Mobile security blunders and what you can do about them

Presentation: Mobile security blunders and what you can do about them.

Given by: Ben Rothke

Published in: Technology

  1. Mobile security blunders and what you can do about them
     Ben Rothke, CISSP CISA
     BT Global Services Senior Security Consultant

  2. About me…
     • Ben Rothke (too many certifications)
     • Senior Security Consultant – British Telecom
     • Frequent writer and speaker
     • Author - Computer Security: 20 Things Every Employee Should Know
     BT Americas Inc.

  3. Show me the methodology…
     • How do you currently handle?
       – Smartphones
       – iPads
       – wireless devices

  4. Serious security
     • In your organization - how does management spell security?
     • Have they deployed adequate:
       – staff
       – budget
       – processes
       – oversight
  5. Why does this matter?
     • Wi-fi is everywhere
     • today’s mobile device is really a desktop
     • mobile devices are walking data breaches
     • mobile convenience/benefits are obvious
     • attackers focusing on mobile devices
     • weak mobile security
     • mobility is a business necessity
     • the perimeter is porous
     • compliance pressures
     • consumerized technologies are here to stay
     • past approaches aren’t working
     • social media will be ubiquitous
     • misconfigurations
  6. Real-world problems
     • loss and theft
     • malware infections
     • intercepted network traffic
     • intellectual property losses
     • no adequate data backups
     • users not being held responsible for security
     • slew of new applications creating risks…

  7. Scary numbers
     • 2010 Information Week Mobile Device Management and Security Survey
       – 87% say smartphones will become more predominant in their business
       – Security is the biggest reason (73%) for deploying mobile device management (MDM)
       – Why organizations haven’t deployed MDM:
         • Not enough IT staff to support it – 61%
         • Too few mobile devices – 34%
         • Too expensive – 32%
         • Don’t see the need – 26%

  8. Recent issues I’ve come across

  9. Why do we have these problems?
     • mobile devices are new/complex
     • unauthorized usage difficult to prevent
     • improper implementation of controls
     • unstructured files all around
     • failed security policies
     • people not thinking about their choices

  10. Lots of devices out there to consider
     • If it’s got network connectivity and storage, secure it:
       – smartphones
       – dumbphones
       – tablets
       – netbooks
       – laptops
       – mobile storage
       – wireless networks

  11. Security audit
     • What’s being stored where
     • passwords
     • encryption
     • malware protection
     • data backups
     • VPN, RDP, GoToMyPC, etc.
     • wifi weaknesses

  12. Mobile security best practices
     • Management and security
       – Build management and security into the entire mobile security product life cycle
       – ensure management tools for mobile devices are interoperable with other management infrastructure
     • Policy
       – Extend enterprise security policies to mobile and wireless
       – use technologies that provide comparable controls
         • wireless- and mobile-optimized versions of network access control, IDS/IPS, VPN, firewall, data encryption, IDM, DLP, etc.

  13. Mobile security best practices
     • Security as a requirement
       – Ensure security is a required purchasing consideration for all mobile and wireless technology and services
       – require security provisions as a component of all RFPs

  14. BlackBerry security best practices
     • Any BlackBerry containing corporate data should be managed under BlackBerry Enterprise Server (BES) or a comparable platform
       – Unmanaged devices can be set by users to be vulnerable to login, sync and data access attacks
       – managed BlackBerrys can be guaranteed to comply with strict policies
     • Ensure you have a uniform set of security capabilities across all models that can be managed and audited to a guaranteed level of compliance
       – Good news: All BlackBerry models have a common security architecture, so this is relatively easy
  15. iPad/iPhone best practices
     • Do they exist?
       – Applications cannot be considered fully secure until they use the Apple Data Protection APIs
         • today, only a few applications support them
       – of the built-in Apple applications, only Mail currently supports the Data Protection API to protect message data/attachments
       – require employee-owned devices to be secured and managed by the enterprise
       – deny access to jailbroken or modified devices
       – restrict sensitive data exported to these devices
       – use complex passcodes
       – automatically wipe data after multiple failed login attempts
  16. Since no one listens to best practices
     • At a bare minimum:
       – All mobile devices should have policies enabled that require passwords
       – high priority to encryption on devices where sensitive data will be stored
       – over-the-air kill features used where supported
       – integrated into vulnerability and configuration management processes

  17. Tools that can help
     • Native security
     • ActiveSync
     • Lookout
     • BlackBerry BES
     • Mobile Active Defense
     • MobileIron
     • Trust Digital
     • Good Technology
       – Enterprise
       – Government
     • 42Gears

  18. Future trends
     • little knowledge needed
     • more internal breaches
     • more elaborate hacks
     • more directed hacks
     • physical attacks (stolen devices)
     • broadened attack surfaces
     • mobile business apps
     • Wikileaks
     • directed spear phishing
     Copyright (c) 2007, Principle Logic, LLC - All Rights Reserved

  19. Keys to information security success
     1. Getting the right people
     2. Focusing on core issues
     3. Proper testing
     4. Effective metrics
     5. Policies and processes
     6. Right technologies
     7. Incident response
     8. Architecture

  20. Contact info…
     • Ben Rothke, CISSP CISA
     • Senior Security Consultant
     • BT Professional Services