Enhancing Mobile Device Security: A Management Perspective
Panagiotis Droukas, CISA, CRISC, CGEIT, COBIT 5 Accredited Trainer
ISACA Athens Chapter

Agenda
• Mobile device impact on business and society
• Threats, vulnerabilities and associated risk
• Mobile security governance
• Mobile security management
• Q&A
2 Panagiotis Droukas | ISACA Athens Chapter
A quick poll before we begin
• How many mobile devices do you carry with you?
• Do you use them for business / personal purposes or both?
• What will happen if you lose one of your devices?
• What kind of protection do you apply to your data?
How many mobile devices do I carry with me?
• I have a laptop mainly for work purposes, like drafting BoG/ECB documents, checking my business e-mail and connecting to the corporate intranet through a VPN connection
• I also have a 5" smartphone that allows me to browse my personal e-mails and browse the internet
• Finally, I have a 7" tablet that allows me to browse the Internet, read books and also take family photos
Do I use them for business or personal purposes or both?
• My laptop is used primarily for business purposes
• My smartphone is used for personal and business phone calls. Many SMS contain business information, some photos are taken at business meetings and some work e-mails are forwarded to my Gmail account (e.g. hotel vouchers, electronic tickets, contact info, etc.)
• My tablet contains personal books but also some regulations, directives and unclassified material I use at work
What will happen if I lose one of my devices?
• My laptop is running Windows 7 Enterprise with BitLocker status ON. It also has a 10-character password with complexity rules
• My Android phone has an encrypted file system, a PIN for the SIM card as well as a different PIN for the device
• Finally, my Android tablet doesn't have an encrypted file system, only a PIN for the device
What will happen if I lose one of my devices? (cont.)
• The loss of one of the said devices could have been devastating to the security of my company and to my personal security, safety and privacy.
• In many ways, these devices are a backdoor into my personal and professional life that could have given a thief or a hacker everything required to hijack my finances or my identity, or to compromise the security and safety of my home and workplace
Mobile device impact on business and society
Mobile device connectivity
GSM = Global System for Mobile Communications, GPRS/EDGE = General Packet Radio Services/Enhanced Data rates for GSM Evolution, LTE = Long Term Evolution, WLAN = wireless local area network, NFC = near field communications.
Mobile device timeline
Source: Securing Mobile Devices, ISACA
Did you know?
• Popular applications (apps) such as Twitter or Facebook require more than ten critical privileges on mobile OSs, including changing data, changing configurations, and initiating or interrupting cellular calls.
• Logs for most mobile OSs contain extremely detailed data. When the device crashes, the data for the last four weeks will be sent to the telecom provider over the air.
Did you know? (cont.)
• User opt-out is difficult or impossible on an increasing number of mobile apps.
• One app simply tells the user that some fairly critical permission is needed and presents nothing more than an "OK" button. The only way to decline is to force-close the app.
• Authentication is often performed using the mobile device's telephone number (one-time tokens sent to the subscriber identity module [SIM] card) together with application features. A lost device or a stolen SIM therefore also hands over that second factor.
Mobile vulnerabilities, threat & risk
Source: Securing Mobile Devices, ISACA
Mobile vulnerabilities, threat & risk (cont.)
Source: Securing Mobile Devices, ISACA
Mobile security governance
• Data and information stored on mobile devices are subject to various governance provisions at the enterprise level, as is the way in which users approach telephony and e-mail
• Enterprises need to achieve a balance between their business interests and users' rights to use devices freely and productively
• Permitting users to bring their own devices, or an open approach taken by mobile hardware and software providers, may create security risk that the enterprise has to govern
Standardized Enterprise Solutions
• For many enterprises, centralized and standardized device policies have been a strategic priority for many years, and this includes mobile devices
• As an example, BlackBerry (BB) units were highly popular during the mid-2000s as a result of their centralized management and control through the BlackBerry Enterprise Server (BES)
• All mobile devices fall within the sphere of control of the enterprise, including hardware (front and back end), OS, applications, data and information, user administration and systems management
Components of a standardized mobile enterprise solution
BlackBerry device life cycle
Source: Securing Mobile Devices, ISACA
BYOD device life cycle
Source: Securing Mobile Devices, ISACA
The case study of Intel
• In January 2010 Intel implemented a new program allowing employees to use their own handheld devices on the job.
• Employee response was overwhelmingly positive, with more than 3,000 employees signing up in the first month. As of September 2010, their computing environment included more than 20,000 handhelds, and about 6,500 of these were employee-owned with access to corporate information.
The case study of Intel (cont.)
• Ten years ago Intel employees came to work to use great technology. Now, with the battery of consumer devices available, they often have better PCs and printers at home than they do at work.
• It is relatively easy to verify and enforce which applications are running on corporate-owned handheld devices. With personal devices, this process is not so straightforward because employees have the right to install any applications they choose.
The case study of Intel (cont.)
• Intel has identified minimum security specifications for handheld devices that provide a level of information security allowing Intel to test, control, update, disconnect, remote wipe and enforce policy:
  – Two-factor authentication required to push e-mail
  – Secure storage using encryption
  – Security policy setting and restrictions
  – Secure information transmittal to and from Intel
  – Remote wipe capability
  – Some firewall and intrusion detection system (IDS) capabilities on the server side of the connection
  – Patch management and enforcement software for security rules
  – The ability to check for viruses from the server side of the connection, although the device itself may not have antivirus software
Combined device life cycle
Source: Securing Mobile Devices, ISACA
Privacy considerations for BYOD
Source: Securing Mobile Devices, ISACA
Mobile security management
Layers of existing security controls
Source: Securing Mobile Devices, ISACA
Lines of defense
Source: Securing Mobile Devices, ISACA
Potential barriers
Source: Securing Mobile Devices, ISACA
Enterprise and end-user relationships
Source: Securing Mobile Devices, ISACA
5. Information
• The central asset to be protected as part of mobile device security is information.
• This includes both data and incidental information that is generated by using the mobile device, such as location or voice connection profiles.
• Much of the information stored on, and generated by, a mobile device allows insights into who the user is, what the user may be doing for a job, and where the user lives and works, to name just a few items.
6. Services, Infrastructure and Applications
• Many of the management activities and security controls found on a single device are aggregated at the organizational level by an overarching mobile device management (MDM) system.
• In addition to the MDM, there are other central management activities related to security, such as identity and access management (IAM), malware protection (including protection against attacks and intrusions), security testing and monitoring, and incident response.
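The minimum device specifications from the Intel case study and the MDM aggregation described above only bite when something evaluates each enrolled device against them and decides what the device may do. The following is an added example, not code from the deck, from ISACA or from Intel: a small compliance evaluator over constructed inventory records of the kind an MDM agent reports. The thresholds (10-character complex passcode, 30-day patch window), the app allowlist and the decision names are assumptions chosen for illustration. It also encodes the corporate-versus-BYOD distinction from the case study: installed apps are checked only on corporate-owned devices, while a BYOD device must keep corporate data in a managed container and is only selectively wiped when compromised.

```python
"""MDM-style compliance evaluation (added example, not the deck's or any vendor's code)."""
from dataclasses import dataclass, field
from datetime import date

# Policy thresholds: assumptions for illustration, loosely following the
# deck's "10-character password with complexity rules".
MIN_PASSCODE_LENGTH = 10
MAX_PATCH_AGE_DAYS = 30
APPROVED_APPS = {"mail", "vpn", "docs"}   # assumed corporate allowlist


@dataclass
class Device:
    """Constructed inventory record, as an MDM agent might report it."""
    device_id: str
    owner: str                        # "corporate" or "byod"
    encrypted: bool                   # storage encryption enabled
    passcode_length: int              # agent reports length, never the passcode itself
    passcode_complex: bool            # complexity rules satisfied
    last_patch: date                  # date of the last OS security update
    mfa_enrolled: bool                # second factor registered for e-mail push
    remote_wipe_enabled: bool
    rooted: bool                      # jailbreak/root detected
    installed_apps: list = field(default_factory=list)
    corporate_data_in_container: bool = False


def evaluate(dev: Device, today: date) -> tuple:
    """Return (decision, reasons).

    allow          - device may sync corporate mail and data
    block_sync     - e-mail push and VPN refused until the findings are fixed
    full_wipe      - compromised corporate-owned device: wipe the whole device
    selective_wipe - compromised BYOD device: wipe only the corporate container
    """
    reasons = []
    # A rooted device cannot be trusted to enforce any of the other controls,
    # so the ownership model decides how much we are allowed to wipe.
    if dev.rooted:
        reasons.append("rooted/jailbroken OS")
        return ("full_wipe" if dev.owner == "corporate" else "selective_wipe", reasons)
    if not dev.encrypted:
        reasons.append("storage not encrypted")
    if dev.passcode_length < MIN_PASSCODE_LENGTH or not dev.passcode_complex:
        reasons.append("passcode below policy")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append("OS patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not dev.mfa_enrolled:
        reasons.append("no second factor enrolled")
    if not dev.remote_wipe_enabled:
        reasons.append("remote wipe not enabled")
    if dev.owner == "corporate":
        # Corporate-owned: the app inventory is enforceable.
        extra = sorted(set(dev.installed_apps) - APPROVED_APPS)
        if extra:
            reasons.append("unapproved apps: " + ", ".join(extra))
    elif not dev.corporate_data_in_container:
        # BYOD: the user may install anything, so only the container is policed.
        reasons.append("corporate data outside managed container")
    return ("allow" if not reasons else "block_sync", reasons)


def evaluate_fleet(devices, today: date) -> dict:
    """Map device_id -> (decision, reasons) for a whole inventory."""
    return {d.device_id: evaluate(d, today) for d in devices}


# Constructed sample inventory with a fixed evaluation date.
TODAY = date(2014, 6, 1)
SAMPLE_DEVICES = [
    Device("corp-001", "corporate", True, 12, True, date(2014, 5, 20), True, True, False,
           ["mail", "vpn"]),
    Device("byod-002", "byod", True, 4, False, date(2014, 1, 5), True, True, False,
           ["mail", "games"], corporate_data_in_container=True),
    Device("byod-003", "byod", True, 12, True, date(2014, 5, 25), True, True, True,
           ["mail"], corporate_data_in_container=True),
    Device("corp-004", "corporate", True, 12, True, date(2014, 5, 28), True, True, False,
           ["mail", "games"]),
]

if __name__ == "__main__":
    for dev_id, (decision, reasons) in evaluate_fleet(SAMPLE_DEVICES, TODAY).items():
        print(dev_id, decision, "; ".join(reasons))
```

Running the block lists one decision per device: the compliant corporate device is allowed, the BYOD device with a 4-digit PIN and five-month-old patches is blocked until remediated, the rooted BYOD device gets only its corporate container wiped, and the corporate device carrying an unapproved app is blocked. In a real deployment the decision would feed the mail gateway or VPN concentrator rather than being printed.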
Q&A
Panagiotis Droukas, CISA, CRISC, CGEIT, COBIT 5 Accredited Trainer
ISACA Athens Chapter
Massalias 22, 106-80 Athens