ONE DEVICE TO RULE THEM ALL!
AUDITING MOBILE DEVICES / BYOD
NSAA IT CONFERENCE, OCTOBER 2, 2014
AGENDA
- Mobile Devices / Smart Devices
- Implementation Models
- Risks & Threats
- Audit Program
- Q&A
- Resources

WHAT ARE MOBILE DEVICES TODAY?
Primary features:
- Wireless network interface for internet access.
- Local built-in (non-removable) data storage.
- Operating system that is not a full-fledged desktop/laptop operating system.
- Apps available through multiple methods.
- Built-in features for synchronizing local data.
Optional features:
- Wireless personal area network interfaces (e.g., Bluetooth).
- Cellular network interfaces.
- GPS (Global Positioning System).
- Digital camera.
- Microphone.
- Storage.
Source: NIST SP 800-124
WHAT ARE MOBILE/SMART DEVICES?
(slide graphic)

MICHIGAN'S ENVIRONMENT
(slide graphic)
BENEFITS OF MOBILE DEVICES
- Increased workforce productivity.
- Improved customer service.
- Improved turnaround times for problem resolution.
- Increased business process efficiency.
- Employee retention.
"In 2014 the average number of connected devices per knowledge worker will reach an average of 3.3 devices." - Cisco

IMPLEMENTATION MODELS
- Traditional
- Bring Your Own Device (BYOD)
- Corporately Owned, Personally Enabled (COPE)
BYOD TRENDING WITH USERS
(slide graphic)

BYOD TRENDING WITH EMPLOYERS
Source: BYOD in the Enterprise - A Holistic Approach, ISACA Journal, Volume 1, 2013
BYOD - ISACA IMPLEMENTATION CONSIDERATIONS
The key word for BYOD implementation is LIMIT:
- LIMIT the number of supported device models to the most secure ones.
- LIMIT the number of users who are allowed to BYOD.
- LIMIT the number of applications and data available for BYOD.

MOBILE THREATS/RISKS
- Lack of User Knowledge
- Malicious Apps
- Data Leakage
LACK OF USER KNOWLEDGE - SECURING THE DEVICE
- 9 in 10 Americans use their smartphones for work.
- 40% don't password protect their smartphones.
- 51% of Americans connect to unsecured wireless networks on their smartphone.
- 48% don't disable Bluetooth discoverable mode.
Source: Cisco 2013 Study

LACK OF USER KNOWLEDGE - THREAT ANALYSIS
(slide graphic)
MALICIOUS APPS - WHAT'S TRENDING?
GAO September 2012 Report found that:
- Mobile malware grew by 155% in 2011.
- 3 out of 10 Android owners are likely to encounter a threat on their device each year as of 2011.
And it just keeps growing!!!

MALICIOUS APPS - WHAT CAN THEY DO?
Once your device has been infected, attackers can: send location, send contact info, send and read SMS messages, place phone calls, silently download files, open the browser, and more...
MALICIOUS APPS - WHAT ARE THEY DOING?
Source: Symantec Internet Security Threat Report 2014

MALICIOUS APPS - WHEN GOOD APPS GO BAD
1) A legitimate developer creates an application.
2) The developer uploads the application to a website.
3) A malicious developer repackages the application with malware.
4) The malicious developer uploads the application to a third-party app store where users can download it for free.
5) A user downloads the application containing the malware.
6) The malicious developer can control the phone remotely and access the user's sensitive information, including address book, e-mails, text messages, location, and files, and can also place calls.
Source: Better Implementation of Controls for Mobile Devices Should Be Encouraged [GAO-12-757], page 19
MALICIOUS APPS - CAN YOU TRUST YOUR APP STORE?
Aug 28, 2014: Microsoft Removes 1,500 Fake Apps From Windows Store

MALICIOUS APPS - ANDROID APPS
Source: Webroot - Mobile Threat Report 2014
MALICIOUS APPS - iOS (APPLE) APPS
Source: Webroot - Mobile Threat Report 2014

MICHIGAN'S ENVIRONMENT
(slide graphic)
MICHIGAN'S ENVIRONMENT
(slide graphic)

DATA LEAKAGE - IT'S ALL ABOUT THE DATA
The fundamental issue underlying protecting information on mobile devices is data leakage. If users didn't copy sensitive information to their phones, laptops, thumb drives, and other devices, controlling for breaches would be much simpler.
REGULATORY COMPLIANCE
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI-DSS)
- Freedom of Information Act (FOIA)
- Privacy Laws

MOBILE SECURITY SOLUTIONS
- Mobile Device Management Systems (MDM)
- Enterprise Sandbox
- Mobile Antivirus
- Secure Browser
- Data Loss Prevention (DLP)
MDM SYSTEMS - MONITOR AND CONTROL
Example of MaaS360 Dashboard (slide graphic)

MDM SYSTEMS - UNDERSTAND YOUR ENVIRONMENT
Example of MaaS360 Reports (slide graphic)
MICHIGAN'S ENVIRONMENT
(slide graphic)

MOBILE DEVICE SECURITY AUDIT - WOULD YOU LIKE TO TAKE A SURVEY?
Validate MDM Data:
- Device make/model
- Operating system version
Understand the Environment:
- How devices are used
- Who owns the devices
- What data is accessed and stored on devices
Sent to all Mobile Device users (~10,000 in total); 50% started, 43% finished.
MOBILE DEVICE SECURITY AUDIT - TELL ME HOW YOU REALLY FEEL
(slide graphic)

MOBILE DEVICE SECURITY AUDIT
Audit Objectives:
- To assess the effectiveness of DTMB's efforts to establish a governance structure and provide guidance regarding mobile device security.
- To assess the effectiveness of DTMB's efforts to design, implement, and enforce the secure configuration of mobile devices.
- To assess the effectiveness of DTMB's efforts to ensure that only authorized devices access the State's information technology resources.
AUDIT PROGRAMS
- ISACA Mobile Computing Security Audit/Assurance Program (2010)
- ISACA BYOD Audit/Assurance Program (2012)
- SANS Mobile Device Security Checklist
- CIS iOS & Android Benchmarks

AUDIT PROGRAMS - ISACA
Mobile Security:
- Policies
- Risk Management
- Device Management
- Training
- Access Controls
- Stored Data
- Malware Avoidance
- Secure Transmission
BYOD:
- Policies
- Risk Management
- Device Management
- Training
- Device Layer Security
- Legal
- Tech. & User Support
- Governance
POLICIES
Audit Objective: Policies have been defined and implemented to assure protection of enterprise assets.
Policy Definition Control: Policies have been defined to support a controlled implementation of mobile devices.

RISK MANAGEMENT
Audit Objective: Management processes assure that risks associated with mobile computing are thoroughly evaluated and that mobile security risk is minimized.
Risk Assessments Control: Risk assessments are performed prior to implementation of new mobile security devices, and a continuous risk monitoring program evaluates changes in or new risks associated with mobile computing devices.
Risk Assessment Governance Control: The executive sponsor is actively involved in the risk management of mobile devices.
DEVICE MANAGEMENT
Audit Objective 1: Mobile devices are managed and secured according to the risk of enterprise data loss.
Tracking Control: Mobile devices containing sensitive enterprise data are managed and administered centrally.
Audit Objective 2: Mobile devices are managed and secured according to the risk of enterprise data loss.
Provisioning/De-provisioning Control: Mobile devices containing sensitive enterprise data are set up for each user according to their job description and managed as their job function changes or they are terminated.

TRAINING
Audit Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.
Mobile Computing Awareness Training Control: Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor.
Mobile Computing Awareness Governance Control: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.
ACCESS CONTROLS
Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
Access Control: Access control rules are established for each mobile device type, and the control characteristics address the risk of data loss.

STORED DATA
Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
Encryption Control: Encryption technology protects enterprise data on mobile devices and is administered centrally to prevent the loss of information due to bypassing encryption procedures or loss of data due to misplaced encryption keys.
STORED DATA (continued)
Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
Data Transfer Control: Data transfer policies are established that define the types of data that may be transferred to mobile devices and the access controls required to protect sensitive data.
Data Retention Control: Data retention policies are defined for mobile devices and are monitored and aligned with enterprise data retention policies, and data retention is executed according to policy.

MALWARE AVOIDANCE
Audit Objective: Mobile computing will not be disrupted by malware, nor will mobile devices introduce malware into the enterprise.
Malware Technology Control: Malware prevention software has been implemented according to device risk.
SECURE TRANSMISSION
Audit Objective: Sensitive enterprise data are protected from unauthorized access during transmission.
Secure Connections Control: Virtual private network (VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.

BYOD AUDIT PROGRAM - WHY OH WHY DIDN'T I TAKE THE BLUE PILL?
Legal Audit Objective: BYOD procedures comply with legal requirements and minimize the organization's exposure to legal actions.
Tech. & User Support Audit Objective: A help desk or similar support function has been established to process technical and user issues.
Governance Audit Objective: BYOD is subject to oversight and monitoring by management.
POTENTIAL AUDIT ISSUES IDENTIFIED
- Governance Structure
- Roles & Responsibilities
- Policies & Procedures
- Device Configuration
  - Encryption
  - Password requirements
  - Patch Management
- MDM Enrollment
- Inventory Decentralized

QUESTIONS
C. Robert Kern II, C.I.S.A.
Principal IT Audit Supervisor
State of Michigan Office of the Auditor General
201 N Washington Sq, Suite 600
Lansing, MI 48913
(517) 334-8050 ext. 1247
rkern@audgen.michigan.gov
RESOURCES
- BankInfoSecurity, "BYOD: Get Ahead of the Risk, Intel CISO: Policy, Accountability Created Positive Results," January 2012
- Center for Internet Security (CIS), Apple iOS 6 Benchmark v1.0.0
- Center for Internet Security (CIS), Apple iOS 7 Benchmark v1.0.0
- Center for Internet Security (CIS), Google Android 2.3 Benchmark v1.1.0
- Center for Internet Security (CIS), Google Android 4 Benchmark v1.0.0
- Digital Services Advisory Group and Federal Chief Information Officers Council, "Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs," August 2012
- Gartner, "Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles," November 2011
- Gartner, "Magic Quadrant for Mobile Device Management," May 2012
- ISACA, BYOD Audit/Assurance Program
- ISACA eSymposium, "BYOD Opportunities and Risks: Securing Mobile Devices and Remote Access Technology in Your Enterprise"
- ISACA, Mobile Computing Security Audit/Assurance Program (Oct 2010)
- ISACA, "Securing Mobile Devices Using COBIT 5 for Information Security"
- ISACA, Securing Mobile Devices White Paper
- Marble Security
- National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Draft), "Guidelines for Managing and Securing Mobile Devices in the Enterprise," July 2012
- National Institute of Standards and Technology, Special Publication 800-144, "Guidelines on Security and Privacy in Public Cloud Computing," December 2011
- NIST Special Publication 800-124, "Guidelines on Cell Phone and PDA Security"
- SANS Mobile Device Security Checklist