Auditing moving targets: Smartphones & tablets in government
– or –
a CISO‐turned‐auditor's take on mobile devices

John Bullock, BSc, CISSP, CISA, CRISC, GICSP
Senior IT Audit Specialist
Office of the Auditor General of [email protected] / ca.linkedin.com/in/jb00seven
2/29 PNIAF 2017‐03‐17
what's in it for you
• mobile device audit gotchas
• cybersecurity & privacy insights specific to mobile
• perspective of both security practitioner & auditor

what's in it for me
• mobile device enthusiast
• audit enthusiast
why mobile devices?
We use them for … everything!
organizers: watch, alarm clock, personal planner, social calendar, …
life recorders: diary, camera, video camera, audio recorder, …
productivity: calculator, GPS navigation, compass, address book, dictionary, barcode scanner, …
entertainment: music player, game console, radio, TV, remote control, …
reading: books, comics, recipes, magazines, newspapers, …
tools: flashlight, measuring tape, level, magnifier, telescope, …
from "99 things replaced by smartphones"
And it’s always increasing
why an audit?
↑ functionality = ↑ risk
risk factors: size
• small size → high number of devices lost or stolen
"One in 10 smartphone users have had their phones stolen"
http://www.wired.com/2014/12/where‐stolen‐smart‐phones‐go/
For lost‐but‐returned devices, more than 90% of the good Samaritans snooped before returning them
http://www.informationweek.com/mobile/lose‐your‐smartphone‐finders‐will‐snoop‐through‐it/d/d‐id/1103354
loss & theft
• 2.1m stolen
• 3.1m lost
(stats taken from a 2015 US report)
[chart: where thefts occur]
risk factors: keyboards/passwords
• tendency to use simple passwords due to the lack of a physical keyboard (or a very small keyboard)
risk factors: lack of support
• frequent model changes mean devices quickly become unsupported (can't get security updates)
risk factors: malware
• evolving operating systems provide opportunities for malware (malicious software)
New mobile malware tripled in 2015. Growth continued in 2016 with ransomware (which blocks access until a user pays a sum of money) as the latest flavour.
https://www.scmagazineuk.com/kaspersky‐finds‐significant‐growth‐of‐mobile‐malware‐in‐2015/article/531116/
how to start the audit?
names/words matter
What is a mobile device?
• flash drive?
• laptop?
• tablet?
• dumb (i.e. feature) phone, cell phone, smartphone?
Name of audit: MDM or MMD?
• Mobile Device Management is a product
• Management of Mobile Devices allowed for Policies, Procedures, Standards, Guidelines, and Practices.
What's in scope?
What's out of scope?
scoping
The big question: laptop/tablet/smartphone
Think: What's different?
• small input area (strong passwords more difficult)
• dramatically higher loss/theft risk
• immature security measures for OS/device
smartphones & tablets with mobile specific OS
• not laptops (we know how to easily secure them, even if we don't)
• not flash drives, not even Chromebooks
scoping
The awkward question: BYOD
Depends on whether official BYOD program or not
Yes?
• May need to examine personal devices. Talk to a lawyer.
No?
• Whew. Examine controls to prevent, detect and remediate existence of BYOD devices.
scoping
The easy question: privacy
The following are largely personal privacy issues:
• location information (current/past GPS coordinates, and Wi‐Fi and Bluetooth connection histories)
• photographs
• app behaviour (Best Flashlight & contacts)
• performance data (telemetry)
• voice commands
we scoped it out
• resources constrained
• coordinated audit w/ Privacy Commissioner investigation!
scoping
Other questions:
• phishing
• mobile banking
Solution? Think, is it different on mobile?
• largely "NO"
• but be prepared to justify your decisions again & again
lines of enquiry
1. strategic planning activities
2. full lifecycle management of devices
3. security controls
4. monitoring, logging, incident management
No audit plan survives contact with the auditee.
~ Helmuth von Moltke, with apologies
risk gotchas
• "Why does X matter? We/they can do remote wipe."
• "It's unreasonable for us/them to have to type a passcode several times a day."
• "Doesn't the fact that a smartphone is a tracking device cause security issues?"
Cause:
• infatuated with technology
• mobile devices are the Most Personal Computers. Ever!
• confusing privacy and security / seeing only risk, not benefits
inventory gotcha
[diagram: overlap of "Devices billed by carrier" and "Devices on MDM"]
Devices billed by carrier only:
• feature phones
• some smartphones w/o security settings
Devices on MDM only:
• unofficial channels used to purchase
• some BYOD
Both billed by carrier and on MDM: well managed
unknown devices (on neither list):
• jail‐broken/rooted
• BYOD
• deliberately unmanaged?
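The inventory gotcha above is, in practice, a reconciliation exercise. The following is an added example (not from the presentation or the audit office) that joins three constructed exports: carrier billing, MDM enrolment and a hypothetical mail-server device log. Using IMEI as the join key is an assumption; a real audit must first confirm which identifier the sources actually share and how consistently it is recorded.

```python
"""Reconcile carrier billing, MDM enrolment and a mail-server device log.

Added example, not from the presentation. All three exports are constructed
sample data; IMEI as the join key is an assumption.
"""
from dataclasses import dataclass, field

# Constructed exports; IMEIs are made up and deliberately inconsistent in format.
CARRIER_BILLING = [
    {"imei": "35-123456-789012-3", "user": "alice"},
    {"imei": "35 223456 789012 4", "user": "bob"},     # feature phone, never on MDM
    {"imei": "352334567890125", "user": "carol"},      # smartphone never enrolled
]
MDM_ENROLMENT = [
    {"imei": "351234567890123", "compromised": False, "passcode": True},
    {"imei": "353434567890126", "compromised": False, "passcode": True},  # not billed: BYOD?
    {"imei": "353534567890127", "compromised": True, "passcode": False},  # rooted, no passcode
]
# Devices seen syncing corporate mail (hypothetical log): the only place a
# device that is on neither list above can show up.
MAIL_SYNC_SEEN = ["351234567890123", "352334567890125", "354634567890128"]


def normalise_imei(raw: str) -> str:
    """Keep digits only so the same device matches across differently formatted exports."""
    return "".join(ch for ch in raw if ch.isdigit())


@dataclass
class Reconciliation:
    well_managed: set[str] = field(default_factory=set)    # billed and on MDM
    carrier_only: set[str] = field(default_factory=set)    # billed, not managed
    mdm_only: set[str] = field(default_factory=set)        # managed, not billed
    unknown: set[str] = field(default_factory=set)         # seen on mail, on neither list
    needs_followup: set[str] = field(default_factory=set)  # compromised or no passcode


def reconcile(billing, mdm, seen) -> Reconciliation:
    billed = {normalise_imei(r["imei"]) for r in billing}
    enrolled = {normalise_imei(r["imei"]): r for r in mdm}
    managed = set(enrolled)
    res = Reconciliation()
    res.well_managed = billed & managed
    res.carrier_only = billed - managed
    res.mdm_only = managed - billed
    res.unknown = {normalise_imei(i) for i in seen} - billed - managed
    res.needs_followup = {k for k, r in enrolled.items()
                          if r["compromised"] or not r["passcode"]}
    return res


if __name__ == "__main__":
    for name, devices in vars(reconcile(CARRIER_BILLING, MDM_ENROLMENT, MAIL_SYNC_SEEN)).items():
        print(f"{name}: {sorted(devices)}")
```

Without the third source, the "unknown devices" quadrant is invisible: the two management lists can only tell you about devices at least one of them already knows.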
Special considerations
Top 15 tips guide
• we published a Mobile Devices: Tips for Security & Privacy document and released it the same day as our report
• a collaboration with the Office of the Information and Privacy Commissioner (OIPC)
• designed to be used by everyone – work or personal, BC or anywhere else
• 10 security‐related tips, 5 privacy‐related; all in (correct) priority order
Summary of Mobile Devices: Tips for Security & Privacy
1. Password protect your device
2. Lock your screen
3. Encrypt it
4. Limit password attempts
5. Use anti‐malware software
6. Don't jailbreak or root your device
7. Be choosy with apps
8. Limit app permissions
9. Keep software up‐to‐date
10. Limit location information
11. Review voice commands
12. Promptly report lost/stolen devices
13. Bluetooth, Wi‐Fi, NFC
14. Safely dispose of your device
15. Consider using Find My Phone
marketing
Downloads
• Report: 560
• Tips: 248
Social media impressions*
• LinkedIn: 909 (lock your screen – #2)
• Facebook: 871 (password protect your device – #1)
• Twitter: 288 (use anti‐malware – #5)
* from "Tips" promotion 2017‐Jan
conclusion
• we feel we provided value (to auditee and citizens)
• gov't responded promptly to some findings (best day ever!)
• collaboration with the OIPC was win/win
questions?
John Bullock, BSc, CISSP, CISA, CRISC, GICSP
Senior IT Audit Specialist
Office of the Auditor General of [email protected]
+1 250 419 6214