Mobile Experience and Security - A Delicate Balance
Jeff Keller, CISA, CIA, CFSA; SVP/Senior Audit Director, Technology, Projects, Due Diligence
Admin Items
• Please put phones on vibrate
• Please take calls outside the room
• Participation is HIGHLY encouraged
Agenda
• Introduction
• Mobile History
• Risks & Vulnerabilities
• Mitigating Risk
• BYOD
• Questions
Introduction
• This session will focus on the increasing use of mobile devices, the risks, and the mitigants.
• Not intended to be the “be-all, end-all” course on mobile security.
• Gives you some things to consider, and to ponder how you balance security with end user and customer needs.
• About me: Senior Audit Director at a North American top 10 bank, 20+ years of experience in audit and financial services.
Mobile History
• Over the past 15 to 20 years, there have been significant technology advances in mobile devices, ranging from the brick phone, to the more compact personal cell phone, to personal data assistants (PDAs) and ultimately to the smartphones of today.
• The original worry of most companies during this revolution was the security of voice data, soon morphing into the larger worry of corporate data traversing the frequencies.
• These devices and advances in capabilities have extended the boundaries of the office. This has blurred the lines of where your network starts and stops.
• These devices also have huge storage capabilities; the data (not just traffic) can now be “at rest” on devices that can be easily lost.
• Reminiscent of the early days of RAS and online business content
Mobile History
How it used to be…
• Simple voice data
• Not a large adoption rate
• Not in the hands of every employee in the country
• More of a novelty
Mobile History
How it is now…
• No longer just voice traffic
• Huge adoption rate
• Many employees now use them
• Most view them as a key tool in their business arsenal
• Great for productivity
• Large increase in risks
• Now need to think about how your customers access your business
Mobile History
Evolution of Mobile Devices (EY – Insights on IT Risk, Jan 2012)
“When the first BlackBerry smartphone was released in the early 2000s, corporations recognized the benefits of remote email and calendar access and began providing smartphones with network access to a large percentage of their workforce, effectively establishing the idea of 24-hour connectivity. The popularity of smartphones extended beyond business users with the release of Apple’s iPhone and later devices running Android, BlackBerry, Windows Mobile and Windows Phone 7 operating systems. Features expanded beyond just email and web browsing; mobile devices now have the ability to take photos, run custom applications, view rich content websites with Flash and JavaScript, connect to other devices and networks wirelessly, establish virtual private network (VPN) connections, and act as data traffic conduits for other devices (known as tethering).”
Mobile History
Evolution of Mobile Devices (EY – Insights on IT Risk, Jan 2012)
“With the increase in mobile device capabilities and subsequent consumer adoption, these devices have become an integral part of how people accomplish tasks, both at work and in their personal lives. Although improvements in hardware and software have enabled more complex tasks to be performed on mobile devices, this functionality has also increased the attractiveness of the platform as a target for attackers.”
Risks & Vulnerabilities
• Key Risk Considerations
  • Stolen or Lost Devices
  • Data Loss / Breach
  • Exposure of Corporate Network to Malware
  • Communication Interception
Risks & Vulnerabilities
• Stolen & Lost Devices
  • A lost or stolen device can create significant exposures if it is not properly locked down and equipped to wipe sensitive data.
  • Exposes the company to potential access to sensitive corporate, employee, or customer data.
  • Can result in legal, regulatory and reputational issues (anyone recall the data breach issues of the past 10 years on the network side?)
Risks & Vulnerabilities
• Data Loss / Breach
  • Human nature: mobile users tend to downplay the risk associated with smartphones and think there is little or no risk
  • Insecure architecture rollouts or an unmanaged environment, with no standard builds
  • The open nature of application development on the Android platform has introduced vulnerabilities commensurate with what is found on PC platforms
  • Devices can now store a significant amount of data
Risks & Vulnerabilities
• Exposure of Corporate Network to Malware
  • Mobile malware may not be a significant threat today; however, growing adoption in most companies and insecurities in certain platforms will drive criminals down the same path we went down at the beginning of the dot-com era.
  • Given the potential financial gains for these criminals (access to personal financial data and the ability to intercept financial transactions as devices increasingly become the platform of choice for mobile transactions), it is likely that mobile devices will become the next malware frontier.
  • Corporate networks are now at risk as users’ devices become infected with malware and those devices become entry points.
Risks & Vulnerabilities
• Communication Interception
  • Communication interception is a threat to any device that connects to a network, and mobile devices are no exception.
  • The advantage that smartphones have is that their communications are often encrypted over cell networks, requiring would-be hackers to have specialized equipment and tools to listen to the conversations between the device and cell towers. However, this encryption can be broken, and the methodology to do so is well documented and publicly available.
  • Wi-Fi connections of smartphones also pose a communication interception threat. With most smartphones now containing Wi-Fi capabilities, the risk of Wi-Fi sniffing and interception is increasingly prevalent.
Risks & Vulnerabilities – Recent Examples
In news that will no doubt be of great concern to owners of HTC smartphones, a security team is claiming to have uncovered a "massive security vulnerability" in HTC Android devices that allows any application with Internet access to gain access to private data, including user accounts, email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC's software, including the EVO 3D, EVO 4G, Thunderbolt, and others.
The reported vulnerability, which has left those who discovered it – Justin Case, Trevor Eckhart and Artem Russakovskii from Android Police – speechless, involves a suite of logging tools included in recent HTC modifications to the Android operating system in EVO and Thunderbolt models that collect a stack of information on the user's phone. But not only do the modifications collect a swathe of information, they also allow nefarious types to send that data to wherever on the Internet they like.
Source: GizMag.com, Darren Quick, October 2, 2011
Risks & Vulnerabilities – Recent Examples
Of 108 new malicious programs for mobile devices identified in 2012, Symantec found, 103 (more than 95%) targeted Android devices. Just one mobile threat targeted Apple’s iOS operating system during the same period.
If you assumed that was because Android was the operating system with the most exploitable vulnerabilities, you would be wrong. In fact, just the opposite is true.
It’s Apple’s iOS that was the source of almost all the documented mobile application vulnerabilities among the mobile platforms Symantec monitored, including Android, iOS, BlackBerry, Windows Mobile and the like. iOS accounted for 387 of 415 documented vulnerabilities across all mobile platforms, a bit more than 93 percent, Symantec found.
Source: Symantec Corp.’s Internet Security Threat Report (ISTR) for 2012
Mitigating Risk
So, what can we do? Did we learn from the past?
• Main areas of focus to address these issues:
  1. Robust Policies, Procedures & Standards
  2. Employee Security Awareness Program
  3. Secure the Device
  4. Secure the Data
  5. Secure the Applications
Mitigating Risk
• Robust Policies, Procedures & Standards
  • Create/have a strong mobile strategy.
    • An effective strategy must clearly specify where corporate data is permitted to reside: on the device, on the network, on a public cloud service, or some combination of the three.
    • Classify the types of information that can be exchanged between the device and the corporate network.
  • Create and implement an IT policy that governs usage, ensures employees understand it, and is aligned with the mobile strategy.
    • Assess which applications are appropriate for the company’s needs
    • Give explicit guidance on management of the mobile deployment
    • Create secure builds, and do not allow exceptions.
    • Perform technical security assessments on mobile devices and the supporting infrastructure
    • Continually monitor for new threats
Mitigating Risk
• Employee Security Awareness Program
  • Leverage your company’s existing security awareness program
  • Clearly articulate the security risks associated with smartphones
  • Make sure employees understand acceptable use policies
  • Limit employees’ ability to install applications
  • Provide appropriate training where necessary
  • Encourage healthy skepticism
Mitigating Risk
• Secure the Device
  • Remote locking enabled
  • Enforce device encryption
  • Enforce password security
  • Ensure OS levels are up to date
  • Enforce policies consistent with other endpoints
  • Secure build enforced for all users
  • Anti-malware (not that prevalent yet)
  • Perform periodic technical security assessments
Mitigating Risk
• Secure the Data
  • Remote locking enabled
  • Enforce device encryption
  • Enforce password security
  • Enable remote data wiping (or selective wipe)
  • Strong IDM (leveraging corporate identity management)
  • Tie into DLP plans
  • Centralized security management solution
  • Limit data that can be stored on the mobile device
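As an added illustration (not from the slides), the following Python checks a constructed device inventory against the "Secure the Device" and "Secure the Data" controls above; the minimum OS versions, approved build names and passcode length are assumptions.

```python
"""Compliance check over mobile device inventory records for the "Secure the
Device" / "Secure the Data" controls: encryption, passcode policy, OS level,
secure build, remote lock and wipe. Baselines are assumed, not from the slides."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed baseline: minimum OS per platform and the approved corporate builds.
MIN_OS = {"ios": (6, 1, 0), "android": (4, 1, 0)}
APPROVED_BUILDS = {"corp-ios-2013q1", "corp-android-2013q1"}

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    encrypted: bool
    passcode_min_length: int
    remote_lock: bool
    remote_wipe: bool
    build: str

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.1' -> (4, 1, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in v.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def check_device(d: Device) -> List[str]:
    """Return the failed controls for one device; an empty list is compliant."""
    failures = []
    if not d.encrypted:
        failures.append("device encryption not enforced")
    if d.passcode_min_length < 6:  # assumed minimum passcode length
        failures.append("passcode policy below minimum length")
    baseline = MIN_OS.get(d.platform.lower())
    if baseline is None:
        failures.append(f"unsupported platform: {d.platform}")
    elif parse_version(d.os_version) < baseline:
        failures.append(f"OS {d.os_version} below baseline")
    if d.build not in APPROVED_BUILDS:
        failures.append("not running an approved secure build")
    if not (d.remote_lock and d.remote_wipe):  # the lost/stolen-device control
        failures.append("remote lock/wipe not enabled")
    return failures

def compliance_report(devices: List[Device]) -> dict:
    return {d.device_id: check_device(d) for d in devices}
SAMPLE = [  # constructed sample inventory, not real devices
    Device("D1", "iOS", "6.1.3", True, 6, True, True, "corp-ios-2013q1"),
    Device("D2", "Android", "2.3.6", False, 4, True, False, "vendor-stock"),
]
```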
Mitigating Risk
• Secure the Mobile Applications
  • Have an enterprise application store
  • Enforce app scanning and certification
  • Maintain control of applications that can be installed
  • Centralized security management solution
  • Train application developers in secure coding (ring a bell?)
  • Assess classic threats against web-based applications and infrastructure
BYOD
• Bring Your Own Device
  • Quickly gaining popularity in the corporate world.
  • “Consumerization” of IT is making this possible
  • Potential cost savings for the company
  • Employees get to use their own personal devices, with the dual benefit of empowering the employee and improving productivity
  • Certainly security risks, but easy to manage using existing technologies
BYOD
Bring Your Own Device
• Citrix “Global BYO Index”
Almost all—92 percent—of the companies surveyed reported that some workers are already using non-company-issued computing devices for work-related tasks. Those surveyed indicated that around 28 percent of the workforce is already using non-company-issued computing devices for work-related tasks, and this percentage is expected to rise to 35 by mid-2013.
Almost half of all companies surveyed (44 percent) already have some sort of formal BYO policy in place. Nearly every company (94 percent) expects to have a BYO policy by mid-2013, 81 percent of which are expected to apply this policy company-wide.
Of the companies that currently do not see workers using personal devices in the workplace, three quarters (74 percent) expect them to be in common use in their organizations within two years.