Valid concerns about mobile security and how to address them
Institute of Management Consultants and Advisers
Dublin, 19th June 2013
Thursday 20 June 13 (c) VigiTrust 2003-2013
www.vigitrust.com
Today's Presentation
• Setting the Scene – Defining Mobility
• BYOD & Application Security – two key Mobility topics right now
• Preparing for Security Enabled Mobility
• 2013-2015 Outlook
• Q&A
About VigiTrust – Compliance as a Service
• SECURITY TRAINING & eLEARNING – Online training for management and staff
• COMPLIANCE, READINESS & VALIDATION – Comprehensive online programs to achieve and maintain compliance
• SECURITY & GRC SERVICES – Professional services to enable and support your compliance process
The 5 Pillars of Security Framework™ – Physical Security; People Security; Data Security; IT Security; Crisis Management
Chief Security Officer – Project leader for all Security Related Matters
• PHYSICAL SECURITY (owners: Operations Manager, Security Staff)
 – Access to Building
 – Physical Assets
 – IT Hardware
 – Vehicle Fleet
• PEOPLE SECURITY (owners: HR, Security Staff)
 – Permanent & Contract Staff
 – Partners
 – 3rd Party Employees
 – Visitors
 – Special Events Security
• DATA SECURITY (owners: HR, IT Team & Manager)
 – Trade Secrets
 – Employee Data
 – Database
 – Customer Data
• INFRASTRUCTURE SECURITY (owners: IT Team & Manager)
 – Networks
 – Remote Sites
 – Remote Users
 – Application Security
 – Website
 – Intranet
• CRISIS MANAGEMENT (owners: Operations Manager, IT Team, HR)
 – Documentation & Work Procedures
 – Emergency Response Plans
 – Business Continuity Plans
 – Disaster Recovery Plans
Best Practice Security Framework for Enterprise
Existing eLearning Portfolio
• eSEC Portfolio US – Existing: HIPAA; NERC-CIP 101; MA 201; Understanding Data Breach Notification Requirements
• eSEC Portfolio EMEA – Existing: Data Protection Fundamentals; Credit Card Security; Introduction to PCI DSS; Banking & Fraud; Green IT & Security; ISO IT & SDLC; Security During M&A Process
• eSEC Portfolio Generic Training – Existing: Info Security 101; Mobility & Security; Security of Social Networks; Cloud Computing & Security 101; Physical Security for Good Logical Security
• eSEC Portfolio Technical Training – Existing: Secure Coding for PCI DSS; Introduction to Secure Printing; Log Management & Security; Wireless Security
Mathieu Gorge CEO & Founder, VigiTrust
European PCI DSS Roadshow
(Disclaimer: Outside Reviewer)
Setting the scene
A Few Telling Security Facts & Figures
• Veracode Security Survey
 – "During our initial analysis of mobile applications we found that 91% of the top mobile apps unnecessarily expose a user's personally identifiable information"
 – "Despite this, most mobile users and businesses aren't aware of the risk these apps pose to their organization"
• Gartner – 2013 – "Mobile computing raises new security concerns in an increasingly mobile world, where devices may be employee-owned, frequently changed, and used for both personal and business purposes"
• ABI Research Mobility Survey – Opportunities for Services
 – ABI Research estimates that mobile security services will total $1.88 billion by the end of 2013
 – Network security, managed security and professional services are set to become the biggest categories for business-to-business mobile security
 – Vendors such as AdaptiveMobile and F-Secure are well-placed to consolidate their position for carrier-grade security solutions
 – Players offering highly-innovative solutions in niche markets include Aujas Networks (India) with professional services and Zimperium (Israel) for mobile IDS/UTM
• The role of consultants & security professionals is key to balancing mobility opportunities vs security challenges
Security Challenges associated with Mobile Devices & Mobile application roll outs
• Technical Security Challenges
 – Malware
 – Smishing
 – Bluesnarfing
 – Data leakage
 – Data Loss – who is responsible (device owner, app provider, operator, user)?
• Usage Security challenges
 – Applications on the mobile device – which ones?
 – Geolocation
 – Social media is going mobile – major risks for the organization
 – Managing the blur between private & personal life on private & corporate devices
• Operational security challenges
 – Business Continuity – what happens if personal devices are lost? Who pays to replace the device in the case of BYOD?
• Legal challenges
 – Data Protection Act Compliance
 – eDiscovery challenges
Security Challenges associated with Mobile Applications
• How secure is the mobile app?
 – Security by design?
 – Benchmarked against OWASP & SANS?
 – Mobile App Web Testing?
• Does the Mobile App impact on data security?
 – Answer is always yes – but to what extent?
 – Is the app sending data back to a corporate network and/or Cloud?
 – Where is the data kept? For how long? Etc.
• Data Protection Considerations
 – Social media App?
  • Major risks for the organization because of SNs architectures
  • Managing the blur between private & personal life on private & corporate devices
• Payment via Mobile App?
 – PCI DSS considerations
Policies must Focus on what mobile devices allow users to do and what is deemed acceptable
• View / Access Corporate Data
 – See e-mails
  • View/answer/save/delete
 – Access corporate files
  • View/access
  • Modify/save/delete?
 – Access corporate ERP/CRM Files
  • Basic access
  • Limited interaction
  • Full access (some functionality tends to be lost in any case)
 – VPN based access to DMZs
 – Internet Browsing
 – Sending Pictures
  • E.g. Some US banks accept picture copies of checks sent in by mail or MMS
 – The odd phone call…
 – All of the above must be made clear to users in an AUP!
Best practices to address BYOD security challenges
• Classification is key
 – Data classification
  • What data should really be seen/accessed/processed on mobile devices
 – Device Classification
  • Phones
  • Smart Phones (Blackberry/iPhones/Androids)
  • Tablets/iPads
 – User Classification
  • Who needs a mobile device
  • What do they need it for and what is the business justification?
• Policies & Procedures
 – AUP & associated initial and yearly refresher Training
 – Operational Procedures
• What do you do next?
 – Policies & procedures: draw up a list of P&Ps in place at your org.
 – Technical Solutions: update your network diagram + pen test – include BYOD as assets
 – Awareness Training: identify in-scope employees and start the education process
• Consider Implementing a Concierge Service
 – Contract amendments between Employers/employees
BYOD – Recommended Reading
• 3 US Federal Government BYOD Case Studies with some interesting statistics
 – Equal Employment Opportunity Commission – 75% never used their government-supplied device to make calls – case study on BYOD cost savings
 – Alcohol and Tobacco Tax and Trade Bureau – developed a USB device that turns old desktops/laptops into a thin client
 – State of Delaware – Reimbursement Plan
• Links to good information for your IT & legal teams to consider
 – Bring-your-own-device (BYOD) and legal/regulatory compliance
 – Top 10 consumerization and BYOD Tips of 2012
 – (ISC)2 2013 Global Information Security Workforce Study
 – FTC Mobile Privacy Disclosures – focus on Apps Security
 – www.sophos.com – Mobile Security Toolkit
 – Upcoming VigiTrust events: PCI DSS One Day Workshops (IT Solutions), RSA Security Conference, European PCI DSS Roadshow
www.vigitrust.com
Technical Solutions typically required for Traditional Security
• Anti-Virus / Anti-Spam
• Firewalls & VPNs
• IDS/IPS
• Web Filtering / Mail Filtering
• IM monitoring
• File Integrity
• SIEM – Central Log solutions
• Asset Management
• PSD Mgt/Control
• Encryption – at rest, in transit, in use
• Bad News: All the above should and does apply to Mobile Security
• Good News: It's really not rocket science!
Security & GRC Process
Regulatory, Legal & Corporate Governance Frameworks: SOX; ISO 27000 series; EU Data Protection; PCI DSS; HIPAA; Others
• Step 1 – Education, Security & Awareness
• Step 2 – Self-Governed Pre-Assessment
• Step 3 – Security Blueprint for Remediation Work
 – Policies & Procedures
 – Network & Hardware Security
 – Pen-Testing & Application Security
• Step 4 – Official Assessors & Auditors
• Step 5 – Specialized Skills Transfer
Corporate Culture & Risk Management – The overall Picture
• Corporate Values
• Corporate Ecosystem
• Risk Management & Safeguards – DPA, PCI DSS & ISO 27001 compliance
• Risk Management Strategy for Internal and/or external Risk Management Teams
• Residual Risk Surface which needs to be managed by your Organization
Outlook for 2013-2015 in the Mobility industry & spheres
• Every business is Going Mobile
 – For good reasons – commercial opportunities
 – For the wrong reasons
  • Because my competitor has a mobile app so I need one too…regardless of security concerns
• New Internet of Things
 – According to NPD Group – US: 5.7 internet enabled devices in the home
 – Your own mobile Internet enabled ecosystem must be kept secure
• Mobility & Security – Two sides of the same coin
 – Especially as regards payments – Fraud is up in cashless payments
 – Prepaid – NFC – Contactless – Very little implementable guidance available from PCI DSS but this will change as security associations are taking over
  • ISACA
  • ISSA
Best Practices – Designing & Deploying Secured Mobile Fleets & Apps
• What first steps can you take?
 – Remember the five accreditation process steps
  • Education
  • Pre-assessment (internal)
  • Remediation
  • Actual Assessment
  • Continuous compliance
 – Mix of 3 key elements
  • Policies & procedures
  • Technical Solutions
  • Awareness Training
 – What do you do next?
  • Policies & procedures: draw up a list of P&Ps in place at your org.
  • Technical Solutions: update your network diagram + App pen test
  • Awareness Training: identify in-scope employees and start the education process
[email protected] http://www.linkedin.com/in/mgorge
www.vigitrust.com
Changes to Data Protection in the EU
• Not a directive but a single regulation in the EU
 – Harmonization at European level…but with challenges
• Applies to companies based outside the EU if personal data is handled abroad by companies that are active in the EU and offer services to EU citizens
• Right to be forgotten
• Controllers' responsibilities
 – Policies & procedures
 – Staff Training
• Data processing impact assessment
 – If any data is likely to present risks to individuals
• Security
 – Both processors and controllers must put security measures in place
• Data Breach Notification
 – Within 24 hours of noticing the breach
• Data Portability (service providers) & Data Transfers
• Data Protection Officers
Intersection between PCI DSS compliance and the DPA
• Need for appropriate levels of security
• Compliance with PCI DSS should enable compliance with key provisions of the DPA
• ICO in the UK made an example of Lush (Lush Cosmetics Ltd)
 – "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times"
 – For online retailers, the PCI DSS is clearly now best practice
 – Adherence to the PCI DSS should ensure compliance with the security obligations under the Act
 – Undertaking from Lush requires them to only store the minimum amount of payment data necessary to receive payments, and keep it for no longer than necessary.
Clear Overlap between DPA & PCI DSS Requirements:
• Information security policies
 – Under the new data protection laws, policies and processes will be key, as transparency takes centre stage
• Protect Personal Data – PHI, CHD, PII
 – Encryption of personal data will avoid the need to contact every data subject in the event of a breach
• Privacy by Design
 – Personal data should only be processed for the specific purpose for which it was collected, and not be retained beyond the minimum necessary – both in terms of amount and time