2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna

Past, Present & Future: State of Technology and Use of Mobile Devices
Jeff Spivey, CRISC, CPP, Vice President of Strategy, RiskIQ, Inc.; President, Security Risk Management, Inc.


Slides from the 2014 GRC Conference. Presented by: Jeff Spivey, CRISC, CPP, Vice President of Strategy, RiskIQ, Inc. and President, Security Risk Management, Inc.; Adair Barton, CPA, CISA, Vice President of Internal Audit, Dycom Industries, Inc.; and David A. Less, CISA, CISM, CIO & SVP, Sunteck, Inc.

Transcript of 2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna

Page 1: 2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna

Past, Present & Future: State of Technology and Use of Mobile Devices

Jeff Spivey, CRISC, CPP
Vice President of Strategy, RiskIQ, Inc.
President, Security Risk Management, Inc.

Page 2: Introduction

Page 3: Drivers

Page 4: MOBILE

(Figure from the Cloud Security Alliance, www.cloudsecurityalliance.org, Copyright © 2012 Cloud Security Alliance)

Page 5: What is the current state of your cybersecurity?

Page 6: Threats “Outside the Firewall”

Page 7: Agreeing to what?

Flashlight app settles with FTC over spying

Page 8: Mobile, BYOD and BYON

Mobile Threats (the “Evil 8”)

1. Insecure or Rogue Marketplaces
2. Data Loss from Stolen, Lost, or Decommissioned Devices
3. Information-Stealing Malware
4. Insecure Wi-Fi / Network Access / Rogue Access Points
5. Insufficient Access to APIs, Management Tools, and Multi-Personas
6. Data Loss / Data Leaking Through Poorly Written Applications
7. Vulnerabilities in Hardware, OS, Applications, 3rd-Party Apps
8. NFC / Proximity-Based Hacking

BYOD Considerations

- Employee Privacy
- Legal Gray Areas: Overtime, Plan Usage Compensation
- Compliance: What is allowed on the device?
- Device Usage / Functionality / Onboarding

Page 9: So What?

• Emerging technologies will be the dominant driver of disruptive change for the foreseeable future, bringing significant opportunities and threats

• In the race to the future, organizations that manage risk for the right emerging technologies will better survive and prosper; those that don’t will NOT

Page 10: Performance of a System

“…if each part of a system is made to operate as efficiently as possible, the system as a whole will not operate as effectively as possible. The performance of a system depends more on how its parts interact than on how they act independently of each other.” Russell Ackoff

Page 11: Data Loss: Root Cause Analysis

Adair Barton, CPA, CISA
Vice President of Internal Audit
Dycom Industries, Inc.

Page 12: Data Loss: Root Cause Analysis

Adair Barton, CPA, CISA, Vice President of Internal Audit

- 23 years of risk and controls experience
- Internal Audit experience in: banking, retail, shipping, telecommunications, construction
- Leads an audit team performing operational, IT, compliance, and financial audits

Page 13: Data Loss: Root Cause Analysis

- Dycom Industries, Inc., Palm Beach Gardens, FL: Telecommunications Construction
- Customers: AT&T, Verizon, Comcast, CenturyLink, Windstream, Frontier Communications, Time Warner Cable, etc.
- Services: Telecom Construction, Cable Installation, Cell Tower Build-out, Engineering, Underground Locating, etc.
- $1.6B revenue in FY13, 45 subsidiaries, 10,500 employees
- A lot of mobile devices (laptops, smart phones, tablets, etc.)

Page 14: Data Loss: Root Cause Analysis

Situation:
- Employee loses their laptop in an airport
- Potential loss of sensitive data
- Potential reputational risk

Follow up:
- Provided targeted data security training (online and in person)
- Re-enforced policies regarding data security
- Researching a kill switch for key employees, to help prevent data stored locally from being taken

Page 15: Data Loss: Root Cause Analysis

- Researching ways to sync data on connection to the network (cloud-based): network drive, Smartsheet, Google Docs
- New procedure for reporting lost devices:
  - Who, what, where, when, and how?
  - Police report, insurance claim?
  - Confidential data stored on the device? (SSN, credit cards, customer pricing, business forecast, bid information, medical records, etc.)

Page 16: Data Loss: Root Cause Analysis

- IT Policies
- InfoSec Policies
  - Physical security of hardware
  - User authentication (unique IDs and complex passwords)
  - Monitoring network traffic (firewall rules, etc.)
  - Virus protection
  - Remote access (VPN, public wireless networks, etc.)
- Computer Hardware Policies
  - Use of mobile devices
  - Data backup and recovery
- General Computer Use Policy

Page 17: Mobile Security Solutions

David A. Less, CISA, CISM
CIO & SVP
Sunteck, Inc.

Page 18: Top Mobile Security Threats

• Unsecure File Transfer
• Lost/Stolen Devices
• Malware and Viruses
• Unclear Corporate Policies
• Open Wi-Fi Networks and Public Hotspots

Page 19: Recent Mobile Events

• Apple – Someone had mistakenly included an extra 'goto fail' statement in the SSL/TLS handshake code (CVE-2014-1266). Because the duplicated goto was unconditional, the signature check on the server's key exchange was never executed, so a man-in-the-middle could impersonate any server and read or alter the supposedly encrypted traffic.

• iOS users – Devices were locked via Apple's Find My iPhone service. The hackers demanded money to restore them.

• Linux – The GnuTLS library included a programming flaw that exposed user data to potential breaches (CVE-2014-0092). It was similar to Apple's 'goto fail' problem: an error path in certificate verification returned a negative error code that callers treated as a successful check. In the case of GnuTLS it is suspected that the flaw existed for up to 10 years.

• Mobile Banking Trojans – Mobile phishing and theft of credit card information; money is moved from a bank card to the mobile account and finally to a QIWI wallet. These Trojans check the victim's balance to ensure maximum profit.

• Mobile Botnets – Offer greater flexibility in illegal money-making schemes. It is estimated that about 60% of mobile malware includes elements of large and small botnets.
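The two handshake bugs on this slide share one shape: an error path that falls through to "success". The block below is an added illustration written for this page, not Apple's or GnuTLS's source; the helper names update_hash, verify_signature and parse_basic_constraints, and the error values, are stand-ins chosen here. Each vulnerable function is shown beside a hardened version.

```c
/* Added example for this page: miniature reconstructions of the two
 * handshake-verification bugs named in the slide. This is illustrative code,
 * not Apple's or GnuTLS's source; update_hash, verify_signature and
 * parse_basic_constraints are stand-ins invented here, and the error values
 * are assumed. */
#include <string.h>

typedef int OSStatus;
enum { errSecSuccess = 0, errSecBadSignature = -1 };   /* assumed values */

/* Stand-in for hashing the handshake transcript: always succeeds. */
static OSStatus update_hash(const char *data)
{
    (void)data;
    return errSecSuccess;
}

/* Stand-in for the signature check: only the constructed string "GOOD"
 * counts as a valid signature over the ServerKeyExchange parameters. */
static OSStatus verify_signature(const char *sig)
{
    return strcmp(sig, "GOOD") == 0 ? errSecSuccess : errSecBadSignature;
}

/* Apple "goto fail" shape (CVE-2014-1266): the second goto has no condition
 * (the indentation lies because there are no braces), so verify_signature()
 * is dead code and the function returns err, still 0 from the last hash. */
OSStatus verify_server_key_exchange_vulnerable(const char *sig)
{
    OSStatus err;
    if ((err = update_hash("client random")) != 0)
        goto fail;
    if ((err = update_hash("server random")) != 0)
        goto fail;
        goto fail;                 /* duplicated line: always taken */
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Hardened shape: braces on every branch, so a duplicated line cannot
 * escape its condition and the signature check stays on the path. */
OSStatus verify_server_key_exchange_fixed(const char *sig)
{
    OSStatus err;
    if ((err = update_hash("client random")) != 0) {
        goto fail;
    }
    if ((err = update_hash("server random")) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* Stand-in parser for the issuer's basicConstraints: constructed inputs
 * "CA" -> is_ca = 1, "EE" -> is_ca = 0, anything else -> parse error. */
static int parse_basic_constraints(const char *issuer, int *is_ca)
{
    if (strcmp(issuer, "CA") == 0) { *is_ca = 1; return 0; }
    if (strcmp(issuer, "EE") == 0) { *is_ca = 0; return 0; }
    return -7;                     /* assumed negative error code */
}

/* GnuTLS shape (CVE-2014-0092): documented to return 1 ("issuer is a CA")
 * or 0 ("is not"), but a parse error jumps to cleanup with the negative
 * error code still in result. A caller written as
 * `if (check_if_ca(...) == 0) reject();` accepts the unparseable issuer. */
int check_if_ca_vulnerable(const char *issuer)
{
    int result, is_ca = 0;
    result = parse_basic_constraints(issuer, &is_ca);
    if (result < 0)
        goto cleanup;              /* leaks -7, which reads as "true" */
    result = is_ca;
cleanup:
    return result;
}

/* Fixed shape: every error path sets the boolean to 0 before jumping, so
 * "could not verify" can never be confused with "verified". */
int check_if_ca_fixed(const char *issuer)
{
    int result, is_ca = 0;
    result = parse_basic_constraints(issuer, &is_ca);
    if (result < 0) {
        result = 0;
        goto cleanup;
    }
    result = is_ca;
cleanup:
    return result;
}
```

With a bad signature the vulnerable Apple-style function still returns 0 (success) and the vulnerable GnuTLS-style function returns a non-zero error code that a boolean caller accepts; the fixed versions return an error and 0 respectively. Both defects are caught by a negative test (feed a bad signature or an unparseable issuer and expect rejection), and the first is also flagged by gcc's -Wmisleading-indentation and clang's -Wunreachable-code.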

Page 20: Recent Mobile Events

• Backdoor.AndroidOS.Obad – Combines three capabilities: (1) backdoor, (2) SMS Trojan, (3) bot. Referred to as a Swiss Army knife. Uses three exploits to circumvent Android's app integrity check on installation (also known as the master key vulnerability), gain enhanced rights, and hinder analysis of the app.

• Attacks on PCs through an Android device – An infected Android device connected to a PC in USB drive emulation mode enables a malicious payload to be launched on the PC.

• Using GCM to control botnets – Google Cloud Messaging (GCM) is used to control zombie devices in a botnet. Commands received from GCM are executed by the GCM system, so it is impossible to block them directly on an infected device.

• APT attacks against Uyghur activists – Windows and Mac OS X malware deployed against the activists; PDF, XLS, DOC and ZIP files have been sent in e-mails to perform attacks. APK files have now been added to the arsenal, spying on personal information stored on the device and transmitting its location.

Page 21: US Data Breaches per Year

According to the Identity Theft Resource Center, there have already been 395 data breaches in the U.S. this year that have been reported to regulators or covered by media outlets, a 21% increase over the same period last year.

• The current tally of compromised credit cards from major breaches is closing in on 5 million.

• Online accounts: half a billion.

Page 22: Recent Data Breaches

• eBay – Attackers compromised a “small number of employee log-in credentials” between late February and March to gain access to the company’s network and, through it, compromised a database that contained customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. This breach may have affected the majority of the company’s 145 million members.

• Michaels Stores – Point-of-sale systems at 54 stores were hacked via malware between May 2013 and January 2014. Up to 2.6 million payment card numbers and expiration dates at Michaels stores and 400,000 at Aaron Brothers could have been obtained.

• Montana Department of Public Health and Human Services – A server containing names, addresses, dates of birth and Social Security numbers of roughly 1.3 million people was hacked.

• St. Vincent Breast Center, Indianapolis – Sent 63,000 letters containing information on upcoming appointments to the wrong people.

Page 23: Recent Data Breaches

• Stanford Federal Credit Union – Accidentally attached a file with information on 18,000 customers to an email.

• Variable Annuity Life Insurance Co. – A former financial advisor was found in possession of a thumb drive that included full or partial Social Security numbers for 774,723 customers.

• York, PA – Thousands of medical records were dumped at a public incineration site.

• Sutherland Healthcare Solutions, Torrance, CA – Eight laptops stolen in February contained medical information on almost 400,000 people.

• Spec’s Wine, Spirits and Finer Foods, Houston, TX – Financial information for more than half a million customers may have been exposed in what the company is calling a sophisticated hacking scheme. The breach, which covered 34 Spec’s-owned stores spanning the state, is believed to have run from October 31, 2012 until as recently as March 20 of this year.

• St. Joseph Health System – Attacked between Dec. 16 and 18 last year. The affected system contained "approximately 405,000 former and current patients', employees' and some employees' beneficiaries' information." This included names, Social Security numbers, dates of birth, medical information and, in some cases, addresses and bank account information.

• Others – AOL, Avast’s online forums, Holiday Inn, Marriott Hotels, Neiman Marcus, and PF Chang’s; another 360 million usernames and passwords surfaced on hacker forums in February.

Page 24: GAO – Report to Congressional Committees – September 2012 (GAO-12-757, “Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged”)

• May 2012 – A regulatory agency in the United Kingdom fined a company for distributing malware versions of popular gaming applications that triggered mobile devices to send costly text messages to a premium-rate telephone number.

• February 2012 – Symantec Corporation reported that a large number of Android devices in China were infected with malware that connected them to a botnet. The botnet’s operator was able to remotely control the devices and incur charges on user accounts for premium services such as sending text messages to premium numbers, contacting premium telephony services, and connecting to pay-per-view video services. The number of infected devices able to generate revenue on any given day ranged from 10,000 to 30,000, enough to potentially net the botnet’s operator millions of dollars annually if infection rates were sustained.

• January 2012 – An antivirus company reported that hackers had subverted the search results of certain popular mobile applications so that they would redirect users to a web page where they were encouraged to download a fake antivirus program containing malware.

Pages 25–29: GAO – Report to Congressional Committees – September 2012 (figure slides; no text)

Page 30: Security controls for mobile devices (GAO – Report to Congressional Committees – September 2012)

Security Control: Description

Enable user authentication: Devices can be configured to require passwords or PINs. In addition, the password field can be masked to prevent it from being observed, and the devices can activate idle-time screen locking to prevent unauthorized access.

Enable two-factor authentication for sensitive transactions: Two-factor authentication can be used when conducting sensitive transactions on mobile devices. Mobile devices can be used as a second factor in some two-factor authentication schemes used for remote access.

Verify the authenticity of downloaded applications: Procedures can be implemented for assessing the digital signatures of downloaded applications to ensure that they have not been tampered with.

Install anti-malware capability: Can be installed to protect against malicious applications, viruses, spyware, infected secure digital cards, and malware-based attacks. Can also protect against unwanted (spam) voice messages, text messages, and e-mail attachments.

Adopt centralized security management: Software tools can be used to scan devices for key compromising events and report the results with a risk rating and recommended mitigation.

Turn off or set Bluetooth connection capabilities to non-discoverable: When in discoverable mode, Bluetooth-enabled devices are “visible” to other nearby devices.

Limit use of public Wi-Fi networks when conducting sensitive transactions: Attackers patrol public Wi-Fi networks for unsecured devices or even create malicious Wi-Fi spots designed to attack mobile devices.

Page 31: COSO 2013 – Principle 11

*Conclusions – The COSO Internal Control – Integrated Framework now includes internal and nonfinancial reporting objectives covered by IC, and also includes IT general controls as a primary consideration (Principle 11) of all IC systems. Thus it is more applicable and useful to IT professionals than the 1992 version. IS/IT professionals should seek competence in understanding and applying the 2013 content to the governance, management and assurance of enterprise IT, and should, therefore, include the COSO 2013 framework in their schedule of future continuing education.

Page 32: What to do…

• Heighten awareness
• Inventory authorized and unauthorized devices
• Inventory authorized and unauthorized software
• Develop and manage secure configurations for all devices
• Conduct continuous (automated) vulnerability assessment and remediation
• Actively manage and control the use of administrative privileges
• Configure a passcode to gain access to and use the device

Page 33: What to do…

• Set an idle timeout that will automatically lock the device when not in use

• Keep all software up to date, including the operating system and installed “Apps”

• Do not “jailbreak” or “root” devices. “Jailbreaking” and “rooting” remove the manufacturer's protection against malware

• Obtain apps only from trusted sources such as the Apple App Store, Google Play, or the Amazon Appstore for Android

• Enroll devices into a managed environment that also includes remote wipe

• Deploy devices that support encrypted storage

Page 34: What to Do…

• Email protection – Allow only managed devices to synchronize with and download content from the cloud.

• Download control – Control downloading of sensitive data to unsecured devices.

• Containerize content on devices – Monitor downloaded content, control apps that interact with a VPN, and deploy containerization tools.

• Self-destructing content – Auto-delete and purge content from devices; control data even when it’s outside of the cloud.

• Content linked back to the user – Implement a solution with a watermarking capability. This system automatically marks documents with the email or username of the employee accessing the information. If a user steals a document from the cloud and leaks it to unapproved sources, the company can easily identify the user and take action.

Page 35: What to do… (figure slide)

Page 36: Mobile Device Management (MDM)

• Manages and controls OS & devices
• Configures device policies and deploys them over-the-air
• Enforces built-in security features such as passcodes and device encryption
• Provides full loss and theft protection for lost or stolen devices
• Builds group-based compliance policies

Page 37: Mobile Application Management (MAM)

• Securely distributes apps to individual users or groups

• Deploys iOS-managed apps to individuals, with control over app data

• Password-protects apps containing corporate data for extra security

• Blacklists apps that might be risky or time-wasting

• Supports enterprise purchasing of apps via Apple’s Volume Purchase Program (VPP)

Page 38: Mobile Email Management (MEM)

• Distributes email settings
• Controls access to email via a secure email gateway based on device health
• Supports email containers like NitroDesk TouchDown
• Selectively wipes all corporate emails once a user leaves the company

Page 39: What to ask the vendor (1/4)?

How is data encrypted?
– First line of defense
– The solution should encrypt both “in transit” (between your organization and the vendor) and “at rest” (vendor’s storage)

Is two-step verification supported?
– Additional protection
– Requires a one-time-use security code, usually delivered via text message, phone call, or authentication app, in addition to the sign-in password

What admin reporting is available?
– Logs and activity reports

Page 40: What to ask the vendor (2/4)?

How do you protect your infrastructure and data?
– Should provide established, documented and tested policies and procedures

Is single sign-on (SSO) supported?
– Simplifies management of multiple services
– Should apply your organization's network password policies to all incorporated services

Can data be remote wiped?
– Enables admin deletion of data stored on a device

Page 41: What to ask the vendor (3/4)?

Can web sessions be terminated remotely?
– Terminate sessions from another device

What kind of permissions control is available?
– Limit access to files, folders, or accounts
– Ease of administration should be considered

If third-party apps can access data, how is authentication handled?
– Third-party apps should be granted access to data only, never to account credentials

Page 42: What to ask the vendor (4/4)?

To what degree can the vendor access my company data?
– Access needs to be clearly defined and only allowed on an as-needed basis

What compliance certification and auditing has the vendor completed?
– Look for independent authority validation (e.g. Service Organization Control (SOC) auditing, ISO 27001 certification)

What does the vendor do to protect user privacy?
– Review the privacy policy, which should clearly state how information is managed as well as how government data requests are handled

Page 43: Mobile Application Security Framework for the Handheld Devices in Wireless Cellular Networks

Small, portable mobile handheld devices are often left unsecured due to their limited computing power. The approach is also inadequate for mobile applications that require security as a controllable service attribute to maintain various security levels that are acceptable to the users. Hence, we need a tunable and differentiable application security framework for handheld devices that provides differential security levels for application security requirements and user preferences. In this paper, we have proposed a Mobile Application Security Framework (MASF), which is necessary for mobile applications to achieve the best possible security and performance levels. In essence, the idea is to embed MASF in mobile terminals to enable run-time composition of mobile security applications. The application security framework provides a reusable structure with security mechanisms, which enables end-to-end security in the cellular environment.

Source: http://academic.research.microsoft.com/Paper/5098934.aspx

Page 44: “The Fog of More”

The overload of defensive support is like a “Fog of More”: more options, more tools, more knowledge, more advice, and more requirements… but not always more security.

Page 45: Mobile Security Testing & COSO 2013

Link & Transition to New 2013 Framework

Page 46: Overview – Aviva Spectrum

Professional Bio:

Sonia Luna has over 16 years of internal and external audit experience. She worked at 2 of the Big 4 before leaving as an audit manager to create Aviva Spectrum in 2004. Aviva Spectrum provides a wide variety of internal audit services including SOX 404, COSO 2013 transition, compliance audits and quality assessment reviews.

Page 47: Polling Q?

Have you started the COSO transition, and what percentage of completion are you at?

Where am I? | Percentage of Completion
A. Running to Finish Line | 75%
B. Getting There | 50%
C. Formulating a Plan | 25%
D. Not Started | 0%

Page 48: Where ITAF, COBIT & COSO 2013 meet on Mobile Device Security!

ITAF | COBIT Process | COSO 2013 Principle
3630.4 Information Systems Operations | PO4 Define the IT processes, organization and relationships | Principle 3: Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in pursuit of objectives
3630.7 Information Security Management | PO6 Communicate management aims and directions | Principle 9: Identifies and assesses changes that could impact the system of internal control
3630.10 Database Management & Controls | PO9 Assess and manage risks | Principle 11: Selects and develops IT general controls to meet objectives
3630.11 Network Management & Controls | DS5 Ensure systems security | Principle 12: Deploys control activities through policies and procedures
3630.16 Enterprise Portals | DS11 Manage data | Principle 13: Obtains or generates relevant, quality information to support the functioning of internal control
3630.17 Identification & Authentication | ME3 Ensure compliance with established regulations | Principle 16: Develops and performs ongoing and/or separate evaluations to ascertain whether internal control is functioning

Page 49: ISACA – 2010 Guidance to Test Mobile Devices

1. Audit Program
2. Maturity Model Assessment

Page 52: Polling Q?

How many of your organizations provide you a smart phone?

How many have BYOD at their organization?

Page 54: Mobile Device – Security Audit

Don’t re-invent the wheel. Audit report conducted by an IA team.

Page 55: Q & A session (5 – 8 min)

Sonia Luna, President, CEO, Aviva Spectrum
www.linkedin.com/in/sonialuna
www.slideshare.net/soxppt
www.avivaspectrum.com/podcasts