The document discusses the requirements for effective BYOD (Bring Your Own Device) security scanning. It states that BYOD security scanning must be able to identify vulnerabilities, configuration issues, and sensitive data on devices regardless of location. It outlines five key requirements for BYOD security scanning solutions: 1) Integrate with existing business technologies, 2) Not require scheduled scans, 3) Support mobile devices through native apps, 4) Not require device credentials, and 5) Be cloud-based to scan devices anywhere. The document emphasizes that legacy scanning is insufficient for securing mobile endpoints and a new approach is needed to address BYOD challenges.

1. !
!
!!!!!!!!!!!!!!!!!!!!
!
!
!
!
BYOD%Security%Scanning:!!
What%You%Need%To%Know!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
iScan!Online,!Inc.!
19111!N!Dallas!Parkway!
Suite!200!
Dallas,!TX!75287!
www.iscanonline.com!
+1.214.276.1150!
! !

2. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
2!
!
!
Introduction*
When!the!early!history!of!the!21st!century!is!written,!two!dominant!technology!trends!will!stand!out.!
One!is!the!move!to!the!cloud,!empowered!by!virtualization.!The!other!will!be!how!Bring!Your!Own!
Device!(BYOD)!ushered!in!the!postVPC!era,!the!consumerization!of!IT!and!Shadow!IT!systems!built!and!
used!without!organizational!approval.!While!BYOD!offers!many!positive!productivity!and!communication!
benefits,!it!also!is!the!source!of!nightmares!which!keep!many!IT!and!security!administrators!up!at!night.!
!
There!is!no!doubt!that!BYOD!has!swept!over!the!workplace!like!a!tsunami.!A!recent!study!by!Cisco!1
!
showed!that!95%!of!organizations!use!BYOD!in!some!form!or!another.!This!is!an!overwhelming!statistic!
that!shows!BYOD!has!reached!well!beyond!critical!mass.!!!
!
At!the!beginning!of!the!BYOD!movement,!IT!management!simply!forbid!users!to!access!corporate!
resources!with!personally!owned,!unmanaged!devices.!Eventually!the!IT!security!industry!responded!
with!solutions,!which!allowed!IT!managers!to!embrace!BYOD!rather!than!just!forbidding!it.!
Unfortunately,!too!many!of!these!solutions!are!little!more!than!PC!solutions!reVskinned!for!enterprise!
mobility.!!!
!
Given!that!today,!95%!of!organizations!allow!BYOD!devices,!the!threat!and!risk!to!corporate!data!and!
applications!continues!to!grow!exponentially.!While!all!types!of!mobile!devices!and!operating!systems!
could!be!targeted,!those!with!the!greatest!market!share!tend!to!attract!the!greatest!number!of!attacks.!
For!this!reason,!along!with!its!open!nature,!Google’s!Android!system!is!attracting!a!lot!of!attention.!!!
!
There!are!already!documented!attacks!against!Android!2
.!!It!is!not!that!Android!is!inherently!less!secure!
than!other!mobile!systems,!its!very!popularity!makes!it!a!bigger!target!for!malware.!Most!security!
experts!predict!a!rough!time!ahead!as!the!pace!and!severity!of!Android!and!other!mobile!security!
threats!increase!over!the!coming!months!and!years.!
!
What*is*at*stake?*
Some!observers!casually!dismiss!the!threat!of!BYOD!security!breaches.!After!all,!while!most!phones!and!
tablets!are!accessing!email!and!cloud!services,!they!have!limited!exposure!to!internal!corporate!
networks.!!But!the!threat!is!in!fact!very!real.!!The!factors!that!are!driving!adoption!of!BYOD!are!also!
driving!accessibility!by!these!devices!to!all!corporate!resources.!!More!and!more!internal!programs!and!
applications!are!being!updated!with!frontVend!mobile!app!components!and!made!available!to!users!of!
BYOD!devices.!!!
!
The!whole!notion!of!a!corporate!“castle”!surrounded!by!a!fortified!perimeter!is!growing!quainter!and!
more!obsolete!every!day.!It!is!not!just!devices!that!are!mobile—people!are!increasingly!mobile.!BYOD!
has!set!employees!free,!to!work!and!interact!with!an!organizations!network!from!any!place!and!at!any!
time.!To!empower!these!employees,!organizations!must!allow!employee!owned!devices!access!to!
corporate!assets.!
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1
!http://newsroom.cisco.com/release/854754/Cisco-Study-IT-Saying-Yes-To-BYOD!
2
!http://www.networkworld.com/news/2013/032713-new-malware-shows-android-has-268140.html!

3. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
3!
Once!these!devices!are!allowed!to!access!corporate!data,!they!consequentially!pose!a!risk!and!become!a!
high!value!vector!for!attack.!In!today’s!world!of!sophisticated!threats!like!Advanced!Persistence!Threats!
(APT)!and!mobile!endpoint!attacks,!larger!network!breaches!typically!start!with!a!toehold!gained!
through!a!single!device.!Once!they!have!compromised!a!single!device,!attackers!can!use!that!device!to!
attack!and!infiltrate!other!devices!on!the!network.!Any!compromised!device!may!contain!valuable!assets!
itself!or!may!open!a!path!to!other!devices!and!corporate!data.!
!
Another!potential!security!risk!is!the!data!stored!on!the!BYOD!device!itself.!Whether!it!is!found!in!copies!
of!email!sent!to!others,!in!attachments!to!emails!received,!or!in!documents!or!contact!information,!
there!is!almost!inevitably!personally!identifiable,!confidential!information!stored!on!the!typical!BYOD!
device.!
!
This!means!that!no!matter!how!much!security,!process!and!policy!are!in!place!to!protect!corporate!
networks,!the!weakest!link!may!very!well!be!in!the!pocket!or!purse!of!a!corporate!employee.!
!
Existing*BYOD*Security*Solutions*
Today’s!BYOD!security!solutions!typically!fall!into!two!primary!categories,!antiVmalware!and!mobile!
device!management!(MDM).!It!may!help!to!examine!both!of!these.!
!
In!regards!to!antiVmalware!on!BYOD!devices,!it!is!still!very!much!like!antiVmalware!on!PCs.!There!are!
virus!detection!engines,!white!listing,!black!listing,!DLP,!and!other!technologies!built!into!antiVmalware!
suites.!Unfortunately,!these!complex!apps!can!impact!mobile!device!performance!while!not!necessarily!
making!the!user!or!organization!any!safer.!!Traditional!antiVvirus!firms!as!well!as!some!new!mobileVonly!
companies!are!offering!these!host!based!antiVmalware!suites.!Yet!at!a!time!when!many!in!the!security!
industry!are!saying!that!PC!antiVvirus!and!antiVmalware!are!all!but!useless,!these!same!pundits!continue!
to!push!antiVmalware!software!as!a!viable!solution!for!mobile!devices.!
!
MDM!appeared!initially!to!be!the!killer!application!needed!to!make!BYOD!safe!for!the!workplace.!It!
offered!the!hope!that!BYOD!devices!could!meet!corporate!policies,!allowing!IT!groups!to!enforce!
configuration!standards!and!maintain!compliance.!Many!MDM!solutions!also!provide!remote!device!
security!functions,!including!remote!lock,!remote!wipe!and!remote!location.!
!
While!antiVmalware!and!MDM!BYOD!solutions!are!important,!neither!can!deliver!the!opportunistic,!onV
demand!scanning!capabilities!needed!to!provide!worldVclass!security!in!a!mobile!enterprise!
environment.!To!gain!true!clarity!into!the!state!of!an!organizations!BYOD!security!and!risk!posture,!it!
may!help!to!understand!the!details!and!requirements!of!BYOD!scanning.!!
!!
BYOD*Security*Scanning*–*What*is*it?*
Scanning!has!been!part!of!the!security!toolbox!for!a!long!time,!and!most!organizations!understand!the!
importance!of!assessing!the!vulnerability!posture!of!devices!and!networks!by!scanning!both!internally!
and!externally.!But!what!exactly!is!BYOD!security!scanning?!!!
!
BYOD!Security!Scanning!is!the!ability!to!identify!and!assess!any!endpoint!device!for!vulnerabilities,!
secure!configurations!or!unprotected!data!at!rest,!regardless!of!where!the!device!is!physically!located!or!
how!it!is!accessing!corporate!data!and!applications.!!Existing!scanning!technologies!are!great!for!static!
networks!where!devices!are!not!onVthe–go!such!as!printers,!routers!or!servers.!However,!legacy!

4. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
4!
network!scanning!solutions!have!little!or!no!ability!to!assess!tablets,!smartphones,!laptops!or!other!
devices!as!they!dynamically!access!the!network,!applications!and!data.!
!
!
The!demands!of!security,!risk!and!compliance!management!require!BYOD!security!scanning!to!do!more!
than!look!for!common!vulnerabilities.!As!stated!earlier,!scanning!for!secure!configurations!and!
identifying!confidential!data!such!as!primary!account!number!(PAN)!credit!card!data!or!personal!health!
information!(PHI)!are!also!mandatory!for!BYOD!security!scanning.!
!
The!world!of!mobile!connectivity!introduces!new!challenges!for!identifying!risks,!threats,!and!achieving!
compliance.!This!mobile!world!also!requires!that!scanning!technologies!adapt!to!today’s!networks.!It!is!
not!practical!or!technologically!sound!to!deploy!appliances!and!complex!software!in!an!attempt!to!
secure!BYOD!devices!and!other!endpoints!that!are!mobile!and!not!static.!!
!
BYOD*Security*Scanning*–*The*5*Requirements**
What!should!an!organization!look!for!in!a!robust!Bring!Your!Own!Device!Security!Scanning!solution?!
These!are!the!requirements!of!an!enterpriseVclass!BYOD!scanning!system.!
1. Integrates*With*Your*Business*
Many!organizations!have!spent!millions!of!dollars!acquiring!and!developing!technology!to!
support!remote!and!mobile!workers.!These!solutions!range!from!web!applications!to!traditional!
IT!management!for!computing!devices.!To!ensure!seamless!and!effective!scanning,!BYOD!
security!scanning!solutions!should!provide!out!of!the!box!integration!with!these!existing!
business!technologies!to!initiate!the!scanning!process.!Some!examples!of!these!solutions!are:!!
• Endpoint!Management!solutions!
• Remote!Monitoring!and!Management!
• Single!SignVon!
• Web!Application!Portals!
• Email!and!Calendaring!Applications!
2. Schedule*Not*Required*
Because!BYOD!implies!that!employees!are!free!to!move!on!and!off!the!network!on!their!own!
schedule,!it!also!means!that!security!scanning!technologies!cannot!depend!on!network!locations!
or!scheduled!times.!Scans!must!be!triggered!by!events!rather!than!by!IP!address!ranges!and!
specific!points!in!time.!
According!to!Cisco’s!IBSG!2012!
BYOD!report,!47%!of!employees!
are!considered!“mobile!
workers”!but!60%!of!employees!
use!a!mobile!device!for!work.!

5. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
5!
3. Support*Mobile*Devices*with*Native*Apps*
There!is!no!reliable!way!to!assess!a!smartphone!or!tablet!without!the!presence!of!a!native!app!
on!the!device.!Providing!a!native!app!assures!that!the!results!derived!from!the!scan!are!accurate!
and!upVtoVdate.!To!ensure!global!distribution!and!conformity!to!any!operating!system!API!
restrictions,!native!device!apps!should!be!distributed!via!the!device!type’s!authorized!
application!store.!
4. No*Credentials*Required*
Because!of!the!“Y”!in!BYOD,!it!is!virtually!guaranteed!that!IT!departments!will!not!have!
administrative!access!to!these!devices.!This!presents!serious!challenges!for!most!security!
assessment!technologies.!Any!solution!that!delivers!BYOD!security!scanning!should!provide!
scanning!without!requiring!administrative!credentials!on!the!device.!The!scan!process!should!
execute!as!part!of!normal!user!operation!and!should!not!prompt!the!user!for!privilege!escalation!
or!interfere!with!their!normal!work.!
5. Built*For*The*Cloud*
There!are!many!types!of!mobile!workers!and!BYOD!situations,!and!many!home!office!and!
remote!personnel!may!never!actually!connect!directly!to!the!corporate!network.!However,!
these!devices!need!to!be!assessed!no!matter!where!they!are!located.!BYOD!security!scanning!
solutions!should!provide!the!ability!to!assess!devices!from!the!cloud,!allowing!organizations!to!
secure!those!devices!regardless!of!their!location!or!network!connection.!
!
!
!
iScan*Online*Delivers*BYOD*Security*Scanning*
The!BYOD!phenomenon!is!revolutionizing!vulnerability!
scanning!in!the!enterprise!environment.!IT!administrators!
who!traditionally!scheduled!vulnerability!scanning!during!off!
hours,!now!find!those!routine!scans!are!missing!many!of!the!
actual!endpoints!that!access!their!corporate!data!and!
applications.!Because!many!devices!are!not!on!the!network!
when!scans!are!performed!or!the!scanning!technology!
doesn’t!assess!the!particular!type!of!device,!or!because!
administrative!credentials!are!required—the!devices!will!be!
missed!by!previousVgeneration!assessment!and!remediation!
efforts.!
!
The!consequences!can!be!dire.!The!2012!Verizon!Breach!
Report!indicates!that!60%!of!all!compromised!assets!were!user!owned!devices.!Fortunately,!these!types!
of!breaches!are!avoidable!with!proper!vulnerability!detection!and!remediation!of!user!owned!devices.!
!
Just!as!BYOD!ushered!in!more!dynamic!and!adaptive!ways!of!computing,!iScan!Online!delivers!scanning!
technology,!which!can!be!deployed!in!a!dynamic,!easy!and!cost!effective!manner.!iScan!Online!works!in!
the!way!that!users!work,!and!provides!visibility!in!to!the!security,!compliance!and!risk!posture!of!their!
devices.!

6. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
6!
iScan*Online*Device*Support*
!
iScan!Online!supports!scanning!Android!and!Apple!iOS!mobile!devices!via!
native!mobile!apps!which!are!distributed!through!Google!Play!and!the!
iTunes!App!store.!The!iScan!Online!native!mobile!apps!provide!
vulnerability!scanning,!configuration!assessment,!data!discovery!and!
remote!management!of!devices!including!remote!lock,!remote!wipe!and!
geoVlocation.!!!
!
Scanning!of!traditional!laptops,!servers!and!workstations!are!also!
accomplished!with!iScan!Online!via!a!browser!plugin.!Scanning!Windows!
and!OS!X!systems!through!a!web!browser!is!a!simple!affordable!solution!
that!can!be!integrated!into!to!any!website!or!web!application,!or!
distributed!to!users!via!email!and!calendar!invitations.!!
!
!
!
iScan!Online!also!provides!a!command!line!interface!(CLI)!or!command!
line!scanner!for!scanning!Mac!OSX!and!Windows!laptops,!desktops!and!
servers.!The!command!line!scanner!can!be!used!as!a!simple!integration!
point!with!many!monitoring!and!management!tools.!
!
!
!
!
!
!
!
!
*
*
*
! *
Expert*Tip*#1*
Implementing!iScan!Online’s!Native!Mobile!App,!browser!plugin!and!command!line!scanner!
addresses!BYOD!Security!Requirements!#3!&!#4.!

7. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
7!
*
iScan*Online*BYOD*Security*Scan*Types*
*
Vulnerability*Scan*
Detects!known!vulnerabilities!in!the!operating!system!and!installed!applications.!
Configuration*Scan*
Examines!the!local!settings!of!devices!to!detect!common!configuration!issues!such!as!password!settings,!
network!configuration,!running!services,!antiVmalware!status!and!others.!!
Data*Discovery*Scan*
Data!discovery!scans!can!be!configured!to!search!for!a!wide!variety!of!data,!such!as!unencrypted!
cardholder!data!and!social!security!numbers!among!other!person!identifiable!information!(PII).!!
!
All!scan!types!can!be!initiated!via!the!iScan!Online!cloud!console!regardless!of!device!type!or!physical!
location.!!
!
iScan!Online!provides!an!optional!selfVservice!scanning!feature!which!allows!device!users!to!initiate!
scans,!view!the!results!of!the!scan!on!the!device,!and!take!steps!to!remediate!any!findings.!!The!selfV
service!scanning!feature!helps!improve!security!awareness!and!education!among!mobile!device!users,!
and!ultimately!reduces!overall!risk!for!corporate!data!and!applications.!
*

8. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
8!
Managing*BYOD*Security*Scanning*
Today,!many!organizations!must!manage!devices,!scans!and!compliance!across!the!globe.!iScan!Online’s!
multiVtenant!cloud!console!provides!management!of!devices,!reporting,!analysis,!remote!scan,!remote!
lock,!remote!wipe!and!geolocation!on!a!global!scale.!!
!
!
!
! *
Expert*Tip*#2*
iScan!Online’s!Scan!cloud!architecture!and!management!console!addresses!BYOD!Security!
Requirement!#5.!

9. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
9!
Out*Of*The*Box*Scanning*
iScan!Online!provides!out!of!the!box!integration,!including!templates!and!examples!for!a!variety!of!
systems!management,!remote!management!and!office!productivity!solutions!including:!
!
1. Microsoft!Active!Directory!
2. LogMeIn!
3. Kaseya!
4. Web!Applications!
5. Email!/!Calendaring!
!
!
!
*
*
Opportunity*Knocks*
iScan!Online!BYOD!scans!are!not!based!on!the!outdated!limitations!of!network!discovery,!IP!addresses!
or!time!schedules—but!on!the!natural!opportunities!to!assess!a!device.!These!opportunities!present!
themselves!based!on!the!types!of!devices!and!scan!deployment!strategies!selected!by!the!organization.!
Consider!these!deployment!strategies:!
!
• Using!iScan!Online’s!web!application!methodology,!devices!can!be!assessed!during!the!web!app!
authentication!process.!
• Using!iScan!Online’s!email!/!calendaring!templates,!users!could!simply!be!reminded!to!visit!a!
URL!to!initiate!a!scan.!
• Using!iScan!Online’s!JavaScript!templates,!scanning!can!be!integrated!into!web!content!filtering!
or!other!proxy!based!solutions!
!
These!scan!deployment!strategies!highlight!iScan!Online’s!opportunistic!approach!to!scanning.!This!
allows!devices!to!be!identified!and!assessed!as!they!are!accessing!corporate!resources,!not!just!based!on!
a!schedule!or!block!of!IP!addresses.!
!
!
Expert*Tip*#3*
iScan!Online’s!out!of!the!box!integrations!addresses!BYOD!Security!Requirement!#1.!
Expert*Tip*#4*
iScan!Online’s!opportunistic!approach!addresses!BYOD!Security!Requirement!#2.!

10. !
BYOD!Security!Scanning!What!You!Need!To!Know! !
Copyright!©!2013!iScan!Online,!Inc.!
10!
*
Conclusion*
Analyst!reports!and!press!articles!continue!to!announce!the!“Death!of!the!PC”.!In!the!first!quarter!of!
2013,!IDC!reported!that!PC!Shipments!had!fallen!14%,!the!biggest!drop!since!IDC!began!tracking!
shipment!data!in!1994.!
!
Given!this!shift,!it!is!clear!that!organizations!are!adopting!BYOD!to!reduce!costs!by!replacing!traditional!
desktop!and!laptop!computers!with!lower!cost!smartphones!and!tablets.!Unfortunately!these!userV
owned!devices!go!largely!ignored!by!traditional!assessment!and!security!solutions!and!present!
significant!challenges!to!maintaining!a!secure!operational!environment.!!
!
iScan!Online!has!completely!reVimagined!security!scanning!for!a!BYOD!world!and!delivered!an!innovative!
solution!to!address!today’s!enterpriseVclass!BYOD!scanning!requirements.!
!
Register!now!for!a!free!14!day!trial!of!iScan!Online!at!http://www.iscanonline.com!
!
*
*
*
About*iScan*Online,*Inc.*
iScan!Online,!Inc.!is!a!provider!of!BYOD!security!scanning!solutions!for!addressing!the!security!
assessment!of!mobile!devices!and!remote!workers.!iScan!Online!offers!customers!the!ability!to!scan!
anyone,!anytime!and!anywhere!with!an!internet!connection!and!browser.!
!
Changing!the!paradigm!of!vulnerability!assessments!to!address!the!changing!needs!of!today's!mobile!
workforce,!iScan!Online!delivers!its!scanning!services!through!a!series!of!browserVbased!technologies,!
native!mobile!apps!and!cloud!solutions.!!
!
iScan!Online!is!the!first!and!only!vendor!to!perform!PAN,!PCI!and!Vulnerability!scanning!without!
installing!complex!software!or!the!need!for!hardware.!iScan!Online!currently!supports!Microsoft!
Windows,!Apple!OS!X,!Android!and!Apple!iOS!mobile!devices.!
!
!
!
!!