IT Audit strategies, policies, and techniques

for mobile phone platforms

August 2013

ISACA Geek Week

Robert Morella MBA, CISA, CGEIT, CISSP

[email protected]

1



Been there done that:

IT Systems

IT Architecture / Governance

IT Security

Cybercrime Investigator

IT Auditor

ISACA QAT

Geek Ham Radio/Electronics/Car Stuff/Etc, Etc.

2

Where we are today

Major Threats

Data, the only thing that matters

Device Classification

MDTLRP

(Mobile Device Theft Loss Response Plan)

Some Simple Ideas to Reduce Risk

3

Long long time ago: Palm OS 1996

RIM Blackberry 1999

Windows Mobile 2000, Windows Phone 2010

iPhone 2007

Android ~2008

Newer, Better, Faster, More Secure?

4

Dark Ages: Blackberry, Blackberry, Blackberry

Middle Ages: Two phone era

Modern Times: Rise of the MDM Machines

MDM: Mobile Device Managers

5

MDM is all about wrappers and boxes

Containers (boxes inside boxes)

Device controls / policies may vary

MDM Examples:

Airwatch, Good for Enterprise, MobileIron, Symantec, Citrix, IBM, Zenprise, RIM BES (about 140 vendors)

6

7

[Diagram: what lives inside and outside the MDM container]

MDM container: email, calendar

MDM container: file share, messaging

Stuff outside the box: Google Drive / Dropbox, iCloud, personal email, apps, VNC / RDP, EasyShare, location tracking, voice recording

8

1) Web and Network based Attacks

Malicious Web page exploits vulnerable client

2) Mobile Malware

iPhoneOS.Ikee worm

Android.Pjapps threat

3) Social Engineering Attacks

Certificate update email

Fake login pages, SMS and email scams

9

4) Resource Abuse

Spam emails, SMS, or DOS attacks from compromised devices

Target websites or carrier voice or data network.

5) Data Loss

Exfiltration of data from device or network, either unintentional or malicious.

Device Theft, removal of SIM/SD card

Data stores can include PCs and Cloud backups used for devices

10

6) Data Integrity

Deleting or encrypting for ransom user data

11

Use of personal email for business

Unencrypted Backups, or No backups

Weak passwords

Passwords on device (email, note app)

Jailbroken Devices

Use of Cloud Data Services

Insert Bad Practice Here ________

Photographing documents

Audio recordings

Leaving device on dash, in bars, etc.

12

96% of lost SmartPhones were accessed by those who found it.

50% of those who found an app labeled as allowing remote access, ran that app

60% tried to read email, social media

80% tried to read corporate info such as files labeled as HR Salaries or HR Cases

Intentionally lost 50 smartphones in five cities (Wash DC, Los Angeles, San Francisco, and Ottawa, Canada). Phones were loaded with fake apps and surveillance software.

13

Implement MDM

Say No

Create Policy

Train Users

More than that?

14

Device?

Network?

Data?

15

Wall off the data

Physical/Logical Controls

Access controls

Authorization/Authentication

Data classification

Implement appropriate security controls

Which of the above is more complex with respect to the XLS file your CIO emailed to him/herself?

16

Data Inventory

Data Classification

What

Data Ownership, Authorization

Who

Data Location

Where

17

Mobile devices are part of your database

As auditors we need to think beyond the device

Think about what DATA each functional area MIGHT put on their mobile device, not what they should put on the device.

Think about the impact if that data were left on the street, in a car, or in a bar. On a plane, or in a train...

Same conversation has to happen for cloud, of course!

18

Mobile devices, just like cloud, mean our old ways of looking at data controls need a refresh

Data Lifecycle

What, Who, Where

How data is used

What business processes do the data support?

19

Three mobile devices: CEO, Auditor, AP Clerk

It gets stolen (or left in a car, or in a bar...)

Which one do you worry about the most?

20

Divide users into groups based on risk profile

Divide users into groups based on data classification

All mobile users are not the same

Build security controls relevant to risk

May be overkill for small shops

21

Level I devices:

Senior executives

Network administrators

IT Security

Level II devices:

Marketing Reps

Financial Accounting

HR

Level III devices:

Internal Audit, Janitorial Staff, etc.

22

Strong Controls/procedures for Level I devices:

All policies must be set

Maybe cannot be personal device?

Each device personally validated by IT

Each device is personally supported by IT

23

Work with data classified as confidential

Use device operationally or informationally

Transfer data files using cloud services

Use mobile device for root access to systems

Device in scope for SOX?

24

No PII, HIPAA, Non-public data

No stepping stones to other breach

Device Classification may help with sleep!!

25

DR plan?

What do you do when the phone of a top exec gets stolen?

Is there a real plan, or just a vague idea?

MDTLRP

Mobile Device Theft Loss Response Plan

(I made that up)

26

OK, pop quiz, without looking at your phone

It's Superbowl Sunday, you left your phone at the bar, or on your car.

You need to report it stolen: who do you call?

Controls to prevent fake reporting

A significant attack would be if an attacker reported the mobile devices stolen for a large number of executives. Reporting it stolen is one way to wipe someone’s data.

27

How (hopefully you have another phone)

Where is the number stored?

24 hour help desk?

You know the serial number of your phone?

You know every app that has a password on your phone?

28

Credit card number inventory

The phone number to call is in your phone

29

Provide a business card or laminated card: in case of a lost or stolen device, call this #

Maybe leave space to write important passwords (kidding, don’t do this)

Part of DR / BCP plan too?

30

1) Report phone as stolen to carrier

2) Report to IT security, who initiates remote wipe

3) Reset passwords for everything

4) Obtain new phone

31

32

While this seems obvious, the call to the carrier is only to prevent misuse of voice/data service. You NEED cellular access to wipe the device, so having the phone deactivated by the carrier would potentially be an issue, unless the carriers have a way around this.
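The four-step plan above, with the two controls the slides ask for built in, as an added example that is not from the deck: a report must be verified before the remote wipe is issued (so a forged "stolen" report cannot be used to wipe an executive's data), and carrier deactivation is held until the wipe has been acknowledged or a grace period has passed, because the wipe needs cellular service to reach the device. The inventory, the callback-to-alternate-number verification rule and the four-hour grace period are assumptions, not anything the deck specifies.

```python
"""Mobile Device Theft Loss Response Plan (MDTLRP) as an enforced checklist.

Added example, not from the ISACA deck. Inventory, the verification rule and
the grace period are assumptions; adapt them to the local help-desk process.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed device inventory: serial -> owner and the alternate number on file.
INVENTORY = {
    "SN-1001": {"owner": "ceo.jones", "alt_contact": "+1-555-0100"},
    "SN-2002": {"owner": "ap.clerk", "alt_contact": "+1-555-0199"},
}

WIPE_GRACE = timedelta(hours=4)   # assumed: how long to wait for a wipe ack


class ResponseError(Exception):
    """Raised when a step is attempted out of order or without verification."""


@dataclass
class Incident:
    serial: str
    reported_by: str
    opened_at: datetime
    verified: bool = False
    wipe_issued_at: datetime = None
    wipe_acked: bool = False
    completed: list = field(default_factory=list)


def open_incident(serial, reported_by, now):
    # Unknown serial: nothing to act on. The user reads it off their laminated card.
    if serial not in INVENTORY:
        raise ResponseError("serial not in inventory: cannot act on an unknown device")
    return Incident(serial, reported_by, now)


def verify_report(inc, callback_number):
    """Gate against fake reporting: the help desk calls back the alternate
    number on file, and only the device's owner may trigger a wipe."""
    rec = INVENTORY[inc.serial]
    if inc.reported_by != rec["owner"] or callback_number != rec["alt_contact"]:
        raise ResponseError("report not verified: refusing to wipe")
    inc.verified = True
    inc.completed.append("verify")


def issue_remote_wipe(inc, now):
    if not inc.verified:
        raise ResponseError("wipe refused: report not verified")
    inc.wipe_issued_at = now
    inc.completed.append("wipe")


def ack_wipe(inc):
    """Called when the MDM reports the wipe command was delivered."""
    inc.wipe_acked = True


def notify_carrier(inc, now):
    """Deactivating service before the wipe lands may strand the wipe command."""
    if inc.wipe_issued_at is None:
        raise ResponseError("issue the remote wipe before deactivating service")
    if not inc.wipe_acked and now - inc.wipe_issued_at < WIPE_GRACE:
        raise ResponseError("wipe not acknowledged yet; wait for ack or grace period")
    inc.completed.append("carrier")


def reset_passwords(inc):
    inc.completed.append("reset_passwords")


def replace_device(inc):
    inc.completed.append("replace")


def is_closed(inc):
    return inc.completed == ["verify", "wipe", "carrier", "reset_passwords", "replace"]


def run_sample():
    """Walk one constructed incident through the plan and return it."""
    t0 = datetime(2013, 8, 10, 18, 0)
    inc = open_incident("SN-1001", "ceo.jones", t0)
    try:                                  # wrong callback number: report refused
        verify_report(inc, "+1-555-0000")
    except ResponseError:
        pass
    verify_report(inc, "+1-555-0100")
    issue_remote_wipe(inc, t0 + timedelta(minutes=10))
    try:                                  # too early: no ack and grace not elapsed
        notify_carrier(inc, t0 + timedelta(minutes=15))
    except ResponseError:
        pass
    ack_wipe(inc)
    notify_carrier(inc, t0 + timedelta(minutes=20))
    reset_passwords(inc)
    replace_device(inc)
    return inc


if __name__ == "__main__":
    print(run_sample().completed)
```

The ordering is deliberate: the deck lists the carrier call first and then notes that deactivation can block the wipe, so the tracker refuses the carrier step until the wipe is acknowledged or the grace period runs out.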

Phone-stolen test

What if phone is stolen intentionally as part of a more persistent attack?

Monitor email addresses on phone?

Track phone numbers on phone? Look for Social Engineering Attacks

Monitor connection attempts to network resources

Multiple failed logins on VPN account stored on stolen phone are not just a coincidence

Put credit watch on, in case of possible exposed PII?

33

Buy a gift card, put the number unencrypted on the phone; if it gets used, the device has been breached.

Email system is a database:

Show emails from cloud services?

CSP may provide/block emails to your domain?

If the policy is 'no cloud services', then explain this Dropbox password-reset email.

Create a server (in the cloud) and leave its IP and login credentials unencrypted on the device. If a connection happens, you got breached.
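The "phone-stolen test" above and the canary-credential ideas (honey server login left on the device, failed VPN logins for an account from a stolen phone being no coincidence) come down to watching authentication logs for two signals. The detector below is an added example, not from the deck: it parses a constructed key=value auth-log format (an assumption; real VPN and server logs differ), alerts on any use of a canary account, and alerts when an account tied to a reported-stolen device accumulates a burst of failed logins inside a sliding window.

```python
"""Watch auth logs for canary-credential use and post-theft login bursts.

Added example, not from the ISACA deck. The log format, account names and
thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape: "<ISO timestamp> <host> auth: key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["host"] = m.group("host")
    return fields


def analyze(lines, stolen_accounts, canary_accounts,
            fail_threshold=3, window=timedelta(minutes=10)):
    """Return alerts as (kind, user, host, src) tuples.

    stolen_accounts: accounts whose device was reported lost/stolen and whose
      passwords have not yet been reset (remove them after the reset).
    canary_accounts: credentials planted on devices that nobody should ever use.
    """
    alerts = []
    failures = defaultdict(deque)          # user -> timestamps of recent failures
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, result, src = ev.get("user"), ev.get("result"), ev.get("src")
        # Any use of a canary credential, success or failure, means the device's
        # contents are being read by someone else.
        if user in canary_accounts:
            alerts.append(("CANARY_USED", user, ev["host"], src))
            continue
        if user not in stolen_accounts:
            continue
        if result == "OK":
            alerts.append(("STOLEN_ACCOUNT_LOGIN", user, ev["host"], src))
        elif result == "FAIL":
            q = failures[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) == fail_threshold:            # alert once when the burst is reached
                alerts.append(("FAILED_LOGIN_BURST", user, ev["host"], src))
    return alerts


# Constructed sample log (not real data). svc_backup is the honey-server login
# left on the device; ceo.jones's phone has just been reported stolen.
SAMPLE_LOG = """\
2013-08-10T14:00:05 vpn01 auth: user=amartin result=OK src=198.51.100.20
2013-08-10T14:02:11 vpn01 auth: user=ceo.jones result=FAIL src=203.0.113.7
2013-08-10T14:03:40 vpn01 auth: user=ceo.jones result=FAIL src=203.0.113.7
2013-08-10T14:05:02 vpn01 auth: user=ceo.jones result=FAIL src=203.0.113.7
2013-08-10T14:06:30 vpn01 auth: user=ceo.jones result=FAIL src=203.0.113.7
2013-08-10T14:20:00 honey01 auth: user=svc_backup result=OK src=203.0.113.7
this line is not an auth record and is skipped
"""


def run_sample():
    return analyze(SAMPLE_LOG.splitlines(), stolen_accounts={"ceo.jones"},
                   canary_accounts={"svc_backup"})


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

The fourth failed login for ceo.jones does not raise a second alert because the burst alert fires only when the window count reaches the threshold; once the account's password has been reset it should leave the stolen list so normal use does not keep paging the help desk.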

34

So as Auditors, how do we put arms around this?

Data controls, or lack thereof

Device classification, or lack thereof

Security controls tailored to each?

35

Ask?

1) Survey users to identify Level I from II and III

2) Collect data as part of audit of functional area

3) Consider impact to overall controls over data

36

Sample Mobile Device Survey Questions

1) Please list the type (make, model, etc.) of mobile device(s) you use for business purposes.

2) What business functions do you perform using your mobile device(s)?

a) e‐mail__

b) calendar ___

c) connect to servers____

d) connect to workstation to transfer files ___

e) connect to enterprise systems,____
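The survey above exists to sort users into the Level I/II/III groups from slides 21 to 24. The script below is an added example, not from the deck: it holds one survey response per user, applies the deck's criteria (role, confidential data, SOX scope, root access from the device, cloud file transfer, which systems the device connects to) and returns a level with the reasons, then groups users by level. The exact mapping rules and the role lists are assumptions built from the deck's examples and should be tuned locally.

```python
"""Assign mobile devices to Level I / II / III from survey answers.

Added example; it is not from the ISACA deck. Survey fields mirror the deck's
sample questions; the mapping rules and role lists are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed role groups, taken from the deck's Level I and Level II examples.
LEVEL_I_ROLES = {"senior executive", "network administrator", "it security"}
LEVEL_II_ROLES = {"marketing rep", "financial accounting", "hr"}

# Survey question 2 answers that reach past the phone into company systems.
SERVER_SIDE_FUNCTIONS = {"servers", "workstation", "enterprise"}


@dataclass
class SurveyResponse:
    user: str
    role: str
    devices: list                                   # question 1: make/model per device
    functions: set = field(default_factory=set)     # question 2: {"email", "calendar", "servers", ...}
    confidential_data: bool = False                 # works with data classified confidential
    root_access: bool = False                       # uses the device for root access to systems
    cloud_transfer: bool = False                    # transfers data files via cloud services
    sox_scope: bool = False                         # device in scope for SOX


def classify(r):
    """Return (level, reasons). Level 1 is the highest-risk tier."""
    reasons = []
    role = r.role.strip().lower()
    # Level I: anything that makes the device a stepping stone to a bigger breach.
    if role in LEVEL_I_ROLES:
        reasons.append("role is in the Level I group")
    if r.root_access:
        reasons.append("root access to systems from the device")
    if r.sox_scope:
        reasons.append("device in scope for SOX")
    if r.confidential_data and r.functions & SERVER_SIDE_FUNCTIONS:
        reasons.append("confidential data reachable from enterprise systems")
    if reasons:
        return 1, reasons
    # Level II: handles sensitive business data but is not an admin foothold.
    if role in LEVEL_II_ROLES:
        reasons.append("role is in the Level II group")
    if r.confidential_data:
        reasons.append("works with confidential data")
    if r.cloud_transfer:
        reasons.append("moves files through cloud services")
    if r.functions & SERVER_SIDE_FUNCTIONS:
        reasons.append("connects to servers, workstations or enterprise systems")
    if reasons:
        return 2, reasons
    return 3, ["email/calendar only; no sensitive data or system access reported"]


def group_by_level(responses):
    """Divide users into groups based on risk profile (slide 21)."""
    groups = defaultdict(list)
    for r in responses:
        level, _ = classify(r)
        groups[level].append(r.user)
    return dict(groups)


# Constructed sample responses (not real survey data).
SAMPLE = [
    SurveyResponse("ceo.jones", "Senior Executive", ["iPhone 5"], {"email", "calendar"}),
    SurveyResponse("ap.clerk", "Accounts Payable", ["Android"], {"email"}, cloud_transfer=True),
    SurveyResponse("int.audit", "Internal Audit", ["Blackberry"], {"email", "calendar"}),
    SurveyResponse("mkt.rep", "Marketing Rep", ["Android"], {"email", "servers"}, root_access=True),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.user, *classify(r))
    print(group_by_level(SAMPLE))
```

Note that the marketing rep lands in Level I despite a Level II role: the deck's point is that the data and access on the device, not the job title, decide the risk, so the Level I tests run first and a single match is enough.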

37

Find out who your worst user is and what they are doing or attempting to do with their phone…the whole policy is for them!

Does your policy address everything he/she does?

Trust yet verify

Email data mining

Emails from cloud services to your mail servers

Expense reports for cloud services through AP

38

Simple web-based and/or video training

Lost/stolen procedures

Best practices, recommended settings

How to identify signs of malware

Make folks aware that BYOD device is now part of policy

39

40

Device security checkup (optional for Level II and III, mandatory for Level I)

Test that remote detection works

Test that remote wipe works

Look for risky apps

Device self service saves cost, but boosts risks

Where we are today

Major Threats

Data, the only thing that matters

Device Classification

MDTLRP

(Mobile Device Theft Loss Response Plan)

Some Simple Ideas to Reduce Risk

41

Thanks!

42