Mobile Experience and Security - A Delicate Balance
Jeff Keller, CISA, CIA, CFSA
SVP/Senior Audit Director, Technology, Projects, Due Diligence
Admin Items
  - Please put phones on vibrate
  - Please take calls outside the room
  - Participation is HIGHLY encouraged
Agenda
  - Introduction
  - Mobile History
  - Risks & Vulnerabilities
  - Mitigating Risk
  - BYOD
  - Questions
Introduction
  - This session will focus on the increasing use of mobile devices, the risks, and the mitigants.
  - Not intended to be the be-all, end-all course on mobile security.
  - Gives you some things to consider, and asks you to ponder how you balance security with end-user and customer needs.
  - About me: Senior Audit Director at a North American top 10 bank, with 20+ years of experience in audit and financial services.
Mobile History
  - Over the past 15 to 20 years there have been significant technology advances in mobile devices, ranging from the brick phone, to the more compact personal cell phone, to personal digital assistants (PDAs), and ultimately to the smartphones of today.
  - The original worry of most companies during this revolution was the security of voice data; this soon morphed into the larger worry of corporate data traversing the airwaves.
  - These devices and their advancing capabilities have extended the boundaries of the office and blurred the lines of where your network starts and stops.
  - These devices also have huge storage capacities, so data (not just traffic) can now be at rest on devices that are easily lost.
  - Reminiscent of the early days of RAS and online business content.
Mobile History: How it used to be
  - Simple voice data
  - Not a large adoption rate
  - Not in the hands of every employee in the country
  - More of a novelty
Mobile History: How it is now
  - No longer just voice traffic
  - Huge adoption rate
  - Many employees now use one
  - Most view it as a key tool in their business arsenal
  - Great for productivity
  - Large increase in risks
  - Now need to think about how your customers access your business
Mobile History: Evolution of Mobile Devices (EY Insights on IT Risk, Jan 2012)
When the first BlackBerry smartphone was released in the early 2000s, corporations recognized the benefits of remote email and calendar access and began providing smartphones with network access to a large percentage of their workforce, effectively establishing the idea of 24-hour connectivity. The popularity of smartphones extended beyond business users with the release of Apple's iPhone and later devices running Android, BlackBerry, Windows Mobile and Windows Phone 7 operating systems. Features expanded beyond just email and web browsing; mobile devices now have the ability to take photos, run custom applications, view rich content websites with Flash and JavaScript, connect to other devices and networks wirelessly, establish virtual private network (VPN) connections, and act as data traffic conduits for other devices (known as tethering).
Mobile History: Evolution of Mobile Devices (EY Insights on IT Risk, Jan 2012)
With the increase in mobile device capabilities and subsequent consumer adoption, these devices have become an integral part of how people accomplish tasks, both at work and in their personal lives. Although improvements in hardware and software have enabled more complex tasks to be performed on mobile devices, this functionality has also increased the attractiveness of the platform as a target for attackers.
Risks & Vulnerabilities: Market Share (chart; source: comScore Reports, June 2013)
Risks & Vulnerabilities: Key Risk Considerations
  - Stolen or Lost Devices
  - Data Loss / Breach
  - Exposure of Corporate Network to Malware
  - Communication Interception
Risks & Vulnerabilities: Stolen & Lost Devices
  - A lost or stolen device can create significant exposures if it's not properly locked down and equipped to wipe sensitive data.
  - Exposes the company to potential access to sensitive corporate, employee, or customer data.
  - Can result in legal, regulatory and reputational issues (anyone recall the data breach issues of the past 10 years on the network side??)
Risks & Vulnerabilities: Data Loss / Breach
  - Human nature: mobile users tend to downplay the risk associated with smartphones and think there is little or no risk
  - Insecure architecture rollouts or non-management of the environment; no standard builds
  - The open nature of application development on the Android platform has introduced vulnerabilities commensurate with what is found on PC platforms
  - Devices can now store a significant amount of data
Risks & Vulnerabilities: Exposure of Corporate Network to Malware
Mobile malware may not be a significant threat today; however, the growth in adoption in most companies and insecurities in certain platforms will drive criminals down the same path we went down at the beginning of the dot-com era. Given the potential financial gains for these criminals (access to personal financial data and the ability to intercept financial transactions as devices increasingly become the platform of choice for mobile transactions), it is likely that mobile devices will become the next malware frontier. Corporate networks are now at risk as users' devices become infected with malware and those devices become entry points.
Risks & Vulnerabilities: Communication Interception
Communication interception is a threat to any device that connects to a network, and mobile devices are no exception. The advantage that smartphones have is that their communications are often encrypted over cell networks, requiring would-be hackers to have specialized equipment and tools to listen to the conversations between the device and cell towers. However, this encryption can be broken, and the methodology for doing so is well documented and publicly available. Wi-Fi connections of smartphones also pose a communication interception threat: with most smartphones now containing Wi-Fi capabilities, Wi-Fi sniffing and interception is an increasingly prevalent risk.
Risks & Vulnerabilities: Recent Examples
In news that will no doubt be of great concern to owners of HTC smartphones, a security team is claiming to have uncovered a "massive security vulnerability" in HTC Android devices that allows any application with Internet access to gain access to private data, including user accounts, email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC's software, including the EVO 3D, EVO 4G, Thunderbolt, and others. The reported vulnerability, which has left those who discovered it - Justin Case, Trevor Eckhart and Artem Russakovskii from Android Police - speechless, involves a suite of logging tools included in recent HTC modifications to the Android operating system in EVO and Thunderbolt models that collect a stack of information on the user's phone. But not only do the modifications collect a swathe of information, they also allow nefarious types to send that data to wherever on the Internet they like.
Source: GizMag.com, Darren Quick, October 2, 2011
Risks & Vulnerabilities: Recent Examples
Of 108 new malicious programs for mobile devices identified in 2012, Symantec found, 103 (more than 95%) targeted Android devices. Just one mobile threat targeted Apple's iOS operating system during the same period. If you assumed that was because Android was the operating system with the most exploitable vulnerabilities, you would be wrong. In fact, just the opposite is true. It's Apple's iOS that was the source of almost all the documented mobile application vulnerabilities among the mobile platforms Symantec monitored, including Android, iOS, BlackBerry, Windows Mobile and the like. iOS accounted for 387 of 415 documented vulnerabilities across all mobile platforms, a bit more than 93 percent, Symantec found.
Source: Symantec Corp.'s Internet Security Threat Report (ISTR) for 2012
Mitigating Risk
So, what can we do? Did we learn from the past??
Main areas of focus to address these issues:
  1. Robust Policies, Procedures & Standards
  2. Employee Security Awareness Program
  3. Secure the Device
  4. Secure the Data
  5. Secure the Applications
Mitigating Risk: Robust Policies, Procedures & Standards
  - Create (or have) a strong mobile strategy. An effective strategy must clearly specify where corporate data is permitted to reside: on the device, on the network, on a public cloud service, or some combination of the three.
  - Classify the types of information that can be exchanged between the device and the corporate network.
  - Create and implement an IT policy that governs usage, ensures employees' understanding, and is aligned with the mobile strategy.
  - Assess which applications are appropriate for the company's needs.
  - Provide explicit guidance on management of the mobile deployment.
  - Create secure builds and do not allow exceptions.
  - Perform technical security assessments on mobile devices and the supporting infrastructure.
  - Continually monitor for new threats.
Mitigating Risk: Employee Security Awareness Program
  - Leverage your company's existing security awareness program
  - Clearly articulate the security risks associated with smartphones
  - Make sure employees understand acceptable use policies
  - Limit employees' ability to install applications
  - Provide appropriate training where necessary
  - Encourage healthy skepticism
Mitigating Risk: Secure the Device
  - Remote Locking enabled
  - Enforce Device Encryption
  - Enforce Password Security
  - Ensure OS levels are up to date
  - Enforce policies consistent with other endpoints
  - Secure Build enforced for all users
  - Anti-Malware (not that prevalent yet)
  - Perform periodic technical security assessments
Mitigating Risk: Secure the Data
  - Remote Locking enabled
  - Enforce Device Encryption
  - Enforce Password Security
  - Enable remote data wiping (or selective wipe)
  - Strong IDM (leveraging the corporate IDM)
  - Tie into DLP plans
  - Centralized Security Management Solution
  - Limit data that can be stored on the mobile device
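Added example, not from the presentation or its author: a small Python compliance check that applies the device and data controls on the "Secure the Device" and "Secure the Data" slides (encryption, password policy, remote lock/wipe, OS level, secure build) to a constructed MDM export, the kind of test an auditor would run over a real inventory. The record field names, the baseline OS versions, and the six-character passcode minimum are assumptions.

```python
# Added example (not the presentation's): audit a constructed MDM export against the
# 'Secure the Device' / 'Secure the Data' controls. Field names and baselines are assumptions.
MIN_OS = {"ios": (6, 1, 3), "android": (4, 1, 2)}  # hypothetical minimum OS level per approved platform
MIN_PASSCODE_LEN = 6  # assumed password-policy setting

def parse_version(text):
    """'4.1.2' -> (4, 1, 2); tuples compare component by component."""
    return tuple(int(p) for p in text.split("."))

def evaluate_device(dev):
    """Return the list of control failures for one device record (empty list = compliant)."""
    findings = []
    if not dev.get("encrypted"):
        findings.append("device encryption not enforced")
    if not dev.get("passcode_set") or dev.get("passcode_min_length", 0) < MIN_PASSCODE_LEN:
        findings.append("password policy not met")
    if not (dev.get("remote_lock") and dev.get("remote_wipe")):
        findings.append("remote lock/wipe not enabled")
    platform = dev.get("platform", "").lower()
    baseline = MIN_OS.get(platform)
    if baseline is None:  # platform has no approved secure build at all
        findings.append(f"unapproved platform: {platform or 'unknown'}")
    elif parse_version(dev.get("os_version", "0")) < baseline:
        findings.append(f"OS {dev['os_version']} below baseline {'.'.join(map(str, baseline))}")
    if dev.get("jailbroken"):  # a rooted/jailbroken device no longer runs the secure build
        findings.append("secure build not enforced")
    return findings

def compliance_report(inventory):
    """Map device id -> findings for every non-compliant device."""
    return {d["id"]: f for d in inventory if (f := evaluate_device(d))}

# Constructed sample inventory; illustrative values, not real devices.
SAMPLE_INVENTORY = [
    {"id": "dev-001", "platform": "iOS", "os_version": "6.1.3", "encrypted": True,
     "passcode_set": True, "passcode_min_length": 6, "remote_lock": True,
     "remote_wipe": True, "jailbroken": False},
    {"id": "dev-002", "platform": "Android", "os_version": "2.3.6", "encrypted": False,
     "passcode_set": True, "passcode_min_length": 4, "remote_lock": True,
     "remote_wipe": False, "jailbroken": False},
    {"id": "dev-003", "platform": "Windows Mobile", "os_version": "6.5", "encrypted": True,
     "passcode_set": False, "remote_lock": False, "remote_wipe": False, "jailbroken": True},
]

if __name__ == "__main__":
    for dev_id, findings in compliance_report(SAMPLE_INVENTORY).items():
        print(dev_id, "->", "; ".join(findings))
```

Only devices with at least one failed control appear in the report, so a compliant fleet yields an empty result.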
Mitigating Risk: Secure the Mobile Applications
  - Have an Enterprise Application Store
  - Enforce App Scanning and certification
  - Maintain control of applications that can be installed
  - Centralized Security Management Solution
  - Train application developers in secure coding (ring a bell??)
  - Assess classic threats against web-based applications and infrastructure
BYOD: Bring Your Own Device
  - Quickly gaining in popularity in the corporate world
  - Consumerization of IT is making this possible
  - Potential cost savings for the company
  - Employees get to use their own personal device, with the dual benefit of empowering the employee and leading to better productivity
  - Certainly security risks, but easy to manage using existing technologies
BYOD: Bring Your Own Device (Citrix Global BYO Index)
  - Almost all (92 percent) of the companies surveyed reported that some workers are already using non-company-issued computing devices for work-related tasks.
  - Those surveyed indicated that around 28 percent of the workforce is already using non-company-issued computing devices for work-related tasks, and this percentage is expected to rise to 35 by mid-2013.
  - Almost half of all companies surveyed (44 percent) already have some sort of formal BYO policy in place.
  - Nearly every company (94 percent) expects to have a BYO policy by mid-2013, 81 percent of which are expected to apply this policy company-wide.
  - Of the companies that currently do not see workers using personal devices in the workplace, three quarters (74 percent) expect them to be in common use in their organizations within two years.
Questions?
Remember: balance security needs with user needs. Security is inversely proportional to convenience.