Outside the Office: Mobile Security

Transcript of Outside the Office: Mobile Security

Page 1: Outside the Office: Mobile Security

Cybersecurity Frameworks and You: The Perfect Match

Page 2: Outside the Office: Mobile Security

Building Successful Employee Relationships: A Cornerstone to Fraud Prevention and Risk Management

Page 4: Outside the Office: Mobile Security

Mobile Security: Outside the Office

Page 5: Outside the Office: Mobile Security

Introductions

Tyler Wenger
• Helpdesk Technician
• Marketing Consultant
• Microsoft Technology Associate (MTA)

David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA
• 16+ years of experience

Page 6: Outside the Office: Mobile Security

Today’s Objective

• To better understand mobile technologies, the threats that exist within a mobile / remote environment, how to avoid and thwart those threats, and to understand your role within mobile security.

Page 7: Outside the Office: Mobile Security

Why Is This Important?

• Usage
• Time
• Accessibility
• Money
• Constantly Changing
• Data! Data! Data!

Page 8: Outside the Office: Mobile Security

Takes Two To Be Secure

• Proper security measures need to be put in place by the IT department to keep mobile users secure.
• Proper employee security training needs to be in place.

Page 9: Outside the Office: Mobile Security

Agenda

• An overview of the smartphone / tablet industry
• An understanding of what mobile technologies are being used by small to medium size organizations
• An understanding of the increased risk of mobile technology
• An understanding of mitigation strategies for risks associated with mobile technologies. What is your mobility strategy?
• Living in a mobile world: practical steps and real questions

Page 10: Outside the Office: Mobile Security

Mobile Technology

• Smart Phones
• Tablets
• Laptops
• Watches
• BYOD

Page 11: Outside the Office: Mobile Security

Smartphone Statistics

• Research estimates more than six billion smartphone users by 2020
• Over 50% of smartphone users grab their smartphone immediately after waking up
• 84% of mobile users utilize the same smartphone for business and personal use
• Mobile email opens have grown by 180% in the last three years
• Mobile will likely account for 50% of all digital ad spend in 2016 (worth $100B)

Data from https://www.impactbnd.com/blog/mobile-marketing-statistics-for-2016 and https://www.sophos.com/en-us/security-news-trends/security-trends/malware-goes-mobile.aspx

Page 12: Outside the Office: Mobile Security

Smartphones

• All-In-One Devices
• Super Computers
• Limitless Mobility
• Size
• Physical security
• Unique Operating Systems (OS)
  • Apple (iOS)
  • Android
  • Windows
• Mobile Fragmentation
• Susceptible to attacks
  • App Based, web-based, or SMS/Text Message-based

Page 13: Outside the Office: Mobile Security

Apple vs. Android

• Android
  • Global popularity and open approach
  • Open source vs proprietary
  • Lack of control of its potential integrations
• Apple
  • Control the entire ecosystem
    • Software, hardware, firmware
  • App Transport Security (ATS)
    • Secures user data sent via Apps
• “The majority of enterprises still feel it is easier for them to secure their enterprise data on the iOS platform.” - Mobile Analyst Dionisio Zumerle

Page 14: Outside the Office: Mobile Security

7 Tips for Smartphone Security

1. Use a PIN or Password
2. Download Apps only from trusted stores
   • Apple App Store
   • Google Play Store
3. Keep your Operating System and Apps Updated
4. Log Out of sites / apps after completing transactions
5. Turn off Wi-Fi and Bluetooth when not in use
6. Back up your data
7. Avoid giving out personal information

Page 15: Outside the Office: Mobile Security

Secure Technology Options for Mobile Users

• Citrix
• VPN – Company to User
• Cloud based – Connection to the Cloud Server
• MDM – Mobile Device Management Solutions

Page 16: Outside the Office: Mobile Security

What Are The Risks?

• Data breach caused by:
  • Unsecured connections
  • Lost or stolen mobile devices
  • Unauthorized users
  • Compromised devices connecting to the network
• Malware incident

Page 17: Outside the Office: Mobile Security

Three Most Common Mobile Security Breaches

1. Device loss / Theft
   • Theft of all pertinent data
   • Expensive international calls
   • In-app purchases
2. Malware
   • Spam email contacts
   • Infect other devices
   • Harvest Passwords (secure password products?)
3. Unsecured Networks
   • Rogue Wi-Fi Networks
   • Tricks people into joining wrong network at airports, stations, or coffee shops
   • More common in Asia than in US / Europe

Page 18: Outside the Office: Mobile Security

Real Life Examples

• Mobile phishing and ransomware
• Using an infected mobile device to infiltrate nearby devices
• Cross-platform banking attacks
• Cryptocurrency mining attacks

Page 19: Outside the Office: Mobile Security

Mobility Driving Business and IT Change

• Forcing organizations to have BYOD policy and plan; provide employee device choice
• Anytime, anywhere, any device access now standard
• Heightened importance of social business interactions
• Need to factor in considerations across the business, not just IT: HR, Legal, Security, Finance, Telco Plans.

Page 20: Outside the Office: Mobile Security

Mobile Security and Management

• Protection of privacy and confidential information
• Policies for client-owned smartphones and tablets
• Visibility, security & management of mobile platform requirements

Page 21: Outside the Office: Mobile Security

Mobile Strategy Helps You Make The Right Choice

1. Understand current state and strategic direction
2. Understand user profiles and their security requirements
3. Analyze gaps
4. Define recommendations and solution outline
5. Build road map

Page 22: Outside the Office: Mobile Security

Key Areas You Need to Address

• Devices: Which device types and form factors should be supported and do I have a need for special types of devices?
• Governance: What are the policies, guidelines and programs for mobile users and bring-your-own devices (BYOD)?
• Support: What is the best way to support my users?
• Mobile Applications: What mobile applications do I have today and what is the best way to roll out additional applications in the future?
• IT Infrastructure: What tools do I need in place to allow me to effectively manage my mobile devices?
• Network: What type of network access will my users require? Cellular Carrier? Corporate Wi-Fi?
• Security: What security policies should be in place to ensure the safety of my corporate assets?

Page 23: Outside the Office: Mobile Security

Bring Your Own Device (BYOD) - Policy

• What are you trying to achieve?
• Define, document and publish your "Bring Your Own Device" (BYOD) Policy
• You need input from a number of departmental functions:
  • IT
  • HR
  • Legal
  • Security
  • Finance
  • Your network carrier(s)
• Entitlement
  • Which employees are eligible for business devices (Corporate liable)?
  • Which employees bring their own?
• What data, functions, applications will be accessed?
• Which devices will you support?

Page 24: Outside the Office: Mobile Security

Mobile Device Management (MDM)

• Advanced mobile device management (MDM) functions are designed to enhance security and usability of mobile devices
• Software that secures, monitors, manages and supports mobile devices
• Over-the-air distribution of applications, data and configuration settings
• Supports company-owned and employee-owned devices

Page 25: Outside the Office: Mobile Security

Dual Factor Authentication

• Requires multiple factors for authentication
• Uses multiple combinations of the following…
  • Something you know (username, password, PIN, etc.)
  • Something you have (smartphone, token device, key fob, etc.)
  • Something you are (fingerprint, retinal scan, voice recognition, etc.)
• Requires an extra step, but “an ounce of prevention is worth a pound of cure.”

Page 26: Outside the Office: Mobile Security

Dual Factor Vendors

• Duo Security
• RSA SecurID - Tokens

Page 27: Outside the Office: Mobile Security

Security Awareness

• Employees are the largest risk to the organization.
• Employees can circumvent the best security policies.
• What is your organization doing to train your employees?

Page 28: Outside the Office: Mobile Security

Mobile Threats: They Are Real

Page 30: Outside the Office: Mobile Security

How Do I Know If My Device Is Infected?

• Decreased performance
• Slow operation and function
• Poor battery life
• Device gets exceptionally hot for no reason
• Device turns on by itself
• Applications open / close on their own
• Downloaded items/apps without your permission
• Phone log shows calls you didn’t make
• Emails sent to unknown addresses

Page 31: Outside the Office: Mobile Security

My Device Is Lost / Stolen! Now What?

• Ensure that you cannot find it
• Notify your organization’s IT Department
• Wipe the phone remotely via iCloud or other remote solutions
• Contact Law Enforcement

Page 32: Outside the Office: Mobile Security

Simple Steps to Mobile Security

• Physical security – Know where your device is!
• Use strong username and password controls
  • Alphanumeric codes may be the best option
• Keep Operating System and Apps up-to-date
• Equip your device with anti-malware software
• Turn Wi-Fi off when in public settings
  • Do not automatically join networks
  • Wireless Hotspot for Laptops
• Encrypt your device
• Think when opening emails (social engineering)
• Set device to wipe contents after specified number of failed login attempts

Page 33: Outside the Office: Mobile Security

Questions?

Tyler Wenger
• Helpdesk Technician
• Marketing Consultant
• Microsoft Technology Associate (MTA)

David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA

Page 35: Outside the Office: Mobile Security

Questions?

Documents:
• https://www.nist.gov/cyberframework
  • NIST Cybersecurity Framework website
• http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf
  • Maturity model
• https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
  • SANS Top 20 Critical Security Controls
