Securing the Mobile Workforce
Joey Peloquin, Director, Mobile Security
Dan Thormodsgaard, VP, Solution Architecture

Agenda
- Enterprise Mobility Trends
- Mobile Security Threats
- Managing Enterprise Mobility
- FishNet Mobile Security Offerings
- Q & A
Enterprise Mobility Trends
What's Happening? The Consumerization of Enterprise Mobility
Personal mobile devices are rapidly evolving into business devices.
- Employees forward corporate email and files to personal accounts.
- They routinely disregard IT security standards.
- They adopt whichever device satisfies BOTH personal and work needs.

Employee Behavior Is Changing
"A wide variety of device models are entering the business domain, creating havoc for IT organizations." (Use Managed Diversity to Support Endpoint Devices, May 2010, Ken Dulaney)
- Mobile users are experiencing new levels of personal productivity.
- They are frustrated with their levels of business productivity.
- They need their work life to co-exist with their home life.
- They are looking to consolidate the number of devices they carry.
- They will use their own devices, even if requests for support are not met.

Companies Struggle with How to Adapt
75% of Forrester enterprise survey respondents indicated user demand for support of devices on multiple platforms. (Five-Year Forecast for Enterprise Smartphone Marketshare, January 13, 2010)
- Companies should leverage personal productivity in the workplace.
- IT solutions should focus on regulating access and behavior rather than devices.
- Compliance should enhance mobility, not restrict it.
New Wave of Change: Consumerization of IT
[Figure: Computing Cycles in Perspective (from Morgan Stanley). Log-scale plot of devices/users (MM) against time, 1960 to 2020. Series: Mainframe, 1M units; Minicomputer, 10M units; PC, 100M units; Desktop Internet, 1B+ units/users; Mobile Internet, 10B+ units??]
"The desktop internet ramp was just a warm-up act for what we're seeing happen on the mobile internet. The pace of mobile innovation is unprecedented, I think, in world history." (Mary Meeker, Morgan Stanley, April 2010)

What Mobile Consumerization Means for the Enterprise
- Multiple types of devices and providers
- Multiple device owners
- Personal devices used for work activities / work devices used for personal activities (BYOD)
- Users are implored to download applications and store data
- Users demand to use devices to their fullest potential

Enterprise Mobility 2.0: Enterprise App Evolution
- Basic services
- Enterprise and LOB apps
- Customer-facing apps
- Web and social media

Customer Challenges and Dynamics
- Increase productivity: sales staff, IT staff, executives, doctors/nurses, support staff, attorneys, government agencies
- Executives and business owners are dictating technology decisions (iPhone, iPad, Android, etc.); IT management has to come up with a solution
- Applications: moving beyond email/contacts/calendars and extending access to corporate data through native and web apps; sales tools delivering rich content
- Technology has been deployed without understanding the risk

Security Is the #1 Concern
"Nearly 30% of companies experienced a breach due to unauthorized mobile device use." (Q1 Enterprise and SMB Survey, 2009, Forrester Research)
- Companies with a complex, disparate infrastructure face more challenges attaining end-to-end security.
- You need to separate enterprise data from personal data.
- You must deny rogue devices access to the network.
- Your IT administrator should retain centralized control.

Mobile Security Threats
- Loss / Theft
- Phishing
- Malware
- Backups
Security Threats: Loss / Theft
Keyboard cache ("keylogging"): /User/Library/Keyboard/dynamic-text.dat
Pasteboard (Pboard): /User/Library/Caches/com.apple.UIKit.pboard
Application plists: /User/Applications/<GUID>/Library/Preferences
Security Threats: Loss / Theft
Chat sessions stored in the clear
JPMC: sigh
Data handling: now, that's how it's done!
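The Loss/Theft slides name three on-device artifact locations that leak data from a lost or stolen iPhone: the keyboard cache, the pasteboard cache, and per-app preference plists. The script below is an added example (not from the deck or from FishNet) that inventories those exact paths under an extracted iOS filesystem, so an assessor can report what a stolen device would have exposed. The extraction-root layout, the `<GUID>` wildcard match and the sample files are constructed assumptions for the demo.

```python
"""Inventory the sensitive-artifact paths from the Loss/Theft slides under an
extracted iOS filesystem root (e.g. a copy pulled from a device during a risk
assessment). Added example; paths are the deck's, everything else is constructed."""
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# Artifact classes from the slides, relative to the extraction root. "<GUID>"
# (the per-app container id) is matched with a wildcard. Assumption: the
# extraction mirrors the device's /User hierarchy under ROOT.
ARTIFACTS = {
    "keyboard-cache": ["User/Library/Keyboard/dynamic-text.dat"],
    "pasteboard":     ["User/Library/Caches/com.apple.UIKit.pboard"],
    "app-plists":     ["User/Applications/*/Library/Preferences/*.plist"],
}


def inventory(root: str | os.PathLike) -> list[dict]:
    """Return one record per artifact file present under root, in slide order."""
    root = Path(root)
    found = []
    for category, patterns in ARTIFACTS.items():
        for pattern in patterns:
            for p in sorted(root.glob(pattern)):
                if p.is_file():
                    found.append({
                        "category": category,
                        # Report the device-absolute path, as the slides do.
                        "path": "/" + p.relative_to(root).as_posix(),
                        "bytes": p.stat().st_size,
                    })
    return found


def summarize(records: list[dict]) -> dict:
    """Count hits per artifact class for the assessment report."""
    counts: dict = {}
    for r in records:
        counts[r["category"]] = counts.get(r["category"], 0) + 1
    return counts


def build_sample_extraction(base: str | os.PathLike) -> Path:
    """Constructed sample tree standing in for a real extraction (not real data)."""
    base = Path(base)
    files = {
        "User/Library/Keyboard/dynamic-text.dat": b"DynamicDictionary-5\x00hunter2\x00",
        "User/Library/Caches/com.apple.UIKit.pboard": b"bplist00...",
        "User/Applications/CONSTRUCTED-GUID/Library/Preferences/com.example.app.plist": b"<plist/>",
        # Not a plist: must not be reported.
        "User/Applications/CONSTRUCTED-GUID/Library/Preferences/notes.txt": b"",
    }
    for rel, data in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


def demo() -> list[dict]:
    """Build the constructed extraction in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_extraction(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    records = demo()
    for r in records:
        print(f"{r['category']:15} {r['bytes']:6d}  {r['path']}")
    print("summary:", summarize(records))
```

Run it against a real extraction by calling `inventory("/path/to/extraction")`; the same three path classes apply whether the copy came from a backup or from the device itself.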
Security Threats: Phishing
Mobile web and mobile apps:
- Not developed with the same scrutiny as the proper web
- Email links are bad, mkay
- Mixed HTTP/HTTPS
- Internet-facing
- Insecure use of second-level domains
Reference: iPhish: Phishing Vulnerabilities on Consumer Electronics, Yuan Niu, Francis Hsu, Hao Chen

Security Threats: Malware
Mobile malware by platform (variants / families; chart scale 0 to 800):
  Platform     Variants  Families
  iOS                 2         1
  MSIL                4         2
  Sgold               4         3
  AndroidOS          15         7
  WinMobile          54        16
  Python             60         5
  Symbian           311        74
  J2ME              613        45
Source: http://www.securelist.com/en/analysis/204792168/mobile_malware_evolution_an_overview_part_4
"The MM revolution started principally in 2004 with the release of the Cabir.A worm, SymbianOS. Some MM were released before this date, but it was Cabir and the release of its source code that caused an explosion of new MM to emerge." (Ken Dunham, Mobile Malware Attacks and Defense)

Security Threats: Malware. Got root?
- 2004: Cabir.A, source released, SymbianOS
- 2008: Trojan.iPhone.A, iOS
- 2009: Ikee, iOS, worm
- 2009: Dutch €5 ransom, iOS
- 2009: iPhone/Privacy.A, trojan, Python
- 2009: Ikee.B/Duh, iOS, worm/botnet
- 2010: Geinimi, Android, trojan/worm
- 2011: HongTouTou, Android, trojan
- 2011: DroidDream, Android, trojan
- 2011: Zitmo (ZeuS variant), RIM, trojan

Security Threats: Malware. Malicious Apps
iOS:
  MogoRoad              Collected personal info and made sales calls
  Storm8                Harvested telephone numbers; millions of downloads
  Aurora Feint          Contact list uploaded to developer's server
  Handy Light           Secret configuration enabled tethering
Android (DroidDream family; each rooted the device, stole IMSI/IMEI, and fetched further APKs):
  Spider Man
  Falling Down
  Super History Eraser
  Super Guitar Solo

Security Threats: Desktops. iTunes Backups
Should you allow backups on unmanaged assets? Force encryption?
Backup locations:
- Mac: /Users/<username>/Library/Application Support/MobileSync/Backup
- Windows XP: C:\Documents and Settings\user\Application Data\Apple Computer\MobileSync\Backup
- Vista / Windows 7: C:\Users\user\AppData\Roaming\Apple Computer\MobileSync\Backup
Unencrypted files can be extracted with:
- iPhone Backup Decoder (Python script): http://mac.softpedia.com/get/iPhone-Applications/Tools-Utilities/iPhone-Backup-Decoder.shtml
- Or, for the lazy, a GUI tool: http://supercrazyawesome.com/
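The slide asks whether backups should be allowed on unmanaged desktops and whether encryption should be forced, and gives the MobileSync backup locations per OS. The script below is an added example (not from the deck or from FishNet) that a desktop administrator could run to find those backup folders and report which device backups are unencrypted. The encryption check reads the `IsEncrypted` boolean from each backup folder's `Manifest.plist`, which is part of the iTunes backup format rather than something the slide states; the sample backup folders are constructed for the demo.

```python
"""Audit iTunes (MobileSync) backups on a workstation: locate the per-OS backup
root from the slide and flag backups that are not encrypted. Added example;
the Manifest.plist / IsEncrypted check is an assumption about the backup
format, and the sample backups are constructed."""
from __future__ import annotations
import os
import plistlib
import tempfile
from pathlib import Path

# Backup roots from the slide, relative to the user's profile directory.
BACKUP_ROOTS = {
    "mac":    "Library/Application Support/MobileSync/Backup",
    "winxp":  "Application Data/Apple Computer/MobileSync/Backup",
    "vista7": "AppData/Roaming/Apple Computer/MobileSync/Backup",
}


def backup_root(profile_dir: str | os.PathLike, platform: str) -> Path:
    """Resolve the MobileSync backup root for a user profile on a given platform."""
    return Path(profile_dir) / BACKUP_ROOTS[platform]


def audit_backups(root: str | os.PathLike) -> list[dict]:
    """One record per backup folder (iTunes names them by device UDID) under root.

    encrypted is True/False when Manifest.plist could be read, None otherwise.
    """
    root = Path(root)
    results = []
    if not root.is_dir():
        return results
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest = folder / "Manifest.plist"
        rec = {"udid": folder.name, "has_manifest": manifest.is_file(), "encrypted": None}
        if rec["has_manifest"]:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)  # handles XML and binary plists
            rec["encrypted"] = bool(data.get("IsEncrypted", False))
        results.append(rec)
    return results


def needs_attention(records: list[dict]) -> list[str]:
    """UDIDs whose backup is unencrypted or whose status could not be determined."""
    return [r["udid"] for r in records if r["encrypted"] is not True]


def write_sample_backup(root: Path, udid: str, encrypted: bool) -> None:
    """Constructed backup folder: only the Manifest.plist fields this audit reads."""
    folder = root / udid
    folder.mkdir(parents=True, exist_ok=True)
    with (folder / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted, "Version": "constructed"}, fh)


def demo() -> list[dict]:
    """Build a constructed Mac profile with two backups and audit it."""
    with tempfile.TemporaryDirectory() as profile:
        root = backup_root(profile, "mac")
        write_sample_backup(root, "udid-constructed-a", encrypted=True)
        write_sample_backup(root, "udid-constructed-b", encrypted=False)
        return audit_backups(root)


if __name__ == "__main__":
    records = demo()
    for r in records:
        print(f"{r['udid']}: encrypted={r['encrypted']}")
    print("needs attention:", needs_attention(records))
```

On a real fleet the same `audit_backups()` call runs against `backup_root(os.path.expanduser("~"), "mac")` or the matching Windows key; a non-empty `needs_attention()` list is the evidence for the "force encryption" decision the slide poses.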
Managing Enterprise Mobility
- Mobile Security: 10 Steps
- Mobile Application Security
- Mobile Device Management and Technology

10 Steps to Securing the Mobile Workforce
1. Update your security policy to address securing the mobile workforce
2. Security awareness training for mobile workforce users
3. Mobile device provisioning process and inventory asset management
4. Strong authentication for mobile device access
5. Centralized security policy management, process and tools
6. Whole-disk encryption or file-level encryption
7. Endpoint security tools
8. Device lockdown and remote wipe capabilities
9. Access logging and file integrity monitoring with a centralized log repository
10. Data leakage controls and logging

Update Your Security Policy
Element          Description
Authentication   How often a password must be changed. How many invalid tries are allowed before the device is disabled. Strong authentication using two-factor or certificates.
Loss / Theft     Lost or stolen devices are remotely wiped, and the device is disabled over a defined period of time.
Device Support   Define which devices are supported by the institution/organization, i.e. BlackBerry, Mac/PCs.
Encryption       Sensitive data must be encrypted, or the device is encrypted with WDE.
Backup / Restore If a device could be lost or stolen, there should be a defined procedure for backing up and restoring the data to another device.
Storage Cards    Storage cards are a convenient way to expand memory, but they're also portable and thus a security risk. Do you ban them? Or encrypt them?
Acceptable Use   A good security policy needs to set limits on what users can install on their devices and what is acceptable use.
Enforcement      Consequences if there is a violation of the policy.

Security Awareness Training
People generally try to do the right thing; they may not know that what they are doing is wrong and how it may impact the company/institution. Training should cover:
- The risks associated with using, transmitting, and storing electronic information
- How to reduce the risks to confidentiality, integrity, and availability (CIA) of data
- The roles and responsibilities of each community member in protecting corporate data and systems
Mobile Application Security
3 Enterprise Mobile Strategies
Three predominant ways to isolate corporate data from personal data on mobile devices:
- Sandboxing it in a secure container: Good Technologies; Sybase (Afaria); Excitor; Touchdown; Whisper Systems (Android encryption)
- Managing the native environment through a trusted approach that checks for policy compliance: AirWatch; Juniper (SMobile); McAfee (Trust Digital); MobileIron; Zenprise
- Hosting it in a data center or public cloud and making it accessible via a desktop virtualization client: Citrix; VMware

Interesting Mobile Security Technologies
- Enterproid: "The Divide platform by Enterproid gives mobile professionals a new way to use their smartphones for both work and personal life. With multiple profile support, great productivity apps out of the box and complete personal and IT cloud management, Divide is the next generation solution for enterprise mobility." http://www.enterproid.com/features.html
- Symplified: streamlines the effort of deploying cloud identity and access management for mobile devices. http://www.symplified.com/index.html
- Mobile Active Defense: SaaS approach to mobile device management and compliance. http://www.mobileactivedefense.com/solutions/enterprise-edition/

Strong Authentication
- SecureAuth (www.multifa.com)
- RSA: soft tokens or key fobs
- SafeNet (Aladdin, SafeWord)
- Entrust: bingo cards
- PhoneFactor
- PKI certificates: MS, RSA, Entrust

Network Access Solutions
Endpoint compliance check to ensure that devices are compliant before allowing them to gain access to the network (NAC).
NAC solutions: Bradford Networks; Cisco NAC; ForeScout; Great Bay; Juniper UAC; Symantec

Remote Access Systems
Endpoint compliance check to ensure that devices are compliant before allowing them to gain access to the network (NAC). SSL VPN solutions providing value:
SSL VPN solutions: Juniper Junos Pulse; Citrix Receiver; F5 Edge Portal; Check Point Mobile; Cisco AnyConnect
FishNet Security Mobile Security Offerings
FishNet Mobile Security Service Offerings
- Mobile Security Roadmap
- Mobile Application Security
- Enterprise Vulnerability and Risk Assessment
- Mobile Security Awareness Training
- Mobile Forensics
- MDM Implementation
- MDM Proof of Concept