Top 8 Steps for Effective Mobile Security


Top 8 Steps for Effective Mobile Security
Larry Pesce
With thanks to Chris Crowley and Joshua Wright
Top 8 Steps for Effective Mobile Security 2012 Chris Crowley/Joshua Wright 1

Outline
- Three Truths About Mobile Security
- Community Development Project
- Top 8 Mobile Security Steps
- Moving Forward
- Conclusion and Q&A

Poll - Support
What is the state of mobile support in your organization?
- No mobile device support
- Support for corporate mobile devices
- Evaluating BYOD support
- Full support BYOD
- Don't know

Mobile Device Security Is Hard
- "iOS 6 Jailbroken in First 24 Hours"
- "IBM bans the use of Siri on its network over data privacy fears"
- "SMSZombie" Malware Infects 500,000 Android Users In China

Mobile Security Is Confusing
- "Yahoo CEO No Longer Considers BlackBerry a Smartphone"
- What is the point of this app?

Vendors All Have Something To Say About Mobile Security
- Mobile Security from AT&T
- Symantec Mobile Security Whitepaper
- SAP: Mobility, Security Concerns, and Avoidance
- IBM Mobile Enterprise: Manage and Secure

Outline
- Three Truths About Mobile Security
- Community Development Project
- Top 8 Mobile Security Steps
- Moving Forward
- Conclusion and Q&A

Develop the SANS Top Mobile Security Steps Guide
- Develop a guide to help organizations with the most important steps
- Make it practical and actionable
- Identify which steps require a lot of work, and which can be done quickly
- Organized by the overall security benefit
- Concise language for administrators and management
- Make it free and available to everyone

Traditionally, SANS Does This Well

For Several Reasons
- Unbiased opinions without the aim to sell a vendor product
- Consensus steps that are the product of community involvement
- Not one person's ideas, but based on actual successes and failures
- Designed as actionable, practical steps to actually solve a problem

Poll - Guidance
Would you be interested in a mobile security guide? YES/NO

History Part 1
- Josh Wright started drafting the outline and content for the "Top N Mobile Security Steps"
- Solicited individual advice and comments from a small group of mobile experts representing many different organizations
- Lots of editing and content development; initial definition of 10 critical steps
- Asked for wider review from the SANS Advisory Board list
- Forty-four (44!) reviewers returned substantial feedback and comments
- Josh managed the editing process and the consensus discussion to integrate everything

It Was Good
- At 25 pages, the guide was unwieldy
- Advice was solid, but difficult to articulate specifically
- For example: "Develop Policies to Guide Use" is great advice, but subject to interpretation and difficult to implement
- The initial guide was useful, but not great. It was another PDF to download, skim, and never read.

A Revised Plan of Action!
- Each step must be readily actionable for most organizations
- Must include detailed, illustrated examples for each step
- Identify the areas that are being exploited, and tell people how to fix them
- Consolidate steps into the most important actions for organizations

Outline
- Three Truths About Mobile Security
- Community Development Project
- Top 8 Mobile Security Steps
- Moving Forward
- Conclusion and Q&A

Top 8 Mobile Device Security Steps (for people who are serious about mobile security)
1. Enforce Device Passcode Authentication
2. Monitoring Mobile Device Access and Use
3. Patching Mobile Devices
4. Prohibit Unapproved Third-Party Application Stores
5. Disable Developer Debug Access
6. Evaluate Application Security Compliance
7. Prepare an Incident Response Plan for Lost or Stolen Mobile Devices
8. Implement Management and Operational Support

Poll - Passcodes
What is the minimum standard of device passcodes enforced in your organization?
- No passcode enforcement
- Numeric PIN
- Alphanumeric passcode
- Complex passcode
- Biometric passcode
- Don't know

#1: Device Passcode Use
- Regardless of enterprise owned or BYOD, all devices must use a passcode
- Selection of passcode is influenced by the sensitivity of data stored on the device: convenient email? Minimal passcode. PII? Substantial passcode.
- Must balance acceptable use requirements with security needs

Passcode Requirements

  Requirement               Minimal Security     Strong Security               Very Strong Security
  Min. Length               4 characters         6 characters                  8 characters
  Complexity                numeric only         2 alpha, 2 numeric            2 alpha, 2 numeric, 2 special characters
  Maximum Age               Indefinite           1 year                        180 days
  Passcode History          0 passcodes          4 passcodes                   8 passcodes
  Auto-Lock Timer           15 minutes           10 minutes                    3 minutes
  Maximum Failed Attempts   10 attempts before wipe   8 attempts before wipe   4 attempts before wipe
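As an added example (not from the slides or the SANS guide), the three tiers of this table as a checker in Python: check_passcode tests a candidate passcode against a tier, and profile_gaps compares the passcode settings an MDM reports for a device with the tier. The function names, settings keys and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

@dataclass(frozen=True)
class PasscodePolicy:
    min_length: int
    min_alpha: int                # required alphabetic characters (0 = none required)
    min_numeric: int              # required numeric characters
    min_special: int              # required non-alphanumeric characters
    max_age_days: Optional[int]   # None = indefinite
    history: int                  # previous passcodes that may not be reused
    autolock_minutes: int
    max_failed_attempts: int      # failed attempts before wipe

# The three tiers of the slide's table. "Numeric only" in the minimal tier means a PIN is
# acceptable, so that tier imposes no character-class requirement.
TIERS: Dict[str, PasscodePolicy] = {
    "minimal":     PasscodePolicy(4, 0, 0, 0, None, 0, 15, 10),
    "strong":      PasscodePolicy(6, 2, 2, 0, 365,  4, 10, 8),
    "very_strong": PasscodePolicy(8, 2, 2, 2, 180,  8, 3,  4),
}

def check_passcode(passcode: str, tier: str, history: Sequence[str] = ()) -> List[str]:
    """Violations of a candidate passcode against a tier; an empty list means compliant."""
    p = TIERS[tier]
    problems: List[str] = []
    if len(passcode) < p.min_length:
        problems.append(f"length {len(passcode)} < {p.min_length}")
    counts = {"alpha": sum(c.isalpha() for c in passcode),
              "numeric": sum(c.isdigit() for c in passcode),
              "special": sum(not c.isalnum() for c in passcode)}
    for cls, need in (("alpha", p.min_alpha), ("numeric", p.min_numeric),
                      ("special", p.min_special)):
        if counts[cls] < need:
            problems.append(f"needs {need} {cls} characters, has {counts[cls]}")
    # Only the most recent p.history entries are off limits; history == 0 disables the check.
    if p.history and passcode in list(history)[-p.history:]:
        problems.append(f"reused within last {p.history} passcodes")
    return problems

def profile_gaps(settings: Dict[str, Optional[int]], tier: str) -> List[str]:
    """Settings in a device's reported passcode profile that are laxer than the tier.
    Keys are assumed names, not an MDM API; a missing or None value means 'not enforced'."""
    p = TIERS[tier]
    def enforced(key: str, default: int) -> int:
        value = settings.get(key)
        return default if value is None else value
    gaps: List[str] = []
    if enforced("min_length", 0) < p.min_length:
        gaps.append("min_length")
    if p.max_age_days is not None and enforced("max_age_days", 10**9) > p.max_age_days:
        gaps.append("max_age_days")
    if enforced("history", 0) < p.history:
        gaps.append("history")
    if enforced("autolock_minutes", 10**9) > p.autolock_minutes:
        gaps.append("autolock_minutes")
    if enforced("max_failed_attempts", 10**9) > p.max_failed_attempts:
        gaps.append("max_failed_attempts")
    return gaps
```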

#2: Monitoring Mobile Device Access and Use
- Organizations must monitor and record the types and versions of mobile devices in use
- MDM is helpful, but will not characterize unmanaged devices
- Leverage multiple data sources, including server logging

iphlogparse.ps1 (www.willhackforsushi.com/code/iphlogparse.ps1)

Poll - Upgrades
What is your mobile device upgrade plan/policy?
- Don't have one
- Upgrade before 2 years
- Upgrade every 2 years
- As time and budget allow
- Up to the BYOD users (at will)
- Don't know

#3: Patching Mobile Devices
- Using your device monitoring data, patch mobile devices at least quarterly
- This was a contentious issue in consensus review: not so terrible for iOS; very hard for Android, Windows Phone, and BlackBerry (typical lack of vendor support; Android fragmentation)

Update Monitoring
- Identify when new updates are available: Apple security-announce list (bit.ly/lmpofh), Android Security Discussion Group (bit.ly/vwygor)
- Watch for retired devices: Apple doesn't officially announce retired devices; Wikipedia tracks them
- Recognize that Android devices have a reduced product life with security fixes, and therefore a greater overall cost
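An added example, not the iphlogparse.ps1 script or any code from the slides, that ties steps #2 and #3 together in Python: it builds a device inventory from Exchange ActiveSync IIS log lines (constructed sample lines here) and flags devices that fall below a patch baseline. The #Fields layout, user-agent formats, DEV00x identifiers and BASELINE values are assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed IIS W3C-format ActiveSync log lines for illustration, not real log data.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2012-10-01 08:00:01 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=DEV001&DeviceType=iPhone alice 10.0.0.5 Apple-iPhone4C1/1001.523 200
2012-10-01 08:00:07 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=bob&DeviceId=DEV002&DeviceType=Android bob 10.0.0.6 Android/4.1.1-EAS-1.3 200
2012-10-01 08:00:09 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=carol&DeviceId=DEV003&DeviceType=Android carol 10.0.0.7 Android/2.3.6-EAS-1.3 200
2012-10-01 08:00:12 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=DEV001&DeviceType=iPhone alice 10.0.0.5 Apple-iPhone4C1/1001.523 200
"""

def _version(text: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", text))   # '4.1.1' -> (4, 1, 1)

def parse_activesync_log(text: str) -> Dict[str, dict]:
    """Inventory keyed by DeviceId, built from whatever column order the #Fields header declares."""
    fields: List[str] = []
    inventory: Dict[str, dict] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem") != "/Microsoft-Server-ActiveSync":
            continue   # blank lines and non-ActiveSync requests end up here
        query = {k: v[0] for k, v in parse_qs(row.get("cs-uri-query", "")).items()}
        dev_id = query.get("DeviceId")
        if not dev_id:
            continue   # request that carries no device identity in its query
        entry = inventory.setdefault(dev_id, {"users": set(), "hits": 0})
        entry.update(type=query.get("DeviceType", "?"), agent=row.get("cs(User-Agent)", "?"))
        entry["users"].add(row.get("cs-username", "?"))
        entry["hits"] += 1
    return inventory

def platform_version(agent: str) -> Tuple[str, Tuple[int, ...]]:
    """Apple agents carry an iOS build (Apple-iPhone4C1/1001.523); Android's client reports the OS release."""
    m = re.match(r"Apple-\w+/([\d.]+)", agent)
    if m:
        return "ios_build", _version(m.group(1))
    m = re.match(r"Android/([\d.]+)", agent)
    if m:
        return "android", _version(m.group(1))
    return "unknown", ()

# Constructed baseline: minimum acceptable version per platform, as an administrator would set it.
BASELINE: Dict[str, Tuple[int, ...]] = {"ios_build": (1001, 523), "android": (4, 0)}

def out_of_date(inventory: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(device_id, platform, agent) for every device below baseline or on an unrecognised platform."""
    flagged = []
    for dev_id, entry in sorted(inventory.items()):
        platform, ver = platform_version(entry["agent"])
        if platform not in BASELINE or ver < BASELINE[platform]:
            flagged.append((dev_id, platform, entry["agent"]))
    return flagged
```

Unrecognised user agents are flagged on purpose: a device the parser cannot classify is exactly the unmanaged device slide #2 says an MDM alone will miss.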

Poll - Jailbreak/Root
Do you allow use of jailbroken/rooted mobile devices in your organization?
- Yes
- No
- Unsure
- I don't know what jailbroken/rooted devices are

#4: Prohibit Unapproved Third-Party App Stores
- The primary source of mobile malware is third-party app stores
- Android: unofficial stores and the "Unknown sources" configuration setting
- iOS: jailbroken devices
- Prohibit these devices from accessing company resources
- Detect rooted/jailbroken devices with MDM and manual auditing

Android Non-Market App Control

#5: Disable Developer Debug Access
- Android USB debugging allows a local attacker to bypass security controls:
  - Unlock or bypass the device passcode
  - Install unauthorized applications with any permissions
  - Retrieve sensitive data
  - Execute vulnerabilities to root a device
- Cannot use an MDM to control this setting (not a feature of the Android OS)
- Not on by default for most vendors
- Commonly turned on with custom ROMs

USB Debug Universal Exploit

    mobisec $ ./RunMe.sh
    Please connect device with ADB-Debugging enabled now...
    Pushing busybox...
    Pushing su binary...
    Pushing Superuser app
    Pushing ric
    If all is successful i will tell you, if not this shell will run forever.
    Running...
    Successful, going to reboot your device!
    Waiting for device to show up again...
    Copying files to it's place...
    You can close all open command-prompts now!
    After reboot all is done!
    Have fun!
    mobisec $ adb shell
    shell@android:/ $ su
    shell@android:/ # grep psk /data/misc/wifi/wpa_supplicant.conf
    psk="l0ng@nd0bscur3p455s0rd"
    shell@android:/ #

"adb restore" symlink exploit by Bin4ry, overwriting /boot/local.prop to gain root access. Relies on USB Debug privileges to exploit Android 4.1 and earlier.

Poll - Application Evaluation
Do you evaluate mobile device applications in use for your organization (network, RE, pentesting, etc.)? YES/NO

#6: Evaluate App Security Compliance
- Many of the risks associated with mobile hinge on application security
- Applications on mobile devices should be evaluated to identify weaknesses and information disclosure
- Alternative: container-based MAM systems, which must be evaluated independently
- Manual and automated analysis systems are available for app security checking

iauditor: Command-line iOS static and dynamic analysis tool; requires a jailbroken device. Still limited functionality, but promising for in-depth analysis.

Droidbox: Command-line analysis tool for Android. Limited coverage (currently only 2.1); depends on TaintDroid for analysis.

Mercury Framework: Unprivileged app installed on Android to assess other apps.

Poll - Incident Response
What is the status of your mobile device Incident Response (IR) plan?
- No overall IT security IR plan
- Only an overall plan, but no mobile
- A combined IT security/mobile IR plan
- A dedicated mobile IR plan

#7: Prepare an Incident Response Plan
- Users will lose devices, or devices will be stolen; organizations must prepare for this incident to reduce the negative impact
- Minimize local device data exposure
- Educate users about device loss reporting
- React with planned steps to a device loss event
- Evaluate requirements for data breach notification
- Review incident handling and improve the process
- Step-by-step checklist provided; must be augmented with org-specific policy steps

#8: Engage Management and Operational Support
- Non-technical step, but vitally important for thorough mobile security
- Appoint a mobile device security evangelist
- Adopt an MDM platform
- Identify your supported device baseline
- Develop mobile use policies
- Leverage network architecture to stop misuse
- Implement regular penetration tests
- The Top 8 guide details considerations and recommendations for each step

Outline
- Three Truths About Mobile Security
- Community Development Project
- Top 8 Mobile Security Steps
- Moving Forward
- Conclusion and Q&A

Moving Forward
- Second round of consensus feedback is currently being integrated
- Final proofing and layout design
- Watch for announcements on SANS NewsBites and Twitter

There Is Always Room For Improvement
- We can use your help! We are always receptive to suggestions for improvement in the guide
- If you have some cycles to submit feedback, please contact me
- If you have stories about problems or solutions, I want to hear them!

Outline
- Three Truths About Mobile Security
- Community Development Project
- Top 8 Mobile Security Steps
- Moving Forward
- Conclusion and Q&A

Conclusion
- Implementing the Top 8 Mobile Security Steps will significantly improve mobile security
- Based on the consensus opinions of respected experts in the field, without motivation to sell you a product
- Please contact me if you want to contribute to the project or for a draft copy of the guide
- Public availability to be announced shortly
Thank you for attending!
Larry Pesce, larry@inguardians.com, @haxorthematrix

Resources
- Apple security-announce list: bit.ly/lmpofh
- Android Security Discussion Group: bit.ly/vwygor
- SANS SCORE Project: sans.org/score
- MS Exchange iOS Log Parsing: bit.ly/xuykdg
- SANS NewsBites: sans.org/newsletters/newsbites
- iauditor: bit.ly/oja96s
- Android "adb restore" exploit: bit.ly/r4jxaq
- This presentation: http://bit.ly/tpk0tx
Questions?