Source: mobile experience and security - a delicate balance.ppt (dated 2013-11-05)

Mobile Experience and Security - A Delicate Balance

Jeff Keller, CISA, CIA, CFSA
SVP/Senior Audit Director, Technology, Projects, Due Diligence

2

Admin Items

• Please put phones on vibrate

• Please take calls outside the room

• Participation is HIGHLY encouraged

3

Agenda

• Introduction

• Mobile History

• Risks & Vulnerabilities

• Mitigating Risk

• BYOD

• Questions

4

Introduction

• This session will focus on the increasing use of mobile devices, the associated risks, and the mitigants.

• Not intended to be the "be-all, end-all" course on mobile security.

• Give you some things to consider, and to ponder how you balance security with end user and customer needs.

• Myself: Senior Audit Director at a North American top 10 bank, 20+ years of experience in audit and financial services.

5

Mobile History

• Over the past 15 to 20 years there have been significant technology advances in mobile devices, ranging from the brick phone, to the more compact personal cell phone, to personal digital assistants (PDAs), and ultimately to the smartphones of today.

• The original worry of most companies during this revolution was the security of voice data, soon morphing into the larger worry of corporate data traversing the airwaves.

• These devices and their advances in capabilities have extended the boundaries of the office. This has blurred the lines of where your network starts and stops.

• These devices also have huge storage capacity; data (not just traffic) can now be "at rest" on devices that are easily lost.

• Reminiscent of the early days of remote access service (RAS) and online business content.

6

Mobile History

• Simple voice data

• Not a large adoption rate

• Not in the hands of every employee in the country

• More of a novelty

How it used to be...

7

Mobile History

• No longer just voice traffic

• Huge adoption rate

• Many employees now use them

• Most view them as a key tool in their business arsenal

• Great for productivity

• Large increase in risks

• Now you need to think about how your customers access your business

How it is now...

8

Mobile History

Evolution of Mobile Devices (EY – Insights on IT Risk, Jan 2012)

"When the first BlackBerry smartphone was released in the early 2000s, corporations recognized the benefits of remote email and calendar access and began providing smartphones with network access to a large percentage of their workforce, effectively establishing the idea of 24-hour connectivity. The popularity of smartphones extended beyond business users with the release of Apple's iPhone and later devices running Android, BlackBerry, Windows Mobile and Windows Phone 7 operating systems. Features expanded beyond just email and web browsing; mobile devices now have the ability to take photos, run custom applications, view rich content websites with Flash and JavaScript, connect to other devices and networks wirelessly, establish virtual private network (VPN) connections, and act as data traffic conduits for other devices (known as tethering)."

9

Mobile History

Evolution of Mobile Devices (EY – Insights on IT Risk, Jan 2012)

"With the increase in mobile device capabilities and subsequent consumer adoption, these devices have become an integral part of how people accomplish tasks, both at work and in their personal lives. Although improvements in hardware and software have enabled more complex tasks to be performed on mobile devices, this functionality has also increased the attractiveness of the platform as a target for attackers."

10

Risks & Vulnerabilities

Market Share

Source: comScore Reports June 2013

11

Risks & Vulnerabilities

12

Risks & Vulnerabilities

• Key Risk Considerations

Stolen or Lost Devices

Data Loss / Breach

Exposure of Corporate network to Malware

Communication Interception

13

Risks & Vulnerabilities

• Stolen & Lost Devices

A lost or stolen device can create significant exposure if it is not properly locked down and equipped to wipe sensitive data.

Exposes the company to potential access to sensitive corporate, employee, or customer data.

Can result in legal, regulatory and reputational issues (anyone recall the data breach issues of the past 10 years on the network side?)

14

Risks & Vulnerabilities

• Data Loss / Breach

Human nature: mobile users tend to downplay the risk associated with smartphones and assume there is little or no risk.

Insecure architecture rollouts, an unmanaged environment, no standard builds.

The open nature of application development on the Android platform has introduced vulnerabilities commensurate with what is found on PC platforms.

Devices can now store a significant amount of data.

15

Risks & Vulnerabilities

• Exposure of Corporate Network to Malware

Mobile malware may not be a significant threat today; however, growing adoption in most companies and weaknesses in certain platforms will drive criminals down the same path we went down at the beginning of the dot-com era.

Given the potential financial gains for these criminals (access to personal financial data and the ability to intercept financial transactions as devices increasingly become the platform of choice for mobile transactions), it is likely that mobile devices will become the next malware frontier.

Corporate networks are now at risk as users' devices become infected with malware and those devices become entry points.

16

Risks & Vulnerabilities

• Communication Interception

Communication interception is a threat to any device that connects to a network, and mobile devices are no exception.

The advantage smartphones have is that their communications are usually encrypted over cell networks, requiring would-be attackers to have specialized equipment and tools to listen to the conversations between the device and cell towers. However, this link-layer encryption can be broken (the GSM A5/1 cipher in particular), and the methodology to do so is well documented and publicly available.

Wi-Fi connections of smartphones also pose a communication interception threat. With most smartphones now containing Wi-Fi capabilities, the risk of Wi-Fi sniffing and interception is increasingly prevalent, especially on open or shared networks. In either case the practical control is end-to-end encryption of the application traffic (TLS/VPN) rather than reliance on the carrier or access point.

17

Risks & Vulnerabilities - Recent Examples

In news that will no doubt be of great concern to owners of HTC smartphones, a security team is claiming to have uncovered a "massive security vulnerability" in HTC Android devices that allows any application with Internet access to gain access to private data, including user accounts, email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC's software, including the EVO 3D, EVO 4G, Thunderbolt, and others.

The reported vulnerability, which has left those who discovered it (Justin Case, Trevor Eckhart and Artem Russakovskii from Android Police) speechless, involves a suite of logging tools included in recent HTC modifications to the Android operating system in EVO and Thunderbolt models that collect a stack of information on the user's phone. But not only do the modifications collect a swathe of information, they also allow nefarious types to send that data to wherever on the Internet they like.

GizMag.com, Darren Quick, October 2, 2011

18

Risks & Vulnerabilities - Recent Examples

19

Risks & Vulnerabilities - Recent Examples

Of 108 new malicious programs for mobile devices identified in 2012, Symantec found, 103 (more than 95%) targeted Android devices. Just one mobile threat targeted Apple's iOS operating system during the same period.

If you assumed that was because Android was the operating system with the most exploitable vulnerabilities, you would be wrong. In fact, just the opposite is true.

It's Apple's iOS that was the source of almost all the documented mobile application vulnerabilities among the mobile platforms Symantec monitored, including Android, iOS, BlackBerry, Windows Mobile and the like. iOS accounted for 387 of 415 documented vulnerabilities across all mobile platforms, a bit more than 93 percent. Note that the two figures measure different things: malware counts reflect where attackers choose to invest (an open distribution model), while documented vulnerability counts reflect where researchers look, not how easy the platform is to exploit in practice.

Source: Symantec Corp.'s Internet Security Threat Report (ISTR) for 2012

20

Mitigating Risk

So, what can we do? Did we learn from the past??

• Main areas of focus to address these issues:

1. Robust Policies, Procedures & Standards

2. Employee Security Awareness Program

3. Secure the Device

4. Secure the Data

5. Secure the Applications

21

Mitigating Risk

• Robust Policies, Procedures & Standards

Create/have a strong mobile strategy.

  • An effective strategy must clearly specify where corporate data is permitted to reside: on the device, on the network, on a public cloud service, or some combination of the three.

  • Classify the types of information that can be exchanged between the device and the corporate network.

Create and implement an IT policy that governs usage, ensures employees understand it, and is aligned with the mobile strategy.

  • Assess which applications are appropriate for the company's needs

  • Give explicit guidance on management of the mobile deployment

  • Create secure builds, and do not allow exceptions

  • Perform technical security assessments on mobile devices and the supporting infrastructure

  • Continually monitor for new threats

22

Mitigating Risk

• Employee Security Awareness Program

Leverage your company's existing security awareness program

  • Clearly articulate the security risks associated with smartphones

  • Make sure employees understand acceptable use policies

  • Limit employees' ability to install applications

  • Provide appropriate training where necessary

  • Encourage healthy skepticism

23

Mitigating Risk

• Secure the Device

Remote locking enabled

Enforce device encryption

Enforce password security

Ensure OS levels are up to date

Enforce policies consistent with other endpoints

Secure build enforced for all users

Anti-malware (not that prevalent yet)

Perform periodic technical security assessments

24

Mitigating Risk

• Secure the Data

Remote locking enabled

Enforce device encryption

Enforce password security

Enable remote data wiping (or selective wipe of corporate data only)

Strong identity management (leveraging the corporate IDM)

Tie into DLP plans

Centralized security management solution

Limit the data that can be stored on the mobile device
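The "Secure the Device" and "Secure the Data" checklists above become actionable once they are expressed as a baseline that an inventory can be evaluated against. The script below is an added example, not from the deck or from any MDM vendor: it assumes a hypothetical MDM export with the fields shown (real MDM APIs name them differently), uses illustrative thresholds for minimum OS, passcode length and check-in age, and maps each device's findings to an escalation (selective wipe for a device reported lost, cutting off corporate data for a rooted or unencrypted device, a grace period for the rest).

```python
"""Device/data compliance check over a constructed MDM inventory export.

Added example (not from the deck). It assumes a hypothetical MDM export with the
fields below; real MDM APIs name them differently. Thresholds are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative baseline mirroring the "Secure the Device" / "Secure the Data" bullets
MIN_OS = {"ios": (7, 0), "android": (4, 3)}        # assumption: minimum supported OS
MIN_PASSCODE_LEN = 6                               # assumption: passcode policy
MAX_CHECKIN_AGE = timedelta(days=7)                # devices silent longer than this are suspect
NOW = datetime(2013, 11, 5, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible


@dataclass
class Device:
    device_id: str
    platform: str             # "ios" or "android"
    os_version: str           # e.g. "7.0.4"
    encrypted: bool           # storage encryption enabled
    passcode_len: int         # 0 = no passcode set
    jailbroken: bool          # jailbroken / rooted
    remote_lock_capable: bool # MDM can lock/wipe it
    last_checkin: datetime
    reported_lost: bool = False


def parse_version(version):
    """'4.1.2' -> (4, 1, 2); tuples compare element-wise, so (7, 0, 4) >= (7, 0)."""
    return tuple(int(p) for p in version.split("."))


def evaluate(dev, now=NOW):
    """Return the list of policy findings for one device (empty list = compliant)."""
    findings = []
    if dev.reported_lost:
        findings.append("reported lost")
    if dev.jailbroken:
        findings.append("jailbroken/rooted")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if dev.passcode_len < MIN_PASSCODE_LEN:
        findings.append("passcode below minimum length")
    if parse_version(dev.os_version) < MIN_OS[dev.platform]:
        findings.append("OS below minimum version")
    if not dev.remote_lock_capable:
        findings.append("remote lock/wipe unavailable")
    if now - dev.last_checkin > MAX_CHECKIN_AGE:
        findings.append("stale check-in")
    return findings


def decide_action(findings):
    """Escalate: lost -> lock and selective wipe; rooted or unencrypted -> cut corporate data."""
    if "reported lost" in findings:
        return "remote_lock_and_selective_wipe"
    if "jailbroken/rooted" in findings or "storage not encrypted" in findings:
        return "block_corporate_data"
    if findings:
        return "notify_and_grace_period"
    return "compliant"


def sample_inventory():
    """Constructed records, not real devices."""
    return [
        Device("D1", "ios", "7.0.4", True, 6, False, True, NOW - timedelta(days=1)),
        Device("D2", "android", "4.1.2", False, 4, False, True, NOW - timedelta(days=2)),
        Device("D3", "ios", "6.1.3", True, 4, True, True, NOW - timedelta(days=10)),
        Device("D4", "android", "4.3", True, 6, False, True, NOW - timedelta(hours=3),
               reported_lost=True),
    ]


def run_report(devices, now=NOW):
    """Map device_id -> (action, findings) for a whole inventory."""
    report = {}
    for dev in devices:
        findings = evaluate(dev, now)
        report[dev.device_id] = (decide_action(findings), findings)
    return report


if __name__ == "__main__":
    for dev_id, (action, findings) in run_report(sample_inventory()).items():
        print(f"{dev_id}: {action} {findings}")
```

The ordering in decide_action is the point worth copying: a device reported lost is wiped regardless of how compliant it otherwise looks, and an unencrypted or rooted device loses corporate data access before any user-facing reminder is sent, because remote lock alone does not protect data at rest on such a device.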

25

Mitigating Risk

• Secure the Mobile Applications

Have an enterprise application store

Enforce app scanning and certification before publication

Maintain control of the applications that can be installed

Centralized security management solution

Train application developers in secure coding (ring a bell?)

Assess classic threats against the web-based applications and infrastructure the mobile apps talk to
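"App scanning and certification" for an enterprise store starts with static checks on what an app declares about itself. The script below is an added example, not from the deck or from any vendor scanner: it assumes the APK's AndroidManifest.xml has already been decoded to text (for instance with apktool), treats the permission list as an illustrative organisational choice, and flags debuggable builds, backup left enabled, and components reachable from other apps without a protecting permission. The sample manifest is constructed for the example.

```python
"""Intake check for an enterprise app store: flag risky settings in a decoded
AndroidManifest.xml. Added example, not from the deck or any vendor tool.
Assumes the manifest has already been decoded to text (e.g. with apktool);
REVIEW_PERMISSIONS is an illustrative organisational list, not an Android one."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Namespaced attribute key as ElementTree stores it: '{ns}attr'."""
    return f"{{{ANDROID_NS}}}{attr}"


# Permissions that trigger manual review for a line-of-business app (assumption)
REVIEW_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_LOGS", "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(comp):
    """Explicit android:exported wins; otherwise a component with an intent-filter is
    exported by default, and providers default to exported on older targetSdkVersions,
    so both are treated as exported here."""
    explicit = comp.get(a("exported"))
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None or comp.tag == "provider"


def is_launcher(comp):
    """The MAIN/LAUNCHER activity must be exported; do not flag it."""
    return any(act.get(a("name")) == "android.intent.action.MAIN"
               for act in comp.iter("action"))


def scan_manifest(xml_text):
    """Return a list of human-readable findings for the manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {e.get(a("name")) for e in root.iter("uses-permission")}
    for perm in sorted(requested & REVIEW_PERMISSIONS):
        findings.append(f"requests {perm}")
    app = root.find("application")
    if app is None:
        return findings
    if app.get(a("debuggable")) == "true":
        findings.append("debuggable build")
    if app.get(a("allowBackup"), "true") == "true":   # attribute defaults to true when omitted
        findings.append("allowBackup not disabled")
    for comp in app:
        if (comp.tag in COMPONENT_TAGS and is_exported(comp)
                and comp.get(a("permission")) is None and not is_launcher(comp)):
            findings.append(f"exported {comp.tag} {comp.get(a('name'))} without permission")
    return findings


def verdict(findings):
    """Debuggable builds never ship; anything else flagged goes to manual review."""
    if "debuggable build" in findings:
        return "reject"
    return "review" if findings else "approve"


# Constructed sample manifest (not a real app)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.expenses">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <application android:label="Expenses" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".UploadService" android:exported="false"/>
    <provider android:name=".ReceiptProvider"
              android:authorities="com.example.expenses.receipts"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = scan_manifest(SAMPLE_MANIFEST)
    print(verdict(found), found)
```

READ_LOGS is on the review list deliberately: it is the permission that made the HTC logging issue quoted earlier exploitable by ordinary apps, and it is rarely justified in a business application.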

26

BYOD

• Bring Your Own Device

Quickly gaining in popularity in the corporate world.

"Consumerization" of IT is making this possible.

Potential cost savings for the company.

The employee gets to use their own personal device, with the dual benefit of empowering the employee and improving productivity.

There are certainly security risks, but they can be managed using existing technologies (the same device, data and application controls described above, applied to personally owned devices).

27

BYOD

Bring Your Own Device

• Citrix "Global BYO Index"

Almost all—92 percent—of the companies surveyed reported that some workers are already using non-company-issued computing devices for work-related tasks. Those surveyed indicated that around 28 percent of the workforce is already using non-company-issued computing devices for work-related tasks, and this percentage is expected to rise to 35 by mid-2013.

Almost half of all companies surveyed (44 percent) already have some sort of formal BYO policy in place. Nearly every company (94 percent) expects to have a BYO policy by mid-2013, 81 percent of which are expected to apply this policy company-wide.

Of the companies that currently do not see workers using personal devices in the workplace, three quarters (74 percent) expect them to be in common use in their organizations within two years.

28

BYOD

Bring Your Own Device

(Slides 28 to 41 are image-only BYOD slides; no text is recoverable from them.)

42

Questions?

Remember – Balance security needs with user needs.

“Security is inversely proportionate to convenience”