Valid concerns about mobile security and how to address them
Institute of Management Consultants and Advisers, Dublin, 19th June 2013
Mathieu.gorge@vigitrust.com
www.vigitrust.com
Thursday 20 June 13 (c) VigiTrust 2003-2013
Today's Presentation
- Setting the Scene
- Defining Mobility
- BYOD & Application Security: two key Mobility topics right now
- Preparing for Security-Enabled Mobility
- 2013-2015 Outlook
- Q&A
About VigiTrust: Compliance as a Service
1. Security Training & eLearning: online training for management and staff
2. Compliance, Readiness & Validation: comprehensive online programs to achieve and maintain compliance
3. Security & GRC Services: professional services to enable and support your compliance process
The 5 Pillars of Security Framework: Physical Security; People Security; Data Security; IT Security; Crisis Management
5 Pillars of Security Framework (Best Practice Security Framework for Enterprise)
Chief Security Officer: project leader for all security-related matters, overseeing the five pillars below.
- Physical Security: access to building, physical assets, IT hardware, vehicle fleet. Owners: Operations Manager, Security Staff
- People Security: permanent & contract staff, partners, 3rd-party employees, visitors, special events security. Owners: HR, Security Staff
- Data Security: trade secrets, employee data, databases, customer data. Owners: HR, IT Team & Manager
- Infrastructure Security: networks, remote sites, remote users, application security, website, intranet. Owners: IT Team & Manager
- Crisis Management: documentation & work procedures, emergency response plans, business continuity plans, disaster recovery plans. Owners: Operations Manager, IT Team, HR
Existing eLearning Portfolio
- US and EMEA esec portfolios (existing): HIPAA; NERC-CIP 101; MA 201; Understanding Data Breach Notification Requirements; Data Protection Fundamentals; Credit Card Security; Introduction to PCI DSS; Banking & Fraud; Green IT & Security; ISO; IT & SDLC; Security During M&A Process
- Generic training (GEN. esec portfolio, existing): Info Security 101; Mobility & Security; Security of Social Networks; Cloud Computing & Security 101; Physical Security for Good Logical Security
- Technical training (TECH. esec portfolio, existing): Secure Coding for PCI DSS; Introduction to Secure Printing; Log Management & Security; Wireless Security
Mathieu Gorge, CEO & Founder, VigiTrust
European PCI DSS Roadshow (Disclaimer: Outside Reviewer)
Setting the scene
A Few Telling Security Facts & Figures
- Veracode Security Survey: "During our initial analysis of mobile applications we found that 91% of the top mobile apps unnecessarily expose a user's personally identifiable information. Despite this, most mobile users and businesses aren't aware of the risk these apps pose to their organization."
- Gartner 2013: "Mobile computing raises new security concerns in an increasingly mobile world, where devices may be employee-owned, frequently changed, and used for both personal and business purposes."
- ABI Research Mobility Survey, opportunities for services: ABI Research estimates that mobile security services will total $1.88 billion by the end of 2013; network security, managed security and professional services are set to become the biggest categories for business-to-business mobile security. Vendors such as AdaptiveMobile and F-Secure are well placed to consolidate their position for carrier-grade security solutions. Players offering highly innovative solutions in niche markets include Aujas Networks (India) with professional services and Zimperium (Israel) for mobile IDS/UTM.
- The role of consultants & security professionals is key to balancing mobility opportunities against security challenges.
Security Challenges associated with Mobile Devices & Mobile Application roll-outs
- Technical security challenges: malware; smishing; bluesnarfing; data leakage; data loss (who is responsible: device owner, app provider, operator, user?)
- Usage security challenges: applications on the mobile device (which ones?); geolocation; social media is going mobile (major risks for the organization); managing the blur between personal and professional life on private and corporate devices
- Operational security challenges: business continuity (what happens if personal devices are lost?); who pays to replace the device in the case of BYOD?
- Legal challenges: Data Protection Act compliance; eDiscovery challenges
Security Challenges associated with Mobile Applications
- How secure is the mobile app? Security by design? Benchmarked against OWASP & SANS? Mobile app web testing?
- Does the mobile app impact data security? The answer is always yes, but to what extent? Is the app sending data back to a corporate network and/or the Cloud? Where is the data kept? For how long? Etc.
- Data Protection considerations
- Social media app? Major risks for the organization because of social networks' architectures; managing the blur between personal and professional life on private and corporate devices
- Payment via mobile app? PCI DSS considerations
Policies must focus on what mobile devices allow users to do and what is deemed acceptable
- View / access corporate data
- See e-mails: view/answer/save/delete
- Access corporate files: view/access; modify/save/delete?
- Access corporate ERP/CRM files: basic access; limited interaction; full access (some functionality tends to be lost in any case)
- VPN-based access to DMZs
- Internet browsing
- Sending pictures (e.g. some US banks accept picture copies of checks sent in by mail or MMS)
- The odd phone call
All of the above must be made clear to users in an AUP!
Best practices to address BYOD security challenges
Classification is key:
- Data classification: what data should really be seen/accessed/processed on mobile devices?
- Device classification: phones; smartphones (BlackBerry/iPhones/Androids); tablets/iPads
- User classification: who needs a mobile device? What do they need it for, and what is the business justification?
Policies & procedures:
- AUP and associated initial and yearly refresher training
- Operational procedures
What do you do next?
- Policies & procedures: draw up a list of P&Ps in place at your organization
- Technical solutions: update your network diagram and pen test; include BYOD devices as assets
- Awareness training: identify in-scope employees and start the education process
- Consider implementing a concierge service
- Contract amendments between employers and employees
BYOD - Recommended Reading
Three US Federal Government BYOD case studies with some interesting statistics:
- Equal Employment Opportunity Commission: 75% never used the government-supplied device to make calls; case study on BYOD cost savings
- Alcohol and Tobacco Tax and Trade Bureau: developed a USB device that turns old desktops/laptops into a thin client
- State of Delaware: reimbursement plan
Links to good information for your IT & legal teams to consider:
- Bring-your-own-device (BYOD) and legal/regulatory compliance
- Top 10 consumerization and BYOD tips of 2012
- (ISC)² 2013 Global Information Security Workforce Study
- FTC Mobile Privacy Disclosures: focus on apps security
- www.sophos.com - Mobile Security Toolkit
Upcoming VigiTrust events: PCI DSS One Day Workshops (IT Solutions), RSA Security Conference, European PCI DSS Roadshow; www.vigitrust.com
Technical Solutions typically required for Traditional Security
- Anti-Virus / Anti-Spam
- Firewalls & VPNs
- IDS/IPS
- Web filtering / mail filtering
- IM monitoring
- File integrity
- SIEM / central log solutions
- Asset management
- PSD management/control
- Encryption: at rest, in transit, in use
Bad news: all of the above should, and does, apply to mobile security.
Good news: it's really not rocket science!
Security & GRC Process
Regulatory, legal & corporate governance frameworks: SOX; ISO 27000 series; EU Data Protection; PCI DSS; HIPAA; others
Process (Steps 1 to 5):
- Policies & procedures
- Education, security & awareness
- Self-governed pre-assessment
- Security blueprint for remediation work
- Network & hardware security
- Pen-testing & application security
- Official assessors & auditors
- Specialized skills transfer
Corporate Culture & Risk Management: the overall picture
- Corporate values
- Corporate ecosystem
- Risk management & safeguards
- Residual risk surface, which needs to be managed by your organization
- Risk management strategy for internal and/or external risk management teams
- DPA, PCI DSS & ISO 27001 compliance
Outlook for 2013-2015 in the Mobility industry & spheres
- Every business is going mobile: for good reasons (commercial opportunities) and for the wrong reasons ("because my competitor has a mobile app so I need one too", regardless of security concerns)
- New Internet of Things: according to NPD Group (US), 5.7 internet-enabled devices in the home; your own mobile, internet-enabled ecosystem must be kept secure
- Mobility & security: two sides of the same coin, especially as regards payments; fraud is up in cashless payments (prepaid, NFC, contactless)
- Very little implementable guidance is available from PCI DSS, but this will change as security associations (ISACA, ISSA) are taking over
Best Practices: Designing & Deploying Secured Mobile Fleets & Apps
What first steps can you take? Remember the five accreditation process steps:
1. Education
2. Pre-assessment (internal)
3. Remediation
4. Actual assessment
5. Continuous compliance
Mix of 3 key elements: policies & procedures; technical solutions; awareness training
What do you do next?
- Policies & procedures: draw up a list of P&Ps in place at your organization
- Technical solutions: update your network diagram and app pen test
- Awareness training: identify in-scope employees and start the education process
Valid concerns about mobile security and how to address them
Dublin, 19th June 2013
Mathieu.gorge@vigitrust.com
http://www.linkedin.com/in/mgorge
www.vigitrust.com
Changes to Data Protection in the EU
- Not a directive but a single regulation in the EU: harmonization at European level, but with challenges
- Applies to companies based outside the EU if personal data is handled abroad by companies that are active in the EU and offer services to EU citizens
- Right to be forgotten
- Controllers' responsibilities: policies & procedures; staff training
- Data processing impact assessment, if any data is likely to present risks to individuals
- Security: both processors and controllers must put security measures in place
- Data breach notification within 24 hours of noticing the breach
- Data portability (service providers) & data transfers
- Data Protection Officers
Intersection between PCI DSS compliance and the DPA
- Need for appropriate levels of security: compliance with PCI DSS should enable compliance with key provisions of the DPA
- The ICO in the UK made an example of Lush (Lush Cosmetics Ltd): "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times. For online retailers, the PCI DSS is clearly now best practice. Adherence to the PCI DSS should ensure compliance with the security obligations under the Act." The undertaking from Lush requires them to store only the minimum amount of payment data necessary to receive payments, and to keep it for no longer than necessary.
Clear overlap between DPA & PCI DSS requirements:
- Information security policies: under the new data protection laws, policies and processes will be key, as transparency takes centre stage
- Protect personal data (PHI, CHD, PII): encryption of personal data will avoid the need to contact every data subject in the event of a breach
- Privacy by design: personal data should only be processed for the specific purpose for which it was collected, and not be retained beyond the minimum necessary, both in terms of amount and time