • Denial of Service (D-01): Resource Exhaustion. Overloading systems through massive requests or resource hogging.
  • Elevation of Privilege (E-01): Privilege Escalation. Gaining privileges beyond what is intended.
  • Lateral Movement (L-01): Lateral Movement. Accessing further internal systems after initial login.
  • Monitoring Gaps (M-01): Insufficient Logging. Missing or inadequate recording of security-relevant events.

MITRE ATT&CK® Techniques

Techniques are grouped by ATT&CK tactic. Each mitigation is listed with its protection tier (Baseline Protection or Extended Protection) and its Low/Medium/High rating in square brackets, followed by the CIS, NIST CSF and OWASP references it maps to.

Initial Access

T1456: Exploitation for Privilege Escalation (Mobile)
Exploiting OS vulnerabilities on mobile devices.
Mitigated by:
  • Device Compliance Policies [Baseline Protection, Low]. CIS: 4.1; NIST: PR.AC-7; OWASP: A01:2021

T1566: Phishing
Delivering malicious content via electronic communication.
Mitigated by:
  • Conditional Access Policies [Baseline Protection, Medium]. CIS: 6.1; NIST: PR.AC-7; OWASP: API2

Persistence

T1534: Internal Spearphishing
Targeted phishing via internal communication channels.
Mitigated by:
  • Trusted Certificate Profiles [Baseline Protection, Low]. CIS: 12.7; NIST: PR.AC-3

Credential Access

T1539: Steal Web Session Cookie
Capturing active session tokens to bypass authentication.
Mitigated by:
  • Trusted Certificate Profiles [Baseline Protection, Low]. CIS: 12.7; NIST: PR.AC-3
  • Conditional Access Policies [Baseline Protection, Medium]. CIS: 6.1; NIST: PR.AC-7; OWASP: API2

T1517: Access Notifications (Mobile)
Intercepting MFA codes and sensitive content from push notifications.
Mitigated by:
  • Device Compliance Policies [Baseline Protection, Low]. CIS: 4.1; NIST: PR.AC-7; OWASP: A01:2021
  • Conditional Access Policies [Baseline Protection, Medium]. CIS: 6.1; NIST: PR.AC-7; OWASP: API2
  • Jailbreak & Root Detection [Baseline Protection, Low]. CIS: 5.1; NIST: PR.IP-1; OWASP: A01:2021

Discovery

T1418: Software Discovery (Mobile)
Identifying installed apps to find vulnerabilities.
Mitigated by:
  • Mobile Application Management (MAM) [Baseline Protection, Low]. CIS: 13.3; NIST: PR.DS-1
  • App Protection - Screen Capture Block [Baseline Protection, Low]. CIS: 13.3; NIST: PR.DS-1
  • Remote Wipe (Selective) [Baseline Protection, Low]. CIS: 4.10; NIST: PR.PT-2
  • Jailbreak & Root Detection [Baseline Protection, Low]. CIS: 5.1; NIST: PR.IP-1; OWASP: A01:2021
  • Incident Response Playbook (BYOD Security Incident) [Baseline Protection, Low]. CIS: 17.3, 17.4; NIST: RS.MA-1, RS.AN-1, RC.RP-1

Collection

T1430: Location Tracking
Unauthorized tracking of the physical location of the device.
Mitigated by:
  • Remote Wipe (Selective) [Baseline Protection, Low]. CIS: 4.10; NIST: PR.PT-2
  • Incident Response Playbook (BYOD Security Incident) [Baseline Protection, Low]. CIS: 17.3, 17.4; NIST: RS.MA-1, RS.AN-1, RC.RP-1

T1432: Access Contact List (Mobile)
A malicious app accessing the device address book.
Mitigated by:
  • Mobile Application Management (MAM) [Baseline Protection, Low]. CIS: 13.3; NIST: PR.DS-1
  • App Protection - Screen Capture Block [Baseline Protection, Low]. CIS: 13.3; NIST: PR.DS-1
  • Remote Wipe (Selective) [Baseline Protection, Low]. CIS: 4.10; NIST: PR.PT-2
  • SIEM Integration [Extended Protection, High]. CIS: 8.5; NIST: DE.AE-3, DE.CM-1; OWASP: A09:2021
  • Incident Response Playbook (BYOD Security Incident) [Baseline Protection, Low]. CIS: 17.3, 17.4; NIST: RS.MA-1, RS.AN-1, RC.RP-1

Command & Control

T1437: Standard Application Layer Protocol (Mobile)
Using legitimate network protocols to disguise C2 communication on mobile devices.
Mitigated by:
  • Mobile Application Management (MAM) [Baseline Protection, Low]. CIS: 13.3; NIST: PR.DS-1
  • Device Compliance Policies [Baseline Protection, Low]. CIS: 4.1; NIST: PR.AC-7; OWASP: A01:2021
  • Jailbreak & Root Detection [Baseline Protection, Low]. CIS: 5.1; NIST: PR.IP-1; OWASP: A01:2021

Exfiltration

T1567: Exfiltration Over Web Service
Data leakage via legitimate web interfaces.
Mitigated by:
  • Mobile Application Management (MAM) [Baseline Protection, Low]. CIS: 13.3; NIST: PR.DS-1
  • SIEM Integration [Extended Protection, High]. CIS: 8.5; NIST: DE.AE-3, DE.CM-1; OWASP: A09:2021
  • Incident Response Playbook (BYOD Security Incident) [Baseline Protection, Low]. CIS: 17.3, 17.4; NIST: RS.MA-1, RS.AN-1, RC.RP-1

Mobile Work (BYOD) | IT Security Checklist for SMEs · AYSOLI Security Hub