Mobile Policy

Mobile Policy. Overview Security Risks with Mobile Devices Guidelines for Managing the Security of Mobile Devices in the Enterprise Threats of Mobile



Overview

• Security Risks with Mobile Devices
• Guidelines for Managing the Security of Mobile Devices in the Enterprise
• Threats of Mobile Devices and Mitigation Strategies
• Bring Your Own Device (BYOD)
• Policies for BYOD
• Case Studies


Security Risks with Mobile Devices

• Device hardware and OS vulnerabilities
• Mobile malware
• Mobile application security risks
• Use of insecure connections
• Lost or stolen devices


Device Hardware and OS Vulnerabilities

• Android and iOS are comparably risky
• Vulnerabilities were found in cross-app resource sharing protocols on Apple’s desktop and mobile platforms
  ◦ Exploited to steal data such as passwords and authentication keys
• Jailbreaking iOS and rooting Android devices


Mobile Malware

• Trojans that send SMS messages to premium rate numbers
• Background calling applications that make long distance calls
• Key logging applications
• Worms
• Spyware


Mobile Application Security Risks

• Common vulnerabilities
  ◦ sensitive data leakage
  ◦ unsafe sensitive data storage
  ◦ unsafe sensitive data transmission
  ◦ hardcoded passwords/keys, etc.
• HTML5-based mobile apps are at risk of malicious code injection – Cross Device Scripting attacks


Guidelines for Managing the Security of Mobile Devices

• Organizations should have a mobile device security policy
• System threat models for mobile devices, and for the resources accessed through them, should be developed
• Organizations should select the services provided by mobile device solutions that meet their needs
• A pilot mobile device solution needs to be implemented and tested before the solution is put into production
• Organization-issued mobile devices should be fully secured before being used
• Mobile device security should be regularly maintained


Mobile Device Security Policy

• Defines the types of resources in the organization that may be accessed via mobile devices
• Defines the types of mobile devices that are permitted to access the organization’s resources
• Defines the degree of access of different classes of mobile devices
  ◦ organization-issued devices vs. personally owned devices
• Defines the requirements for mobile device management technologies
  ◦ the administration of centralized mobile device management servers
  ◦ the updating of policies in the servers, etc.


Services Provided by Mobile Device Solutions

• General policy
  ◦ Enforce enterprise security policies on the mobile device
  ◦ E.g., restricting access to hardware and software, managing wireless network interfaces, detecting and reporting policy violations
• Data communication and storage
  ◦ Encrypted data communication and storage, device wiping, and wiping devices remotely
• User and device authentication
  ◦ E.g., resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices
• Applications
  ◦ The app stores allowed to be used, the applications allowed to be installed
  ◦ Permissions assigned to the applications, installing and updating applications, the use of synchronization services, etc.
  ◦ Verifying digital signatures on applications
  ◦ Distributing the organization’s applications from a dedicated mobile application store


Mobile Device Security Maintenance

• checking for and deploying upgrades and patches
• ensuring that the clocks of mobile device infrastructure components are synced to a common time source
• reconfiguring access control features as needed
• detecting and documenting anomalies
• keeping an active inventory of mobile devices and their users and applications
• revoking access to or deleting an application
• wiping devices before reissuing them to other users
• periodically performing assessments to confirm compliance with mobile device policies, processes, and procedures


Threats of Mobile Devices in the Enterprise

• Lack of physical security controls
• Use of untrusted mobile devices
• Use of untrusted networks
• Use of untrusted applications
• Interaction with other systems
• Use of untrusted content
• Use of location services


Threats and Mitigation Strategies – (1)

Threat
• Lack of physical security controls
  ◦ Lost or stolen devices
  ◦ An attacker recovers data from the device, or uses the device to access the organization’s remote resources

Mitigation
• Require authentication before granting access to the device or the organization’s resources
• Encrypt the device’s storage, or do not store sensitive data on mobile devices
• User training and awareness to reduce insecure physical security practices


Threats and Mitigation Strategies – (2)

Threat
• Use of untrusted mobile devices
  ◦ Restrictions on security, OS, etc. could be bypassed through jailbreaking and rooting

Mitigation
• Restrict or prohibit BYOD devices
• Fully secure organization-issued devices; monitor and address deviations from the secure state
• For BYOD devices, run the organization’s software in a secure, isolated sandbox on the mobile device, or use device integrity scanning applications


Threats and Mitigation Strategies – (3)

Threat
• Use of untrusted networks
  ◦ Eavesdropping
  ◦ Man-in-the-middle attacks

Mitigation
• Use a VPN
• Use a mutual authentication mechanism to verify the identities of both endpoints before transmitting data
• Prohibit use of insecure Wi-Fi networks
• Disable network interfaces that are not needed


Threats and Mitigation Strategies – (4)

Threat
• Use of untrusted applications
  ◦ Users can download untrusted third-party mobile device applications
  ◦ Users can access untrusted web-based applications through the device’s built-in browser

Mitigation
• Prohibit all installation of third-party applications
• Allow installation of approved applications only
• Verify that applications only receive the necessary permissions
• Implement a secure sandbox that isolates the organization’s data and applications from all other data and applications on the mobile device
• Perform a risk assessment on each third-party application before permitting its use on the organization’s mobile devices
• Prohibit or restrict browser access
• Force mobile device traffic through secure web gateways, HTTP proxy servers, or other intermediate devices to assess URLs before allowing access
• Use a separate browser within a secure sandbox for browser-based access related to the organization
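As an added example (not part of these slides), one way to carry out the "verify that applications only receive the necessary permissions" mitigation: read the uses-permission entries from an app's AndroidManifest.xml and compare them with the organization's per-app allowlist. The manifest, the package name and the policy allowlist are all constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the permission-related part of an app's AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.expenses">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

# Hypothetical policy allowlist: the permissions each approved app is expected
# to need (an expense app photographs receipts and talks to a server).
POLICY = {
    "com.example.expenses": {"android.permission.INTERNET",
                             "android.permission.CAMERA"},
}

# Permissions behind the malware behaviours the deck lists (premium-rate SMS
# trojans, background calling, spyware); always reported, never silently allowed.
HIGH_RISK = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO"}

def requested_permissions(manifest_xml):
    """Return (package name, set of permission names the manifest requests)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return root.get("package"), perms

def review_app(manifest_xml, policy=POLICY):
    """Approve only if every requested permission is on the app's allowlist."""
    pkg, perms = requested_permissions(manifest_xml)
    allowed = policy.get(pkg)
    if allowed is None:
        return {"package": pkg, "verdict": "reject", "reason": "app not approved"}
    excess = sorted(perms - allowed)          # requested beyond what policy allows
    return {"package": pkg,
            "verdict": "approve" if not excess else "reject",
            "excess": excess,
            "high_risk": sorted(perms & HIGH_RISK)}  # needs explicit justification
```

The sample app is rejected because it asks for READ_SMS and SEND_SMS, which an expense tool has no reason to need and which match the premium-SMS trojan behaviour listed earlier in the deck.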


Threats and Mitigation Strategies – (5)

Threat
• Interaction with other systems
  ◦ Connecting a personally-owned mobile device to an organization-issued laptop
  ◦ Connecting an organization-issued mobile device to a personally-owned laptop
  ◦ Connecting an organization-issued mobile device to a remote backup service
  ◦ Connecting any mobile device to an untrusted charging station
  ◦ Risk of storing the organization’s data in an unsecured location, and of malware transmission

Mitigation
• Implement security controls on organization-issued mobile devices restricting which devices they can synchronize with
• Implement security controls on organization-issued computers restricting the connection of mobile devices
• Block use of remote backup services, or configure the mobile devices not to use such services
• Do not connect mobile devices to unknown charging devices
• Prevent mobile devices from exchanging data with each other through logical or physical means


Threats and Mitigation Strategies – (6)

Threat
• Use of untrusted content
  ◦ Malicious QR codes could direct mobile devices to malicious websites

Mitigation
• Educate users not to access untrusted content with any mobile device used for work
• Have applications (e.g., QR readers) display the unobfuscated content (e.g., the URL) and allow users to accept or reject it before proceeding
• Use secure web gateways, HTTP proxy servers, etc. to validate URLs before allowing access
• Restrict peripheral use on mobile devices (e.g., disabling camera use) to prevent QR code reading
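An added example, not from the slides, of the QR-reader mitigations above: the decoded payload is shown literally with warnings about features that disguise where a link really leads, checked against a web-gateway allowlist, and opened only when the user accepts. The allowed hosts, the sample payloads and the user_accepts callback (standing in for the accept/reject prompt) are constructed for this example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist that a secure web gateway would enforce for work devices.
ALLOWED_HOSTS = {"intranet.example.org", "hr.example.org"}

def reveal(payload):
    """Describe a decoded QR payload literally, with warnings, instead of acting on it."""
    if payload.lower().startswith(("http://", "https://")):
        parts = urlsplit(payload)
        host = parts.hostname or ""
        warnings = []
        if parts.scheme.lower() != "https":
            warnings.append("unencrypted http")
        if parts.username is not None:
            warnings.append("credentials before host (user@host trick)")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode host may imitate another name")
        if host.replace(".", "").isdigit():
            warnings.append("bare IP address instead of a name")
        return {"kind": "url", "host": host, "display": payload, "warnings": warnings}
    # tel:, sms:, WIFI: and similar payloads trigger a device action, not a page load
    kind = payload.split(":", 1)[0].upper()
    return {"kind": kind, "host": None, "display": payload,
            "warnings": ["non-web payload triggers a device action"]}

def gateway_allows(host, allowlist=ALLOWED_HOSTS):
    """The URL validation step the slide assigns to a secure web gateway or proxy."""
    return host in allowlist

def handle_qr(payload, user_accepts):
    """Reveal, validate, then ask; user_accepts(prompt) stands in for the accept/reject UI."""
    info = reveal(payload)
    if info["kind"] != "url":
        return "blocked: " + info["warnings"][0]
    if not gateway_allows(info["host"]):
        return "blocked by gateway: " + info["host"]
    prompt = info["display"]
    if info["warnings"]:
        prompt += " [" + "; ".join(info["warnings"]) + "]"
    if not user_accepts(prompt):
        return "rejected by user"
    return "opened: " + info["display"]

# Constructed sample payloads, as a QR decoder would hand them over.
SAMPLES = ["https://hr.example.org/benefits",
           "https://hr.example.org@203.0.113.5/login",   # displays like hr.example.org
           "WIFI:T:WPA;S:FreeCoffee;P:secret;;"]
```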


Threats and Mitigation Strategies – (7)

Threat
• Use of location services
  ◦ Attackers could correlate location information with other sources to learn who the user associates with and the kinds of activities they perform in particular locations

Mitigation
• Disable location services
• Prohibit use of location services for particular applications, such as social networking or photo applications
• Turn off location services when in sensitive areas
• Opt out of Internet connection location services whenever possible


Bring Your Own Device (BYOD) – Benefits

• Cost savings
  ◦ The cost of organization-issued devices could be reduced
• Productivity gains
  ◦ Employees can work more effectively outside of the office, and are more likely to spend more time on work-related activities
• Operational flexibility
  ◦ Employees can carry out their work functions away from their desks
• Employee satisfaction
  ◦ Employees can use devices that they enjoy using


BYOD – Challenges

• Privacy issues
  ◦ A Mobile Device Management (MDM) system may require accessing/processing of personal data
  ◦ Employee consent should be obtained before MDM is deployed
  ◦ Employees’ personal data may be lost if device data needs to be wiped
• Cost issues
  ◦ Whether to reimburse employee-owned devices and data/voice usage
  ◦ Additional cost for implementing MDM and for handling the support of BYOD users
  ◦ Tax implications for reimbursement


BYOD – Technological Approaches

• Virtualization
  ◦ Provide remote access to computing resources
  ◦ No organization data/application processing on the personal devices
• Walled garden
  ◦ The organization’s data or application processing is contained in a secure application that is segregated from personal data
• Limited separation
  ◦ The organization’s data and/or application processing is commingled with personal data and/or application processing, but policies are enacted to ensure minimum security controls


BYOD – Areas that Policies Should Address

• Eligibility
  ◦ Who is allowed to use personal devices
• Allowed devices
  ◦ Minimum specifications for OS and application support, performance and other device-specific criteria
  ◦ Desktop virtualization eliminates these considerations
• Service availability
  ◦ The specific services the organization wants to make available on BYO devices
• Rollout
  ◦ Teach employees about responsibilities, such as how data is allowed to be accessed, used, and stored
• Cost sharing
  ◦ Whether to provide full or partial stipends towards the personal devices
  ◦ Who will pay for network access outside the organization firewall
• Security and compliance
  ◦ Use desktop virtualization
  ◦ Disable printing or access to client-side storage
  ◦ Ensure antivirus/antimalware is installed and updated
  ◦ Network access control
  ◦ A mechanism to terminate access to data and apps from a BYO device if the device is lost or stolen, or the employee leaves the organization
• Device support and maintenance
  ◦ How various support and maintenance tasks will be addressed and paid for


Components of BYOD Policies

• Acceptable use policy for email, Internet, mobile devices, etc.
• Security policies such as mobile, encryption, password, anti-virus, etc.
• Wireless access policy
• Remote access policy
• Remote working policies
• Privacy policies
• Employee code of conduct
• Incident response policies


Sample Policies

The CIO Council provided the following sample policies:
◦ Policy and guidelines for government-provided mobile device usage
◦ Bring your own device – policy and rules of behavior
◦ Mobile information technology device policy
◦ Wireless communication reimbursement program
◦ Portable wireless network access device policy

Reference: CIO Council, Bring Your Own Device – A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs. https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf


BYOD – Case Studies

• The Department of the Treasury’s Alcohol and Tobacco Tax and Trade Bureau (TTB) implemented a virtual desktop
• The U.S. Equal Employment Opportunity Commission implemented a BYOD pilot
• The State of Delaware implemented BYOD and achieved cost savings

Reference: CIO Council, Bring Your Own Device – A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs. https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf