What to Consider When Building a Mobile Security Model
Who Am I?
• 12+ years in information security
• Experience includes: CounterTack, Security Innovation, Q1 Labs/IBM, Application Security, Inc./TrustWave, Sophos, WAVE Systems
• SecureWorld, Hacker Halted, ISSA, OWASP, Security Meetups, Boston Security Conference, OASIS-Montgomery Conference
• Mobile device owner
• Twitter: @tmbainjr1
http://www.countertack.com/blog
Agenda
• Mobile security trends
• Figuring out mobile security
• Understanding risks/policy creation
• Developing an adaptive model and best practices
TRENDS
Do We Really Have a Choice?
• 84% use the same smartphone for work and for personal usage.
• 81% of employed adults use at least one personally owned electronic device for business
• 59% use their mobile devices to run line-of-business applications
• 74% of companies allow BYOD usage in some manner
• 1/3 use mobile devices exclusively
--Experian Mobile Security Survey, November 2013 (Harris Interactive)
The Great Mobile Security Debate
• When will the great mobile data breach happen?
• 2017: endpoint breaches will shift to tablets/smartphones.
• Physical vs Virtual
• BYOD/Mobile security policy
• Business vs Security
What are CISOs concerned with?
It's More About the Data
State of Mobile Security
• Productivity vs. Security
• Rise of mobile campaigns
• More targeted malware
• Volume of usage = increased risk
• End user error
User Perspective on Mobile Security
• 50% of companies have experienced a data breach due to inadequate device security
• 47% don’t have a password on their mobile phone.
• 51% stated their companies couldn’t execute a remote wipe if lost or stolen.
• 49% said mobile security has not been addressed with them by IT.
UNDERSTANDING MOBILE SECURITY ISSUES
Mobile Security Failures
• Inconsistent security policies
• Unmanageable devices
• Minimal number of devices
• Data artifacts existing on disposed devices
• Data leakage
Unique Mobile Security Issues
• Multi-user/single user
• Browsing environment
• Updates/patching
• SSL
• CSRF
• Geolocation
• Apps
Mobile Malware Trends
• 98% of all mobile malware targets Android users
• Kaspersky: 3.4M malware detections on 1.1M devices
• 60% of all attacks are capable of stealing users’ money
• Reported attacks have increased 6X! (from 35K in August 2013 to 242K as of March 2014)
The Most Popular Mobile Malware
[Chart: malware by category (SMS, RiskTool, AdWare, Trojan); families called out: Faketoken, Svpeng]
Android Resources
iOS Resources
POLICY, RISK ASSESSMENT & BUILDING AN ADAPTIVE MODEL
BYOD Challenges
• Device turn-over and EOL
• New devices: Default or customized settings?
• How can you know everything about every device?
• App Stores: Approved apps?
• Applications
Mobile Security Policy Checklist
Consider risk scenarios.
Adapt from proven or trustworthy models.
Measure perception.
Understand roles, privileges and what’s in place today.
Get granular with your questions & considerations.
Figure out a strategy for testing your applications.
Policy enforcement.
Raise awareness/required training.
Assess and Validate Risk
Take an inventory of your high-risk applications/mobile applications.
Determine business criticality.
What’s your attack probability?
How do you define the attack surface?
Consider overall business impact.
Where does compliance factor in?
What are the security threats?
Roles and Access Controls
• Which departments/groups/individuals have been most active in developing policies?
• Has there been any previous collaboration between policy authors?
• Can you identify a potential champion(s) to support the new policy?
• Areas of agreement in commonly implemented controls re: policies?
• Support documents, materials and related policies should be cited in mobile device policy.
Get Granular
• How will mobile devices be used?
• Devices assigned to one person or shared?
• Which mobile applications would be used?
• What information is accessible through mobile devices?
• What information will be stored on the mobile devices?
• How will data be shared to/from and between mobile devices?
• Who’s ultimately responsible for mobile devices?
• Will personal activities on company devices be permitted?
• What levels of support are expected?
Know and Define Your Data
Defining Policy
• Provide contextual, technical guidelines
• Map to compliance mandates
• Considers criticality of application and data
‒ Requirements, activities and level of detail needed will differ
• Have clear exception policies where necessary
‒ What if minimum standards can’t be met? What is considered acceptable? Who approves?
• Includes internally built and third party applications
• Reflects current maturity and skillset of staff
‒ The more skilled, the less explicit you need to be with policies
Enforcing Policy
• You need management buy-in!
• Broad strategy vs Targeted strategy roll-out
• On-boarding:
‒ Require all device info as part of hiring process
‒ Require policy training up front
• Require training for various departments:
‒ General population receives awareness training
‒ Technical employees receive in-depth training
• Monitor for effectiveness – EX: Deliver training or reminder when employee is out of compliance.
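As an added illustration of the last bullet (monitoring for compliance and triggering a reminder or training), and not code from the talk: a small Python posture check that runs the policy points raised in this deck (passcode set, remote wipe possible via MDM enrolment, storage encrypted, not rooted/jailbroken, OS at or above a minimum) over a device inventory and decides the follow-up action. The minimum OS versions, the strike threshold, the action names and the inventory itself are constructed assumptions for the example.

```python
"""Device-posture compliance check for a BYOD policy (illustrative example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed policy minimums; pick your own from the risk assessment.
MIN_OS = {"android": "5.1", "ios": "8.0"}
TRAINING_AFTER_STRIKES = 2  # repeat offenders get mandatory training, not another reminder


@dataclass
class Device:
    owner: str
    platform: str          # "android" or "ios"
    os_version: str
    passcode_set: bool
    mdm_enrolled: bool     # enrolment is what makes a remote wipe possible
    encrypted: bool        # storage encryption on
    rooted: bool           # rooted / jailbroken
    prior_strikes: int = 0 # earlier out-of-compliance notices


@dataclass
class Finding:
    owner: str
    violations: List[str]
    action: str


def parse_version(v: str) -> Tuple[int, int, int]:
    """'4.4.2' -> (4, 4, 2); '8' -> (8, 0, 0); tolerates suffixes like '9.3.2-beta'."""
    nums = [int(n) for n in re.findall(r"\d+", v)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def check_device(d: Device) -> List[str]:
    """Return the list of policy violations for one device (empty if compliant)."""
    v: List[str] = []
    if not d.passcode_set:
        v.append("no passcode")
    if not d.mdm_enrolled:
        v.append("not MDM-enrolled (remote wipe impossible)")
    if not d.encrypted:
        v.append("storage not encrypted")
    if d.rooted:
        v.append("rooted/jailbroken")
    minimum = MIN_OS.get(d.platform)
    if minimum is None:
        v.append(f"unsupported platform {d.platform!r}")
    elif parse_version(d.os_version) < parse_version(minimum):
        v.append(f"OS {d.os_version} below minimum {minimum}")
    return v


def decide_action(d: Device, violations: List[str]) -> str:
    """Escalate: data that cannot be protected or wiped is blocked, repeat offenders train."""
    if not violations:
        return "compliant"
    if d.rooted or not d.mdm_enrolled:
        return "block access until remediated"
    if d.prior_strikes >= TRAINING_AFTER_STRIKES:
        return "require training"
    return "send reminder"


def evaluate(inventory: List[Device]) -> List[Finding]:
    return [Finding(d.owner, vs, decide_action(d, vs))
            for d in inventory for vs in [check_device(d)]]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count devices per action so effectiveness can be tracked over time."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Device("alice", "ios", "9.3.2", True, True, True, False),
    Device("bob", "android", "4.4.2", False, True, False, False),
    Device("carol", "android", "6.0", False, True, True, False, prior_strikes=2),
    Device("dave", "ios", "8.4", True, False, True, True),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.owner:6} {f.action:32} {'; '.join(f.violations) or '-'}")
    print(summarize(evaluate(SAMPLE_INVENTORY)))
```

Feeding the output back into the training programme (reminder on first strike, mandatory training on repeat, access blocked where the data cannot be wiped) is the feedback loop the slide asks for.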
Where are you at? Ad Hoc
[Maturity diagram: Implementation, Technology, People, Process, Data]
Get to the next level of ‘Repeatable’
• Collect examples
• Present business needs & educate executives
• Create a mobile security policy
• Identify some short and long-term risks/goals
• Make the case simple
Now you are at ‘Repeatable’
[Maturity diagram: Implementation, Technology, People, Process, Data]
Adaptive Mobile Security
Gartner, 2014, Adaptive Security Model
www.countertack.com
Blog: http://www.countertack.com/blog
Twitter: @CounterTack, @tmbainjr1
Real-time Endpoint Threat Detection and Response.