Mobile Device Deployments: The Security Dangers of Technology on the Go
Presented by
Mark Bell, PMP, CISSP, CISA, CHSS
OM03
Friday, 10/25/2013
3:45 PM - 5:00 PM
Confidential © 2012 Digital Defense, Inc.
Mobile Device Deployments
Is Your Organization More Empowered or Endangered?
October 2013
Mark Bell, EVP, Operations
© 2013 Digital Defense, Inc.
Agenda
• About the Speaker
• About Digital Defense
• What is a Mobile Device?
• Mobile Device Usage In Employee Populations
• So Is It Really That Dangerous Out There?
• Protecting Your Company
About the Speaker
• Mark Bell, PMP, CISSP, CISA, CHSS
– Responsibilities include delivery of vulnerability assessments, penetration testing, Payment Card Industry (PCI) Approved Scanning Vendor (ASV) services, social engineering and risk assessments.
– Retired United States Air Force
• Former Senior Network Security Engineer with the 92nd Information Operations Squadron, Air Force Information Operations Center
– Master of Science degree in Information Assurance from Norwich University, Bachelor of Science in Computer Science from Hawaii Pacific University
– Certified as a Project Management Professional (PMP), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified HIPAA Security Specialist (CHSS)
About Digital Defense
• Founded in 1999, Digital Defense, Inc., is the premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries.
• Verticals Served:
– Legal, Financial, Healthcare, Railways, Technology
What Is A Mobile Device?
A mobile device (also known as a handheld device, handheld computer or simply handheld) is a pocket-sized computing device, typically having a display screen with touch input and/or a miniature keyboard. Smartphones and PDAs are popular amongst those who require the assistance and convenience of certain aspects of a conventional computer, in environments where carrying one would not be practical.
Source: http://en.wikipedia.org/wiki/Mobile_device
Examples of Mobile Devices
Mobile Device Usage In Employee Populations
Ownership Statistics
• As of May 2013:
– 91% of American adults have a cell phone
– 56% of American adults have a smartphone
– 28% of cell owners own an Android; 25% own an iPhone; 4% own a Blackberry
– 34% of American adults own a tablet computer
Source: http://pewinternet.org/Commentary/2012/February/Pew-Internet-Mobile.aspx
Home & Work Are Blending
Source: http://mms.businesswire.com/media/20130730006180/en/377542/5/ 2013_infographic_Mobile-User-is-Always-On_FINAL.jpg?download=1
Mobile Device Usage On The Rise
Source: http://readwrite.com/2013/03/26/intel-byod-by-the-numbers#awesm=~oi1z5jSoDvPtiN
What Are Employees Using?
[Chart: percentage of employees using each device type (Smartphone, Laptop, Desktop, Feature Phone, Tablet, Netbook, Handheld Without Phone); y-axis 0% to 45%, highest value shown 42%]
Smartphones: The Go To Device
Why Are They Using Mobile Devices?
Nearly 60% of all consumers say it improves their productivity to take conference calls and use collaboration tools from their personal devices.
Source: http://www.accenture.com/us-en/Pages/insight-2013-consumer-electronics-products-services-usage-graphic.aspx
BYOD: Employee View
Lets Me Do My Job Better
I Like The Flexibility
Want A Single Phone For Work And Home
Who Wants BYOD?
[Chart: share of workers wanting BYOD by age group (18-24, 25-34, 35-49, 50-64, 65+); y-axis 0% to 45%, highest value shown 42%]
Younger Workers Lead The Way!
Source: http://blog.magicsoftware.com/2013/01/the-state-of-byod-2013-devices.html
The Greatest Driver for BYOD
[Chart: applications driving BYOD (Email, Web Browser, Contacts, Calendar, Instant Messaging, Office Applications, Task & Project Management, Social Media, Line of Business Apps, Sales Force Automation); y-axis 0% to 100%, highest value shown 86%]
Everyone Wants Their E-Mail…NOW!
So Is It Really That Dangerous Out There?
Yes…It Is!
• Check Point 2013 Mobile Device Security Survey
– 79% of the respondents reported mobile security incidents in the past year
– 52% of large companies say the cost of mobile security incidents last year exceeded $500,000
– 45% of businesses with fewer than 1000 employees reported mobile security incident costs exceeding $100,000
– 49% cite Android as the platform with the greatest perceived security risk (up from 30% last year), compared to Apple, Windows Mobile, and Blackberry
– 66% say careless employees are a greater security risk than cybercriminals
Bans Don’t Work!
• BYOD alert: Confidential Data On Personal Devices
– Think you're safe if you have a policy prohibiting BYOD to begin with? Guess again. According to a Microsoft study, 67 percent of people use personal devices at work, regardless of the office's official BYOD policy -- so even if it's prohibited, there's a good chance employees (particularly millennials, who have a reputation for feeling entitled to more relaxed IT policies as a result of their college experiences) are working with personal devices anyway.
Source: http://www.cbsnews.com/8301-505143_162-57601024/byod-alert-confidential-data-on-personal-devices/
Where You’re Exposed
• Device Loss/Theft
• Data Breach
• Malicious Applications
• Ownership Issues
Device Loss/Theft
• Users asleep on smartphone security and data loss.
“People who lose their smartphones at the pub may think the phone password can save them from embarrassment, but more often than not, they forget about the media or memory card, according to Ty Miller, chief technology officer at IT security consultancy Pure Hacking. "People don't really think about securing media cards on phones," Mr Miller said. "From a consumers' point of view, they just enjoy the storage of the media card."
• Why?
– It’s just a phone.
– IT takes care of protecting my e-mail.
– It has a password on it.
Source: http://www.theaustralian.com.au/australian-it/users-asleep-on-smartphone-security-and-data-loss/story-e6frgakx-1226037450099
My Employees Are Careful!
• In the last six months alone, the nine-nation survey of leading taxi companies in Australia, Denmark, Finland, France, Germany, Norway, Sweden, Great Britain, and the U.S. indicated tens of thousands of digital devices were left behind inadvertently. The U.S. company polled in the survey, a major Chicago cab company, reported the highest number of losses per taxi of all firms studied, both in mobile phones (3.42 per cab) and PDAs/Pocket PCs (0.86 per cab).
• Based on the large size of the Chicago company's fleet, the statistics indicate a staggering 85,619 mobile phones, 21,460 PDAs/Pocket PCs, and 4,425 laptops left in the firm's licensed cabs during the six months covered in the study. Only London, with 0.21 laptop PCs lost per cab versus the Chicago firm's 0.18, was higher in any category.
Data Breach
• Data breaches from mobile devices could lead to identity theft.
“Nearly 40% of organizations in the study had a data breach resulting from a lost or stolen mobile device, including tablet computers, smartphones and USB drives that contained confidential or sensitive data.”… Ponemon Institute Study
• Why?
– Users fail to understand the types of data stored on the device.
– Users are careless with the device. Remember, it’s just a phone.
Source: http://breakinggov.com/2012/03/22/negligent-employees-cause-most-data-breaches-mobile-is-key-fact/
Malicious Applications
• Malicious applications are exposing your company to risk.
“Symantec said 2012 saw a 58 percent increase in mobile malware families compared to 2011. Fifty nine percent of all mobile malware to date was discovered in 2012.” … Symantec Internet Security Report
– It’s my phone, I can load apps if I want!
– It was made by XYZ vendor, so it must be safe.
Device Ownership Issues
• Wipeout: When Your Company Kills Your iPhone
“A few weeks ago, Amanda Stanton's iPhone suddenly went black. Everything was gone — all her contacts, photos and even the phone's ability to make calls. Someone in the IT department had sent out what's called a "remote wipe," a kind of auto-destruct command that's delivered by e-mail. The wipe was done by mistake, and Stanton wouldn't have been surprised to see this kind of remote control on a company phone. But this iPhone was hers.”
• Why?
– Who really owns the phone?
– Who really owns the data on the phone?
Source: http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone
What Most Companies Do
Monitor Employees
Issue Policy To Staff
Buy Technology
What Companies Should Do
Buy Technology
Implement Policies & Procedures
Evaluate Risk
But XYZ Said MDM Is All I Need!
With all of the MDM solutions available, how would you know which is right for you if you don’t know what you are trying to protect?
Gartner MDM Magic Quadrant 2012
Remember: MDM Is Not Foolproof
• Devices
– What if the solution doesn’t support all of the models/makers that your staff is using?
– What if management wants iPhones and staff wants Windows Mobile?
• App Stores
– How well does the MDM solution protect you against malicious apps / app stores?
– Does the solution allow you to have a “corporate app store” that contains only approved apps?
Start With A Risk Assessment
• Basic Questions That Need To Be Asked & Answered
– Why are we introducing the devices into our network?
– How are the devices connecting to the corporate network?
– What data will the devices have access to once introduced?
– What types of devices should we allow?
– Who should get access to corporate resources via a mobile device?
– What would our exposure be if a device was lost or stolen?
– Will all employees be able to participate? If not, why?
Let’s Review One Item
• What Data Are You Trying To Protect?
– Client information
• How Are the Devices Connecting to the Corporate Network Putting Client Data At Risk?
– 3G/4G?
• What risks are they being exposed to by other users?
– Wireless?
• Will users be passing anything over the network in clear text?
• What happens if they multi-home their laptop with a mobile device hotspot?
– VPN?
• Not all VPNs work with all mobile devices. Are multiple VPNs the answer?
• Will the VPN force the routing of personal traffic via the corporate network?
– OWA?
• Forces you to expose your Exchange Server to the Internet.
What About Policies?
• Develop AFTER Your Risk Assessment!
• Address, at a Minimum…
– Who furnishes the device?
– Is the employee reimbursed for any part of their phone or phone bill? (This can get VERY sticky!)
– Can the employee use the phone for personal use?
– Can the employee load applications from outside sources? If so, which? Who will decide?
– What should the employee do if the device is lost or stolen?
– What should IT do to protect the organization?
Example Policies
• App Store Usage
• Device Backup
• Joint Usage Policy (Personal/Corporate)
• Acceptable Use
• Media Card Usage
• Device Destruction & Replacement
• Lost & Stolen Devices
• Allowable Devices
• Use of Encryption
• Mobile Device Passwords
• Location Service Usage
Protecting the Device
• Passwords & Patterns
– Most mobile devices support passwords; however, some do not allow passwords that exceed four characters or passwords that meet corporate password standards.
– Many devices allow the user to disable the password or change it to something easier that suits their needs.
– Avoid swipe patterns (Android devices), as they can be easily compromised.
– Avoid facial and voice recognition technologies, as they can be easily bypassed.
Protecting the Device
• Encryption (Device & Media)
– Most modern mobile devices support the encryption of user data on the device.
• Passwords
• PIN
– Some devices may not allow you to encrypt removable media (SD cards, etc.). If media cards are allowed, this could be a potential risk.
– Some devices allow for encryption of certain data sets and as such may leave other more critical data
Protecting the Device
• Firewalls
– Some devices are made available with built-in firewalls, some are not. Make sure you know which you are dealing with prior to deploying.
• Anti-Virus / Anti-Malware
– While still rare, mobile device anti-virus/anti-malware packages are becoming more mainstream.
– Sophos and Lookout both offer packages for Android devices.
Recovery After Loss
• Remote Wiping
– Most devices will allow IT to remote wipe the device and erase all of the stored information, including data stored on removable storage.
– Ensure employees know that their data will be lost as well.
• Remote Discovery & Recovery
– Many devices now link to services that allow IT to remotely monitor the location of the device.
– Google and Apple both offer free services that, if allowed, make it easy to discover lost phones. Most MDM solutions have the same capabilities.
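The three Protecting the Device slides and the Recovery After Loss slide above form a checklist (password length and user-changeable locks, device and media-card encryption, swipe-pattern and biometric unlock, remote wipe) that a risk assessment turns into an allowable-devices decision. The Python below is an added illustration, not part of the deck or Digital Defense's material: it scores constructed, hypothetical device profiles against a corporate baseline and separates gaps the hardware or OS can never close (the model should be rejected) from gaps that policy and MDM enforcement must close before deployment. The names Baseline, Device, Finding, review, allowable, fleet_report and the SampleCorp-* models are assumptions made for the example, and the capability values are invented sample data, not vendor specifications.

```python
"""Device baseline review for a mobile deployment risk assessment.

Added example, not from the original slide deck or Digital Defense.
Device profiles below are constructed sample data, not vendor specs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Corporate minimum, modelled on the deck's checklist (assumed values)."""
    min_password_length: int = 8
    require_device_encryption: bool = True
    require_media_encryption: bool = True
    require_remote_wipe: bool = True
    allow_pattern_unlock: bool = False     # deck: avoid swipe patterns
    allow_biometric_unlock: bool = False   # deck: avoid face/voice unlock


@dataclass(frozen=True)
class Device:
    """What one device model can actually enforce (hypothetical profile)."""
    model: str                       # constructed name, not a real model
    max_password_length: int         # 0 means no password support at all
    user_can_weaken_lock: bool       # user may disable or shorten the lock
    device_encryption: bool
    has_media_slot: bool
    media_encryption: bool
    remote_wipe: bool
    unlock_methods: frozenset        # subset of {"password","pattern","face","voice"}
    mdm_can_restrict_unlock: bool    # MDM can switch off unwanted methods


@dataclass(frozen=True)
class Finding:
    area: str
    detail: str
    blocker: bool   # True: hardware/OS cannot meet the baseline at all


BIOMETRIC = {"face", "voice"}


def review(device: Device, baseline: Baseline) -> list:
    """Return every gap between a device's capabilities and the baseline.

    A blocker cannot be fixed by policy or MDM configuration, so the model
    should stay off the allowable-devices list. A non-blocker is a gap that
    policy and MDM enforcement must close before deployment.
    """
    gaps = []
    if device.max_password_length < baseline.min_password_length:
        gaps.append(Finding("password", f"max length {device.max_password_length} "
                            f"< required {baseline.min_password_length}", blocker=True))
    if device.user_can_weaken_lock:
        gaps.append(Finding("password",
                            "user can disable or weaken the lock; enforce via MDM",
                            blocker=False))
    if baseline.require_device_encryption and not device.device_encryption:
        gaps.append(Finding("encryption", "device storage cannot be encrypted",
                            blocker=True))
    if (baseline.require_media_encryption and device.has_media_slot
            and not device.media_encryption):
        gaps.append(Finding("encryption",
                            "media card cannot be encrypted; forbid media cards by policy",
                            blocker=False))
    if baseline.require_remote_wipe and not device.remote_wipe:
        gaps.append(Finding("recovery", "no remote wipe", blocker=True))
    unwanted = set()
    if not baseline.allow_pattern_unlock and "pattern" in device.unlock_methods:
        unwanted.add("pattern")
    if not baseline.allow_biometric_unlock:
        unwanted |= BIOMETRIC & device.unlock_methods
    if unwanted:
        # Only a blocker when the MDM cannot turn the weak methods off.
        gaps.append(Finding("unlock", f"weak unlock methods available: {sorted(unwanted)}",
                            blocker=not device.mdm_can_restrict_unlock))
    return gaps


def allowable(device: Device, baseline: Baseline) -> bool:
    """A model is allowable when none of its gaps is a blocker."""
    return not any(f.blocker for f in review(device, baseline))


# Constructed sample fleet for the walk-through (not real models).
SAMPLE_FLEET = (
    Device("SampleCorp-A", 16, False, True, False, False, True,
           frozenset({"password", "face"}), True),
    Device("SampleCorp-B", 4, True, True, True, False, True,
           frozenset({"password", "pattern"}), False),
    Device("SampleCorp-C", 32, False, False, False, False, False,
           frozenset({"password"}), True),
)
CORPORATE = Baseline()


def fleet_report(fleet=SAMPLE_FLEET, baseline=CORPORATE) -> dict:
    """Map each model to ('allow' | 'reject', [finding descriptions])."""
    return {d.model: ("allow" if allowable(d, baseline) else "reject",
                      [f"{f.area}: {f.detail}" for f in review(d, baseline)])
            for d in fleet}


if __name__ == "__main__":
    for model, (verdict, details) in fleet_report().items():
        print(f"{model}: {verdict}")
        for line in details:
            print("   -", line)
```

Running it rejects SampleCorp-B (four-character password cap and a swipe pattern the MDM cannot disable) and SampleCorp-C (no device encryption, no remote wipe), and allows SampleCorp-A only with the note that face unlock must be switched off through the MDM. A media card that cannot be encrypted is treated as a policy gap rather than a blocker because the slot can be forbidden by policy; treat it as a blocker instead if the MDM cannot enforce that.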
Protect Your Data
• Backups
– Make sure you are aware that employees may be backing up to iCloud, Google Drive, Windows SkyDrive, or their own computer.
– These backups may contain very sensitive data that could be exposed to unauthorized persons.
– Make sure your MDM solution addresses this pre-deployment.
In Closing…
• Mobile Devices can be a great asset to most organizations IF they are deployed in a consistent fashion.
• Think of mobile devices as just another type of personal computing device and protect them accordingly.
Questions?
[email protected]