Pete Wassell (Augmate Corporation) Security in the Enterprise Smart Glasses

Page 1:

Security in the Enterprise for Smart Glasses

Pete Wassell

@AUGMATE #AWE2016

Page 2:

Impact of Mobile

Page 3:

Employee Security Stats

• 87% say careless employees are a greater threat to security than cybercriminals, up from 72% in 2012

• Employee actions have the highest impact on vulnerability of mobile data

• 63% say employees likely contributed to recent high-profile security breaches

• 92% say employee behaviors could have made a difference in preventing high-profile security breaches

• 56% are managing business data on employee-owned personal devices, up from 37% in 2013

Page 4:

Mobile security incidents very expensive

• 79% report mobile security incidents in the past year

• 52% of large companies say cost of mobile security incidents last year exceeded $500,000

• 45% of businesses with less than 1000 employees reported mobile security incident costs exceeding $100,000

• 49% cite Android as platform with greatest perceived security risk (up from 30% last year), compared to Apple, Windows Mobile, and Blackberry

• 66% say careless employees greater security risk than cybercriminals

Page 5:

Wearable Security Stats

• 69 percent of wearable device owners say they forego login credentials, such as PINs, passwords, fingerprint scanners and voice recognition, to access their devices.

• 56 percent of wearable owners use their devices to access business apps such as Box, Slack, Trello, Dropbox, Salesforce, Google Docs, Microsoft Office or a combination of those.

• 42 percent of wearable owners cite identity theft as their top security concern when it comes to their devices.

• Lack of IT management and device control comes in second (34 percent) and a general increase in breaches of sensitive work data or information comes in third (22 percent).

From the article: Unmanaged wearables infiltrating the enterprise

Page 6:

Forrester Forecast for Smart Glasses

Key Takeaways:

Over 14 Million US Workers Will Use Smart Glasses By 2025. The smart glasses market is real and tangible for enterprises: About 8% of all US workers will use smart glasses in their jobs by 2025.

Page 7:

Security Vulnerabilities

• SQL injection

• Phishing

• Buffer overflow attacks

• Cross-site request forgery

Page 8:

Wearable Security Threats

• Bluetooth sniffers can pick up unencrypted data

• DTE [Data Terminal Equipment], which is hackable.

• A malicious firmware update could also compromise a paired mobile device such as a smartphone or laptop

Page 9:

Wearable Hardware

• The data collected and stored on your mobile device can be worth 10 times the value of a credit card on the black market.

• Choose a device that has location and remote-lock capabilities, so the device can be erased should it be lost or stolen.

• Another key tip is to enable a password to protect your device.

• Whenever possible, use biometric authentication such as your fingerprint or face recognition — you’ll likely find it easier than using a password while providing even stronger protection.

Read the license agreements

Page 10:

Privacy and Personal Wearables in a Corporate Environment

• Companies give you a discount on health insurance if you wear a device.

• Heart rate data can reveal a range of personal activities – not just hitting the treadmill after work.

• What about: Customer Data?

• UL is creating a standard for wearable privacy and security

Page 11:

AR Enterprise Architecture from AREA

1. Transport Mechanism

2. Application Service

3. Wearables

4. Integration of AR application to the enterprise system.

Page 12:

HIPAA Advice

• No shared accounts

• Auto-logout, similar to a screen saver with a password

• Encryption for both transmission & storage of data

• Verification of unaltered data transmission & data storage

• Authentication of access

• Defined protocols for Wi-Fi and Bluetooth

Page 13:

IEEE Advice

• Strong password and password reset policies

• 15-minute forced re-authentication when devices are idle

• Strong authentication of identity

• Prevent users from changing identity without re-authentication

• Authenticate the wearable during the pairing process.

Page 14:

How can businesses reduce security and privacy risks?

Have you established information security and privacy policies for the use of wearable computing devices within your organization? No? What are you waiting for? Research shows that one in five Americans owns and uses some type of wearable.

Page 15:

How can businesses reduce security and privacy risks?

Collecting Data:

• When they are using a wearable to collect information in any way, employees and contractors should be required to notify those in their immediate vicinity that they are doing so, and be directed to respect and follow requests not to include those around them, or anything within their work areas, in their data collection activities.

• Otherwise, do not allow employees or contractors to use wearables to collect videos, still images, audio recordings, or other types of information that is about the business, customers, patients, or employees.

Page 16:

How can businesses reduce security and privacy risks?

• Obtain data breach insurance or cyber liability insurance

• Patched network with the latest security updates

• Have a privacy policy

• Set up wearable devices and any associated online accounts with obscure user names and unique passwords, all of which should be hard to guess.

Page 17:

Seven ways to manage and secure business wearables

1. WDM [Wearable Device Management] policy

2. Application blacklists to disable wearable-specific apps

3. No authentication = No access

4. Implement biometrics, proximity and geofencing

5. Analyze network traffic

6. Use wireless intrusion prevention systems (WIPS)

7. Use WDM to assess and enroll devices, provision security policies, applications and data containers, and apply actions such as find and wipe when business wearables are lost or stolen

Page 18:

AREA Advice

• There are many existing models and lessons to leverage for AR security measures

• Examine and document security measures up front

• Undertake a thorough audit of their IT and security infrastructure

• AR developers and providers need to work directly with end users and customer security teams

• Considering “security by design” or building security into design is critical.

Page 19:

Security Training

• Training Budget

• Training via solution providers

• Reinforce training once per year

Page 20:

To minimize wearable technology security issues

• Custom security levels

• Remote erase feature

• Bluetooth encryption

• Cloud security

Page 21:

More Ways to Secure Wearables

• Additional layers of security

• Data classification

• Staying up-to-date

• Educating employees on rules

Page 22:

Augmate Advice

Hire a security expert

Remote Device Management: Control Devices from Web Application

Security kiosk mode prevents unintended usage of devices

Prevent theft by remotely locking device

Restrict device usage to Wi-Fi and Bluetooth based geofences

Audit applications to detect modifications installed on device

Ensure latest software is delivered to device

Respond quickly to security vulnerabilities

Infrastructure: Protecting Transferring Data

Immutable infrastructure for our web, API, and data ingest

Managed database with periodic backups

Multi-factor authentication to access Augmate infrastructure

Segmented access keys to limit access between cloud resources

HTTPS encryption everywhere using only strong protocols (TLS)

Per-organization isolation of all data

Android Device Level

Custom ROM to harden security and privacy

Privileged shim that only communicates with our OTA updater

APK Encryption In Transfer and at Rest

Wifi Credential Encryption In Transfer and at Rest

Database Level: Guarding Your Most Valuable Asset

SQL injection prevention

SQL level multi-tenancy

Periodic backups and point-in-time recovery

Page 23:

Out of the cloud?

Page 24:

Thank You

@AUGMATE #AWE2016