Outside the Office: Mobile Security
Transcript of Outside the Office: Mobile Security
Mobile Security: Outside the Office
Introductions
Tyler Wenger
• Helpdesk Technician
• Marketing Consultant
• Microsoft Technology Associate (MTA)
David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA
• 16+ years of experience
Today’s Objective
• To better understand mobile technologies, the threats that exist within a mobile / remote environment, how to avoid and thwart those threats, and to understand your role within mobile security.
Why Is This Important?
• Usage
• Time
• Accessibility
• Money
• Constantly Changing
• Data! Data! Data!
Takes Two To Be Secure
• Proper security measures need to be put in place by the IT department to keep mobile users secure.
• Proper employee security training needs to be in place.
Agenda
• An overview of the smartphone / tablet industry
• An understanding of what mobile technologies are being used by small to medium size organizations
• An understanding of the increased risk of mobile technology
• An understanding of mitigation strategies for risks associated with mobile technologies. What is your mobility strategy?
• Living in a mobile world: practical steps and real questions
Mobile Technology
• Smart Phones
• Tablets
• Laptops
• Watches
• BYOD
Smartphone Statistics
• Research estimates more than six billion smartphone users by 2020
• Over 50% of smartphone users grab their smartphone immediately after waking up
• 84% of mobile users utilize the same smartphone for business and personal use
• Mobile email opens have grown by 180% in the last three years
• Mobile will likely account for 50% of all digital ad spend in 2016 (worth $100B)
Data from https://www.impactbnd.com/blog/mobile-marketing-statistics-for-2016 and https://www.sophos.com/en-us/security-news-trends/security-trends/malware-goes-mobile.aspx
Smartphones
• All-In-One Devices
• Super Computers
• Limitless Mobility
• Size
• Physical security
• Unique Operating Systems (OS)
• Apple (iOS)
• Android
• Windows
• Mobile Fragmentation
• Susceptible to attacks
• App-based, web-based, or SMS/text message-based
Apple vs. Android
• Android
• Global popularity and open approach
• Open source vs. proprietary
• Lack of control of its potential integrations
• Apple
• Controls the entire ecosystem
• Software, hardware, firmware
• App Transport Security (ATS)
• Secures user data sent via apps
• "The majority of enterprises still feel it is easier for them to secure their enterprise data on the iOS platform.” - Mobile Analyst Dionisio Zumerle
7 Tips for Smartphone Security
1. Use a PIN or password
2. Download apps only from trusted stores
• Apple App Store
• Google Play Store
3. Keep your operating system and apps updated
4. Log out of sites / apps after completing transactions
5. Turn off Wi-Fi and Bluetooth when not in use
6. Back up your data
7. Avoid giving out personal information
Secure Technology Options for Mobile Users
• Citrix
• VPN – Company to User
• Cloud based – Connection to the Cloud Server
• MDM – Mobile Device management Solutions
What Are The Risks?
• Data breach caused by:
• Unsecure connections
• Lost or stolen mobile devices
• Unauthorized users
• Compromised devices connecting to the network
• Malware incident
Three Most Common Mobile Security Breaches
1. Device loss / theft
• Theft of all pertinent data
• Expensive international calls
• In-app purchases
2. Malware
• Spam email contacts
• Infect other devices
• Harvest passwords (secure password products?)
3. Unsecured networks
• Rogue Wi-Fi networks
• Tricks people into joining the wrong network at airports, stations, or coffee shops
• More common in Asia than in US / Europe
Real Life Examples
• Mobile phishing and ransomware
• Using an infected mobile device to infiltrate nearby devices
• Cross-platform banking attacks
• Cryptocurrency mining attacks
Mobility Driving Business and IT Change
• Forcing organizations to have a BYOD policy and plan; provide employee device choice
• Anytime, anywhere, any device access now standard
• Heightened importance of social business interactions
• Need to factor in considerations across the business, not just IT: HR, Legal, Security, Finance, Telco Plans.
Mobile Security and Management
• Protection of privacy and confidential information
• Policies for client-owned smartphones and tablets
• Visibility, security & management of mobile platform requirements
Mobile Strategy Helps You Make The Right Choice
1. Understand current state and strategic direction
2. Understand user profiles and their security requirements
3. Analyze gaps
4. Define recommendations and solution outline
5. Build road map
Key Areas You Need to Address
• Devices: Which device types and form factors should be supported, and do I have a need for special types of devices?
• Governance: What are the policies, guidelines and programs for mobile users and bring-your-own devices (BYOD)?
• Support: What is the best way to support my users?
• Mobile Applications: What mobile applications do I have today, and what is the best way to roll out additional applications in the future?
• IT Infrastructure: What tools do I need in place to allow me to effectively manage my mobile devices?
• Network: What type of network access will my users require? Cellular carrier? Corporate Wi-Fi?
• Security: What security policies should be in place to ensure the safety of my corporate assets?
Bring Your Own Device (BYOD) - Policy
• What are you trying to achieve?
• Define, document and publish your "Bring Your Own Device" (BYOD) policy
• You need input from a number of departmental functions:
• IT
• HR
• Legal
• Security
• Finance
• Your network carrier(s)
• Entitlement
• Which employees are eligible for business devices (corporate liable)?
• Which employees bring their own?
• What data, functions, applications will be accessed?
• Which devices will you support?
Mobile Device Management (MDM)
• Advanced mobile device management (MDM) functions are designed to enhance security and usability of mobile devices
• Software that secures, monitors, manages and supports mobile devices
• Over-the-air distribution of applications, data and configuration settings
• Supports company-owned and employee-owned devices
Dual Factor Authentication
• Requires multiple factors for authentication
• Uses multiple combinations of the following…
• Something you know (username, password, PIN, etc.)
• Something you have (smartphone, token device, key fob, etc.)
• Something you are (fingerprint, retinal scan, voice recognition, etc.)
• Requires an extra step, but “an ounce of prevention is worth a pound of cure.”
Dual Factor Vendors
• Duo Security
• RSA SecurID - Tokens
Security Awareness
• Employees are the largest risk to the organization.
• Employees can circumvent the best security policies.
• What is your organization doing to train your employees?
Mobile Threats: They Are Real
How Do I Know If My Device Is Infected?
• Decreased performance
• Slow operation and function
• Poor battery life
• Device gets exceptionally hot for no reason
• Device turns on by itself
• Applications open / close on their own
• Downloaded items/apps without your permission
• Phone log shows calls you didn’t make
• Emails sent to unknown addresses
My Device Is Lost / Stolen! Now What?
• First confirm that the device really is lost and cannot be found
• Notify your organization’s IT Department
• Wipe the phone remotely via iCloud or other remote solutions
• Contact Law Enforcement
Simple Steps to Mobile Security
• Physical security – know where your device is at!
• Use strong username and password controls
• Alphanumeric codes may be the best option
• Keep operating system and apps up-to-date
• Equip your device with anti-malware software
• Turn Wi-Fi off when in public settings
• Do not automatically join networks
• Wireless hotspot for laptops
• Encrypt your device
• Think when opening emails (social engineering)
• Set device to wipe contents after a specified number of failed login attempts
Questions?
Tyler Wenger
• Helpdesk Technician
• Marketing Consultant
• Microsoft Technology Associate (MTA)
• [email protected]
David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA
• [email protected]