BYOD: End-to-End Security

Alen Lo
MBA (CUHK), BSc (HKU), CISA, CCP, CISSP, CISM, CEH
IRCA Certified ISMS Lead Auditor, itsmf ISO 20000 Auditor
Principal Consultant, i-totalsecurity Consulting Limited
alenlo@n2nsecurity.com

Agenda
- BYOD Revisited
- Security Risk Analysis
- A Holistic Control Approach
Bring Your Own Device (BYOD)

Permitting the use of personally-owned mobile devices to access an organization's networks, applications and data. The most popular business apps are email, calendar and contact management.
Traditional Mobile Computing vs. BYOD

Component            | Traditional Mobile Computing                      | BYOD
---------------------|---------------------------------------------------|--------------------------------------------------
Clients              | Organization-provided notebook computers          | Staff-owned smartphones and tablets
Network Connectivity | On demand (wired, Wi-Fi, 3G)                      | Always on (3G, 4G, Wi-Fi)
Data Storage         | Organization-owned IT infrastructure              | Third-party-owned cloud storage
Security Mechanism   | VPN, explicit authentication, endpoint security   | Implicit authentication, application dependent
Operating Systems    | Windows, Linux, Mac OS X                          | Android, iOS, BlackBerry, Windows, Bada, Symbian
A Typical Architecture (diagram, components as drawn)

- Client side: mobile device, reaching the organization over the Internet
- DMZ: external firewall, secure email gateway, MDM server, internal firewall
- Server side: mobile email front-end server, back-end email servers, other servers
Client Side Security Issues
- Loss and theft of mobile devices
- Shoulder surfing
- Use of untrusted mobile devices (jailbroken or rooted)
- Use of untrusted or unsecured networks
- Use of applications created by unknown parties
- Interaction with other systems (for data synchronization and storage)
- Use of untrusted content (e.g. QR codes)
- Use of location services

Example: the "apkdeveloper" account hosted Android malware in Google Play.
Mobile Application Security Issues
- Insecure data storage
- Weak server side controls
- Insufficient transport layer protection
- Client side injection
- Poor authorization and authentication
- Improper session handling
- Security decisions via untrusted inputs
- Side channel data leakage
- Broken cryptography
- Sensitive information disclosure
BYOD Security Considerations
- Establish a BYOD policy
- Review the information handling procedure
- Control the mobile device cycle
- Conduct security tests regularly
- Integrate into the employment life cycle
- Secure the mobile device configuration

Establish a BYOD Policy
- Acceptable uses and privacy
- Types of mobile devices and OS versions allowed
- Mandatory and prohibited applications for each device
- Groups of employees allowed to use these devices
- Service plan and device costs
- Baseline security measures
- Risks, liabilities and disclaimers
Review the Information Handling Procedure (examples)

Classification | Store on Mobile Device    | Store on Cloud Storage | Send over Internet        | Disposal
---------------|---------------------------|------------------------|---------------------------|------------------
Public         | ---                       | ---                    | ---                       | ---
Internal Use   | Recommend encrypted       | Recommend encrypted    | Recommend encrypted       | Recommend wiping
Confidential   | Require strong encryption | Prohibited             | Require strong encryption | Require wiping
Control the Mobile Device Cycle

Configure
- Set device security
- Create app blacklists/whitelists, restrict device resources

Enrollment and Provision
- Implement security policies
- Distribute apps and remove prohibited apps

Secure
- Locate and map lost devices
- Remotely lock and wipe data and installed apps

Support
- Over-the-air distribution of software and policy changes
- Backup and restore BYOD device data

Monitor and Report
- Inventory devices and software versions
- Log all sensitive BYOD activities
- Identify inactive devices

Decommission
- Fully or selectively wipe devices
Secure the Mobile Device Configuration
- Passcode length, age, composition and history
- Maximum failed attempts
- Progressive passcode timeout
- Allow / disallow camera
- Allow / disallow web browsing
- Remote and local wipe
- Full-disk encryption
- Anti-malware defenses

Mobile Device Quarantine

Check before a device is allowed onto the network, and quarantine it if any check fails:
- Patch levels of the OS and apps
- Required security software is active and current (e.g. anti-virus, firewall, full-disk encryption)
- Device is not jailbroken (Apple) or rooted (Android)
- Device is on the approved list (detect unapproved devices)
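The configuration baseline and the quarantine checks above can be expressed as one posture evaluation that the MDM server runs before a device leaves quarantine. The following is an added example written for this page; it is not the presenter's code and not the API of any MDM product. The posture report fields, the baseline values (minimum OS versions, 90-day patch age, 7-day signature age, passcode rules) and the two device reports are constructed assumptions.

```python
"""Device posture evaluation for BYOD quarantine.

Added example for this page; not the presenter's code and not the API of any
MDM product. The posture fields, baseline values and device reports are all
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed baseline, built from the configuration and quarantine slides.
BASELINE = {
    "allowed_platforms": {"ios", "android"},
    "min_os_version": {"ios": (7, 1, 0), "android": (4, 4, 0)},
    "max_patch_age_days": 90,       # OS and app patch level
    "max_signature_age_days": 7,    # anti-malware signature age
    "passcode_min_length": 6,
    "passcode_max_age_days": 90,
    "passcode_history": 4,
    "max_failed_attempts": 10,      # local wipe after this many failures
}


@dataclass(frozen=True)
class Posture:
    """What the MDM agent reports for one device (constructed schema)."""
    device_id: str
    platform: str
    os_version: str
    patch_date: date
    jailbroken_or_rooted: bool
    antimalware_active: bool
    signature_date: date
    firewall_active: bool
    disk_encrypted: bool
    passcode_min_length: int
    passcode_max_age_days: int      # 0 means the passcode never expires
    passcode_history: int
    max_failed_attempts: int        # 0 means no wipe threshold is set


def parse_version(text, width=3):
    """'4.4' -> (4, 4, 0): pad so tuple comparison is not fooled by length."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0] * width)[:width])


def evaluate(p, today, policy=BASELINE):
    """Return the reasons a device fails the baseline; an empty list is compliant."""
    reasons = []
    if p.platform not in policy["allowed_platforms"]:
        reasons.append("unapproved platform: " + p.platform)
    elif parse_version(p.os_version) < policy["min_os_version"][p.platform]:
        reasons.append("OS version %s below minimum" % p.os_version)
    if (today - p.patch_date).days > policy["max_patch_age_days"]:
        reasons.append("patch level older than %d days" % policy["max_patch_age_days"])
    if p.jailbroken_or_rooted:
        reasons.append("device is jailbroken or rooted")
    if not p.antimalware_active:
        reasons.append("anti-malware not active")
    elif (today - p.signature_date).days > policy["max_signature_age_days"]:
        reasons.append("anti-malware signatures out of date")
    if not p.firewall_active:
        reasons.append("firewall not active")
    if not p.disk_encrypted:
        reasons.append("full-disk encryption not enabled")
    if p.passcode_min_length < policy["passcode_min_length"]:
        reasons.append("passcode shorter than %d" % policy["passcode_min_length"])
    if not 0 < p.passcode_max_age_days <= policy["passcode_max_age_days"]:
        reasons.append("passcode expiry weaker than %d days" % policy["passcode_max_age_days"])
    if p.passcode_history < policy["passcode_history"]:
        reasons.append("passcode history shorter than %d" % policy["passcode_history"])
    if not 0 < p.max_failed_attempts <= policy["max_failed_attempts"]:
        reasons.append("failed-attempt wipe threshold weaker than %d" % policy["max_failed_attempts"])
    return reasons


def triage(reports, today, policy=BASELINE):
    """Map device_id -> (action, reasons); any non-compliant device is quarantined."""
    verdicts = {}
    for p in reports:
        reasons = evaluate(p, today, policy)
        verdicts[p.device_id] = ("quarantine" if reasons else "allow", reasons)
    return verdicts


TODAY = date(2014, 6, 1)

# Constructed reports: a compliant iPad and a rooted, out-of-date Android phone.
SAMPLE_REPORTS = [
    Posture("ipad-0142", "ios", "7.1.1", date(2014, 5, 20), False, True,
            date(2014, 5, 30), True, True, 6, 90, 4, 10),
    Posture("gs4-0077", "android", "4.2.2", date(2013, 11, 1), True, True,
            date(2014, 5, 1), True, False, 4, 0, 0, 0),
]

if __name__ == "__main__":
    for device, (action, reasons) in triage(SAMPLE_REPORTS, TODAY).items():
        print(device, action, "; ".join(reasons))
```

The checks are deliberately fail-closed: a passcode expiry or failed-attempt threshold of 0 (never expires, never wipes) counts as a violation rather than as "no limit configured", and the verdict carries every reason so the help desk can tell the user what to fix instead of just "quarantined".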
Integrate into the Employment Life Cycle
- Acknowledgement of the BYOD policy before onboarding
- Device enrollment and decommissioning during recruitment, transfer and termination
- Return of organization-owned mobile devices
Conduct Security Tests Regularly

Phase                 | Activities
----------------------|-------------------------------------------------------------------------------
Information Gathering | Reconnaissance and mapping
Gaining Access        | Vulnerability scanning and control exploitation
Static Analysis       | Analyze the raw mobile app source code, or its decompiled or disassembled code
Dynamic Analysis      | Assess the mobile app's local inter-process communication surface, analyze the local file system, assess remote service dependencies
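The static-analysis phase above, keyed to the categories in the Mobile Application Security Issues slide, as an added example for this page (not the presenter's tool and not a real scanner): a small rule set that names the slide's issue categories, run over constructed decompiled Java source. The rules, the class and endpoint names and the source are assumptions for illustration; a real pass needs far more rules, data-flow tracking and handling of obfuscated code.

```python
"""Static-analysis pass over decompiled Android source.

Added example for this page; it is not the presenter's tool and not a real
scanner. The rules are a small hypothetical set keyed to the "Mobile
Application Security Issues" categories, and the Java source below is
constructed for illustration.
"""
import re
from dataclasses import dataclass

# (issue category from the slide, pattern, what a match means)
RULES = [
    ("Insufficient Transport Layer Protection", r'"http://[^"]+"',
     "cleartext HTTP endpoint"),
    ("Insufficient Transport Layer Protection",
     r'checkServerTrusted\s*\([^)]*\)\s*\{\s*\}',
     "TrustManager that accepts any server certificate"),
    ("Insecure Data Storage", r'MODE_WORLD_(READABLE|WRITEABLE)',
     "file or preferences readable by other apps"),
    ("Broken Cryptography", r'Cipher\.getInstance\("(DES|AES/ECB)[^"]*"\)',
     "weak cipher or ECB mode"),
    ("Sensitive Information Disclosure",
     r'(?i)(password|secret|api_?key)\w*\s*=\s*"[^"]+"',
     "hard-coded credential"),
    ("Side Channel Data Leakage",
     r'(?i)Log\.[dvi]\([^;\n]*(password|token|session)',
     "sensitive value written to the system log"),
    ("Improper Session Handling", r'Math\.random\(\)',
     "session identifier from a non-cryptographic PRNG"),
]
COMPILED = [(cat, re.compile(pat), why) for cat, pat, why in RULES]


@dataclass(frozen=True)
class Finding:
    line: int
    category: str
    detail: str


def scan(source):
    """Run every rule over the whole text; return findings ordered by line."""
    findings = []
    for category, pattern, detail in COMPILED:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, category, detail))
    return sorted(findings, key=lambda f: (f.line, f.category))


def summarize(findings):
    """Count findings per slide category for the test report."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed "decompiled" source with one instance of each weakness.
SAMPLE_SOURCE = """\
package com.example.byodmail;

import android.content.Context;
import android.util.Log;
import javax.crypto.Cipher;
import javax.net.ssl.X509TrustManager;

public class SyncClient implements X509TrustManager {
    private static final String API_BASE = "http://mail.example.internal/api/";
    private static final String BACKUP_PASSWORD = "hunter2";

    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }

    String newSessionId() {
        return Long.toHexString((long) (Math.random() * 1e12));
    }

    void cacheToken(Context ctx, String token) {
        ctx.getSharedPreferences("sync", Context.MODE_WORLD_READABLE)
           .edit().putString("token", token).commit();
        Log.d("Sync", "cached token=" + token);
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    }
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print("line %2d  %-40s %s" % (f.line, f.category, f.detail))
```

Pattern matching of this kind is a triage aid, not proof: it finds the obvious strings in decompiled output but says nothing about how data flows, so each finding still has to be confirmed in the dynamic-analysis phase (inspecting the file system and the app's network traffic on a test device).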
Questions and Answers