Mobile Device Management



Similar documents
Guideline on Safe BYOD Management

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

Addressing NIST and DOD Requirements for Mobile Device Management

Addressing NIST and DOD Requirements for Mobile Device Management (MDM) Essential Capabilities for Secure Mobility.

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com

Mobile First Government

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Norton Mobile Privacy Notice

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

BYOD: End-to-End Security

Secure Your Mobile Workplace

Hands on, field experiences with BYOD. BYOD Seminar

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

EndUser Protection. Peter Skondro. Sophos

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Mobile Security: Threats and Countermeasures

ONE DEVICE TO RULE THEM ALL! AUDITING MOBILE DEVICES / BYOD NSAA IT CONFERENCE OCTOBER 2, 2014

10 Quick Tips to Mobile Security

Ibrahim Yusuf Presales Engineer at Sophos Smartphones and BYOD: what are the risks and how do you manage them?

White Paper. Data Security. The Top Threat Facing Enterprises Today

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

Kaspersky Security for Mobile Administrator's Guide

BYOD Guidance: BlackBerry Secure Work Space

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Data Protection Act Bring your own device (BYOD)

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Izplatītākie mobilo iekārtu lietošanas riski, kas apdraud organizācijas datu un informācijas sistēmu drošību Raivis Kalniņš 2015, Riga

Tutorial on Smartphone Security

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

Securing mobile devices in the business environment

Technical Standards for Information Security Measures for the Central Government Computer Systems

Kony Mobile Application Management (MAM)

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

10 best practice suggestions for common smartphone threats

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Kaspersky Security 10 for Mobile Implementation Guide

Kaspersky Security for Mobile

Enterprise Apps: Bypassing the Gatekeeper

Mobile Device Management:

The Hidden Dangers of Public WiFi

BYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012

BYOD THE SMALL BUSINESS GUIDE TO BRING YOUR OWN DEVICE

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

ONE Mail Direct for Mobile Devices

Control Issues and Mobile Devices

Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready?

The Incident Response Playbook for Android and ios

BYPASSING THE ios GATEKEEPER

Conducting a Risk Assessment for Mobile Devices

Course: Information Security Management in e-governance

Endpoint protection for physical and virtual desktops

The Cloud App Visibility Blindspot

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Chris Boykin VP of Professional Services

Cyber Self Assessment

The Benefits of SSL Content Inspection ABSTRACT

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T

If you can't beat them - secure them

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

CHECK POINT Mobile Security Revolutionized. [Restricted] ONLY for designated groups and individuals

Mobile Workforce. Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite.

Mobile Device Management for CFAES

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Feature List for Kaspersky Security for Mobile

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Ensuring the security of your mobile business intelligence

National Cyber Security Month 2015: Daily Security Awareness Tips

Jim Donaldson, M.S., MPA, CHC, CIPP/US, CISSP. Director of Compliance, Chief Privacy and Information Security Officer. Pensacola, Florida

Protecting Android Mobile Devices from Known Threats

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

ENTERPRISE MOBILITY USE CASES AND SOLUTIONS

IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA

Security and Compliance challenges in Mobile environment

Security Best Practices for Mobile Devices

WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security

Supplier Information Security Addendum for GE Restricted Data

Transcription:

1. Introduction Mobile Device Management This document introduces security risks with mobile devices, guidelines for managing the security of mobile devices in the Enterprise, strategies for mitigating threats of mobile devices in the Enterprise, challenges of Bring Your Own Device (BYOD) program, and policies to address the security risks and challenges of BYOD. 2. Security Risks with Mobile Devices The security risks associated with using mobile devices include the following: 1) Device hardware and OS vulnerabilities Mobile device and Operating systems can have vulnerabilities susceptible to security breaches by hackers as well as malware attacks. Such attacks can cause unauthorized data access by hackers, degrade or shut down system performance. According to Marble s Mobile Security Lab, the Apple ios and Android mobile operating systems are comparably risky though they expose users to different threats [1]. A team of researchers recently discovered three serious vulnerabilities in cross-app resource sharing protocols on Apple's desktop and mobile platforms which were used to steal data such as passwords and secret authentication keys [2]. The risk of jailbreaking ios and the risk of rooting Android devices are similar[1]. Jailbreaking ios is a hacking process that removes hardware restrictions on ios, permitting root access to the ios file system and manager, and allowing the download of applications unavailable through office Apple App Store [3, 4]. Rooting an android device gives the hacker access to the root, i.e., administrative permissions [5]. 2) Mobile malware According to CYREN s security report for 2013, Android operating system had on average 5,768 malware attacks daily over a 6-month period. [6] There are a variety of mobile malware. Examples of mobile malware include: (1) Trojans that send short message service (SMS) messages to premium rate number; (2) background calling applications that make long distance calls; (3) key logging applications; (4) worms that infects the devices and spread to other devices listed in the address book; (5)spyware that monitors device communication. Spyware could be remotely controlled by cyber criminals [7]. When hacker compromises a mobile device, the hacker can illegally watch and impersonate the user, participate in dangerous botnet activities, capture the user s personal data, and steal money[8]. 3) Mobile application security risks Due to poor implementation, various security vulnerabilities exist in legitimate mobile apps. Common vulnerabilities in mobile apps include sensitive data leakage, unsafe sensitive data storage, unsafe sensitive data transmission, hardcoded passwords/keys, etc. [9]. Zhou, Y. and Jing, X. found that two types of vulnerabilities passive content leak and content pollution exist in large number of apps on various android markets [10]. The passive content leak vulnerability refers to leaking private in-app information to any other apps without any

dangerous permission. The content pollution vulnerability refers to manipulating securitysensitive in-app settings or configurations that may cause undesirable side effects such as blocking all incoming phone calls or SMS messages. Recently, Jin X., et. al at Syracuse University discovered that HTML5-based mobile apps are at the risk of malicious code injection Cross Device Scripting Attacks [11, 12]. 4) Using unsecure connection Mobile devices connected to insecure network such as free Wi-Fi network at an airport or a hotel are susceptible to eavesdropping and man-in-the-middle (MITM) attacks [7]. 5) Device lost or stolen The portability of mobile device leads to the very common incidence of loss or theft of mobile devices. The loss or theft of mobile devices jeopardize the device users person data, such as pre-connected email accounts, calendar events, personal photos, social media accounts, contacts, etc. The loss of a mobile device used for work related functions can also expose intellectual property, sensitive employee and customer information, and other corporate assets [7]. 3. Guidelines for managing the security of mobile devices in the Enterprise National Institute of Standards and Technology (NIST) published Guidelines for Managing the Security of Mobile Devices in the Enterprise [13]. The guidelines are described below: 1) Organizations should have a mobile device security policy that defines the types of resources in the organization that may be accessed via mobile devices. the types of mobile devices that are permitted to access organization s resources. the degree of access of different classes of mobile devices, such as organization issued devices and personally owned devices. the requirements for mobile device management technologies such as the administration of the organization s centralized mobile device management servers, the updating of policies in the servers, etc. 2) System threat models for mobile devices and resources accessed through the mobile devices should be developed. This involves identifying resources, feasible threats, vulnerabilities, analyzing attack likelihood and impacts, and determining where security controls need to be improved or added. 3) Organizations should consider the services provided by mobile device solutions, and select those needed for their environment. Mobile device solutions provide the following categories of services: General policy. Services that enforce enterprise security policies on the mobile device, such as restricting access to hardware and software, managing wireless network interfaces, detecting and reporting policy violation. Data communication and storage. Services that support strongly encrypted data communication and storage, device wiping, and wiping device remotely. User and device authentication. Services that include device/user authentication, resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices.

Applications. Services that restrict the app store that may be used, the applications that may be installed, permissions assigned to the applications, installing and updating applications, the use of synchronization services, etc. This category of services also include verifying digital signature on applications, and distributing the organization s applications from a dedicated mobile application store. 4) A pilot mobile device solution needs to be implemented and tested before putting the solution to production. 5) Organization issued mobile device should be fully secured before being used 6) Mobile device security should be regularly maintained. Maintenance processes include the following: checking for and deploying upgrades and patches, ensuring that the clocks of mobile device infrastructure components are synced to a common time source, reconfiguring access control features as needed, detecting and documenting anomalies, keeping an active inventory of mobile devices and their users and applications, revoking access to or deleting an application, wiping devices before reissuing them to other users periodically perform assessments to confirm what mobile device policies, processes, and procedures are being followed properly 4. Threats of Mobile Devices and Mitigation Strategies Threats and vulnerabilities in the Enterprise and mitigation strategies are listed in Table 1 [13]. Threats and Vulnerabilities Mitigation Strategies Lack of physical security control Require authentication before gaining access lost or stolen devices to the device or organization s resources Malicious parties attempt to recover accessible through the device sensitive data from the acquired mobile Encrypt the device s storage or not store device, or access organization s remote sensitive data on mobile devices resources using the device User training and awareness to reduce Use of untrusted mobile devices Restriction on security, OS, etc. could be bypassed through jailbreaking and rooting Use of untrusted network Eavesdropping Man-in-the-Middle attacks insecure physical security practices Restrict or prohibit BYOD devices Fully secure organization-issued devices, monitor and address deviations from secure state For BYOD devices, run organization s software in a secure, isolated sandbox on the mobile device, or use device integrity scanning applications Use VPN Use mutual authentication mechanism to verify the identities of both endpoints before transmitting data Prohibit use of insecure Wi-Fi networks

Use of untrusted applications User can download untrusted third party mobile device application User can access untrusted web-based applications through the device s built-in browsers Interact with other systems Connect a personally-owned mobile device to an organization-issued laptop Connect an organization-issued mobile device to personally-owned laptop Connect an organization-issued mobile device to a remote backup service Connect any mobile device to an untrusted charging station Risk of storing organization s data to unsecured location, and malware transmission Use of untrusted content Malicious QR codes could direct mobile devices to malicious websites Disable network interfaces that are not needed Prohibit all installation of third-party applications allow installation of approved applications only verify that applications only receive the necessary permissions implement a secure sandbox that isolates the organization s data and applications from all other data and applications on the mobile device perform a risk assessment on each third-party application before permitting its use on organization s mobile device prohibit or restrict browser access force mobile device traffic through secure web gateways, HTTP proxy servers, or other intermediate devices to assess URLs before allowing access Use a separate browser within a secure sandbox for browser-based access related to organization Implement security controls on organizationissued mobile device restricting what devices it can synchronize with Implement security controls on organizationissued computer restricting the connection of mobile devices block use of remote backup services or configure the mobile devices not to use such services Do not connect mobile devices to unknown charging devices Prevent mobile devices to exchange data with each other through logical or physical means Educate users not to access untrusted content with any mobile devices used for work Have applications (e.g., QR readers) display the unobfuscated content (e.g., the URL) and allow users to accept or reject it before proceeding Use secure web gateways, HTTP proxy servers, etc. to validate URLs before allowing access

Use of location services Attackers could correlate location information with other sources about who the user associates with and the kinds of activities they perform in particular locations Restrict peripheral use on mobile devices (e.g., disabling camera use) to prevent QR code reading Disable location service Prohibit use of location services for particular applications such as social networking or photo applications Turn off location services when in sensitive areas Opt out of Internet connection location services whenever possible 4. Bring Your Own Device (BYOD) BYOD refers to the strategy that allows people to use their own devices for work [14]. The benefits of BYOD include [15]: Cost savings. The cost of organization-issued devices could be reduced. Productivity gains. Employees can work more effectively outside of the office, are more likely to spend more time on work related activities. Operational flexibility. Employees can carry out their work function away from their desk. Employee satisfaction. Allowing employees to use devices that they enjoy using increases the satisfaction they derive from job. In addition to the security risks discussed in the above sections, BYOD has the following challenges: Privacy issues. Mobile Device Management (MDM) system used to manage and monitor BYODs may require accessing and/or processing of personal data. This may raise concerns on employees data privacy rights. Employee consent should be obtained before MDM is deployed to manage employee owned devices [15]. Employee s personal data may be lost if device data needs to be wiped. Cost issues. Organizations need to decide whether there is any reimbursement for the employee owned devices and data/voice usage. Additional cost for implementing MDM and for handling the support of BYOD users may incur. Organizations also need to assess tax implications for reimbursement [16]. There are three technological approaches to implementing BYOD program [16]: Virtualization: provide remote access to computing resources. No data is stored on the personal devices, and no organization s application is processed on personal devices. Walled garden: Organization s data or application processing are contained in a secure application that is segregated from personal data; Limited separation: Organization s data and/or application processing are comingled with personal data and/or application processing, but policies are enacted to ensure minimum security controls.

Enabling completely device-independent computing through desktop virtualization, accessed through a SSL VPN and supplemented by a secure file sync and sharing service is recommended as the ideal approach to BYOD [14]. 5. Policies for Addressing BYOD Security and Privacy Risks Organizations need to have policies that address BYOD security and privacy risks. Policies could include [38] the following: Acceptable use policy for email, Internet, mobile device, etc. Security policies such as mobile, encryption, password, anti-virus, etc. Wireless access policy Remote access policy Remote working policies Privacy policies Employee code of conduct Incident response policies Typically, policies for BYOD should address the following [14]: Eligibility. Specify who in the organization is allowed to use personal devices Allowed devices. Determine and mandate minimum specifications for OS and application support, performance and other device-specific criteria. Desktop virtualization eliminates these considerations. Service availability. The specific services the organization wants to make available on BYO devices Rollout. Provide guidance to employees when rolling out BYOD. Teach employees about responsibilities like how data is allowed to be accessed, used, and stored, etc. Cost sharing. Defines whether the organization will provide full or partial stipends towards the personal devices. Also define who will pay for network access outside the organization firewall. Security and compliance. Use desktop virtualization instead of installing apps directly on the device. Disable printing or access to client-side storage. Ensure antivirus/antimalware is installed and updated. Use network access control (NAC)to authenticate people connecting to the network and check for updated antivirus and security patches, or allow access to virtualized desktop using VPN, encryption, mechanism to terminate access to data and apps from BYO device if device is lost or stolen, or employee leaves the organization Device support and maintenance. Specify how various support and maintenance tasks will be addressed and paid for. The BYOD Working Group has assembled 5 sample policies which could help IT leaders to develop policies for a BYOD program [16]. These sample policies are: Policy and guidelines for government-provided mobile device usage Bring your own device policy and rules of behavior Mobile information technology device policy Wireless communication reimbursement program Portable wireless network access device policy

The BYOD Working Group has also developed three case studies to highlight the successful efforts of BYOD programs at several government agencies [16]. References: [1] Marble security. (2014) Marble Labs report: Apple ios and Android mobile devices equally vulnerable to attacks. Retrieved on July 3, 2015 from: http://www.marblesecurity.com/2014/06/17/marble-mobile-security-labs-report-apple-ios-andandroid-mobile-devices-equally-vulnerable-to-attacks/ [2] Apple Insider, Serious ios, OS X flaws lead to password theft in wide ranging security study. Retrieved on July 19, 2015 from http://appleinsider.com/articles/15/06/17/serious-ios-osx-flaws-lead-to-password-theft-in-wide-ranging-security-study [3] Mike Keller. Geek 101: What Is Jailbreaking?. Geek Tech. PCWorld. February 13, 2012. Retrieved on July 19, 2015 from http://www.techhive.com/article/249091/geek_101_what_is_jailbreaking_.html [4] Charlie Miller, et al. ios Hacker s Handbook. John Wiley & Sons. 2012. pp. 309 310. ISBN 9781118228432. [5]ITCSE.com, Rooting: Advantages and Disadvantages, April 5, 2014. Retrieved on July 19, 2015 from http://unbrick.itcse.com/rooting-advantages-disadvantages/ [6]Collett, S. Five new threats to your mobile device security, retrieved on July 19, 2015 from http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobiledevice-security.html [7] Juniper Networks, Inc. Mobile device security emerging threats, essential strategies. Retrieved on July 19, 2015 from http://www.advantel.com/wp-content/uploads/2013/11/mobile-device-security-emergyingthreats-essential-strategies.pdf [8] Svajcer, v. (2014) Sophos mobile security threat report, Launched at Mobile World Congress, 2014. Retrieved on July 19, 2015 from http://i.crn.com/bestofbreed/sophos-mobile-security-threat-report.pdf [9].Wysopal, C. Defending behind the device: mobile application risks, RSAconference 2012. Retrieved on July 19, 2015, from http://www.rsaconference.com/writable/presentations/file_upload/ht2-108.pdf [10] Zhou, Y & Jiang, X. Detecting passive content leaks and pollution in Android applications. Retrieved on July 19, 2015 from http://yajin.org/papers/ndss13_contentscope.pdf [11] Greenberg, A. (2014), Smartphones at risk of malicious code injection through HTML5- based apps. SC Magazine. Retrieved on July 19, 2015, from http://www.scmagazine.com/smartphones-at-risk-of-malicious-code-injection-through-html5- based-apps/article/340513/ [12]Jin, X., Luo, T.,Tsui, D. G., Du, W. Code injection attacks on HTML5-based mobile apps. Retrieved on July 19, 2015, from http://www.cis.syr.edu/~wedu/research/paper/code_injection_most2014.pdf [13] Souppaya, M. & Scarfone, K. Guidelines for managing and securing mobile devices in the enterprise. 2013. Retrieved on July 19, 2015 from http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf [14] Citrix.com, Best practices to make BYOD, CYOD, and COPE simple and secure. Retrieved on July 19, 2015 from

https://www.citrix.com/content/dam/citrix/en_us/documents/oth/byod-best-practices.pdf [15]Boxx.com, The legal risks of Bring Your Own Device (BYOD). Retrieved on July 19 th, 2015 from http://www.bloxx.com/downloads/resources/_bloxx_whitepaper_legal_risks_byod.pdf [16] CIO council, Bring Your Own Device A toolkit to support federal agencies Implementing Bring Your Own Device (BYOD) programs. Retrieved on July 19, 2015 from https://cio.gov/wpcontent/uploads/downloads/2012/09/byod-toolkit.pdf

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information