• No results found

Mobile Risk Management

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Mobile Risk Management"

Copied!
21
0
0

Loading.... (view fulltext now)

Download now ( 21 Page )

Full text

(1)

Mobile Risk Management

Addressing mobile security and compliance

through a mobile risk management strategy

Dan Ford

CSO, Fixmo

[email protected]

@netsecrex

(2)

Introduction

Hello, my name is Dan Ford

And I’m the Chief Security Officer at Fixmo

Expertise in information security and risk

management across public and private

sectors, commercial and regulated

industries

M.S. Information Assurance and

Computer Forensics from Capitol

College / GWU

D.Sc. in IA with a dissertation on

Enterprise Smartphone Security

(3)

Introduction

Agenda at a Glance

1.

Information Security Maturity Model and how it

relates to mobile device security

2.

Mobile Risk Factors and Considerations

3.

Fixmo’s approach to Mobile Risk Management,

best practices and lessons learned

Objective:

Provide a better understanding of the mobile security landscape

and the key considerations for an effective risk management

(4)

Information Security

Maturity Model

Chaos Reactive Compliance Proactive Predictive

Stage-4

Stage-3

Stage-2

Stage-1

Stage-0

• Ad Hoc

• Undocumented

• Unpredictable

• Minimal IT Operations

• Firefighter

• Inventory

• Alert and event management

• Software Patching • Analyze Trends

• Set thresholds

• Automate Patching

• Mature Change Management • Security Policies defined: PCI, SOX, HIPPA, Gov’t • Some Standardization • Risk Awareness Management

• Policies are living documents

• Threat Intelligent

Tool Leverage

Operational Process Engineering

Policy Driven

Mature Processes and Policies

Risk Based Decisions

(5)

Mobile Security

Maturity Model

Chaos Reactive Compliance Proactive Predictive

Stage-4

Stage-3

Stage-2

Stage-1

Stage-0

• Ad Hoc

• Undocumented

• Unpredictable

• Minimal IT Operations

• Firefighter

• Inventory

• Alert and event management

• Software Patching • Analyze Trends

• Set thresholds

• Automate Patching

• Mature Change Management • Security Policies defined: PCI, SOX, HIPPA, Gov’t • Some Standardization • Risk Awareness Management

• Policies are living documents

• Threat Intelligent

BYOD / ActiveSync

Mobile Device Management

Data Protection

Proactive DLP & Prevention

(6)

Mobile Risk:

(7)

Mobile Risk:

Policy

“Ms Cheah said there are numerous elements that needs to be carefully assessed before deploying an official BYOD policy such as; device

procurement; operational cost in device management and support; back end infrastructure capability; software licensing and upgrades; product lifecycle management; network bandwidth and connectivity; application accessibility; funding support; legal ownership and accountability of the device; application and data etc.http://www.governmentnews.com.au/2012/03/13/article/Established-BYOD-policies-needed/JFPUQJZUUL.html

It would be impossible for any organization to anticipate all of the security liabilities associated with BYOD, but there are steps that health

organizations can take to limit their liability. A major step is to create a well-thought out, documented BYOD policy.

http://www.information-management.com/news/BYOD-mobile-policy-risk-governance-health-care-10021951-1.html? zkPrintable=true

The BYOD phenomenon has also created a myriad of legal and technical challenges for enterprises, Hay said. How does an enterprise ensure

standard security best practices are enforced without putting severe restrictions on an employee’s personally owned device? 

http://searchsecurity.techtarget.com/news/2240118190/Mobile-security-BYOD-policy-issues-to-trend-at-RSA-2012-analysts-say

Each organization should seek its own legal advice on how to frame and assess liability variances between BYOD and traditional mobile programs.

(8)

Mobile Risk:

Policy

(9)

Mobile Risk:

Devices & OS’s

0% 15% 30% 45% 60%

Symbian Android iOS Blackberry Windows Mobile Linux Other OS

3Q09 3Q10 3Q11 JAN12

89% of Smartphones purchased in

Q411 were Android or iOS; 6% were

Blackberry.

(10)

Mobile Risk:

Vulnerabilities

TOTAL CVE

167

TOTAL CVE

65

TOTAL CVE

53

Patch Early – Patch Often

(11)

Mobile Risk:

Policy

Devices

(12)

Mobile Risk:

The Apps

iTunes App Store: 500,000 + Apps

25+ billion downloads

Android Market: 400,000 + Apps

8+ billion downloads

Amazon Store: 31,000+ Apps

1+ million downloads

(13)

Mobile Risk:

Policy

Devices

The Apps

(14)

Mobile Risk:

Adversaries

Packet Forging/Spoofing

Password Guessing

Self Replicating Code (WORM) Password

Cracking

Vulnerability Scanning Session Hijacking

Sniffers Self Installing Root Kits

Skill

Intelligent Bots

So

p

h

is

ti

c

a

ti

o

n

Ex

pe

rtis

e R

eq

uire

d

(15)

Mobile Risk:

Policy

Devices

The Apps

Bad Actors

Passwords

(16)

Mobile Risk:

Passwords

0.0 7.5 15.0 22.5 30.0 2003 2007 2011 Apr-16 Average User Netsecrex
(17)

About Fixmo

Mobile Risk Management (MRM)

Mobile security, management, monitoring and reporting to help organizations

mitigate their risks and effectively maintain and prove compliance in an auditable fashion Government Heritage Risk and Compliance Next Generation Mobility

Technology Transfer Program (TTP) and CRADA with

NSA for tamper detection and mobile risk management

Recommended by DoD for BlackBerry and Android deployments – required software for STIG compliance

Focus on risk assessment, compromise detection, data loss prevention, compliance and auditability

Designed for emerging risks of mobile computing and the realities of BYOD and the Consumerization of IT

(18)

Mobile Risk Management Approach

Device and OS Integrity Monitoring,

Compromise Detection, Remediation

Device-Level Policy Enforcement (MDM)

Compliance

Monitoring

Risk Assessment

Auditable

Reporting

Corporate Email, Apps and Data Container-Level Policy Enforcement

Secure Container

Personal

Email, Apps

and Data

Personal Apps

(19)

SafeZone: Secure Workspace

Contained and encrypted corporate workspace

with

(20)

Future Direction

Predictive, transparent and adaptive risk management and data protection

Risk Assessment & Vulnerability Detection Advanced Corporate Data Protection Enhanced Auditable Compliance

Automated risk assessment for quantifying and tracking risk

Advanced on-device integrity engine to:

• Detect and prevent known threats and vulnerabilities

• Detect state changes that may put the device at risk

Centralized risk intelligence and data correlation

Comprehensive solutions for protecting corporate data:

• Device-level, container-level and app-level policy

controls

• Integrity-based access controls and policies

• Corporate data tracking and reporting

• Adaptive policies with advanced situational awareness

Auditable compliance reporting for corporate-owned and

BYOD:

• Continuous monitoring/reporting against compliance rules

• Detailed forensic data tracking on state of devices, apps,

(21)

Mobile Risk Management

Addressing mobile security and compliance

through a mobile risk management strategy

Dan Ford

CSO, Fixmo

[email protected]

@netsecrex

References

Download now ( PDF - 21 Page - 5.26 MB )

Related documents

How To Run An Early Child Development Foundation

The more knowledgeable we become the greater our ability to understand related policy issues and cultural disparities, to develop relationships with experts in the field, both

Policy-based abstention in Brazil’s 2002 presidential election

based abstention, and his definition of indifference and the decision-rule followed by citizens differ from the ones adopted in this paper.. Section 3 describes the data

Electrical Properties of ZnO doped Yttria Stabilized Zirconia

Analyzing all the above X-ray diffraction pattern cubic zirconia phase is conformed w ith reference to code 27-0997 Standard JCPDS. Hence The XRD pattern shows that the

New Complete Market Breadth Indicators

Generally, the primary components used in breadth analysis consist of advances, declines, unchanged, up and down volume, and new highs and lows.. Sometimes total volume is also used,

The Introduction of eco-design for promoting the use of eco-materials : the cork as building material /

This thesis was supported by several specific studies related to the economic characterization of the Iberian cork sector, the environmental assessment of current system for

Sales Tax Treatment of Certain Temporary Facilities Provided at Construction Sites

The scaffolding service is considered a necessary prerequisite to the construction of a capital improvement and, therefore, the subcontractor's separately stated charges to the

Paralelização de laços doacross usando anotações de componentes e probabilidade de Loop-Carried

Loops with high loop-carried probability have better performance when parallelized using BDX or DOAX, because independent regions of the loop can be executed in parallel and only

MAJOR EMPLOYMENT-GENERATING PROJECTS Refundable Tax Credit for Major Employment-Generating Projects

In addition, although Investissement Québec cannot issue an eligibility certificate for an employee of an eligible corporation, for a given period, if it has already issued, for