Mobile Device Security
CJIS SECURITY POLICY OVERVIEW
Mobile Device Categorization
FORM FACTOR
Large Form Factor – vehicle mounted or carried in a carrying case; includes a monitor with an attached keyboard (MDTs/Laptops)
Medium Form Factor – vehicle mounted or carried in a portfolio-sized case; typically consists of a touch screen without an attached keyboard (Tablets)
Small Form Factor – intended to be carried in a pocket or a ‘holster’ attached to the body (Smartphones)
Operating System (OS)
Full-feature OS – Windows, Linux/Unix, Apple OSX
Limited-feature OS – iOS, Android, BlackBerry
Three categories based on two characteristics:
• Tablet Devices – medium form factor, limited-feature OS
• Pocket/Handheld Mobile Device – small form factor, limited-feature OS
• Laptop Devices – large form factor, full-featured OS
Mobile Device Connectivity
Three (3) different types based on two (2) technologies
• WiFi only – always on (e.g., tablet, laptop)
• WiFi primary plus Cell “on demand” (e.g., tablet/laptop with extra capability)
• Cell primary (always on) plus WiFi “on demand” (e.g., smartphone)
5.13.2 Mobile Device Management (MDM)
• No devices with unauthorized changes (rooted or jailbroken)
• Centralized oversight of configuration control, application usage, and device protection and recovery [if so desired by the agency]
• Minimum MDM controls when allowing CJI access from cell/smart phones and tablet devices
1. CJI is only transferred between CJI authorized applications and storage areas of the device.
2. MDM with centralized administration capable of at least:
i. Remote locking of device
ii. Remote wiping of device
iii. Setting and locking device configuration
iv. Detection of “rooted” and “jailbroken” devices
v. Enforce folder or disk level encryption
2. MDM with centralized administration capable of at least (continued):
vi. Application of mandatory policy settings on device
vii. Detection of unauthorized configurations
viii. Detection of unauthorized software or applications
ix. Ability to determine location of agency controlled device
x. Prevention of unpatched devices from accessing CJI or CJI systems
xi. Automatic device wiping after a specified number of failed access attempts
Section 5.9.1 Physically Secure Location
• “A physically secure location is a facility, a criminal justice conveyance, or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect CJI and associated information systems.”
PHYSICAL SECURITY
COMPENSATING CONTROLS for AA
• Applies only to smartphones and tablets
• Possession of agency issued device is a required part of control
• Additional requirements
• Compensating Controls are temporary
• CSO approval and support required
• * MDM is already required
COMPENSATING CONTROLS for AA
• Meet the intent of the CJIS Security Policy AA requirement
• Provide a similar level of protection or security as the original AA requirement
• Not rely upon existing requirements for AA as compensating controls
5.5.6.1 Personally Owned Information Systems
• Not authorized to access CJI unless terms and conditions are specified.
• When personally owned mobile devices (i.e. bring your own device [BYOD]) are authorized, they shall be controlled in accordance with the requirements in Policy Area 13: Mobile Devices.
5.13.9.1 Local Device Authentication
• For devices authorized to access CJI
• Meet the requirements in Section 5.6.2.1 Standard Authenticators
• Unlock the device for use
Solution Example
[Diagram labels: Agency Network; Agency Issued Device]
SANS SEC575: Mobile Device Security & Ethical Hacking Takeaways
• MDM – must have, even rudimentary
• Application Management – malware/virus protection
• WiFi Considerations – just say no, unless absolutely required, cell service more secure
• Backend is Bigger Target – device not so much
• No Rooting/Jailbreaking – breaks inherent security features
Cloud Computing
What is Cloud Computing?
• Defined by the CJIS Security Policy as: A distributed computing model that permits on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information.
Infrastructure
• Cabling
• HVAC
• Physical Security
Platform/OS
• Windows
• Linux/Unix
• Apple
Software
• CAD/RMS
• Email
• Productivity
Cloud Service Models
Benefits of Cloud Computing
• Reduced Budgets
• Improved Efficiency
• Disaster Recovery
• Service Consolidation
Security Concerns with Cloud Computing
• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Encryption key management
• Recovery
• Investigative support
• Long-term viability
What Does the Cloud Actually Look Like?
A More Realistic Cloud Diagram
On-premise environment
How will the Cloud Service Provider help meet the CJIS Security Policy requirements?
How do I choose a cloud service provider?
https://www.fedramp.gov
What does it all mean?
Determine what services you can technically virtualize.
• Email
• RMS
• CAD
• Other CJI applications
• Legacy systems
Consider the Policy impact at each level of cloud services.
• Infrastructure
• Platform/OS
• Software/Applications
Delineation of Responsibility/Governance in Cloud Computing
Section 5.10.1.5 Cloud Computing
• Only two specific “shall” requirements: “The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.”
Advanced Authentication
What is authentication?
• The process of verifying a claimed identity
• Determining if the subject is really who he/she claims to be
Based on at least one of the following three factors:
• Something a person knows (password, passphrase, PIN)
• Something a person has (smart card, token, key, swipe card, badge)
• Something a person is (fingerprint, voice, retina/iris characteristics)
Strong, or two-factor, authentication contains two (distinct) out of three of these methods.
Section 5.6 Policy Area 6: Identification and Authentication
Implementing AA
• Standard authenticators: something you know, have, are
o Password
o PIN
– As standard authenticator – meet password attributes
– In conjunction with token – meet PIN attributes
– For local device authentication – minimum 6 digits
What is advanced authentication (AA)?
• The process of requiring more than a single factor of authentication
What is the difference between AA and two-factor authentication?
• Advanced authentication, as described in the CJIS Security Policy, allows for the use of risk-based authentication (RBA) methods.
• Two-factor authentication, as described in the NIST standards, does not include RBA as an acceptable method of authentication.
When is AA required?
• “Dependent upon the physical, personnel, and technical security controls associated with the user location.” (Section 5.6.2.2.1)
o When outside a physically secure location
o When inside a physically secure location (Section 5.9) where the technical controls (Section 5.5 and 5.10) have not been implemented
o At the point of CJI access
o Don’t forget about Compensating Controls
Required:
• When requesting access to unencrypted CJI from outside the boundaries of a physically secure location (e.g., remote access)
OR
• Inside a physically secure location where the technical security requirements have not been met
Not Required:
• When requesting access to CJI from within the boundaries of a physically secure location
AND
• The technical security requirements have been met
OR
• The user has indirect access to CJI
[Figure 9 (08/04/2014): decision flowchart for an incoming CJI access request]
• #1 Can request’s physical originating location be determined?
• #2 Does request originate from within a physically secure location?
• #3 Are all required technical controls implemented at this location or at controlling agency?
• Outcomes: Advanced Authentication Required; Advanced Authentication Not Required; See Figure 10
[Figure 10 (10/06/2015): decision flowchart for an incoming CJI access request, continued from Figure 9]
• #1 Can request’s physical originating location be determined?
• #4 Does request originate from an agency-controlled user device?
• #5 Is the agency managed user device associated with and located within a Criminal Justice Conveyance?
• #6 Is the user device an agency-issued and controlled smartphone or tablet?
• #7 Does the agency-issued smartphone or tablet have CSO-approved compensating controls implemented?
• Outcomes: Advanced Authentication Required; Advanced Authentication Not Required; See Figure 9; Go To Figure 9 Step #3
Why Advanced Authentication?
• AA is used to provide additional assurance the user is who they claim to be.
– Authorized User?
• AA provides additional security beyond the typical user identification (e.g., user ID) and authentication (e.g., password).
– Provide Increased Assurance of User Identity
– Non-repudiation
– Lower Risk for Data Exfiltration
How is AA Achieved?
• AA can be achieved via:
– Two factor authentication using biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens,
OR
– Using a Risk-based Authentication (RBA) solution that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.
Implementing AA
• Each individual’s identity shall be authenticated at either the local agency, CSA, SIB or Channeler level.
• The authentication strategy shall be part of the agency’s audit for policy compliance.
– The credentials used for determining CJI access will be audited for CJIS Security Policy compliance.
QUESTIONS?
Jeff Campbell
FBI CJIS Assistant Information Security Officer
CJIS Information Assurance Unit