
Mobile Device Security - TxDPS · 5.13.2 Mobile Device Management (MDM) 1. CJI is only transferred between CJI authorized applications and storage areas of the device. 2. MDM with


Page 1

Mobile Device Security

CJIS SECURITY POLICY OVERVIEW


Page 4

Mobile Device Categorization

FORM FACTOR

Large Form Factor – vehicle mount or a carrying case, and includes a monitor with attached keyboard (MDTs/Laptops)

Medium Form Factor – vehicle mount or portfolio-sized carry case; typically consists of a touch screen without attached keyboard (Tablets)

Small Form Factor – intended for carry in a pocket or ‘holster’ attached to the body (Smartphones)

Page 5

Mobile Device Categorization

Operating System (OS)

Full-feature OS – Windows, Linux/Unix, Apple OSX

Limited-feature OS – iOS, Android, BlackBerry

Page 6

Mobile Device Categorization

Three categories based on two characteristics:

Laptop Devices – large form factor, full-featured OS

Tablet Devices – medium form factor, limited-feature OS

Pocket/Handheld Mobile Devices – small form factor, limited-feature OS

Page 7

Mobile Device Connectivity

Three (3) different types based on two (2) technologies:

WiFi only – always on (e.g. tablet, laptop)

WiFi primary plus Cell “on demand” (e.g. tablet/laptop with extra capability)

Cell primary (always on) plus WiFi “on demand” (e.g. smartphone)

Page 8

Mobile Device Management

5.13.2 Mobile Device Management (MDM)

• No devices with unauthorized changes (rooted or jailbroken)

• Centralized oversight of configuration control, application usage, and device protection and recovery [if so desired by the agency]

• Minimum MDM controls when allowing CJI access from cell/smart phones and tablet devices

Page 9

Mobile Device Management

5.13.2 Mobile Device Management (MDM)

1. CJI is only transferred between CJI authorized applications and storage areas of the device.

2. MDM with centralized administration capable of at least:
   i. Remote locking of device
   ii. Remote wiping of device
   iii. Setting and locking device configuration
   iv. Detection of “rooted” and “jailbroken” devices
   v. Enforce folder or disk level encryption

Page 10

Mobile Device Management

5.13.2 Mobile Device Management (MDM)

2. MDM with centralized administration capable of at least (continued):
   vi. Application of mandatory policy settings on device
   vii. Detection of unauthorized configurations
   viii. Detection of unauthorized software or applications
   ix. Ability to determine location of agency controlled device
   x. Prevention of unpatched devices from accessing CJI or CJI systems
   xi. Automatic device wiping after a specified number of failed access attempts

Page 11

Section 5.9.1 Physically Secure Location

• “A physically secure location is a facility, a criminal justice conveyance, or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect CJI and associated information systems.”

Page 12

PHYSICAL SECURITY

Page 14

COMPENSATING CONTROLS for AA

• Applies only to smartphones and tablets
• Possession of agency issued device is a required part of control
• Additional requirements
• Compensating Controls are temporary
• CSO approval and support required

* MDM is already required

Page 15

COMPENSATING CONTROLS for AA

• Meet the intent of the CJIS Security Policy AA requirement

• Provide a similar level of protection or security as the original AA requirement

• Not rely upon existing requirements for AA as compensating controls

Page 16

5.5.6.1 Personally Owned Information Systems

• Not authorized to access CJI unless terms and conditions are specified.

• When personally owned mobile devices (i.e. bring your own device [BYOD]) are authorized, they shall be controlled in accordance with the requirements in Policy Area 13: Mobile Devices.


Page 18

5.13.9.1 Local Device Authentication

• For devices authorized to access CJI

• Meet the requirements in Section 5.6.2.1 Standard Authenticators

• Unlock the device for use

Page 19

Solution Example

(Diagram: Agency Network, Agency Issued Device)

Page 20

SANS SEC575: Mobile Device Security & Ethical Hacking Takeaways

• MDM – must have, even rudimentary
• Application Management – malware/virus protection
• WiFi Considerations – just say no, unless absolutely required; cell service more secure
• Backend is Bigger Target – device not so much
• No Rooting/Jailbreaking – breaks inherent security features

Page 21

Cloud Computing

Page 22

CLOUD COMPUTING

What is Cloud Computing?

• Defined by the CJIS Security Policy as: A distributed computing model that permits on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information.

Page 23

What is Cloud Computing? – Service Models

Infrastructure – Cabling, HVAC, Physical Security

Platform/OS – Windows, Linux/Unix, Apple

Software – CAD/RMS, Email, Productivity

Page 24

Cloud Service Models

Page 25

Benefits of Cloud Computing

• Reduced Budgets
• Improved Efficiency
• Disaster Recovery
• Service Consolidation

Page 26

Security Concerns with Cloud Computing

• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Encryption key management
• Recovery
• Investigative support
• Long-term viability

Page 27

What Does the Cloud Actually Look Like?

Page 29

A More Realistic Cloud Diagram

(Diagram label: On-premise environment)

Page 30

How will the Cloud Service Provider help meet the CJIS Security Policy requirements?

Page 31

How do I choose a cloud service provider?

Page 32

How do I choose a cloud service provider?

https://www.fedramp.gov

Page 33

What does it all mean?

Determine what services you can technically virtualize.
• Email
• RMS
• CAD
• Other CJI applications
• Legacy systems

Consider the Policy impact at each level of cloud services.
• Infrastructure
• Platform/OS
• Software/Applications

Page 34

What does it all mean?

Delineation of Responsibility/Governance in Cloud Computing

Page 35

Section 5.10.1.5 Cloud Computing

• Only two specific “shall” requirements: “The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.”

Page 36

Advanced Authentication

Page 37

Section 5.6 Policy Area 6: Identification and Authentication

What is authentication?
• The process of verifying a claimed identity
• Determining if the subject is really who he/she claims to be

Based on at least one of the following three factors:
• Something a person knows (password, passphrase, PIN)
• Something a person has (smart card, token, key, swipe card, badge)
• Something a person is (fingerprint, voice, retina/iris characteristics)

Strong, or two-factor, authentication contains two (distinct) out of three of these methods.

Page 38

Implementing AA

• Standard authenticators: something you know, have, are
  o Password
  o PIN
    – As standard authenticator – meet password attributes
    – In conjunction with token – meet PIN attributes
    – For local device authentication – minimum 6 digits

Page 39

What is advanced authentication (AA)?

• The process of requiring more than a single factor of authentication

What is the difference between AA and two-factor authentication?

• Advanced authentication, as described in the CJIS Security Policy, allows for the use of risk-based authentication (RBA) methods.
• Two-factor authentication, as described in the NIST standards, does not include RBA as an acceptable method of authentication.

Page 40

When is AA required?

• “Dependent upon the physical, personnel, and technical security controls associated with the user location.” (Section 5.6.2.2.1)
  o When outside a physically secure location
  o When inside a physically secure location (Section 5.9) where the technical controls (Section 5.5 and 5.10) have not been implemented
  o At the point of CJI access
  o Don’t forget about Compensating Controls

Page 41

Required: When requesting access to unencrypted CJI from outside the boundaries of a physically secure location (e.g., remote access), OR inside a physically secure location where the technical security requirements have not been met.

Not Required: When requesting access to CJI from within the boundaries of a physically secure location AND the technical security requirements have been met, OR the user has indirect access to CJI.

Page 42

Figure 9 (08/04/2014) – decision flow for an Incoming CJI Access Request when the originating location can be determined:
  #1 Can request’s physical originating location be determined? (No: see Figure 10)
  #2 Does request originate from within a physically secure location?
  #3 Are all required technical controls implemented at this location or at controlling agency?
  Outcomes: Advanced Authentication Required / Advanced Authentication Not Required

Figure 10 (10/06/2015) – decision flow for an Incoming CJI Access Request when the originating location cannot be determined:
  #1 Can request’s physical originating location be determined? (Yes: see Figure 9)
  #4 Does request originate from an agency-controlled user device?
  #5 Is the agency managed user device associated with and located within a Criminal Justice Conveyance? (branches: Yes / No or Unknown)
  #6 Is the user device an agency-issued and controlled smartphone or tablet?
  #7 Does the agency-issued smartphone or tablet have CSO-approved compensating controls implemented?
  Outcomes: Advanced Authentication Required / Advanced Authentication Not Required / Go To Figure 9 Step #3
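The two flowcharts on this slide and the Required/Not Required rules on the preceding slide, encoded as one decision function that also records the steps it visited for the compliance audit. This is an added example, not code from the presentation or from FBI CJIS; because extraction scattered the figures' Yes/No labels, the routing of the #5 Yes branch (to Figure 9 step #3) and the #7 Yes branch (to AA Not Required) is the editor's reading of the published figures and is marked as an assumption in the code, and the field names and sample request are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

AA_REQUIRED = "Advanced Authentication Required"
AA_NOT_REQUIRED = "Advanced Authentication Not Required"


@dataclass
class AccessRequest:
    """One incoming CJI access request, described by the flowchart questions."""
    indirect_access: bool = False                    # slide 41: indirect access to CJI
    location_known: bool = False                     # #1
    inside_physically_secure_location: bool = False  # #2 (Section 5.9)
    technical_controls_met: bool = False             # #3 (Sections 5.5 and 5.10)
    agency_controlled_device: bool = False           # #4
    in_cj_conveyance: Optional[bool] = None          # #5, None means "Unknown"
    agency_smartphone_or_tablet: bool = False        # #6
    cso_compensating_controls: bool = False          # #7


def _figure9_step3(req: AccessRequest, trail: List[str]) -> Tuple[str, List[str]]:
    trail.append("#3 technical controls implemented?")
    return (AA_NOT_REQUIRED if req.technical_controls_met else AA_REQUIRED), trail


def aa_decision(req: AccessRequest) -> Tuple[str, List[str]]:
    """Walk Figure 9 (location known) or Figure 10 (location unknown).

    Returns the decision plus the ordered list of steps visited, so the
    outcome can be logged for the policy-compliance audit (slide 45).
    """
    if req.indirect_access:            # slide 41: indirect access never needs AA
        return AA_NOT_REQUIRED, ["indirect access to CJI"]
    trail = ["#1 originating location determinable?"]
    if req.location_known:                                  # Figure 9
        trail.append("#2 inside physically secure location?")
        if not req.inside_physically_secure_location:
            return AA_REQUIRED, trail
        return _figure9_step3(req, trail)
    trail.append("#4 agency-controlled device?")            # Figure 10
    if not req.agency_controlled_device:
        return AA_REQUIRED, trail
    trail.append("#5 within a Criminal Justice Conveyance?")
    if req.in_cj_conveyance is True:
        # Assumption: a conveyance is a physically secure location (5.9.1),
        # so the flow re-joins Figure 9 at the technical-controls check.
        return _figure9_step3(req, trail)
    trail.append("#6 agency-issued smartphone or tablet?")  # No or Unknown
    if not req.agency_smartphone_or_tablet:
        return AA_REQUIRED, trail
    trail.append("#7 CSO-approved compensating controls?")
    # Assumption: approved compensating controls stand in for AA (slide 14).
    return (AA_NOT_REQUIRED if req.cso_compensating_controls else AA_REQUIRED), trail


if __name__ == "__main__":
    # Constructed sample: an agency-issued tablet whose position cannot be determined
    decision, steps = aa_decision(AccessRequest(agency_controlled_device=True,
                                                agency_smartphone_or_tablet=True,
                                                cso_compensating_controls=True))
    print(decision, "via", " -> ".join(steps))
```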

Page 43

Why Advanced Authentication?

• AA is used to provide additional assurance the user is who they claim to be.
  – Authorized User?

• AA provides additional security beyond the typical user identification (e.g., user ID) and authentication (e.g., password).
  – Provide Increased Assurance of User Identity
  – Non-repudiation
  – Lower Risk for Data Exfiltration

Page 44

How is AA Achieved?

• AA can be achieved via:
  – Two factor authentication using biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, OR
  – Using a Risk-based Authentication (RBA) solution that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.

Page 45

Implementing AA

• Each individual’s identity shall be authenticated at either the local agency, CSA, SIB or Channeler level.

• The authentication strategy shall be part of the agency’s audit for policy compliance.
  – The credentials used for determining CJI access will be audited for CJIS Security Policy compliance.

Page 46

QUESTIONS?

Jeff Campbell
FBI CJIS Assistant Information Security Officer
CJIS Information Assurance Unit