Getting a Grip on Mobile Devices (PowerPoint presentation transcript)

Slide 1: Getting a Grip on Mobile Devices
Slide 2: Last year thousands of travellers left personal items in London taxi cabs

Slide 3: 27 toilet seats

Slide 4: 4 sets of false teeth

Slide 5: 3 dogs

Slide 6: 2 babies

Slide 7: 1 cat

Slide 8: 1 pheasant

Slide 9: Funeral ashes

Slide 10: A dead body

Slide 11: Over 50,000 mobile computing devices
Slide 12: Devices can hold
• 10k photos
• 200k docs
• 100k emails

Slide 13: 10% capacity =
• +50M photos
• +1B docs
• +500M emails

Slide 14: That's a lot of information!
Slide 15: "73% of London businesses surveyed allowed employees to bring their own device to work for processing commercial information in 2013."
Ponemon Survey, February 2014
Slide 16: How do you Get a Grip on that?

Slide 17: Business Challenges

Slide 18: Our Challenges

Slide 19: Our Risks

Slide 20: History Lesson

Slide 21: History 101

Slide 22: What's Your Definition?
Slide 23: Is it Definitive?
• Copiers
• Faxes
• Scanners
• Telephones
• Coffee machines
• Any device with memory capability that can be carried out.
Slide 24: Top 10 Mobile Risks
1. Loss
2. Theft
3. Malware
4. Stealth installs
5. Data interception
6. Direct attack
7. Call hi-jacking
8. VPN hi-jacking
9. Session hi-jacking
10. Device hi-jacking
Slide 25: Risk Du Jour

Slide 26: How do you Get a Grip on that?

Slide 27: Step 1: Quantify the Problem
• Stop.
• First measure the problem
• Conduct a survey
• How many devices? Running what applications?
• Processing, storing, transmitting: what data?
• Conduct a threat / risk assessment
• Draft Asset Register
• Draft Risk Register
Slide 28: What's the threat?

Slide 29: Quantify
If the definition of a threat is the "expressed potential" for a "harmful event" to happen to your business, then the question to ask is:
"What mobile device events would be harmful to your business?"

Slide 30: What Applies?
Slide 31: Step 2: Draft policies
• Device ownership
• Device liability
• Acceptable devices
• Acceptable use
• Acceptable applications
• Minimum device security requirements
• Where to report lost/stolen devices
• Security Awareness Program

Slide 32: Consider…
• Mandating use of PINs to access devices
• Mandating use of complex passwords to access applications
• Set max number of password failures
• Set max days of non-use lock out
• Specify password change interval
• Prevent password reuse via password history
• Set screen-lock
Slide 33: Step 3: Configuration
• Firewall
• Anti-virus (Malware, Trojans, Spyware)
• O/S Updates
• Hardening
• Back end support servers
• VPN dual authentication

Slide 34: Consider…
• Adding or removing root certs
• Configuring WiFi including trusted SSIDs, passwords, etc.
• Configuring VPN settings and usage
• Blocking installation of additional apps from the AppStore
• Blocking GeoLocation
• Blocking use of the iPhone's camera
• Blocking screen captures
• Blocking use of the iTunes Music Store
• Blocking use of YouTube
• Blocking explicit content
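The passcode rules on slide 32 and the "Blocking …" items on slide 34 are exactly what a mobile device management (MDM) system pushes to a handset as a configuration profile. The Python below is an added example, not code from the presentation or from Risk Factory: it builds such a profile with the standard-library `plistlib` using Apple's published payload keys (`com.apple.mobiledevice.passwordpolicy` for the passcode rules, `com.apple.applicationaccess` for the restrictions), and then checks a device's reported passcode settings against the same policy so that a non-compliant device can be flagged rather than silently trusted. The numeric thresholds, the `com.example` payload identifiers and the sample device record are assumed values constructed for illustration; the slides name the controls but give no figures. The Wi-Fi, VPN, root-certificate and GeoLocation items from slide 34 are not covered here.

```python
"""Build an iOS-style configuration profile from the slide 32 / slide 34
policy points and check a device's reported settings against it.
Added example; not part of the presentation.  Thresholds and identifiers
are assumed values, not figures from the slides."""
import plistlib
import uuid

# Policy thresholds: constructed values, the slides state none.
POLICY = {
    "max_failed_attempts": 6,      # "Set max number of password failures"
    "max_inactivity_min": 5,       # "Set screen-lock": auto-lock after 5 idle minutes
    "max_pin_age_days": 90,        # "Specify password change interval"
    "pin_history": 5,              # "Prevent password reuse via password history"
    "min_length": 6,               # "Mandating use of PINs to access devices"
    "require_alphanumeric": True,  # "complex passwords"
}


def passcode_payload(policy=POLICY):
    """Slide 32 rules as a com.apple.mobiledevice.passwordpolicy payload."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadIdentifier": "com.example.mdm.passcode",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,
        "allowSimple": False,
        "requireAlphanumeric": policy["require_alphanumeric"],
        "minLength": policy["min_length"],
        "maxFailedAttempts": policy["max_failed_attempts"],
        "maxInactivity": policy["max_inactivity_min"],
        "maxPINAgeInDays": policy["max_pin_age_days"],
        "pinHistory": policy["pin_history"],
    }


def restrictions_payload():
    """Slide 34 'Blocking ...' items as a com.apple.applicationaccess payload."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.mdm.restrictions",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Device restrictions",
        "allowAppInstallation": False,  # blocking installs from the App Store
        "allowCamera": False,           # blocking the camera
        "allowScreenShot": False,       # blocking screen captures
        "allowiTunes": False,           # blocking the iTunes Music Store
        "allowYouTube": False,          # blocking YouTube (key from older iOS releases)
        "allowExplicitContent": False,  # blocking explicit content
    }


def build_profile():
    """Wrap both payloads in a top-level configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.mdm.mobile-baseline",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Mobile baseline",
        "PayloadContent": [passcode_payload(), restrictions_payload()],
    }


def profile_xml(profile=None):
    """Serialise the profile to the XML plist form a .mobileconfig file uses."""
    return plistlib.dumps(profile or build_profile()).decode()


def parse_profile(xml_text):
    """Parse a serialised profile back into a dict, as an MDM or auditor would."""
    return plistlib.loads(xml_text.encode())


def passcode_gaps(reported, policy=POLICY):
    """Compare a device's reported passcode settings (same keys as POLICY)
    with the policy and return the names of the failing controls."""
    gaps = []
    # Upper-bound controls: a missing or zero value means "unlimited", which fails.
    for key in ("max_failed_attempts", "max_inactivity_min", "max_pin_age_days"):
        value = reported.get(key)
        if not value or value > policy[key]:
            gaps.append(key)
    # Lower-bound controls: a value below the policy minimum fails.
    for key in ("pin_history", "min_length"):
        if reported.get(key, 0) < policy[key]:
            gaps.append(key)
    if policy["require_alphanumeric"] and not reported.get("require_alphanumeric"):
        gaps.append("require_alphanumeric")
    return gaps


# Constructed inventory record for one device, as an MDM query might return it.
SAMPLE_DEVICE = {
    "max_failed_attempts": 10,     # more lenient than policy
    "max_inactivity_min": 5,
    "max_pin_age_days": 0,         # passcode never expires
    "pin_history": 5,
    "min_length": 4,               # shorter than policy
    "require_alphanumeric": False,
}

if __name__ == "__main__":
    print(profile_xml())
    print("gaps:", passcode_gaps(SAMPLE_DEVICE))
```

Running the module prints the `.mobileconfig` XML and then the gap list for the constructed device, which fails four of the six passcode controls. The profile is unsigned; in practice the MDM signs it before delivery so the device can tell an organisational profile from one a user was tricked into installing.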
Slide 36: Step 4: Encryption
• Data
• Disk
• Document, File & Folder
• Laptop
• Port & Device Controls
• Removable Media & Device
• Email

Slide 37: Layers
• Data
• Disk
• Document
• File & Folder
• Client Side
• Laptop
• Port & Device Controls
• Removable Media & Device
• Email
Slide 38: Encryption Options
• Database Encryption: Application-level encryption of data "at rest" in a database.
• Disk Encryption: Disk-level encryption for all data on the logical or physical drive (user files, swap files, system files, page file).
• Document Encryption: Application-level encryption of data in document format (Word/Excel, Notebook).
• File & Folder Encryption: Application-level encryption method.
• Client Side Encryption: Application-level encryption method used by servers to encrypt data on a computer that has connected to them.
Slide 39: Options
• Laptop Encryption: Operating system-level encryption method started at boot-up authorisation.
• Port & Device Control: Monitor device usage and file transfer activity. Controls access to laptop ports, devices and wireless networks.
• Removable Media & Device Encryption (USB memory, CD, DVD): Read and write encrypted data on media.
• Email Encryption: Dual key method securing data in transit from client.
• Email Gateway Encryption: Automatic encryption and decryption of sensitive emails between email gateway and receiver.
Slide 40: Step 5: Incident response
• Included in BC/DR Plan
• Back ups
• Alternatives:
  – Find it
  – Track it
  – Kill it

Slide 42: How to Get a Grip
Quantify the problem, Policies, Configuration, Encryption, Incident Response
Slide 44: DPA Mobile Security
• Device security policy
• Firewall
• Anti-virus protection
• O/S routinely updated
• Latest patches or security updates installed
• Access restricted on "need to know" principle
• No password sharing
• Encryption of personal information held on devices
• Regular back-ups
• Wipe data before disposal of device
• Anti-spyware protection
Slide 45: PCI Mobile Security
• Device user security policy
• Device labelled and listed on asset register
• Firewall
• Dual authentication
• Encrypted VPN connection
• Anti-virus protection
• Anti-spyware protection
• O/S routinely updated
• Latest patches or security updates installed
• Connection subject to testing
• Access restricted on "need to know" principle
• No password sharing
Slide 46: ISO Mobile Security
• Device user security policy
• Device labelled and listed on asset register
• Firewall
• Dual authentication
• Encrypted VPN connection
• Anti-virus protection
• Anti-spyware protection
• O/S routinely updated
• Latest patches or security updates installed
• Connection subject to testing
• Access restricted on "need to know" principle
• Device must be password controlled
Slide 47: Minimum Controls
• Risk assessments
• Device user security policy
• Security awareness training
• Information asset register
• Device labelled and listed on asset register
• Firewall
• Dual authentication
• Encrypted VPN connection
• Anti-virus protection
• Anti-spyware protection
• O/S routinely updated & randomly audited
• Latest patches or security updates installed
• Device must be password controlled
Slide 48: ISACA Plug
Slide 49: 10 Rules of Mobile Security
1. If Dr. Evil can run his programs on your mobile device, it's not your device anymore.
2. If Dr. Evil can make changes to your mobile, it's not your mobile any more.
3. If Dr. Evil can upload programs to your network from your mobile, it's not your website anymore.
4. If Dr. Evil can access data entering or exiting your mobile, it's not your data any more.
5. If Dr. Evil uses your mobile to launch an attack on another network, it's your problem.

Slide 50: 10 Rules
6. If Dr. Evil can use your mobile to access your partner's network, it's your problem.
7. If Dr. Evil can physically access your mobile devices, it's not your data anymore.
8. More often than not, Mini-Me works for you.
9. Dr. Evil knows where you hide your spare keys.
10. Dr. Evil is always faster and smarter.
Slide 51: Take the problem in hand

Slide 52:
26 Dover Street
London
United Kingdom
W1S 4LY
+44 (0)20 3586 1025
www.riskfactory.com
A different perspective from