Angry Bird Management - Building a Mobile Security & BYOD Strategy

Mobile devices can be a tempting target for some very angry birds who can steal data, decimate public trust, and destroy confidentiality with the flick of a finger. This presentation presents a rational framework for assessing mobile security needs in your business and establishing a Mobile Security Strategy.

  • Anitian does not share our hacking efforts with the public. We reserve our research and expertise for our clients and their benefit.
  • If there is anything the Arab Spring has shown, it is that mobility is extremely powerful in giving voices to people. Those voices can topple governments and destroy businesses – for good or bad. Employees form a relationship with your network, but they have relationships with 1000 other people – any one of them could be an elite hacker who wants to hurt your company.
  • I just got back from RSA. Bank vs. Restaurant example. At RSA, David Brooks said emotions are how we ascribe value.
  • Users make bad decisions because they are not always able to properly ascribe value to a relationship. People will tend to dismiss threats they do not understand. I know that the email from “FedEx” is a phishing email, because my experience has colored my emotions in a way that allows me to ascribe the correct value (none) to that email. Regular users lack that experience, and therefore will overvalue that relationship, providing a channel for abuse, theft and attack.
  • Consumers and businesses have overlapping and sometimes exclusionary goals and desires. This whole first part of the presentation is to get you thinking in the right frame of mind: 1. people, 2. policy/process, 3. technology.
  • You spent all this money on Application ID, intrusion prevention, web filters and such, and somebody walks in with an iPhone that has a completely independent connection that bypasses everything.
  • Anitian was the first firm in the nation to develop a mobile security assessment framework. Anitian developed this framework, as well as others, to assess organizations. Mention cloud computing framework. This is our intellectual property; we’re sharing.

Presentation Transcript

  • intelligent information security – ANITIAN. Building a Mobile Security & BYOD Strategy: Angry Bird Management
  • Overview
    Intention
    • Provide you both insights and a framework for building a BYOD strategy for your organization
    Contents
    • The Challenge of Mobility & BYOD
    • Credible Mobile Security Threats
    • Mobile Security Assessment Framework
    • Building a Mobile Security Strategy & Business Requirements
    • Summary
  • Meet the Speaker – Andrew Plato
    • President / CEO of Anitian
    • 20 years of experience in IT & security
    • Completed thousands of security assessments & projects
    • Discovered SQL injection attack tactic in 1995
    • Helped develop first in-line IPS engine (BlackICE)
    • Co-developed RiskNow™ – Rapid Risk Assessment approach
    • Championed movement toward practical, pragmatic information security solutions
  • We enlighten, protect and empower great security leaders. We believe security will make the world a better place.
    • Security is necessary for innovation and growth
    • Security can be empowering when it is practical and pragmatic
    • Good security comes from rational, scientific methods of analysis
  • What You Will NOT Get in this Presentation
    • A product sales pitch
    • How to install, deploy, integrate a specific product
    • How to develop, support or complain about mobile apps
    • How to solve problems with your iPhone, Android or Blackberry device
    • A lesson in hacking smart phones
    • Idiotic tales of how we hacked some celebrity’s phone
    • Black Hat style sensationalism
  • THE CHALLENGE OF MOBILITY & BYOD (Angry Birds Management)
  • Hyperconnectivity
    • Mobile devices are mechanisms for facilitating relationships
    • The current generation has grown up with hyperconnectivity: access anywhere, anytime, all the time
    • Hyperconnectivity is changing the world
    • We are not going to stop the avalanche of greater mobility, access and openness
    • Hyperconnectivity and trust are often in opposition
    • How do you establish trust with a diverse and complex web of relationships, when any one of those could be dangerous?
  • Trust Relationships in a Hyperconnected World
    • We form trust relationships all the time
    • Different relationships have different needs, requirements & expectations
    • We ascribe value to a relationship via our emotions, and rationalize that value post-decision
    • Relationship devices (smartphones) are altering our ability to ascribe value to a relationship
    • Moreover, it’s very easy to elevate perception and make a relationship seem more valuable than it really is
  • Controlling the Avalanche
    • Do you trust your users?
    • Are your users able to make sound decisions about risk?
    • Have you empowered them with the information they need to make good decisions about risk?
    • Mobility is people
    • Do you have the mechanisms for evaluating and monitoring trust relationships?
    • The ability of an organization to succeed and innovate hinges on its ability to create, evaluate, monitor, and terminate trust relationships efficiently, consistently and securely
  • Mobility is the New Frontier
    • Cannot stop it, time to join it
    • Mobile security must translate an emotional act (ascribing value to a relationship) into a business process and technology
    • The carriers (Verizon, AT&T, etc.) and hardware vendors are marginally interested in security
    • Mobile security is a relatively new, immature market
    • Mobility is more than smartphones; it is also laptops, USB drives, and anything else that facilitates on-the-go access
    • Building a mobile security strategy must address (in order):
      1. People and trust relationships
      2. Business objectives, requirements & expectations
      3. Technology
  • CREDIBLE MOBILE SECURITY THREATS (Angry Birds Management)
  • The Threat Matrix (probability – threat)
    • 60.0% – Loss or theft
    • 35.0% – Data leakage (intentional or not)
    • 4.9% – Malware
    • 0.1% – Russian hackers; crime syndicates; Anonymous, Lulz Sec, etc.; anything remotely related to terrorism; exploding batteries; anything preceded with the words “game-changer”
  • Loss or Theft
    • Overwhelmingly the most serious problem for mobile devices
    • Recovery is impossible and pointless
    • Does not matter who took the phone, you need to wipe it
    • Quick financial gain is the prevalent reason for theft
    • A sound mobile security solution must focus nearly exclusively on this primary threat
    • Breach notification laws apply to mobile devices that are lost AND have confidential data on them
  • Data Leakage
    • Rapidly evolving problem
    • Mobile platforms provide easy methods to capture and transmit data
    • Can completely bypass existing controls
    • Multiple leakage vectors:
      • SMS (text)
      • Pictures
      • Email
      • Voice / video capture
      • Malware leakage
    • What are they leaking?
  • Malware
    • From 2007-2011, mobile malware increased 1091%!
    • This is not abating
    • Mobile platforms are an excellent target
    • App stores are cracking down
    • Some platforms are better than others…
  • Platform Summary
    • Apple iOS
      Strengths: Engineered for security, sandboxes apps, quick to patch
      Concerns: A very large target
    • Blackberry
      Strengths: Extensive suite of native security controls. Strong device encryption. Most secure email delivery.
      Concerns: Aging OS, financial problems, loss of market share
    • Android
      Strengths: Google is aware of their concerns and is making attempts to fix them
      Concerns: Limited app control, diverse platform state, rapid market growth, lax to patch
    • Windows
      Strengths: Mimics many of Apple’s security features
      Concerns: Limited market share and knowledge about the platform
  • MOBILE SECURITY ASSESSMENT FRAMEWORK (Angry Birds Management)
  • Mobile Security Assessment Framework
    • First and only mobile assessment framework of its kind
    • Rank your organization on these categories:
      1. Culture
      2. Data Sensitivity
      3. Maturity of Organizational Security
      4. Technical Environment
      5. Regulations
      6. Necessity of Access
      7. Tolerance to Risk
      8. Administrative Support
    • Weight categories as you see fit
  • 1. Culture – What is your organization’s attitude toward security and access?
    1. Wide Open – Relaxed, open access, high expectation of personal privacy.
    2. Open – Limited security, mostly open, few areas of control.
    3. Balanced – Mixture of open areas and tightly controlled areas.
    4. Mostly Closed – Tight restrictions in most areas of the business with a few exceptions. Limited expectation of privacy.
    5. Closed – Very stringent security with zero expectation of privacy and limited access.
  • 2. Data Sensitivity – What type of data could mobile devices handle?
    1. Trivial – Public data with no sensitivity or confidentiality issues whatsoever.
    2. Low Risk – Mostly public or non-sensitive data with some small exceptions.
    3. Mixed Risk – Mixture of sensitive and public data.
    4. High Risk – Users will routinely handle data with high confidentiality or sensitivity risk.
    5. High Secrecy – Users will handle data with an extremely high sensitivity risk, such as protected information or national security data.
  • 3. Maturity of Organizational Security – How mature is your security program?
    1. Non-Existent – Security? What’s that?
    2. Rudimentary – Basic controls, some policies.
    3. Immature – Some controls, better policies, regularly assessed, making progress.
    4. Operational – Solid set of controls with good operations, complete set of policies, well governed.
    5. Sophisticated – Dedicated security team and ISO, strong operations, extensive controls.
  • 4. Technical Environment – How sophisticated is your technical environment in the context of mobile device control?
    1. Ad hoc – No technical standards, ad hoc administration, aging technologies.
    2. Immature – Some standards, some formalization, older technologies.
    3. Satisfactory – Widespread standardization, mostly formalized, sound practices for implementing new technologies.
    4. Advanced – Tightly standardized and formalized.
    5. Core Function – Our entire organization is centered around mobility and we are quick to adopt new solutions.
  • 5. Regulations – How regulated is your business?
    1. None – No regulations on our IT systems at all.
    2. Minimal – Very limited regulations. Some general guidelines or suggestions.
    3. Typical – Some regulation around privacy or confidentiality, no technical requirements.
    4. Strict – Very strictly regulated, such as PCI-DSS or NERC-CIP.
    5. Extreme – The entire business is tightly regulated and there are very specific controls required for mobile devices and data.
  • 6. Necessity of Access – What is the expectation of access in your organization?
    1. None – Employees have no expectation of being able to access work data.
    2. Some – Employees want access, but it is not required to be successful at their jobs.
    3. Typical – Access is desired, and some employees need it for their jobs, but for most it is a luxury.
    4. Required – Most of the business needs mobile access to be effective at their jobs.
    5. Core Function – Mobility *IS* our business.
  • 7. Tolerance to Risk – What is your organization’s tolerance for loss, theft or compromise of a mobile device?
    1. High – Who cares. Get another phone.
    2. Moderate – Not desirable, but not dangerous to the business.
    3. Low – We do not want this happening. It would be bad.
    4. None – Loss of a mobile device would be very, very bad.
    5. Catastrophic – Looks like I picked the wrong week to stop snorting Heisenberg’s Blue Meth.
  • 8. Administrative Support – Is the organization willing to support mobile security?
    1. No – No budget, no project, no way.
    2. Maybe – With the right persuasion (and low cost) we could get support.
    3. Probably – There is concern and budget.
    4. Yes – Budget and administration are already planned and in place.
    5. Core Function – Did you hear me earlier? Mobility *IS* our business. Now, c’mon, let’s do this thing! YEAH!!!
  • Rate Yourself
    Area                    Weight   Score   Weighted Score
    Culture                  1.0       3        3
    Data Sensitivity         1.5       3        4.5
    Technical Maturity       1.0       2        2
    Regulations              1.0       1        1
    Necessity of Access      1.0       3        3
    Tolerance to Risk        1.5       4        6
    Administrative Support   1.0       2        2
    Totals                            18       21.5
    Average                            2.25     2.69
  • Evaluate Your Score
    Average   Recommendation
    0 – 1     Do nothing. Be happy you have a smartphone.
    1 – 2     ActiveSync is good enough, basic controls.
    2 – 3     Mobile security solution & strategy needed.
    3 – 4     Full-featured platform, strong policies, clear strategy.
    5+        Mobile security is an absolute necessity to your business.
  • How to Use this Evaluation
    • Use this as a guide to evaluate your business.
    • Document each of the eight areas and why you scored yourself as such.
    • Set your own weights accordingly.
    • This forms the rational basis for mobile security in your organization.
    • Use this to drive business requirements.
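The scoring procedure from the framework slides (rate the eight areas 1 to 5, weight each, average, look up the recommendation band), as an added worked example that is not part of the slides or of Anitian's own framework. The half-open band boundaries and the treatment of the missing 4 – 5 row are my assumptions; the sample input is the slide's own "Rate Yourself" table.

```python
from dataclasses import dataclass

# The eight assessment areas on the slides; each is rated 1 (lowest) to 5.
AREAS = (
    "Culture", "Data Sensitivity", "Maturity of Organizational Security",
    "Technical Environment", "Regulations", "Necessity of Access",
    "Tolerance to Risk", "Administrative Support",
)

# Recommendation bands from the "Evaluate Your Score" slide. Assumption (mine,
# not the slide's): bands are half-open [low, high); the slide has no 4-5 row,
# so 3-4 is taken to run up to 5, and an average of exactly 5.0 is "5+".
BANDS = (
    (0.0, 1.0, "Do nothing. Be happy you have a smartphone"),
    (1.0, 2.0, "ActiveSync is good enough, basic controls"),
    (2.0, 3.0, "Mobile security solution & strategy needed"),
    (3.0, 5.0, "Full-featured platform, strong policies, clear strategy"),
)
TOP_BAND = "Mobile security is an absolute necessity to your business"

@dataclass(frozen=True)
class Rating:
    area: str
    score: int           # 1..5 on the area's own scale
    weight: float = 1.0  # set by the organization ("weight as you see fit")

def weighted_average(ratings):
    """Return (score_total, weighted_total, average); the average is the
    weight-normalised mean sum(weight * score) / sum(weight)."""
    if not ratings:
        raise ValueError("at least one rated area is required")
    for r in ratings:
        if r.area not in AREAS or not 1 <= r.score <= 5 or r.weight <= 0:
            raise ValueError(f"invalid rating: {r}")
    score_total = sum(r.score for r in ratings)
    weighted_total = sum(r.score * r.weight for r in ratings)
    return score_total, weighted_total, weighted_total / sum(r.weight for r in ratings)

def recommendation(average):
    """Map a weighted average onto the slide's recommendation bands."""
    for low, high, text in BANDS:
        if low <= average < high:
            return text
    return TOP_BAND

# Constructed input reproducing the "Rate Yourself" table, which scores seven
# of the eight areas (no Maturity row; its "Technical Maturity" row is mapped
# to the framework's "Technical Environment").
SLIDE_EXAMPLE = [
    Rating("Culture", 3), Rating("Data Sensitivity", 3, 1.5),
    Rating("Technical Environment", 2), Rating("Regulations", 1),
    Rating("Necessity of Access", 3), Rating("Tolerance to Risk", 4, 1.5),
    Rating("Administrative Support", 2),
]

if __name__ == "__main__":
    total, weighted, avg = weighted_average(SLIDE_EXAMPLE)
    print(f"score total {total}, weighted total {weighted}, average {avg:.4f}")
    print(recommendation(avg))  # 2.6875 falls in the 2 - 3 band
```

The slide's 2.69 is the weighted total 21.5 divided by the total weight 8.0, which is what `weighted_average` returns, so changing a weight moves the recommendation without touching the raw scores.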
  • BUILDING A MOBILE SECURITY STRATEGY & BUSINESS REQUIREMENTS (Angry Birds Management)
  • A Mobile Security Strategy must address these key areas:
    1. Authority – Who is responsible for mobile security?
    2. Resources – Money and people to implement the strategy.
    3. Need – Business justification for mobile security.
    4. Evaluation Criteria – How you will evaluate solutions.
    5. Personal Devices – How will you handle personally owned devices?
    6. Awareness – A program to educate and inform users.
    7. Policy – Organizational policy and standards for mobile security and operational authority.
  • 0. Put the Right Person in the Driver’s Seat
    • Who should drive mobile security efforts?
      • Information security
      • CISO / CIO
      • Internal audit
    • Who should NOT drive mobile security (but may help)?
      • Executives who have emotional attachments to shiny objects
      • Helpdesk
      • Network operations
      • System administration
      • Resellers
      • Sales people
  • 1. Clearly Define Roles & Responsibility
    • Who will lead the effort?
    • Who will design the strategy?
    • Who is responsible for implementing mobile security?
    • Who will enforce the rules?
    • Who is paying for all this?
    • Who will be part of a pilot or beta test?
    • Who will run that?
    • Who will communicate this effort to the employees?
    • Who decides the apps and features you can or cannot use?
  • 2. Obtain Resources
    • Establish estimates for:
      • Cost of product
      • Integration expense
      • Personnel costs
      • Training costs
      • Duration to install, implement, tune, and handle all the complaining
  • 3. Justify the Need
    • Write down at least three solid business justifications for why you need mobile security
    • Focus on your business, not technical features
    • Good: With an initiative to expand into Asia, our sales people need better access, in more places, and will be handling more sensitive data across more platforms, including mobile devices. Mobile security is necessary to protect our business efforts and support continued growth.
    • Bad: We need email encryption because our VAR said we do.
  • 4. Establish Evaluation Criteria
    • Define the feature priorities, such as:
      • Device encryption
      • Remote wipe
      • App control
      • Etc.
    • Define evaluation criteria, such as:
      • Solution must keep sending remote wipe commands until successful
      • Solution must allow for remote app removal
      • Solution must integrate with existing Active Directory authentication
      • Solution must support iOS, Android and Windows Mobile
  • 4. Establish Evaluation Criteria (continued)
    • Define an evaluation process:
      • Who will run it
      • Establish a short list of 3-5 vendors (no more!)
      • Set a budget
    • Get rid of the platform snobs:
      • This needs to be a business & technical evaluation
      • Solutions should be selected based on their alignment with business objectives and need
      • Platform holy wars are unproductive
  • 5. BYOD
    • BYOD is not easy, regardless of what vendors say
    • Address the personal device issues (BYOD):
      • Do you trust your users?
      • Do they trust you?
    • Establish policy:
      • Set physical and logical boundaries
      • Define access restrictions
      • Define app rights and access
      • Address personal privacy
    • Define the environment:
      • What is supported, what is not
  • 6. Educate Users
    • Educate end-users on mobile security threats such as:
      • Phishing
      • Malware
      • Data leakage
      • Theft and loss
    • Conduct an awareness campaign on new controls, features and policies surrounding mobile security
    • Don’t enforce, reassure
    • Establish early communication with the business
  • 7. Develop Policies & Standards
    • Draft an organizational mobile policy:
      • Write a one-page organizational policy outlining mobile security expectations, responsibilities and accountability
    • Draft mobile device practices:
      • How lost / stolen devices are reported
      • Periodic inventory
      • How devices are provisioned & terminated
    • Define who will operate the solutions
  • SUMMARY (Angry Birds Management)
  • Don’t
    • Disable; rather, think of how you can enable
    • Let sales people drive or influence your efforts
    • Let a single issue, platform or concern drive the effort
    • Keep your users in the dark
    • Try to evaluate dozens of products
    • Waste time with celebrity phone hackers or sensationalist nuts
    • Confuse consumer and business issues
  • Do
    • Think of mobility in terms of trust, not control
    • Assess what could be leaked; do you even care?
    • Consider personal privacy expectations and issues
    • Focus on business requirements
    • Establish accountability for mobile security on end users
    • Be public and open about your efforts
    • Communicate mobile security efforts with the user population
    • Prohibit mobile devices in high-security or high-turnover environments
  • Thank You
    EMAIL: andrew.plato@anitian.com
    WEB: www.anitian.com
    BLOG: blog.anitian.com
    SLIDES: http://bit.ly/anitian