BYOD and Mobile Device Dependency

Size: px

Start display at page:

Download "BYOD and Mobile Device Dependency"

Theodora Ball
8 years ago
Views:

1 BYOD and Mobile Device Dependency Thursday, November 8, 2012 Brian Thomas, CISA, CISSP & Shohn Trojacek, CISSP

2 Brian Thomas, CISA, CISSP Partner, IT Advisory Services at Weaver Provides security, IT audit (GRC), security and process improvement consulting services Service delivery methodology coordinator for Weaver s IT Advisory Services Over 14 years experience in IT auditing and consulting (PwC, KPMG, Weaver) Partner at Weaver since 2007 Advisory committee oversight of Weaver s IT function BS/MS in engineering (not a CPA) CISSP since 2005, CISA since 2004 Member, AICPA and participant on multiple AICPA ITEC Task Forces

3 Presenters Shohn Trojacek, CISSP PivotPoint Solutions Information Systems Consultant Formerly Responsible for infrastructure operations, administration, security, budgeting, governance internally. Over 12 years experience in information security Significant experience in security assessments over technical infrastructure

4 Mobile Security Topics Background on Mobile Technology Risk in 2012 Major Threat Vectors and Mitigation Strategies Steps for IT Auditors to Consider Conclusions and Discussion

5 Background Much of the concern today around mobile device security is comingled with the BYOD concept Inherent contradictions between users wants and enterprise security

6 The Culture of Mobile Computing Anywhere, Anytime! Local devices with storage and processing capability Establishing a secure remote connection with appropriate remote authentication Cloud usage and integration Internet connectivity and bandwidth improvements Corporate culture work-life balance Reduced geographic boundaries for employment and recruiting Expectations of extended hours and project deadlines Application dependency for personal and business usage

7 Ponemon Institute, 2012 Global Study on Mobility Risks Perceptions of Mobile in the Workplace

8 Ponemon Institute, 2012 Global Study on Mobility Risks Consequences of a Mobile Breach

9 What Data Do We Lose? (including attachments received) Text Messages Pictures / images Contacts Saved files Browsing history Geo location

10 Primary Threat Vectors for Mobile Devices 1. Users 2. Physical access 3. Wireless communication 4. Malware

11 1. Users are a Source of Risk Inherent contradiction between how we want to use these devices (for everything) and the concept of security Different devices present different risks to users Alarming statistics about individual users and security

12 1. Mitigation of User Risk Security-Dummies- Science/dp/ #_ User education about the risks involved with mobile security Realistic policies regarding BYOD and mobile device security Use technology to help enforce policies i.e. Mobile Device Management

13 2. Physical Access Outside of the perimeter Must assume device access will be attempted by non-authorized user Prone to being stolen or lost Circumventing authentication controls

14 Source: Lookout Security Billion Dollar Phone Bill

15 2. Physical Access Risk Mitigation The following must be enabled on the device: Password / PIN (preferably password) Device encryption Permitted devices should support remote wipe features Users must be taught not to disable or modify these features Mobile Device Management

16 3. Wireless Threats Open / public Wi-Fi creates risk for the integrity of the session Man in the Middle Attacks Session Jacking

17 3. Wireless Risk Mitigation Users must be educated about how to use public Wi-Fi and what poses a threat Corporate applications and services should require VPN or SSL Consider one-time password generators

18 4. Malware as a Threat Malware is an increasing issue (statistics) Android vs. ios Other platforms (RIM, Nokia / Windows) Methods of spreading (app store vs. drive by) Users and trust

19 In the News Android

20 In the News Android

21 4. Malware Mitigation Download software and files only from trusted / known sources Educate users and make resources available to them to combat malware Anti-virus / Anti-malware Phone within a phone Mobile Device Management

22 Planning Forward Organizations should consider evaluating the following: Modifications to the internal risk assessment Reviewing mobile computing policies and procedures Assessing MDM Understanding exceptions to policy

23 Risk Assessment Build questions about mobile technology into the risk assessment process Target risk assessment questions to the areas described in this presentation, but also consider new and evolving areas

24 Review Mobile Policies and Procedures Evaluate written policies and procedures regarding BYOD, device capability requirements, acceptable use, etc. Assess the adequacy of policies for addressing the most significant risks from a mobile computing perspective Do policies give you the right to audit user settings?

25 Mobile Device Management Does the organization have MDM capability beyond MS Exchange ActiveSync? Has the organization evaluated other MDM tools? How effective are ActiveSync and/or other MDM tools at enforcing policies? Is the MDM tool compatible with all devices in the network? Can users easily circumvent policy?

26 Exceptions to Policy Don t forget about this guy! Exceptions to policy are likely to come from some of mobile computing s most prized targets Evaluate the reasonableness of exceptions based on the risk associated with the data they have access to

27 Final Remarks Don t forget about the criticality of user education with mobile security evaluating the adequacy of ongoing user education is paramount Don t be afraid to evaluate settings on some users devices, even in a BYOD world!

28 Discussion & Demonstration Shohn Trojacek, CISSP Brian J. Thomas, CISA, CISSP

White Paper. Data Security. The Top Threat Facing Enterprises Today

White Paper. Data Security. The Top Threat Facing Enterprises Today White Paper Data Security The Top Threat Facing Enterprises Today CONTENTS Introduction Vulnerabilities of Mobile Devices Alarming State of Mobile Insecurity Security Best Practices What if a Device is