BYOD: Device Control in the Wild, Wild, West

September 25th, 2012

This presentation was given at the Western Independent Banker's 2012 Technology Conference in San Diego, CA.

Transcript of BYOD: Device Control in the Wild, Wild, West

Page 1: BYOD: Device Control in the Wild, Wild, West

BYOD: Device Control in the Wild, Wild, West

September 25th, 2012

Page 2

About the Speaker

• Chief Security Officer, Q2ebanking

• Former CIO for a multi-billion-dollar financial institution

• 13 years of industry experience in Information Technology & Security

• CISSP® (Certified Information Systems Security Professional)

• Published & quoted in American Banker, ABA Banking Journal, BankInfoSecurity.com, CIO Magazine, ComputerWorld, Credit Union Times

• Speaker/evangelist - InfoSec World, Innotech, ComputerWorld SNW, BAI PaymentsConnect, regional banking conferences

Page 3

Agenda

• Changing mobile landscape

• Drivers behind BYOD(evice)

• Considering threat agents

• Implementing a BYOD program: policies, technologies, privacy

• Summary & Q&A

Page 4

Mobile Tidal Wave

• 300,000 apps developed in 3 years

• 1.2 billion mobile web users

• 8 trillion SMS messages sent last year

• 35 billion: value of apps downloaded

• 86.1 billion: mobile payments made in 2011

• 1.1 billion mobile banking customers (2015)

Page 5

BYOD: Bring Your Own Device

• formally advocates the use of personal or non-company-issued equipment to access corporate resources & data

• obligates IT to ensure jobs can be performed with an acceptable level of security

Page 6

Business Benefits

• Cut operating costs by eliminating support

  - Operating system support

  - Application support

  - Access support

• Reduce device hardware costs & procurement

• Remove productivity barriers (flexible work styles)

• Extend applications to offsite/traveling employees

• Increase employee satisfaction through programs

• On-demand, whenever, wherever, multiple channels

Page 7

Page 8

BYOR(isk)

• Understand the risks being introduced

• Industry is coming to terms with the security concerns that exist around unsecured mobile devices/smartphones

• Conduct a risk assessment to identify and address the different threat agents

Page 9

Protect What?

From whom? or what?

and How?

Page 10

BYOD presents a NEW problem...

...well, not really

Page 11

The "Human" Problem

• Increased use of social media, coupled with the ubiquity of ecommerce, has fueled growth in socially engineered schemes waged for financial gain

• According to the Anti-Phishing Working Group, there are presently about 30,000 to 35,000 unique phishing campaigns every month, each targeting hundreds of thousands to millions of email users

• Anytime a user is asked to make a voluntary decision, phishing schemes will work, because humans are easy to manipulate

➡ this is a social problem, not a technical problem.

Page 12

Do you really believe that you control your endpoints?

Page 13

Device Control

• How many of you have local admin rights on your computer?

• How many of you are able to take your computer and browse the Internet freely away from the network?

• How many of you disallow PST files - do you prevent users from taking data?

• How many of you are doing mobile device management?

Page 14

How do you manage a device that you don't control?

Page 15

Get out in Front

Reactive approaches result in ad hoc programs

Are you prepared to answer this question from your CEO:

"what security did we have on the device when he lost it?"

Page 16

Understand your Data

• How sensitive is your data?

• How is your sensitive data used?

• What compliance and/or regulations exist?

What are you protecting?

Page 17

Focus Group: Computer Security

Page 18

Jailbreaking Devices

• Why? for functionality or to get paid apps for free

• "Jailbreaking" or "rooting" destroys the security model

• Jailbreaking techniques leave the device with a standard root password that may grant admin-level access to an app... (or to an attacker or malware)

• Convenience at the expense of security

Page 19

Mobile Malware

Page 20

Mobile Malware

• Researchers identified the first instance of mobile malware in 2004

• More than 80 infected apps have been removed from Google Play since 2011

• Android malware has infected more than 250,000 users

• ex. Gozi

Page 22

Which one is evil?

Page 23

Page 24

Not the Device

• Over-focused on the endpoint and device

• ...it's the data, stupid!

• Data in motion (network)

• Data presentation (application)

• Data at rest (data stores/shares)

Page 25

Establish Policies

• Will a formal agreement between the institution and the BYOD user (EULA) specify allowed activities and the consequences for breaking the agreement?

• Create policies before procuring devices

• Do your BYOD policies address:

  - the use of consumer apps

  - services such as cloud storage (Box.net, Dropbox, SpiderOak, Evernote, SkyDrive, iCloud)

• Communicate the privacy policy to employees and make it clear what data you can & cannot collect from their mobile devices

Page 26

MDM Solutions

• What are you trying to protect?

• Address four key areas:

  1) standardization of service, not device

     - consistent set of security controls across different platforms while providing the same level of service

  2) common delivery methods

  3) intelligent access controls - role, group, etc.

  4) data containment

     - encryption

     - partitioning

     - sandboxing

Page 27

Questions to Consider

• Which devices will be supported?

• What is the risk profile of the employee/group using the devices?

• Does the institution have the ability to require and install applications on the device(s), such as remote wipe and/or virus/malware software?

• Can the institution require a "business only secure partition" on the mobile device?

• Is the program mandatory, or will the organization bend for certain users?

• What happens if the device is compromised? Will your institution be able to perform any forensics?

• When should we say no?

Page 28

Balancing User Privacy

• Is 'sandboxing' or 'partitioning' sufficient to maintain separate personas?

• Is there a reasonable expectation of privacy?

  ✓ should the organization be able to read messages?

  ✓ should the organization be able to perform a full wipe of the device?

• State-specific privacy laws (e.g. CA/MA) may prevent corporations from even viewing non-corporate data

Page 29

Policy + Technology

• Policies alone are not sufficient - technology ensures enforcement

• Many solutions, but requirements should include:

  ✓ simple self-enrollment --> complexity increases non-compliance

  ✓ over-the-air updating

  ✓ ability to selectively wipe data on the device

    - corporate apps, email, and documents must be protected by IT if the employee decides to leave the organization

  ✓ management of the OS patch/update process

  ✓ reporting & alerting --> devices that are non-compliant
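The reporting & alerting requirement above is what turns the policy controls from the two preceding slides (minimum patch level, encryption, passcode, no jailbreak, a device that still checks in so it can receive over-the-air updates and a selective wipe) into something an institution can act on. The script below is an added illustration and is not code from the talk or from any MDM vendor: it evaluates a constructed inventory export against a hypothetical policy and recommends a follow-up action for each device. The field names, thresholds, device records and the "today" date are all made up for the example.

```python
"""Evaluate an MDM inventory export against a BYOD compliance policy.

Added example: the policy, field names and device records are constructed
for illustration and do not come from any MDM product or API.
"""
from datetime import datetime

# Hypothetical policy: minimum OS version per platform plus the controls a
# BYOD policy typically mandates before corporate data is provisioned.
POLICY = {
    "min_os": {"ios": (6, 0), "android": (4, 0)},
    "require_encryption": True,
    "require_passcode": True,
    "max_checkin_age_days": 7,  # a device that stops checking in cannot receive OTA updates or a wipe
}

# Constructed "today" matching the sample export below.
NOW = datetime(2012, 9, 25)

# Constructed sample export (the kind of attributes an MDM agent reports at check-in).
DEVICES = [
    {"id": "dev-001", "user": "alice", "platform": "ios", "os": "6.0.1",
     "encrypted": True, "passcode": True, "jailbroken": False, "last_checkin": "2012-09-24"},
    {"id": "dev-002", "user": "bob", "platform": "android", "os": "2.3.6",
     "encrypted": False, "passcode": True, "jailbroken": False, "last_checkin": "2012-09-20"},
    {"id": "dev-003", "user": "carol", "platform": "ios", "os": "5.1.1",
     "encrypted": True, "passcode": False, "jailbroken": True, "last_checkin": "2012-09-01"},
    {"id": "dev-004", "user": "dave", "platform": "blackberry", "os": "7.1",
     "encrypted": True, "passcode": True, "jailbroken": False, "last_checkin": "2012-09-23"},
]


def parse_version(text):
    """'6.0.1' -> (6, 0, 1); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, policy, now):
    """Return the list of policy violations for one device (empty list = compliant)."""
    findings = []
    minimum = policy["min_os"].get(device["platform"])
    if minimum is None:
        findings.append("unsupported_platform")
    else:
        try:
            if parse_version(device["os"]) < minimum:
                findings.append("os_below_minimum")
        except ValueError:
            findings.append("unparseable_os_version")
    if policy["require_encryption"] and not device["encrypted"]:
        findings.append("encryption_disabled")
    if policy["require_passcode"] and not device["passcode"]:
        findings.append("no_passcode")
    if device["jailbroken"]:
        findings.append("jailbroken_or_rooted")
    checkin = datetime.strptime(device["last_checkin"], "%Y-%m-%d")
    if (now - checkin).days > policy["max_checkin_age_days"]:
        findings.append("stale_checkin")
    return findings


def recommended_action(findings):
    """Map findings to a follow-up. A jailbroken device has lost its security model,
    so corporate data is selectively wiped rather than waiting on the user."""
    if not findings:
        return "none"
    if "jailbroken_or_rooted" in findings:
        return "quarantine_and_selective_wipe"
    if "unsupported_platform" in findings:
        return "deny_enrollment"
    if "stale_checkin" in findings:
        return "alert_admin"
    return "notify_user_to_remediate"


def compliance_report(devices, policy, now):
    """Build {device id: {"user", "findings", "action"}} for every device in the export."""
    report = {}
    for device in devices:
        findings = evaluate(device, policy, now)
        report[device["id"]] = {"user": device["user"], "findings": findings,
                                "action": recommended_action(findings)}
    return report


def non_compliant_ids(report):
    """Sorted ids of devices with at least one finding (the alerting list)."""
    return sorted(dev_id for dev_id, entry in report.items() if entry["findings"])


if __name__ == "__main__":
    for dev_id, entry in compliance_report(DEVICES, POLICY, NOW).items():
        print(dev_id, entry["user"], entry["action"],
              ", ".join(entry["findings"]) or "compliant")
```

The ordering in recommended_action is deliberate: a jailbroken or rooted device wins over every other finding because, as the earlier slide notes, rooting destroys the device's security model, so the corporate container is wiped first and the user is contacted afterwards; a device that has simply stopped checking in is escalated to an administrator, since no over-the-air action will reach it anyway.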

Page 30

COMPLIANCE

Page 31

Legal Issues

• Big question surrounds legal issues -- agreements between employees and employer -- and placing a company-owned agent on an employee's handset

• It's the start of a whole new relationship between mobile device users, in dual roles as individual consumer and employee, and the company for which they work.

• Unresolved questions:

  - e-discovery, culpability, liability

  - ex: combined mailboxes

Page 32

Summary

• Understand the mobile landscape of your device population

• Policies and procedures should reflect the allowable usage and the breadth and depth of security and control settings

• Consider how BYOD policies can be tested and validated to ensure that security and controls have been successfully implemented

• Threat landscape is continuously changing

• Risk assessments should be performed regularly to identify threats and vulnerabilities

Page 33

Thank You

if "?" >= then
    response_variable = 'answer'
else
    response_variable = 'thankyou'
end if;