Mobile Experience and Security - A Delicate Balance. Jeff Keller, CISA, CIA, CFSA SVP/Senior Audit Director, Technology, Projects, Due Diligence


Admin Items
Please put phones on vibrate
Please take calls outside the room
Participation is HIGHLY encouraged

Agenda
Introduction
Mobile History
Risks & Vulnerabilities
Mitigating Risk
BYOD
Questions

Introduction
This session will focus on the increasing use of mobile devices, the risks they bring, and the mitigants available.
It is not intended to be the be-all, end-all course on mobile security.
The goal is to give you some things to consider and to ponder how you balance security with end user and customer needs.
About me: Senior Audit Director at a North American top 10 bank, with 20+ years of experience in audit and financial services.

Mobile History
Over the past 15 to 20 years there have been significant technology advances in mobile devices, ranging from the brick phone, to the more compact personal cell phone, to personal digital assistants (PDAs), and ultimately to the smartphones of today.
The original worry of most companies during this revolution was the security of voice data. That soon morphed into the larger worry of corporate data traversing the frequencies.
These devices and their advancing capabilities have extended the boundaries of the office and blurred the lines of where your network starts and stops.
These devices also have huge storage capabilities: the data (not just the traffic) can now be at rest on devices that are easily lost.
This is reminiscent of the early days of RAS and online business content.

Mobile History: How it used to be
Simple voice data
Not a large adoption rate
Not in the hands of every employee in the country
More of a novelty

Mobile History: How it is now
No longer just voice traffic
Huge adoption rate
Many employees now use mobile devices
Most view them as a key tool in their business arsenal
Great for productivity
Large increase in risks
Now need to think about how your customers access your business

Mobile History: Evolution of Mobile Devices (EY Insights on IT Risk, Jan 2012)
"When the first BlackBerry smartphone was released in the early 2000s, corporations recognized the benefits of remote email and calendar access and began providing smartphones with network access to a large percentage of their workforce, effectively establishing the idea of 24-hour connectivity. The popularity of smartphones extended beyond business users with the release of Apple's iPhone and later devices running Android, BlackBerry, Windows Mobile and Windows Phone 7 operating systems. Features expanded beyond just email and web browsing; mobile devices now have the ability to take photos, run custom applications, view rich content websites with Flash and JavaScript, connect to other devices and networks wirelessly, establish virtual private network (VPN) connections, and act as data traffic conduits for other devices (known as tethering)."

Mobile History: Evolution of Mobile Devices (EY Insights on IT Risk, Jan 2012)
"With the increase in mobile device capabilities and subsequent consumer adoption, these devices have become an integral part of how people accomplish tasks, both at work and in their personal lives. Although improvements in hardware and software have enabled more complex tasks to be performed on mobile devices, this functionality has also increased the attractiveness of the platform as a target for attackers."

Risks & Vulnerabilities: Market Share (chart; source: comScore Reports, June 2013)

Risks & Vulnerabilities: Key Risk Considerations
Stolen or Lost Devices
Data Loss / Breach
Exposure of Corporate Network to Malware
Communication Interception

Risks & Vulnerabilities: Stolen & Lost Devices
A lost or stolen device can create significant exposures if it is not properly locked down and equipped to wipe sensitive data.
It exposes the company to potential access to sensitive corporate, employee, or customer data.
It can result in legal, regulatory and reputational issues (anyone recall the data breach issues of the past 10 years on the network side??)

Risks & Vulnerabilities: Data Loss / Breach
Human nature: mobile users tend to downplay the risk associated with smartphones and think there is little or no risk
Insecure architecture rollouts or non-management of the environment; no standard builds
The open nature of application development on the Android platform has introduced vulnerabilities commensurate with what is found on the PC platforms
Devices can now store a significant amount of data

Risks & Vulnerabilities: Exposure of Corporate Network to Malware
Mobile malware may not be a significant threat today; however, the growth in adoption in most companies and some insecurities in certain platforms will drive the criminals down the same path we went down at the beginning of the dot com era.
Given the potential financial gains for these criminals (access to personal financial data and the ability to intercept financial transactions as devices increasingly become the platform of choice for mobile transactions), it is likely that mobile devices will become the next malware frontier.
Corporate networks are now at risk as users' devices become infected with malware and those devices become entry points.

Risks & Vulnerabilities: Communication Interception
Communication interception is a threat to any device that connects to a network, and mobile devices are no exception.
The advantage that smartphones have is that their communications are often encrypted over cell networks, requiring would-be hackers to have specialized equipment and tools to listen to the conversations between the device and cell towers. However, this encryption can be broken, and the methodology to do so is well documented and publicly available.
Wi-Fi connections of smartphones also pose a communication interception threat. With most smartphones currently containing Wi-Fi capabilities, Wi-Fi sniffing and interception is an increasingly prevalent risk.

Risks & Vulnerabilities: Recent Examples
"In news that will no doubt be of great concern to owners of HTC smartphones, a security team is claiming to have uncovered a "massive security vulnerability" in HTC Android devices that allows any application with Internet access to gain access to private data, including user accounts, email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC's software, including the EVO 3D, EVO 4G, Thunderbolt, and others. The reported vulnerability, which has left those who discovered it - Justin Case, Trevor Eckhart and Artem Russakovskii from Android Police - speechless, involves a suite of logging tools included in recent HTC modifications to the Android operating system in EVO and Thunderbolt models that collect a stack of information on the user's phone. But not only do the modifications collect a swathe of information, they also allow nefarious types to send that data to wherever on the Internet they like."
Source: GizMag.com, Darren Quick, October 2, 2011

Risks & Vulnerabilities: Recent Examples
Of 108 new malicious programs for mobile devices identified in 2012, Symantec found, 103 (more than 95%) targeted Android devices. Just one mobile threat targeted Apple's iOS operating system during the same period.
If you assumed that was because Android was the operating system with the most exploitable vulnerabilities, you would be wrong. In fact, just the opposite is true. It is Apple's iOS that was the source of almost all the documented mobile application vulnerabilities among the mobile platforms Symantec monitored, including Android, iOS, BlackBerry, Windows Mobile and the like. iOS accounted for 387 of 415 documented vulnerabilities across all mobile platforms, a bit more than 93 percent, Symantec found.
Source: Symantec Corp.'s Internet Security Threat Report (ISTR) for 2012

Mitigating Risk
So, what can we do? Did we learn from the past??
Main areas of focus to address these issues:
1. Robust Policies, Procedures & Standards
2. Employee Security Awareness Program
3. Secure the Device
4. Secure the Data
5. Secure the Applications

Mitigating Risk: Robust Policies, Procedures & Standards
Create (or have) a strong mobile strategy. An effective strategy must clearly specify where corporate data is permitted to reside: on the device, on the network, on a public cloud service, or some combination of the three.
Classify the types of information that can be exchanged between the device and the corporate network.
Create and implement an IT policy that governs usage, ensures employees understand it, and is aligned with the mobile strategy.
Assess which applications are appropriate for the company's needs.
Provide explicit guidance on management of the mobile deployment.
Create secure builds and do not allow exceptions.
Perform technical security assessments on mobile devices and the supporting infrastructure.
Continually monitor for new threats.

Mitigating Risk: Employee Security Awareness Program
Leverage your company's existing security awareness program
Clearly articulate the security risks associated with smartphones
Make sure employees understand acceptable use policies
Limit employees' ability to install applications
Provide appropriate training where necessary
Encourage healthy skepticism

Mitigating Risk: Secure the Device
Remote locking enabled
Enforce device encryption
Enforce password security
Ensure OS levels are up to date
Enforce policies consistent with other endpoints
Secure build enforced for all users
Anti-malware (not that prevalent yet)
Perform periodic technical security assessments

Mitigating Risk: Secure the Data
Remote locking enabled
Enforce device encryption
Enforce password security
Enable remote data wiping (or selective wipe)
Strong IDM (leveraging corporate identity management)
Tie into DLP plans
Centralized security management solution
Limit the data that can be stored on the mobile device
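To make the "Secure the Device" and "Secure the Data" checklists auditable, the controls can be evaluated against a device-posture export from a management tool and each failure mapped back to the key risk it leaves open (lost or stolen device, data loss, malware exposure). The following is an added example, not code from the talk or from any named product; the device records and the minimum OS versions are constructed for illustration.

```python
from dataclasses import dataclass
from collections import Counter

# Assumed minimum patched OS versions for this example, not vendor or bank guidance.
MIN_OS = {"ios": (7, 0), "android": (4, 3)}


@dataclass
class Device:
    """One row of a constructed device-posture export."""
    device_id: str
    platform: str
    os_version: tuple
    encrypted: bool
    passcode_set: bool
    passcode_len: int
    remote_lock: bool
    remote_wipe: bool
    standard_build: bool


def evaluate(dev, min_passcode_len=6):
    """Return (control, open_risk) pairs for every checklist control the device
    fails; open_risk names the key risk consideration the failure leaves unmitigated."""
    findings = []
    if not dev.encrypted:
        findings.append(("device_encryption", "stolen_or_lost_device"))
    if not dev.passcode_set or dev.passcode_len < min_passcode_len:
        findings.append(("password_security", "stolen_or_lost_device"))
    if not dev.remote_lock:
        findings.append(("remote_locking", "stolen_or_lost_device"))
    if not dev.remote_wipe:
        findings.append(("remote_wipe", "data_loss_breach"))
    if dev.platform not in MIN_OS:        # no secure build exists for this platform
        findings.append(("unsupported_platform", "malware_exposure"))
    elif dev.os_version < MIN_OS[dev.platform]:
        findings.append(("os_up_to_date", "malware_exposure"))
    if not dev.standard_build:
        findings.append(("secure_build", "malware_exposure"))
    return findings


def fleet_report(devices):
    """List non-compliant device ids and count failures per control, so the audit
    can see which control is weakest across the fleet rather than per device."""
    noncompliant, failures = [], Counter()
    for dev in devices:
        found = evaluate(dev)
        if found:
            noncompliant.append(dev.device_id)
            failures.update(control for control, _ in found)
    return {"noncompliant": noncompliant, "control_failures": dict(failures)}


# Constructed fleet: a compliant phone, a legacy Android, and an unmanaged platform.
FLEET = [
    Device("d1", "ios", (7, 1), True, True, 6, True, True, True),
    Device("d2", "android", (4, 1), False, True, 4, True, False, True),
    Device("d3", "blackberry", (10, 2), True, True, 8, True, True, True),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.device_id, evaluate(dev))
    print(fleet_report(FLEET))
```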

Mitigating Risk: Secure the Mobile Applications
Have an enterprise application store
Enforce app scanning and certification
Maintain control of the applications that can be installed
Centralized security management solution
Train application developers in secure coding (ring a bell??)
Assess classic threats against web-based applications and infrastructure

BYOD: Bring Your Own Device
Quickly gaining in popularity in the corporate world.
Consumerization of IT is making this possible.
Potential cost savings for the company.
The employee gets to use their own personal device, with the dual benefit of empowering the employee and leading to better productivity.
There are certainly security risks, but they are easy to manage using existing technologies.

BYOD: Bring Your Own Device (Citrix Global BYO Index)
"Almost all (92 percent) of the companies surveyed reported that some workers are already using non-company-issued computing devices for work-related tasks. Those surveyed indicated that around 28 percent of the workforce is already using non-company-issued computing devices for work-related tasks, and this percentage is expected to rise to 35 by mid-2013. Almost half of all companies surveyed (44 percent) already have some sort of formal BYO policy in place. Nearly every company (94 percent) expects to have a BYO policy by mid-2013, 81 percent of which are expected to apply this policy company-wide. Of the companies that currently do not see workers using personal devices in the workplace, three quarters (74 percent) expect them to be in common use in their organizations within two years."

BYOD (slides 28 to 41 are chart or image slides; no text was transcribed)

Questions?
Remember: balance security needs with user needs. Security is inversely proportional to convenience.