IT Audit strategies, policies, and techniques
for mobile phone platforms
August 2013
ISACA Geek Week
Robert Morella MBA, CISA, CGEIT, CISSP
Been there, done that:
IT Systems
IT Architecture / Governance
IT Security
Cybercrime Investigator
IT Auditor
ISACA QAT
Geek: ham radio, electronics, car stuff, etc., etc.
Where we are today
Major Threats
Data, the only thing that matters
Device Classification
MDTLRP
(Mobile Device Theft Loss Response Plan)
Some Simple Ideas to Reduce Risk
Long, long time ago: Palm OS 1996
RIM Blackberry 1999
Windows Mobile 2000 / Windows Phone 2010
iPhone 2007
Android ~2008
Newer, Better, Faster, More Secure?
Dark Ages: Blackberry, Blackberry, Blackberry
Middle Ages: Two phone era
Modern Times: Rise of the MDM Machines
MDM: Mobile Device Managers
MDM is all about wrappers and boxes
Containers (boxes inside boxes)
Device controls / policies may vary
MDM Examples:
AirWatch, Good for Enterprise, MobileIron, Symantec, Citrix, IBM, Zenprise, RIM BES (about 140 vendors)
Stuff Outside the box
Google Drive / Dropbox
iCloud
Personal Email
Apps
VNC / RDP
EasyShare
Location Tracking
Voice Recording
1) Web and Network based Attacks
Malicious Web page exploits vulnerable client
2) Mobile Malware
iPhoneOS.Ikee worm
Android.Pjapps threat
3) Social Engineering Attacks
Certificate update email
Fake login pages, SMS and email scams
4) Resource Abuse
Spam emails, SMS, or DOS attacks from compromised devices
Target websites or carrier voice or data network.
5) Data Loss
Exfiltration of data from device or network, either unintentional or malicious.
Device Theft, removal of SIM/SD card
Data stores can include PCs and Cloud backups used for devices
Use of personal email for business
Unencrypted Backups, or No backups
Weak passwords
Passwords on device (email, note app)
Jailbroken Devices
Use of Cloud Data Services
Insert Bad Practice Here ________
Photographing documents
Audio recordings
Leaving device on dash, in bars, etc.
96% of lost smartphones were accessed by whoever found them.
50% of finders who saw an app labeled as allowing remote access ran it.
60% tried to read email or social media.
80% tried to read corporate information, such as files labeled "HR Salaries" or "HR Cases".
Method: 50 smartphones were intentionally "lost" in five cities (New York, Washington DC, Los Angeles, San Francisco, and Ottawa, Canada), loaded with fake apps and surveillance software that recorded what the finders did.
Wall off the data
Physical/Logical Controls
Access controls
Authorization/Authentication
Data classification
Implement appropriate security controls
Which of the above is more complex with respect to the XLS file your CIO emailed to himself or herself?
Mobile Devices are parts of your database
As auditors we need to think beyond the device
Think about what DATA each functional area MIGHT put on their mobile device, not what they should put on the device.
Think about the impact if that data were left on the street, in a car, or in a bar. Or on a plane, or on a train.
Same conversation has to happen for cloud, of course!
Mobile devices, just like cloud, mean our old ways of looking at data controls need a refresh
Data Lifecycle
What, Who, Where
How data is used
What business processes do the data support?
Three mobile devices: CEO, Auditor, AP Clerk
It gets stolen, (or left in car, or in a bar…..)
Which one do you worry about the most?
Divide users into groups based on risk profile
Divide users into groups based on data classification
All mobile users are not the same
Build security controls relevant to risk
May be overkill for small shops
Level I devices:
Senior executives
Network administrators
IT Security
Level II devices:
Marketing Reps
Financial Accounting
HR
Level III devices:
Internal Audit, Janitorial Staff, etc.
Strong Controls/procedures for Level I devices:
All policies must be set
Maybe not allowed to be a personal device?
Each device personally validated by IT
Each device is personally supported by IT
Work with data classified as confidential
Use device operationally or informationally
Transfer data files using cloud services
Use mobile device for root access to systems
Device in scope for SOX?
No PII, HIPAA-covered, or other non-public data
No stepping stone to another breach
Device classification may help you sleep!
DR plan?
What do you do when the phone of a top exec gets stolen?
Is there a real plan, or just a vague idea?
MDTLRP
Mobile Device Theft Loss Response Plan
(I made that up)
OK, pop quiz, without looking at your phone:
It's Super Bowl Sunday; you left your phone at the bar, or on your car.
You need to report it stolen: who do you call?
Controls to prevent fake reporting
A significant attack would be an attacker reporting the mobile devices of a large number of executives as stolen: reporting a device stolen is one way to wipe someone's data.
How (hopefully you have another phone)
Where is the number stored?
24 hour help desk?
You know the serial number of your phone?
You know every app that has a password on your phone?
Provide a business card or laminated card, in case of lost or stolen, call this #
Maybe leave space to write important passwords (kidding, don’t do this)
Part of DR / BCP plan too?
1) Report phone as stolen to carrier
2) Report to IT security, who initiates remote wipe
3) Reset passwords for everything
4) Obtain new phone
While this order seems obvious, the call to the carrier only prevents misuse of the voice/data service.
The device needs a data connection to receive the remote wipe command, so having the phone deactivated by the carrier before the wipe is issued could block the wipe, unless the carriers have a way around this.
Phone-stolen test
What if the phone is stolen intentionally, as part of a more persistent attack?
Monitor the email addresses stored on the phone?
Track the phone numbers stored on the phone? Look for social engineering attacks.
Monitor connection attempts to network resources.
Multiple failed logins on a VPN account stored on a stolen phone are not just a coincidence.
Put a credit watch on, in case PII was exposed?
Buy a gift card and store its number unencrypted on the phone; if the card gets used, the device has been breached.
Email system is a database:
Show emails from cloud services?
CSP may provide/block emails to your domain?
If policy is "no cloud services", then explain this email for a Dropbox password reset.
Create a server (in the cloud) and leave its IP and login credentials unencrypted on the device. If a connection happens, you got breached.
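The two monitoring ideas above, watching for use of a planted "canary" credential and for repeated VPN failures on the stolen phone owner's account, as an added example. This is not code from the presentation; the log formats (an sshd-style line from the honeypot server and a simplified VPN log line), the account names, the addresses, and the sample log lines are all constructed for the example.

```python
"""Post-theft monitoring: honeytoken credential use and VPN login abuse.

Added example, not from the presentation. Scans authentication log lines for
  1. any use of a canary login deliberately left on the missing device, and
  2. repeated VPN failures (or a success right after failures) for the phone
     owner's account, especially from the same source as the canary hit.
Log formats, account names and addresses are assumptions built for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CANARY_USER = "svc-backup"      # hypothetical login planted in a note on the phone
WATCHED_VPN_USERS = {"jdoe"}    # owner of the stolen phone (assumed)

# Assumed sshd-style line from the honeypot server, and a simplified VPN log line.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpn: (?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2013-08-11T20:05:12 sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 5120 ssh2",
    "2013-08-11T20:06:40 sshd[4025]: Accepted password for svc-backup from 198.51.100.77 port 5133 ssh2",
    "2013-08-11T20:10:01 vpn: AUTH_FAIL user=jdoe src=198.51.100.77",
    "2013-08-11T20:10:35 vpn: AUTH_FAIL user=jdoe src=198.51.100.77",
    "2013-08-11T20:11:02 vpn: AUTH_FAIL user=jdoe src=198.51.100.77",
    "2013-08-11T20:12:15 vpn: AUTH_OK user=jdoe src=198.51.100.77",
    "2013-08-11T20:13:00 vpn: AUTH_FAIL user=asmith src=192.0.2.5",
]


def analyze(lines, fail_threshold=3, window=timedelta(minutes=10)):
    """Return a list of (alert_type, user, source_ip, timestamp) tuples."""
    alerts = []
    canary_sources = set()          # IPs that used the planted credential
    flagged_vpn_sources = set()     # (user, ip) pairs already reported
    failures = defaultdict(list)    # user -> [(timestamp, ip), ...]

    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            # Any attempt with the canary name, successful or not, means the
            # note on the phone has been read: nobody legitimate uses it.
            if m["user"] == CANARY_USER:
                canary_sources.add(m["ip"])
                alerts.append(("CANARY_CREDENTIAL_USED", m["user"], m["ip"], m["ts"]))
            continue

        m = VPN_RE.match(line)
        if not m or m["user"] not in WATCHED_VPN_USERS:
            continue
        user, ip = m["user"], m["ip"]
        ts = datetime.fromisoformat(m["ts"])

        # Same source that read the canary is now trying the owner's VPN account.
        if ip in canary_sources and (user, ip) not in flagged_vpn_sources:
            flagged_vpn_sources.add((user, ip))
            alerts.append(("VPN_FROM_CANARY_SOURCE", user, ip, m["ts"]))

        recent = [t for t, _ in failures[user] if ts - t <= window]
        if m["result"] == "AUTH_FAIL":
            failures[user].append((ts, ip))
            if len(recent) + 1 == fail_threshold:   # fire once when threshold is reached
                alerts.append(("VPN_REPEATED_FAILURES", user, ip, m["ts"]))
        else:
            if recent:                              # guessed or reset password?
                alerts.append(("VPN_SUCCESS_AFTER_FAILURES", user, ip, m["ts"]))
            failures[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The canary account should not exist on anything real, so even a failed attempt with its name is a hard indicator; the VPN rules are tuned to the one account that was on the phone, which keeps the false-positive rate low compared with monitoring every account.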
So as auditors, how do we get our arms around this?
Data controls, or lack thereof
Device classification, or lack thereof
Security controls tailored to each?
Ask?
1) Survey users to identify Level I from II and III
2) Collect data as part of audit of functional area
3) Consider impact to overall controls over data
Sample Mobile Device Survey Questions
1) Please list the type (make, model, etc.) of mobile device(s) you use for business purposes.
2) What business functions do you perform using your mobile device(s)?
a) e-mail ___
b) calendar ___
c) connect to servers ___
d) connect to workstation to transfer files ___
e) connect to enterprise systems ___
Find out who your worst user is and what they are doing or attempting to do with their phone…the whole policy is for them!
Does your policy address everything he/she does?
Trust, but verify
Email data mining
Emails from cloud services to your mail servers
Expense reports for cloud services through AP
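One way to do the email and expense-report mining suggested here and on the earlier "Email system is a database" slide, as an added example (not code from the presentation). It classifies notification senders by domain, keeps only subjects that imply an account actually exists (password resets, welcome mails, file shares) rather than marketing, and cross-checks AP expense lines for cloud subscriptions. The mail records, expense lines, addresses and the domain-to-service map are constructed for the example and should be replaced with what your own mail logs show.

```python
"""Shadow-cloud discovery from mail metadata and AP expense lines.

Added example, not from the presentation. Inputs are constructed records:
mail log entries as (recipient, sender, subject) and expense lines as
(employee, merchant, amount). The domain and merchant maps are assumptions.
"""
import re
from collections import defaultdict

# Sender domains that indicate an employee has an account with a cloud
# service (assumed mapping; subdomains such as no-reply.x.com match x.com).
CLOUD_SENDERS = {
    "dropbox.com": "Dropbox",
    "dropboxmail.com": "Dropbox",
    "google.com": "Google Drive",
    "icloud.com": "iCloud",
    "box.com": "Box",
}
# Merchant strings on card statements / expense reports (assumed).
MERCHANT_SIGNALS = {
    "DROPBOX": "Dropbox",
    "GOOGLE*STORAGE": "Google Drive",
    "BOX.COM": "Box",
    "APPLE.COM/BILL": "iCloud",
}
# Subjects that imply an account exists, as opposed to marketing mail.
ACCOUNT_SIGNALS = re.compile(
    r"reset your .*password|password reset|verify your email|welcome to|"
    r"shared (a )?(file|folder)", re.I)

# Constructed sample data (recipient, sender, subject) / (employee, merchant, amount).
SAMPLE_MAIL = [
    ("cfo@example.com", "no-reply@dropbox.com", "Reset your Dropbox password"),
    ("cfo@example.com", "no-reply@dropbox.com", "Dropbox tips: get more space"),
    ("hr.mgr@example.com", "drive-shares-noreply@google.com", "Salaries.xlsx - shared a file"),
    ("ap.clerk@example.com", "noreply@box.com", "Welcome to Box"),
    ("cfo@example.com", "newsletter@vendor.example", "August promotions"),
]
SAMPLE_EXPENSES = [
    ("hr.mgr@example.com", "DROPBOX*PRO SUBSCRIPTION", 9.99),
    ("cfo@example.com", "DELTA AIR LINES", 412.10),
]


def service_for_sender(sender):
    """Map a sender address to a cloud service, matching parent domains too."""
    domain = sender.rsplit("@", 1)[-1].lower()
    parts = domain.split(".")
    for i in range(len(parts) - 1):
        service = CLOUD_SENDERS.get(".".join(parts[i:]))
        if service:
            return service
    return None


def discover(mail, expenses, allowed=frozenset()):
    """Return {user: {service: set(evidence)}} for services not in `allowed`.

    Services on the allowed list (sanctioned by policy) are dropped so the
    output is the list of exceptions an auditor has to ask about.
    """
    findings = defaultdict(lambda: defaultdict(set))
    for recipient, sender, subject in mail:
        service = service_for_sender(sender)
        if service and service not in allowed and ACCOUNT_SIGNALS.search(subject):
            findings[recipient][service].add("mail: " + subject)
    for employee, merchant, amount in expenses:
        for key, service in MERCHANT_SIGNALS.items():
            if key in merchant.upper() and service not in allowed:
                findings[employee][service].add(f"expense: {merchant} {amount:.2f}")
    return {user: dict(services) for user, services in findings.items()}


if __name__ == "__main__":
    for user, services in discover(SAMPLE_MAIL, SAMPLE_EXPENSES).items():
        for service, evidence in services.items():
            print(user, service, sorted(evidence))
```

Only headers and subjects are needed, not message bodies, which keeps the privacy footprint of the audit small; the expense cross-check catches paid plans that never generate a notification mail to the corporate address.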
Simple web-based and/or video training
Lost/stolen procedures
Best practices, recommended settings
How to identify signs of malware
Make folks aware that BYOD device is now part of policy
Device security checkup (optional for Level II and III, mandatory for Level I)
Test that remote detection works
Test that remote wipe works
Look for risky apps
Device self service saves cost, but boosts risks
Where we are today
Major Threats
Data, the only thing that matters
Device Classification
MDTLRP
(Mobile Device Theft Loss Response Plan)
Some Simple Ideas to Reduce Risk