BYOD and Mobile Device Dependency
Thursday, November 8, 2012

Brian J. Thomas, CISA, CISSP

• Partner, IT Advisory Services at Weaver
• Provides security, IT audit (GRC), and process improvement consulting services
• Service delivery methodology coordinator for Weaver’s IT Advisory Services
• Over 14 years’ experience in IT auditing and consulting (PwC, KPMG, Weaver)
• Partner at Weaver since 2007
• Advisory committee oversight of Weaver’s IT function
• BS/MS in engineering (not a CPA)
• CISSP since 2005, CISA since 2004
• Member, AICPA and participant on multiple AICPA ITEC Task Forces

Presenters

Shohn Trojacek, CISSP

• PivotPoint Solutions
  – Information Systems Consultant
  – Formerly responsible for infrastructure operations, administration, security, budgeting and governance in-house
• Over 12 years’ experience in information security
• Significant experience in security assessments of technical infrastructure

Mobile Security Topics

• Background on Mobile Technology Risk in 2012
• Major Threat Vectors and Mitigation Strategies
• Steps for IT Auditors to Consider
• Conclusions and Discussion

Background

• Much of the concern today around mobile device security is commingled with the “BYOD” concept
• There are inherent contradictions between what users want and what enterprise security requires

The Culture of Mobile Computing: Anywhere, Anytime!

• Local devices with storage and processing capability
• Establishing a secure remote connection with appropriate remote authentication
• Cloud usage and integration
• Internet connectivity and bandwidth improvements
• Corporate culture – work-life balance
• Reduced geographic boundaries for employment and recruiting
• Expectations of extended hours and project deadlines
• Application dependency for personal and business use

Perceptions of Mobile in the Workplace

Consequences of a Mobile Breach

What Data Do We Lose?

• Email (including attachments received)
• Text messages
• Pictures / images
• Contacts
• Saved files
• Browsing history
• Geolocation

Primary Threat Vectors for Mobile Devices

1. Users
2. Physical access
3. Wireless communication
4. Malware

1. Users are a Source of Risk

• Inherent contradiction between how we want to use these devices (for everything) and the concept of security
• Different devices present different risks to users
• Alarming statistics about individual users and security

1. Mitigation of User Risk

• User education about the risks involved with mobile security
• Realistic policies regarding BYOD and mobile device security
• Use technology to help enforce policies, e.g. Mobile Device Management (MDM)

http://www.amazon.com/Mobile-Device-

2. Physical Access

• “Outside of the perimeter”
• Must assume device access will be attempted by a non-authorized user
• Prone to being stolen or lost
• Circumventing

Billion Dollar Phone Bill

2. Physical Access Risk Mitigation

• The following must be enabled on the device:
  – Password / PIN (preferably a password)
  – Device encryption
• Permitted devices should support “remote wipe” features
• Users must be taught not to disable or modify these features

3. Wireless Threats

• Open / public Wi-Fi creates risk for the integrity of the session – Man-in-the-Middle attacks

3. Wireless Risk Mitigation

• Users must be educated about how to use public Wi-Fi and what poses a threat
• Corporate applications and services should require VPN or SSL
• Consider one-time

4. Malware as a Threat

• Malware is an increasing issue (statistics)
• Android vs. iOS
• Other platforms (RIM, Nokia / Windows)
• Methods of spreading (app store vs. drive-by)
• Users and trust

4. Malware Mitigation

• Download software and files only from trusted / known sources
• Educate users and make resources available to them to combat malware
• Anti-virus / anti-malware
• “Phone within a phone”
• Mobile Device Management

Planning Forward

• Organizations should consider evaluating the following:
  – Modifications to the internal risk assessment
  – Reviewing mobile computing policies and procedures
  – Assessing MDM
  – Understanding exceptions to policy

Risk Assessment

• Build questions about mobile technology into the risk assessment process
• Target risk assessment questions to the areas described in this presentation, but also consider new and evolving areas

Review Mobile Policies and Procedures

• Evaluate written policies and procedures regarding BYOD, device capability requirements, acceptable use, etc.
• Assess the adequacy of policies for addressing the most significant risks from a mobile computing perspective
• Do policies give you the right to audit user settings?

Mobile Device Management

• Does the organization have MDM capability beyond MS Exchange ActiveSync?
• Has the organization evaluated other MDM tools?
• How effective are ActiveSync and/or other MDM tools at enforcing policies?
• Is the MDM tool compatible with all devices in the network?
• Can users easily circumvent
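As an added example (not from the presentation), the Exchange 2010 Management Shell commands below turn the physical-access controls from the earlier slide (password / PIN, device encryption, remote wipe) into an enforced ActiveSync mailbox policy, and then list synced devices that have not actually applied it, which is the evidence an auditor would ask for when assessing whether users can circumvent the MDM tool. The policy name "BYOD-Baseline" and the mailbox name are placeholders.

```powershell
# Added example: enforce the slide's device controls with Exchange 2010 ActiveSync,
# the MDM capability most organizations already have. Run from the Exchange
# Management Shell. "BYOD-Baseline" and "jdoe" are placeholder names.

$policyName = "BYOD-Baseline"

# Create the policy if it does not exist yet.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName | Out-Null
}

# Password / PIN (alphanumeric preferred), inactivity lock, wipe after repeated
# failures, and device plus storage-card encryption. Refusing non-provisionable
# devices matters most: a device that cannot honour the policy is not allowed to
# sync at all, instead of syncing with the controls silently absent.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (repeat or pipe for the BYOD user population).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy $policyName

# Audit evidence: every partnership whose device has not applied the policy in full.
# Anything other than "AppliedInFull" (PartiallyApplied, NotApplied, ExternallyManaged)
# is a finding to follow up, not a device to trust.
Get-ActiveSyncDevice |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Identity $_.Identity } |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object DeviceType, DeviceModel, LastSuccessSync, DevicePolicyApplied, DevicePolicyApplicationStatus |
    Format-Table -AutoSize

# Remote wipe for a lost or stolen device; the identity comes from the listing above.
# Clear-ActiveSyncDevice -Identity "<device identity from Get-ActiveSyncDevice>" -Confirm:$true
```

The last line is left commented because a wipe is destructive; an auditor's interest is that the capability exists and that the procedure for invoking it is documented.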

Exceptions to Policy

• Don’t forget about this guy!
• Exceptions to policy are likely to come from some of mobile computing’s most prized targets
• Evaluate the reasonableness of exceptions based on the risk associated with the data they have access to

Final Remarks

• Don’t forget about the criticality of user education with mobile security – evaluating the adequacy of ongoing user education is paramount
• Don’t be afraid to evaluate settings on some users’ devices, even in a BYOD world!

Discussion & Demonstration

Brian J. Thomas, CISA, CISSP
713.800.1050, [email protected], Twitter: @IT_Risk

Shohn Trojacek, CISSP
713.594.7503
