
Page 1

Valid concerns about mobile security and how to address them

Institute of Management Consultants and Advisers
Dublin, 19th June 2013

Thursday 20 June 13 (c) VigiTrust 2003-2013 1

[email protected]
www.vigitrust.com

Page 2

Today's Presentation
• Setting the Scene – Defining Mobility
• BYOD & Application Security – two key Mobility topics right now
• Preparing for Security Enabled Mobility
• 2013-2015 Outlook
• Q&A

Page 3

About VigiTrust – Compliance as a Service
• SECURITY TRAINING & eLEARNING: online training for management and staff
• COMPLIANCE, READINESS & VALIDATION: comprehensive online programs to achieve and maintain compliance
• SECURITY & GRC SERVICES: professional services to enable and support your compliance process

The 5 Pillars of Security Framework™: Physical Security; People Security; Data Security; IT Security; Crisis Management

Page 4

5 Pillars of Security Framework™ – Best Practice Security Framework for Enterprise

Chief Security Officer: project leader for all security-related matters

PHYSICAL SECURITY (Operations Manager, Security Staff)
• Access to Building
• Physical Assets
• IT Hardware
• Vehicle Fleet

PEOPLE SECURITY (HR, Security Staff)
• Permanent & Contract Staff
• Partners
• 3rd Party Employees
• Visitors
• Special Events Security

DATA SECURITY (HR, IT Team & Manager)
• Trade Secrets
• Employee Data
• Database
• Customer Data

INFRASTRUCTURE SECURITY (IT Team & Manager)
• Networks
• Remote Sites
• Remote Users
• Application Security
• Website
• Intranet

CRISIS MANAGEMENT (Operations Manager, IT Team, HR)
• Documentation & Work Procedures
• Emergency Response Plans
• Business Continuity Plans
• Disaster Recovery Plans

Page 5

Existing eLearning Portfolio

eSEC Portfolio US – Existing
• HIPAA
• NERC-CIP 101
• MA 201
• Understanding Data Breach Notification Requirements

eSEC Portfolio EMEA – Existing
• Data Protection Fundamentals
• Credit Card Security
• Introduction to PCI DSS
• Banking & Fraud
• Green IT & Security
• ISO IT & SDLC
• Security During M&A Process

eSEC Portfolio Generic Training – Existing
• Info Security 101
• Mobility & Security
• Security of Social Networks
• Cloud Computing & Security 101
• Physical Security for Good Logical Security

eSEC Portfolio Technical Training – Existing
• Secure Coding for PCI DSS
• Introduction to Secure Printing
• Log Management & Security
• Wireless Security

Page 6

Mathieu Gorge, CEO & Founder, VigiTrust

European PCI DSS Roadshow
(Disclaimer: Outside Reviewer)

Page 7

Setting the scene

Page 8

A Few Telling Security Facts & Figures
• Veracode Security Survey
  – "During our initial analysis of mobile applications we found that 91% of the top mobile apps unnecessarily expose a user's personally identifiable information"
  – "Despite this, most mobile users and businesses aren't aware of the risk these apps pose to their organization"
• Gartner – 2013 – "Mobile computing raises new security concerns in an increasingly mobile world, where devices may be employee-owned, frequently changed, and used for both personal and business purposes"
• ABI Research Mobility Survey – Opportunities for Services
  – ABI Research estimates that mobile security services will total $1.88 billion by the end of 2013
  – Network security, managed security and professional services are set to become the biggest categories for business-to-business mobile security
  – Vendors such as Adaptive Mobile and F-Secure are well placed to consolidate their position for carrier-grade security solutions
  – Players offering highly innovative solutions in niche markets include Aujas Networks (India) with professional services and Zimperium (Israel) for mobile IDS/UTM
• The role of consultants & security professionals is key to balancing mobility opportunities vs security challenges

Page 9

Security Challenges associated with Mobile Devices & Mobile application roll-outs
• Technical security challenges
  – Malware
  – Smishing
  – Bluesnarfing
  – Data leakage
  – Data loss – who is responsible (device owner, app provider, operator, user)?
• Usage security challenges
  – Applications on the mobile device – which ones?
  – Geolocation
  – Social media is going mobile – major risks for the organization
  – Managing the blur between private & personal life on private & corporate devices
• Operational security challenges
  – Business continuity – what happens if personal devices are lost? Who pays to replace the device in the case of BYOD?
• Legal challenges
  – Data Protection Act compliance
  – eDiscovery challenges

Page 10

Security Challenges associated with Mobile Applications
• How secure is the mobile app?
  – Security by design?
  – Benchmarked against OWASP & SANS?
  – Mobile app web testing?
• Does the mobile app impact on data security?
  – Answer is always yes – but to what extent?
  – Is the app sending data back to a corporate network and/or cloud?
• Where is the data kept? For how long? Etc.
• Data protection considerations
  – Social media app?
    • Major risks for the organization because of social networks' architectures
    • Managing the blur between private & personal life on private & corporate devices
• Payment via mobile app?
  – PCI DSS considerations

Page 11

Policies must focus on what mobile devices allow users to do and what is deemed acceptable
• View / access corporate data
  – See e-mails
    • View/answer/save/delete
  – Access corporate files
    • View/access
    • Modify/save/delete?
  – Access corporate ERP/CRM files
    • Basic access
    • Limited interaction
    • Full access (some functionality tends to be lost in any case)
  – VPN-based access to DMZs
  – Internet browsing
  – Sending pictures
    • E.g. some US banks accept picture copies of checks sent in by mail or MMS
  – The odd phone call…
  – All of the above must be made clear to users in an AUP!

Page 12

Best practices to address BYOD security challenges
• Classification is key
  – Data classification
    • What data should really be seen/accessed/processed on mobile devices?
  – Device classification
    • Phones
    • Smart phones (Blackberry/iPhones/Androids)
    • Tablets/iPads
  – User classification
    • Who needs a mobile device?
    • What do they need it for and what is the business justification?
• Policies & procedures
  – AUP & associated initial and yearly refresher training
  – Operational procedures
• What do you do next, then?
  – Policies & procedures: draw up a list of P&Ps in place at your org.
  – Technical solutions: update your network diagram + pen test – include BYOD as assets
  – Awareness training: identify in-scope employees and start the education process
• Consider implementing a concierge service
  – Contract amendments between employers/employees
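The classification step on this slide (data, device and user classes) can be turned directly into a deny-by-default rule that yields the actions an AUP has to spell out (view, modify, save, delete) for each combination. The Python below is an added example, not VigiTrust's code or any product's policy engine: the class tiers, the `managed`/`encrypted` device flags and the specific thresholds in `allowed_actions` are assumptions chosen for illustration, and the sample devices are constructed.

```python
"""Classification-driven BYOD access decisions (added example, not VigiTrust code).

The three classifications from the slide (data, device, user) are modelled as
enumerations and the AUP actions (view, modify, save, delete) are derived from
them, deny-by-default. The tiers, device flags and rule thresholds below are
assumptions for illustration, not a published policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class DataClass(Enum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3   # e.g. customer data, trade secrets
    RESTRICTED = 4     # e.g. cardholder data in PCI DSS scope


class DeviceClass(Enum):
    PHONE = "phone"            # basic phone
    SMARTPHONE = "smartphone"  # Blackberry / iPhone / Android
    TABLET = "tablet"          # tablets / iPads


class UserClass(Enum):
    STAFF = "staff"
    CONTRACTOR = "contractor"
    MANAGER = "manager"


@dataclass(frozen=True)
class Device:
    kind: DeviceClass
    corporate_owned: bool   # False for a BYOD device
    managed: bool           # enrolled in the organisation's device management (assumed control)
    encrypted: bool         # storage encryption enabled (assumed control)


ACTIONS = ("view", "modify", "save", "delete")


def allowed_actions(user: UserClass, device: Device, data: DataClass) -> frozenset[str]:
    """Actions permitted for this user/device/data combination; an empty set means deny."""
    # Basic phones cannot run the corporate apps: no corporate data at all.
    if device.kind is DeviceClass.PHONE:
        return frozenset()
    # Public data may be viewed from any smart device, managed or not.
    if data is DataClass.PUBLIC:
        return frozenset({"view"})
    # Anything above public requires a managed, encrypted device; deny otherwise.
    if not (device.managed and device.encrypted):
        return frozenset()
    if data is DataClass.INTERNAL:
        return frozenset({"view", "modify", "save"})
    if data is DataClass.CONFIDENTIAL:
        # Contractors are read-only; staff and managers may edit but not keep a local copy.
        if user is UserClass.CONTRACTOR:
            return frozenset({"view"})
        return frozenset({"view", "modify"})
    # RESTRICTED: corporate-owned device and a manager, view only; delete is never granted.
    if device.corporate_owned and user is UserClass.MANAGER:
        return frozenset({"view"})
    return frozenset()


def decide(user: UserClass, device: Device, data: DataClass, action: str) -> bool:
    """Single yes/no decision for one requested action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return action in allowed_actions(user, device, data)


def aup_matrix(device: Device) -> dict[str, dict[str, str]]:
    """Rows for the AUP table: per user class and data class, the permitted actions."""
    table: dict[str, dict[str, str]] = {}
    for user in UserClass:
        row = {}
        for data in DataClass:
            acts = allowed_actions(user, device, data)
            row[data.name] = "/".join(a for a in ACTIONS if a in acts) or "none"
        table[user.name] = row
    return table


if __name__ == "__main__":
    # Constructed sample devices: an unmanaged personal smartphone versus a managed corporate tablet.
    byod_phone = Device(DeviceClass.SMARTPHONE, corporate_owned=False, managed=False, encrypted=True)
    corp_tablet = Device(DeviceClass.TABLET, corporate_owned=True, managed=True, encrypted=True)
    for name, dev in (("unmanaged BYOD smartphone", byod_phone), ("managed corporate tablet", corp_tablet)):
        print(name)
        for user, row in aup_matrix(dev).items():
            print(f"  {user:<10}", "  ".join(f"{k}={v}" for k, v in row.items()))
```

The point of `aup_matrix` is that the same function that enforces the rule also generates the table the AUP shows users, so the policy document and the enforcement cannot drift apart; every path that is not explicitly granted falls through to an empty set, which is the least-privilege default the slide's "what data should really be seen on mobile devices" question is asking for.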

Page 13

BYOD – Recommended Reading
• 3 US Federal Government BYOD case studies with some interesting statistics
  – Equal Employment Opportunity Commission – 75% never used the government-supplied device to make calls – case study on BYOD cost savings
  – Alcohol and Tobacco Tax and Trade Bureau – developed a USB device that turns old desktops/laptops into a thin client
  – State of Delaware – reimbursement plan
• Links to good information for your IT & legal teams to consider
  – Bring-your-own-device (BYOD) and legal/regulatory compliance
  – Top 10 consumerization and BYOD tips of 2012
  – (ISC)2 2013 Global Information Security Workforce Study
  – FTC Mobile Privacy Disclosures – focus on apps security
  – www.sophos.com – Mobile Security Toolkit
  – Upcoming VigiTrust events: PCI DSS One Day Workshops (IT Solutions), RSA Security Conference, European PCI DSS Roadshow

www.vigitrust.com

Page 14

Technical solutions typically required for traditional security
• Anti-Virus / Anti-Spam
• Firewalls & VPNs
• IDS/IPS
• Web filtering / mail filtering
• IM monitoring
• File integrity
• SIEM – central log solutions
• Asset management
• PSD management/control
• Encryption
  – At rest, in transit, in use
• Bad news: all of the above should and does apply to mobile security
• Good news: it's really not rocket science!

Page 15

Security & GRC Process

Regulatory, legal & corporate governance frameworks: SOX | ISO 27000 series | EU Data Protection | PCI DSS | HIPAA | Others

Process (Step 1 to Step 5):
• Education, Security & Awareness
• Self-governed pre-assessment
• Security blueprint for remediation work
  – Policies & Procedures
  – Network & Hardware Security
  – Pen-Testing & Application Security
  – Specialized Skills Transfer
• Official assessors & auditors

Page 16

Corporate Culture & Risk Management – the overall picture

Figure labels: Corporate Ecosystem; Corporate Values; Risk Management & Safeguards; Residual Risk Surface which needs to be managed by your Organization

Risk management strategy for internal and/or external risk management teams
DPA, PCI DSS & ISO 27001 compliance

Page 17

Outlook for 2013-2015 in the Mobility industry & spheres
• Every business is going mobile
  – For good reasons – commercial opportunities
  – For the wrong reasons
    • Because my competitor has a mobile app so I need one too… regardless of security concerns
• New Internet of Things
  – According to NPD Group – US: 5.7 internet-enabled devices in the home
  – Your own mobile internet-enabled ecosystem must be kept secure
• Mobility & security – two sides of the same coin
  – Especially as regards payments – fraud is up in cashless payments
    • Prepaid – NFC – contactless
  – Very little implementable guidance available from PCI DSS but this will change as security associations are taking over
    • ISACA
    • ISSA

Page 18

Best Practices – Designing & Deploying Secured Mobile Fleets & Apps
• What first steps can you take?
  – Remember the five accreditation process steps
    • Education
    • Pre-assessment (internal)
    • Remediation
    • Actual assessment
    • Continuous compliance
  – Mix of 3 key elements
    • Policies & procedures
    • Technical solutions
    • Awareness training
  – What do you do next, then?
    • Policies & procedures: draw up a list of P&Ps in place at your org.
    • Technical solutions: update your network diagram + app pen test
    • Awareness training: identify in-scope employees and start the education process

Page 19

Valid concerns about mobile security and how to address them
Dublin, 19th June 2013

[email protected]
http://www.linkedin.com/in/mgorge
www.vigitrust.com

Page 20

Changes to Data Protection in the EU
• Not a directive but a single regulation in the EU
  – Harmonization at European level… but with challenges
• Applies to companies based outside the EU if personal data is handled abroad by companies that are active in the EU and offer services to EU citizens
• Right to be forgotten
• Controllers' responsibilities
  – Policies & procedures
  – Staff training
• Data processing impact assessment
  – If any data is likely to present risks to individuals
• Security – both processors and controllers must put security measures in place
• Data breach notification – within 24 hours of noticing the breach
• Data portability (service providers) & data transfers
• Data Protection Officers

Page 21

Intersection between PCI DSS compliance and the DPA
• Need for appropriate levels of security
• Compliance with PCI DSS should enable compliance with key provisions of the DPA
• ICO in the UK made an example of Lush (Lush Cosmetics Ltd)
  – "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times"
  – For online retailers, the PCI DSS is clearly now best practice
  – Adherence to the PCI DSS should ensure compliance with the security obligations under the Act
  – Undertaking from Lush requires them to only store the minimum amount of payment data necessary to receive payments, and keep it for no longer than necessary.

Clear overlap between DPA & PCI DSS requirements:
• Information security policies
  – Under the new data protection laws, policies and processes will be key, as transparency takes centre stage
• Protect personal data – PHI, CHD, PII
  – Encryption of personal data will avoid the need to contact every data subject in the event of a breach
• Privacy by design
  – Personal data should only be processed for the specific purpose for which it was collected, and not be retained beyond the minimum necessary – both in terms of amount and time