Enhancing Mobile Device Security: A Management Perspective Panagiotis Droukas CISA, CRISC, CGEIT, COBIT 5 Accredited Trainer ISACA Athens Chapter

Agenda

• Mobile device impact on business and society

• Threats, vulnerabilities and associated risk

• Mobile security governance

• Mobile security management

• Q&A

2 Panagiotis Droukas | ISACA Athens Chapter

A quick poll before we begin

• How many mobile devices do you carry with you?

• Do you use them for business / personal purposes or both?

• What will happen if you lose one of your devices?

• What kind of protection do you apply to your data?


How many mobile devices do I carry with me?

• I have a laptop mainly for work purposes, like drafting BoG/ECB documents, checking my business e-mail and connecting to the corporate intranet through a VPN connection

• I also have a 5’’ smartphone that allows me to browse my personal e-mails and browse the internet

• Finally, I have a 7’’ tablet that allows me to browse the Internet, read books and also take family photos

Do I use them for business or personal purposes or both?

• My laptop is used primarily for business purposes

• My smartphone is used for personal and business phone calls. Many SMS contain business information, some photos are taken from business meetings and some work e-mails are forwarded to my Gmail account (e.g. hotel vouchers, electronic tickets, contact info, etc.)

• My tablet contains personal books but also some regulations, directives and unclassified material I use at work

What will happen if I lose one of my devices?

• My laptop is running Windows 7 Enterprise with BitLocker status ON. It also has a 10-character password with complexity rules

• My Android phone has an encrypted file system, a PIN for the SIM card as well as a different PIN for the device

• Finally, my Android tablet doesn’t have an encrypted file system, only a PIN for the device

What will happen if I lose one of my devices? (cont.)

• The loss of one of the said devices could have been devastating to the security of my company and for my personal security, safety, and privacy.

• In many ways, these devices are a backdoor into my personal and professional life that could have given a thief or a hacker everything required to hijack my finances, my identity, or compromise the security and safety of my home and workplace

Smartphone shipments (m. units)

Estimated global IP traffic per month (in exabytes)

Agenda: Threats, vulnerabilities and associated risk

Mobile devices in context


Mobile device connectivity

GSM = Global System for Mobile Communications, GPRS/EDGE = General Packet Radio Services/Enhanced Data rates for GSM Evolution, LTE = Long Term Evolution, WLAN = wireless local area network, NFC = near field communications.


Mobile device timeline


Source: Securing Mobile Devices, ISACA

Did you know?

• Popular applications (apps) such as Twitter or Facebook require more than ten critical privileges on mobile OSs, including changing data, changing configurations, and initiating or interrupting cellular calls.

• Logs for most mobile OSs contain extremely detailed data. When the device crashes, the data for the last four weeks will be sent to the telecom provider over the air.


Did you know? (cont.)

• User opt-out is difficult or impossible on an increasing number of mobile apps.

• One app simply states to the user that some fairly critical permission is needed and presents no more than an “OK” button. The only way to get back is to forcibly shut down the app.

• Authentication is often effected using the mobile device telephone number (subscriber identity module [SIM] card one-time tokens) and application features.


Mobile vulnerabilities, threat & risk


Source: Securing Mobile Devices, ISACA

Mobile vulnerabilities, threat & risk (cont.)


Source: Securing Mobile Devices, ISACA

Agenda: Mobile security governance

Mobile security governance

• Data and information stored on mobile devices are subject to various governance provisions at the enterprise level, as is the way in which users approach telephony and email

• Enterprises need to achieve a balance between their business interests and users’ rights to use devices freely and productively

• When users are permitted to bring their own devices, or when mobile hardware and software providers take an open approach, a security risk may be created

Standardized Enterprise Solutions

• For many enterprises, centralized and standardized device policies have been a strategic priority for many years, including mobile devices

• As an example, BlackBerry (BB) units were highly popular during the mid-2000s as a result of their centralized management and control through the BlackBerry Enterprise Server (BES)

• All mobile devices are within the sphere of control of the enterprise, including hardware (front and back end), OS, applications, data and information, user administration and systems management

Components of a standardized mobile enterprise solution


BlackBerry device life cycle


Source: Securing Mobile Devices, ISACA

Components of a BYOD solution


BYOD device life cycle


Source: Securing Mobile Devices, ISACA

The case study of Intel

• In January 2010 Intel implemented a new program allowing employees to use their own handheld devices on the job.

• Employee response was overwhelmingly positive, with more than 3,000 employees signing up in the first month. As of September 2010, their computing environment included more than 20,000 handhelds, and about 6,500 of these are employee-owned with access to corporate information.

The case study of Intel (cont.)

• Ten years ago Intel employees came to work to use great technology. Now, with the battery of consumer devices available, they often have better PCs and printers at home than they do at work.

• It is relatively easy to verify and enforce which applications are running on corporate-owned handheld devices. With personal devices, this process is not so straightforward because employees have the right to install any applications they choose.

The case study of Intel (cont.)

• Intel has identified certain minimum security specifications for handheld devices that provide a level of information security that allows Intel to test, control, update, disconnect, remote wipe and enforce policy:

  • Two-factor authentication required to push email

  • Secure storage using encryption

  • Security policy setting and restrictions

  • Secure information transmittal to and from Intel

  • Remote wipe capability

  • Some firewall and intrusion detection system (IDS) capabilities on the server side of the connection

  • Patch management and enforcement software for security rules

  • The ability to check for viruses from the server side of the connection, although the device itself may not have antivirus software
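A compliance check against the device-side items of a minimum specification like the one above, as an added example (not Intel's or ISACA's code); the attribute names, the 6-character PIN threshold and the sample device records are constructed for illustration:

```python
"""Added example: evaluate a handheld's reported posture against the
device-side items of a minimum security specification such as Intel's,
and decide what the enterprise can still do when the device is lost."""
from dataclasses import dataclass, field
from typing import Dict, List

# Device-side requirements from the specification. Server-side items
# (firewall/IDS, patch enforcement, server-side virus checks) are applied
# at the gateway and are not part of the device's posture record.
REQUIREMENTS = {
    "two_factor_email": "Two-factor authentication required to push email",
    "storage_encrypted": "Secure storage using encryption",
    "policy_applied": "Security policy settings and restrictions",
    "transport_secure": "Secure information transmittal to and from the enterprise",
    "remote_wipe": "Remote wipe capability",
}

@dataclass
class Posture:
    device_id: str
    attrs: Dict[str, bool] = field(default_factory=dict)  # as reported by the device agent
    pin_length: int = 0  # length of the device unlock PIN/password

def compliance_gaps(p: Posture, min_pin: int = 6) -> List[str]:
    """Return the requirements the device does not meet (empty when compliant).
    A missing attribute counts as unmet: the device must prove each control."""
    gaps = [text for key, text in REQUIREMENTS.items() if not p.attrs.get(key, False)]
    if p.pin_length < min_pin:  # one concrete policy restriction; threshold is constructed
        gaps.append(f"Device PIN shorter than {min_pin} characters")
    return gaps

def access_decision(p: Posture) -> str:
    """'allow' only when every requirement is met, so corporate e-mail and
    data are never pushed to a device that cannot be controlled or wiped."""
    return "allow" if not compliance_gaps(p) else "deny"

def on_device_lost(p: Posture) -> str:
    """A lost device can only be wiped if it enrolled with remote wipe enabled;
    otherwise the enterprise can only disconnect it (revoke its credentials)."""
    return "wipe_issued" if p.attrs.get("remote_wipe", False) else "disconnect_only"

# Constructed sample records: a fully managed device, an encrypted phone with
# a short PIN, and an unencrypted tablet that cannot be wiped remotely.
LAPTOP = Posture("laptop-01", {k: True for k in REQUIREMENTS}, pin_length=10)
PHONE = Posture("phone-01", {k: True for k in REQUIREMENTS}, pin_length=4)
TABLET = Posture("tablet-01", {"policy_applied": True}, pin_length=4)
```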

Combined device life cycle


Source: Securing Mobile Devices, ISACA

Privacy considerations for BYOD


Source: Securing Mobile Devices, ISACA

Agenda: Mobile security management

Layers of existing security controls

Source: Securing Mobile Devices, ISACA

Lines of defense

Source: Securing Mobile Devices, ISACA

Potential barriers

Source: Securing Mobile Devices, ISACA

Enterprise and end-user relationships


Source: Securing Mobile Devices, ISACA

ICT controls to manage mobile risks


Holistic mobile security management


1. Principles, Policies and Frameworks


2. Processes


3. Organizational Structures


3. Organizational Structures (cont.)


3. Organizational Structures (cont.)


4. Culture, ethics and behavior


5. Information


• The central asset to be protected as part of mobile device security is information.

• This includes both data and incidental information that is generated by using the mobile device, such as location or voice connection profiles.

• Much of the information stored on, and generated by, a mobile device allows insights into who the user is, what the user may be doing for a job, and where the user lives and works, to name just a few items.

6. Services, Infrastructure and Applications


• Many of the management activities and security controls found on a single device will be aggregated to the organizational level with an overarching device management system (often called MDM).

• In addition to the MDM, there are other central management activities related to security, such as identity and access management (IAM), malware protection (including attacks and intrusions), security testing and monitoring, and incident response.

7. People, skills and competences

Q&A

Panagiotis Droukas CISA, CRISC, CGEIT, COBIT 5 Accredited Trainer, ISACA Athens Chapter, Massalias 22, 106-80 Athens, [email protected]