Building a Mobile Security Model
Uploaded by thomas-bain
![Page 1: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/1.jpg)
What to Consider When Building a Mobile Security Model
![Page 2: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/2.jpg)
Who Am I?
• 12+ years in information security
• Experience includes: CounterTack, Security Innovation, Q1 Labs/IBM, Application Security, Inc./TrustWave, Sophos, WAVE Systems
• SecureWorld, Hacker Halted, ISSA, OWASP, Security Meetups, Boston Security Conference, OASIS-Montgomery Conference
• Mobile device owner
@tmbainjr1
http://www.countertack.com/blog
![Page 3: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/3.jpg)
Agenda
• Mobile security trends
• Figuring out mobile security
• Understanding risks/policy creation
• Developing an adaptive model and best practices
![Page 4: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/4.jpg)
TRENDS
![Page 5: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/5.jpg)
Do We Really Have a Choice?
• 84% use the same smartphone for work and for personal usage.
• 81% of employed adults use at least one personally owned electronic device for business
• 59% use their mobile devices to run line-of-business applications
• 74% of companies allow BYOD usage in some manner
• 1/3 use mobile devices exclusively
--Experian Mobile Security Survey, November 2013 (Harris Interactive)
![Page 6: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/6.jpg)
The Great Mobile Security Debate
• When will the great mobile data breach happen?
• 2017: endpoint breaches will shift to tablets/smartphones.
• Physical vs Virtual
• BYOD/Mobile security policy
• Business vs Security
![Page 7: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/7.jpg)
What are CISOs concerned with?
![Page 8: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/8.jpg)
It's More About the Data
![Page 9: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/9.jpg)
State of Mobile Security
• Productivity vs. Security
• Rise of mobile campaigns
• More targeted malware
• Volume of usage = increased risk
• End user error
![Page 10: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/10.jpg)
User Perspective on Mobile Security
• 50% of companies have experienced a data breach due to inadequate device security
• 47% don’t have a password on their mobile phone.
• 51% stated their companies couldn’t execute a remote wipe if lost or stolen.
• 49% said mobile security has not been addressed with them by IT.
![Page 11: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/11.jpg)
UNDERSTANDING MOBILE SECURITY ISSUES
![Page 12: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/12.jpg)
Mobile Security Failures
• Inconsistent security policies
• Unmanageable devices
• Minimal number of devices
• Data artifacts existing on disposed devices
• Data leakage
![Page 13: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/13.jpg)
Unique Mobile Security Issues
• Multi-user/single user
• Browsing environment
• Updates/patching
• SSL
• CSRF
• Geolocation
• Apps
![Page 14: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/14.jpg)
Mobile Malware Trends
• 98% of all mobile malware targets Android users
• Kaspersky: 3.4M malware detections on 1.1M devices
• 60% of all attacks are capable of stealing users’ money
• Reported attacks have increased 6X! (from 35K in August 2013 to 242K as of March 2014)
Real-time Endpoint Threat Detection and Response
![Page 15: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/15.jpg)
The Most Popular Mobile Malware
[Chart: share of malware by category: SMS, RiskTool, AdWare, Trojan]
![Page 16: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/16.jpg)
Faketoken
![Page 17: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/17.jpg)
Svpeng
![Page 18: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/18.jpg)
Android Resources
![Page 19: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/19.jpg)
iOS Resources
![Page 20: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/20.jpg)
POLICY, RISK ASSESSMENT & BUILDING AN ADAPTIVE MODEL
![Page 21: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/21.jpg)
BYOD Challenges
• Device turn-over and EOL
• New devices: Default or customized settings?
• How can you know everything about every device?
• App Stores: Approved apps?
• Applications
![Page 22: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/22.jpg)
Mobile Security Policy Checklist
Consider risk scenarios.
Adapt from proven or trustworthy models.
Measure perception.
Understand roles, privileges and what’s in place today.
Get granular with your questions & considerations.
Figure out a strategy for testing your applications.
Policy enforcement.
Raise awareness/required training.
![Page 23: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/23.jpg)
Assess and Validate Risk
Take an inventory of your high-risk applications/mobile applications.
Determine business criticality.
What’s your attack probability?
How do you define the attack surface?
Consider overall business impact.
Where does compliance factor in?
What are the security threats?
![Page 24: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/24.jpg)
Roles and Access Controls
• Which departments/groups/individuals have been most active in developing policies?
• Has there been any previous collaboration between policies and authors?
• Can you identify a potential champion(s) to support the new policy?
• Areas of agreement in commonly implemented controls re: policies?
• Support documents, materials and related policies should be cited in mobile device policy.
![Page 25: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/25.jpg)
Get Granular
• How will mobile devices be used?
• Devices assigned to one person or shared?
• Which mobile applications would be used?
• What information is accessible through mobile devices?
• What information will be stored on the mobile devices?
• How will data be shared to/from and between mobile devices?
• Who’s ultimately responsible for mobile devices?
• Will personal activities on company devices be permitted?
• What levels of support are expected?
![Page 26: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/26.jpg)
Know and Define Your Data
![Page 27: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/27.jpg)
Defining Policy
• Provide contextual, technical guidelines
• Map to compliance mandates
• Considers criticality of application and data
‒ Requirements, activities and level of detail needed will differ
• Have clear exception policies where necessary
‒ What if minimum standards can’t be met? What is considered acceptable? Who approves?
• Includes internally built and third party applications
• Reflects current maturity and skillset of staff
‒ The more skilled, the less explicit you need to be with policies
![Page 28: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/28.jpg)
Enforcing Policy
• You need management buy-in!
• Broad strategy vs Targeted strategy roll-out
• On-boarding:
‒ Require all device info as part of hiring process
‒ Require policy training up front
• Require training for various departments:
‒ General population receives awareness training
‒ Technical employees receive in-depth training
• Monitor for effectiveness – EX: Deliver training or reminder when employee is out of compliance.
![Page 29: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/29.jpg)
Where are you at? Ad Hoc
[Diagram: maturity model, Implementation across Technology, People, Process and Data]
![Page 30: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/30.jpg)
Get to the next level of ‘Repeatable’
• Collect examples
• Present business needs & educate executives
• Create a mobile security policy
• Identify some short and long-term risks/goals
• Make the case simple
![Page 31: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/31.jpg)
Now you are at ‘Repeatable’
[Diagram: maturity model, Implementation across Technology, People, Process and Data]
![Page 32: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/32.jpg)
Adaptive Mobile Security
Gartner, 2014, Adaptive Security Model
![Page 33: Building a Mobile Security Model](https://reader033.fdocuments.us/reader033/viewer/2022060201/559ad6ca1a28abe4078b4809/html5/thumbnails/33.jpg)
www.countertack.com
Blog: http://www.countertack.com/blog
Twitter: @CounterTack, @tmbainjr1
Real-time Endpoint Threat Detection and Response.