MOBILE SECURITY - isaca

redlemonbalm, Mobile – Wireless Technologies

10 Dec 2013

MOBILE SECURITY

Balancing Risks and Controls in a Bring Your Own Device Environment

Agenda

Current State of Mobile Devices and Security

Risks and Benefits

Controls
  o Policies and Procedures
  o Data Security
  o Application Security
  o Device Security
  o Infrastructure Security

Tools, Techniques, and Resources

Recommendations

MDM Policy Considerations

Q&A



Current State of Mobile Devices

Mobile Device Deployment

90% of enterprises have already deployed mobile devices, with smartphones being most widely deployed (Gartner, Inc.)

1.2 billion smartphones will enter the market over the next 5 years (ABI Research)

By 2015 mobile app development projects will outnumber native PC projects by a ratio of 4-to-1 (Forbes)

74% of companies allow some sort of BYOD usage (Forbes)



Security Posture

90% have disabled auto-lock on tablets, 75% have disabled it on smartphones (Forbes)

Less than 10% of organizations are “fully aware” of the devices accessing their network (Forbes)

34% store sensitive data such as bank account information and passwords on their phone (Motorola)

55% have found a “work around” to send work email and documents to their personal devices (Motorola)

48% have used their mobile devices to log on to an unsecured network (Motorola)




Current State of Mobile Security

Risks and Benefits

Employee View / Benefits

Why can’t I use my own device?

Why should I carry two devices?

Device preference (iPhone, Android)

“Special” Executive Requests

Competitive advantage

Employee satisfaction

Flexibility and convenience

Increased productivity

Decreased support costs (if properly implemented)

Enterprise View / Risks

Loss of control

Device security
  o Lost or stolen devices
  o Protection of company data
  o Malware
  o Control circumvention (e.g., jailbroken/rooted devices)

Increased support costs

Regulatory Compliance

Controls - Policies and Procedures

Authentication

Device lifecycle

Lost or stolen devices

Jailbroken / rooted devices

Application installation restrictions

Regulatory compliance

Application development standards

End user agreements

Awareness and training

Controls - Data Security

Data encryption
  o In storage
  o In transit

Data Collection, Retention and Usage
  o Secure methods are utilized to collect, store, and use data
  o Data collection is compliant with legal regulations or other governing laws
  o Data collection and usage is appropriate and commensurate with established user agreements
  o Data retention practices are executed in accordance with company policies

Personal and business data

Controls - Application Security

Application configuration

Change and release management

Compliance and vulnerability management

Access controls

Controls - Device Security

Device passcode

Inactivity lock

Antivirus

Patch management

Mobile Device Management (MDM)

Controls - Device Security

Provisioning practices

Factory reset

Mobile device backups

Configuration
  o Only authorized mobile devices are permitted access to internal company wireless networks
  o Only authorized mobile devices (e.g., non-jailbroken) are permitted access to company resources

Controls - Infrastructure Security

Infrastructure configuration

Compliance and vulnerability management

Firewall / Intrusion Detection configuration

Antivirus

Virtual Private Networks

Deployment architecture


Tools and Techniques

Jailbroken/Rooted Devices

Windows, Android, Blackberry - SDK

Backup Tools - Titanium Backup, iTunes etc.

Oxygen Forensic Plist Viewer

Plist Explorer

Java Decompiler

JD GUI

SQLite Database Browser

Charles Proxy

ZAProxy

Resources

NIST
  o Guidelines for Managing and Securing Mobile Devices

Foundstone
  o Mobile Application Security Testing
  o Penetration Testing for iPhone / iPad Applications
  o Penetration Testing Android Applications

OWASP
  o Mobile Security Project
  o Top Ten Mobile Risks
  o Top Ten Mobile Controls
  o Security Testing Guide

Emulators
  o Android
  o BlackBerry
  o iOS
  o Nokia
  o Windows Mobile

Recommendations

Develop mobile device policies and procedures

Enforce authentication controls

Encrypt and protect data on devices

Deploy a MDM solution

White / Black list applications

Monitor firmware updates

Recommendations - continued

Encrypt communications

Monitor mobile devices within the network

Threat intelligence

Develop secure mobile application development practices

Secure supporting infrastructure



MDM Policy Considerations

Category          Policy
Device Passcode   Rooted / Jailbroken Devices
                  Passcode on Mobile Device
                  Alphanumeric in Passcode
                  Passcode Length
                  Number of Special Characters in Password
                  Maximum Passcode Age
                  Allowed Idle Time Before Auto-Lock
                  Password History
                  Number of Failed Passcode Attempts Before Device is Locked
                  Number of Failed Passcode Attempts Before All Data Is Erased
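The Device Passcode rows above map almost one-to-one onto the keys of Apple's passcode-policy configuration-profile payload (com.apple.mobiledevice.passwordpolicy). The Python script below is an added example, not material from the deck: it builds such a profile and refuses settings weaker than a baseline of its own choosing; the baseline thresholds and the com.example payload identifiers are assumptions, not the deck's recommendations.

```python
import plistlib
import uuid

# Baseline thresholds are this example's own choices, not values from the deck.
FLOOR = {"minLength": 6, "pinHistory": 4}           # value must be >= baseline
CEILING = {"maxInactivity": 5,                      # idle minutes before auto-lock
           "maxPINAgeInDays": 90,                   # maximum passcode age
           "maxFailedAttempts": 10}                 # failed attempts before erase

def check_policy(policy):
    """Return findings where `policy` is weaker than the baseline (empty if OK)."""
    findings = []
    if not policy.get("forcePIN"):
        findings.append("forcePIN: passcode not required on device")
    if not policy.get("requireAlphanumeric"):
        findings.append("requireAlphanumeric: numeric-only passcode allowed")
    if policy.get("allowSimple", True):
        findings.append("allowSimple: repeating or sequential passcodes allowed")
    for key, floor in FLOOR.items():
        if policy.get(key, 0) < floor:
            findings.append(f"{key}: {policy.get(key)} is below {floor}")
    for key, ceiling in CEILING.items():
        if policy.get(key) is None or policy[key] > ceiling:
            findings.append(f"{key}: {policy.get(key)} exceeds {ceiling}")
    return findings

def build_profile(policy, org="Example Corp"):
    """Return a .mobileconfig (XML plist) as bytes; raise ValueError if policy is weak."""
    findings = check_policy(policy)
    if findings:
        raise ValueError("policy below baseline: " + "; ".join(findings))
    payload = dict(policy, PayloadType="com.apple.mobiledevice.passwordpolicy",
                   PayloadVersion=1, PayloadDisplayName="Passcode Policy",
                   PayloadIdentifier="com.example.mdm.passcode",  # placeholder id
                   PayloadUUID=str(uuid.uuid4()).upper())
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadDisplayName": f"{org} Device Passcode",
               "PayloadIdentifier": "com.example.mdm.profile",  # placeholder id
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

# Constructed sample policies: one meeting the baseline, one below it.
STRONG = {"forcePIN": True, "requireAlphanumeric": True, "allowSimple": False,
          "minLength": 8, "minComplexChars": 1, "maxPINAgeInDays": 90,
          "maxInactivity": 2, "pinHistory": 5, "maxFailedAttempts": 10}
WEAK = dict(STRONG, requireAlphanumeric=False, minLength=4, maxInactivity=15)
if __name__ == "__main__":
    print(check_policy(WEAK))
    print(build_profile(STRONG).decode())
```

The emitted profile is a plain XML plist that an MDM or Apple Configurator can push; the check runs before anything is emitted, so a weak policy never reaches a device.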

MDM Policy Considerations

Category              Policy
Device Functionality  Installation of Applications
                      Use of Camera
                      Screen Capture
                      OS Version
                      Hardware Encryption Status
                      Remote Wipe
                      Siri (iPhone only, Locked or Unlocked)
                      Enroll / Delete MDM Solution
                      Allow diagnostic data to be sent
                      Untrusted TLS Prompt (when disabled, the device will automatically reject untrusted HTTPS certificates without prompting the user)

MDM Policy Considerations

Category              Policy
Device Functionality  SIM Changes
                      Monitor Roaming Data Usage
Device                Antivirus
                      Device Firewall
                      Device Connectivity to the MDM Servers
Compliance            Restricted Applications (App Blacklist)
                      Allowed Applications (App Whitelist)
                      Required Applications

MDM Policy Considerations

Category      Policy
Applications  Allow/Disallow Use of Market
              Auto Fill in Browsers
              JavaScript on Websites
              Website Pop-ups
Backup        Cloud Backup
              Contacts Sync
              Document Sync
              Photo Stream Sync

Q&A

Balancing Risks and Controls in a BYOD Environment