an introduction on design and implementation on byod and mobile security
Post on 21-Oct-2014
238 views
DESCRIPTION
Agenda: What are mobile devices? Mobile device threads BYOD BYOD Pros and Cons 4 Steps to design BYOD: BYOD Strategy Mobile Hacking techniques demo: Android Phone Mobile Application Security Laptop Pendrives BYOD or BYOA How to Secure the data storages and transportationTRANSCRIPT
Sina Manavi 13Feb 2014
BYOD AND MOBILE SECURITY
My name is Sina Manavi ,
Master of Computer Security and Digital Forensics
CEH and CHFI Certificate Holder
Contact : [email protected]
ABOUT ME
• What are mobile devices?• Mobile device threads• BYOD• BYOD Pros and Cons • 4 Steps to design BYOD:• BYOD Strategy• Mobile Hacking techniques
demo:
1. Android Phone
2. Mobile Application Security
3. Laptop
4. Pendrives
AGENDA
• BYOD or BYOA• How to Secure the data
storages and transportation
WHAT ARE MOBILE DEVICES?
• Unauthorized Access• Infected Machine • Unreliable Application• Camera ? !• Media Storages • Mobile Phones • Internet Surfing• Network Access• Cloud ?
THREATS
• Malware• Synchronization• Phishing or SMiShing• Malicious Links or Websites
Using the personally owned mobile devices such as smart phones, IPad, Tablets , laptop, thumb drives to access organization network and corporate data such as databases, organizational software, emails…etc.
BYOD?!!!
• Cost effective:
• No need to buy lots of PC, Tablets
• Technology familiarity:• Apple users are more comfortable with apples likewise windows user are
more likely to use windows applications
• Flexibility:• Employees don’t need to carry both their personal devices and their work
needs, they can work whenever wherever they need while they have access to all data needed
BYOD PROS
Cost for employee:
• Not everybody has such devices,
• Increase usage and transportation may lead to quicker depreciation
• Repairing, upgrading or any possible accident would be under employee responsibility which is not very pleasant
BYOD CONS
Different devices:
different OS, application and quality level, which brings difficulties in managing them.
Security:
Normally companies spend a lot amount of money to buy firewalls, Anti-viruses, original application which as yearly supports and maintenance. Which employees cant afford such prices himself
BYOD CONS
Security:
while PODs contain corporate data, it can bring security risk of data leackage
Privacy issue for employee, PODs should be accessible on demand for the organization whenever they need to investigate, they might not be happy to surf internet or perform their routine daily life with that device (e.g instant messaging, calls, social networking, web browsing ,personal images….)
• What happens if an employee leave?!!!!!!!!!!
BYOD CONS (CONT…)
• Information and Communication Techonology devices ( Owned by Organization) (ICT)
• Personally Owned Device (POD)
ICT AND POD
1. Know your businesses and regulatory
2. Creating a protocol Foundation
3. Legal Right and responsibility
4. Security Concerns
4 STEPS TO DESIGN BYOD
• What does the company seek to gain from BYOD?• What unique divisions does the organization have?• What information and applications need to be accessed
by each division?• What level of security will be applied to this information?• What are the data-usage requirements for each division?
STEP 1: KNOW YOUR BUSINESSES AND
REGULATORY
Sourcing: Where did the device or softwares come from? Was it a preferred vendor or some random source?
Supporting devices: what if one individual employee uses very unknown device ?should the IT team be able to support all type of devices and vendors ?
Bandwidth: allocating bandwidth to employees based on their activity and requirement related to his responsibility at work. (high speed bandwidth for downloading?)
Business support vs. personal support: supporting all type of application although they are not related to organization routines? For financial department is it necessary to support Photoshop or 3D MAX? or Does multimedia design team need to support specific hardware?
Device Lost: what strategy do you need for a lost device? Wiping the device remotely? Detach it from network or known devices?
STEP 2: CREATING A PROTOCOL FOUNDATION
• Responsibility
The BYOD policy should determine who is responsible to protect data on the device?
• Privacy:
How much access can organization have to the private files of the employees
• Regulation and rights
Different countries and companies have their own regulation and rights
STEP 3: LEGAL RIGHT AND RESPONSIBILITY
• Device:
what kind of device , OS and hardware is accessible for organization.
• Security:
In what level security and risk are needed for each device and employee.
• Application management:
What application can be installed on the device, and assign proper level of control based on the employee requirement to perform her job
• Data access
Data access should be allocated based in a proper way, no need to give access of financial or human resource department to nonrelated departments.
STEP 4: SECURITY CONCERNS
• Individual user can only use the POD, if it has configuration and software installed with the right privilege, otherwise they just can use guest internet or network which has no access to the corporation network.
• Each POD has to have specific registered digital certificate, and it shouldn’t be copy from one POD to another POD, although devices blonge to one person
BYOD POLICY
• POD should be utilized with appropriate for of userID, Passwords and authentication devices.
• Organization has the right to investigate and control its information and device functionality, backup, retrieve, modify and deleting the corporation data , without permission of owner or user POD
BYOD STRATEGY
• All PODs should have proper Antivirus according to the Administrator management policy
• Synchronize the created or modified valuable corporate data on the POD using corporate network or using secure removable media
• All the data should be transfer through the network or media storages in encrypted form for instance :
Network (SSl or VPN)
Storage Media ( using like TrueCrypt)
BYOD STRATEGY
As organization may need to investigate the POD on demand based on the reasonable expectation, the possibility of gaining access to the personal data is high, users should be advice to store their private data in different directory with a clear name such as “private” or “personal”
BYOD STRATEGY
Before any video/audio recording inside organization should be confirmed with management Installing application on PODs should be under control of the management (such as Email Client, social networks, web browser…etc.)
Employees and administrators should be educated and aware of risks and vulnerabilities of the PODs
BYOD STRATEGY
Data that are not allowed to be stored, process, create on PODs:
• Classified secret files or above
• Highly valuable or sensitive information
• Big data such as 1Gb of corporate data on POD
BYOD STRATEGY
These strategies and policy may be different in different organization due to organization nature and functionality
BYOD STRATEGY
1- Identify the risk elements that BYOD introduces with a research group
2- Decide how to enforce policies for devices connecting to your network
3- Build a project plan to include these capabilities: Remote device management
Application control
Policy compliance and audit reports
Data and device encryption
Augmenting cloud storage security
Wiping devices when retired
Revoking access to devices when end-user relationship changes from employee to guest
Revoking access to devices when employees are terminated by the company
BYOD SECURITY PLAN STEPS
4- Evaluation from each department chose number of users to see the
feedbacks
BYOD SECURITY PLAN STEPS
• Using hacking tools such Cain and Able • Wireshark for network sniffing • Bruteforce tools for password cracking • Sql injection or cookie injector tools for compromising
the organization database or website authentication.• Virtualization application for Anti-Forensics activity
• Demo Now
MOBILE HACKING DEVICE HACKING TECHNIQUES DEMO: LAPTOP
• Using personal data storage for backuping or running personal application or data
• Running USB live tools such as Backtrack , Helix, or • Live CD/DVD OS which has illegal tools such as
Dropbox, google Drive,….for accessing the or stealing data.
• Usually USB or live CD/DVD tools can be utilized for Anti-Forensics activity
• Personal VPN to hide their activity
• Demo …… now
MOBILE HACKING DEVICE HACKING TECHNIQUES DEMO: MEDIA STORAGE
• Bring Your Own Device = Bring Your Own Application• Downloading unknown applications or downloading
application from untrusted appstores such as cracked tools can brings malwares as a gift to the organization.
• Employees show be limited in downloading application which is beyond the BYOD policy list
• Mobile phones should not be rooted or jailbreak• Application should be download from trusted app
markets such as official Apple app-store or google Play or Microsoft app-store.
BYOD OR BYOA
• all the data storages must encrypt corporate data• Just legitimate user can leave organization with
corporation data• All data transfer through network should be encrypted
via SSL or VPN which belongs to organization
HOW TO SECURE DATA ON BYOD
MOBILE APPLICATION SECURITY
• Network Spoofer / Dsicovery [Need root access]• Shark for root ( like Wireshark on PC) [Need root access]
• TcpDump• Ettercap • dSploit• dDoS tool for Mobile Devices• Bluetooth Cloning • DroidShip • etc
MOBILE HACKING DEVICE HACKING TECHNIQUES DEMO: ANDROID
PHONE
Demo stealing file from android phone…
ANDROID HACKING
Whats your opinion about BYOD?• Do you think BYOD increase the IT and security cost • Brings more risk to organization• Data leakage • Data lost• Stealing data
NOW MY QUESTION?
ANY QUESTION?