Mobile Device Deployments-The Security Dangers of Technology on the Go

Transcription

1 Mobile Device Deployments-The Security Dangers of Technology on the Go Presented by Mark Bell, PMP, CISSP, CISA, CHSS OM03 Friday, 10/25/2013 3:45 PM - 5:00 PM

2 Mobile Device Deployments Is Your Organization More Empowered or Endangered? October 2013 Mark Bell EVP, Operations 2012 Digital Defense, Inc. Confidential Agenda About the Speaker About Digital Defense What is a Mobile Device? Mobile Device Usage In Employee Populations So Is It Really That Dangerous Out There? Protecting Your Company What Can You do to Manage the Risk? Public Use 2 1

3 About the Speaker Mark Bell, PMP, CISSP, CISA, CHSS Responsibilities include delivery of vulnerability assessments, penetration testing, Payment Card Industry (PCI) Approved Scanning Vendor (ASV) services, social engineering and risk assessments. Retired United States Air Force Former Senior Network Security Engineer with the 92nd Information Operations Squadron, Air Force Information Operations Center Master of Science degree in Information Assurance from Norwich University, Bachelor of Science in Computer Science from Hawaii Pacific University Certified as a Project Management Professional (PMP), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified HIPAA Security Specialist (CHSS) Public Use 3 About Digital Defense Founded in 1999, Digital Defense, Inc., is the premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries. Verticals Served: Legal Financial Healthcare Railways Technology Public Use 4 2

4 What Is A Mobile Device? A mobile device (also known as a handheld device, handheld computer or simply handheld) is a pocketsized computing device, typically having a display screen with touch input and/or a miniature keyboard. Smartphones and PDAs are popular amongst those who require the assistance and convenience of certain aspects of a conventional computer, in environments where carrying one would not be practical. Source: Public Use 5 Examples of Mobile Devices Public Use 6 3

5 Examples of Mobile Devices Public Use 7 Mobile Device Usage In Employee Populations Public Use 8 4

6 Ownership Statistics As of May 2013: 91% of American adults have a cell phone 56% of American adults have a smartphone 28% of cell owners own an Android; 25% own an iphone; 4% own a Blackberry 34% of American adults own a tablet computer Source: Public Use 9 Home & Work Are Blending Source: _infographic_Mobile-User-is-Always-On_FINAL.jpg?download=1 Public Use 10 5

7 Mobile Device Usage On The Rise Source: Public Use 11 What Are Employees Using? Smartphones: The Go To Device Handheld Without Phone Netbook Tablet Feature Phone Desktop Laptop Smartphone 42% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% Source: Public Use 12 6

8 Why Are They Using Mobile Devices? Nearly 60% of all consumers say it improves their productivity to take conference calls and use collaboration tools from their personal devices. Source: Public Use 13 BYOD: Employee View Let s Me Do My Job Better I Like The Flexibility Want A Single Phone For Work And Home Source: Public Use 14 7

9 Who Wants BYOD? Younger Workers Lead The Way! 45% 40% 42% 35% 30% 25% 20% 15% 10% 5% 0% Source: Public Use 15 The Greatest Driver for BYOD Everyone Wants Their NOW! Sales Force Automation Line of Business Apps Social Media Task & Project Management Office Applications Instant Messaging Calendar Contacts Web Browser 86% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Source: Public Use 16 8

10 So Is It Really That Dangerous Out There? Public Use 17 Yes It Is! Check Point 2013 Mobile Device Security Survey 79% of the respondents reported mobile security incidents in the past year 52% of large companies say cost of mobile security incidents last year exceeded $500,000 45% of businesses with less than 1000 employees reported mobile security incident costs exceeding $100,000 49% cite Android as platform with greatest perceived security risk (up from 30% last year), compared to Apple, Windows Mobile, and Blackberry 66% say careless employees greater security risk than cybercriminals Public Use 18 9

11 Bans Don t Work! BYOD alert: Confidential Data On Personal Devices Think you're safe if you have a policy prohibiting BYOD to begin with? Guess again. According to a Microsoft study, 67 percent of people use personal devices at work, regardless of the office's official BYOD policy -- so even if it's prohibited, there's a good chance employees (particularly millennials, who have a reputation for feeling entitled to more relaxed IT policies as a result of their college experiences -- are working with personal devices anyway. Source: Public Use 19 Where You re Exposed Device Loss/Theft Data Breach Malicious Applications Ownership Issues Public Use 20 10

12 Device Loss/Theft Users asleep on smartphone security and data loss. People who lose their smartphones at the pub may think the phone password can save them from embarrassment, but more often than not, they forget about the media or memory card, according to Ty Miller, chief technology officer at IT security consultancy Pure Hacking. "People don't really think about securing media cards on phones," Mr Miller said. "From a consumers' point of view, they just enjoy the storage of the media card." Why? It s just a phone. IT takes care of protecting my . It has a password on it. Source: Public Use 21 My Employees Are Careful! In the last six months alone, the nine-nation survey of leading taxi companies in Australia, Denmark, Finland, France, Germany, Norway, Sweden, Great Britain, and the U.S. indicated tens of thousands of digital devices were left behind inadvertently. The U.S. company polled in the survey, a major Chicago cab company, reported the highest number of losses per taxi of all firms studied, both in mobile phones (3.42 per cab) and PDAs/Pocket PCs (0.86 per cab). Based on the large size of the Chicago company's fleet, the statistics indicate a staggering 85,619 mobile phones, 21,460 PDAs/Pocket PCs, and 4,425 laptops left in the firm's licensed cabs during the six months covered in the study. Only London, with 0.21 laptop PCs lost per cab versus the Chicago firm's 0.18, was higher in any category. Source: CheckPoint Technologies Study Public Use 22 11

13 Data Breach Data breaches from mobile devices could lead to identity theft. Nearly 40% of organizations in the study had a data breach resulting from a lost or stolen mobile device, including tablet computers, smartphones and USB drives that contained confidential or sensitive data. Ponemon Institute Study Why? Users fail to understand the types of data stored on the device? Users are careless with the device. Remember, it s just a phone. Source: Public Use 23 Malicious Applications Malicious applications are exposing your company to risk. Symantec said 2012 saw a 58 percent increase in mobile malware families compared to Fifty nine percent of all mobile malware to-date was discovered in Symantec Internet Security Report It s my phone, I can load apps if I want! It was made by XYZ vendor, so it must be safe. Source: Public Use 24 12

14 Device Ownership Issues Wipeout: When Your Company Kills Your iphone A few weeks ago, Amanda Stanton's iphone suddenly went black. Everything was gone all her contacts, photos and even the phone's ability to make calls. Someone in the IT department had sent out what's called a "remote wipe," a kind of auto-destruct command that's delivered by . The wipe was done by mistake, and Stanton wouldn't have been surprised to see this kind of remote control on a company phone. But this iphone was hers. Why? Who really owns the phone? Who really owns the data on the phone? Source: Public Use 25 Protecting Your Company Public Use 26 13

15 What Most Companies Do Buy Technology Issue Policy To Staff Monitor Employees Public Use 27 What Companies Should Do Evaluate Risk Implement Policies & Procedures Buy Technology Public Use 28 14

16 But XYZ Said MDM Is All I Need! Gartner MDM Magic Quadrant 2012 With all of the MDM solutions available, how would you know which is right for you if you don t know what you are trying to protect? Public Use 29 Remember: MDM Is Not Foolproof Devices What if the solution doesn t support all of the models/makers that your staff is using? What if management wants iphones and staff wants Windows Mobile? App Stores How well does the MDM solution protect you against malicious apps / app stores? Does the solution allow you to have a corporate app store that contains only approved apps? Public Use 30 15

17 Start With A Risk Assessment Basic Questions That Need To Be Asked & Answered Why are we introducing the devices into our network? How are the devices connecting to the corporate network? What data will the devices have access to once introduced? What types of devices should we allow? Who should get access to corporate resources via a mobile device? What would our exposure be if a device was lost or stolen? Will all employees be able to participate? If not, why? Public Use 31 Let s Review One Item What Data Are You Trying To Protect? Client information How Are the Devices Connecting to the Corporate Network Putting Client Data At Risk? 3G/4G? What risks are they being exposed to by other users? Wireless? Will users be passing anything over the network in clear text? What happens if they multi-home their laptop with a mobile device hotspot? VPN? Not all VPNs work with all mobile devices. Multiple VPNs the answer? Will the VPN force the routing of personal traffic via the corporate network? OWA? Forces you to expose your Exchange Server to the Internet. You need to understand the risks of each before you can even think of writing your first policy. Public Use 32 16

18 What About Policies? Develop AFTER Your Risk Assessment! Address, at a Minimum Who furnishes the device? Is the employee reimbursed for any part of their phone or phone bill? (This can get VERY sticky!) Can the employee use the phone for personal use? Can the employee load applications from outside sources? If so, which? Who will decide? What should the employee do if the device is lost or stolen? What should IT do to protect the organization? Public Use 33 Example Policies App Store Usage Device Backup Joint Usage Policy (Personal/Corporate) Acceptable Use Media Card Usage Device Destruction & Replacement Lost & Stolen Devices Allowable Devices Use of Encryption Mobile Device Passwords Location Service Usage Overseas Travel with Mobile Devices Public Use 34 17

19 Protecting the Device Passwords & Patterns Most mobile devices support passwords, however some do not allow passwords that exceed four characters or passwords that meet corporate passwords standards. Many devices will allow the user to disable the password or change it to meet their needs (easier). Avoid swipe patterns (Android devices) as they can be easily compromised. Avoid facial and voice recognition technologies and they can be easily bypassed. Public Use 35 Protecting the Device Encryption (Device & Media) Most modern mobile devices support the encryption of user data on the device. Passwords PIN Some devices may not allow you to encrypt removable media (SD cards, etc.). If they are allowed this could be a potential risk. Some devices allow for encryption of certain data sets and as such may leave other more critical data unprotected. Public Use 36 18

20 Protecting the Device Firewalls Some devices are made available with built-in firewalls, some are not. Make sure you know which you are dealing with prior to deploying. Anti-Virus / Anti-Malware While still rare, mobile device anti-virus/antimalware packages are becoming more mainstream. Sophos and Lookout both offer packages for Android devices. Public Use 37 Recovery After Loss Remote Wiping Most devices will allow IT to remote wipe the device and erase all of the stored information, including data stored on removable storage. Ensure employees know that their data will be lost as well. Remote Discovery & Recovery Many devices now link to services that allow IT to remotely monitor the location of the device. Google and Apple both offer free services that, if allowed, make it easy to discover lost phones. Most MDM solutions have the same capabilities. Public Use 38 19

21 Protect Your Data Backups Make sure you are aware that employees may be backing up to icloud, Google Drive, Windows SkyDrive, or their own computer. These backups may contain very sensitive data that could be exposed to unauthorized persons. Make sure your MDM solution addresses this pre-deployment. Public Use 39 In Closing Mobile Devices can be a great asset to most organizations IF they are deployed in a consistent fashion. Think of mobile devices as just another type of personal computing device and protect them accordingly. Public Use 40 20

22 Questions? Follow Us On Twitter Like Us On Facebook Read Our Blog on Blogger Public Use 41 21