Mobile Devices for Today's Banking Environment
With the transition from mobile phones to mobile devices (such as iPhone, iPad, or Android) comes greater productivity with greater vulnerability. This presentation will explore the transition from phones to mobile devices along with the best practices in securing such devices and common uses in banking environments not yet commonly deployed. With proper compensating controls, the tactical advantages and productivity savings far outweigh the risks of deploying mobile devices, so why not explore the options that best fit your environment?

Published in: Technology
Notes
  • Welcome. Thank you for attending.
  • When talking to auditors: Question – Mobile Devices. How many answer No, knowing personal phones? Answer Yes, but only address company devices.
  • No one should be in bottom 14% b/c of BYOD
  • Stick with the most common
  • Share Experience: Officer Phones with Exchange (no USB or Cloud), Issued by Techs & Returned to Techs. Board Meetings on iPad: Techs Load to Newsstand, Enforce Policy.
  • Email - explain, not a worry before, but once received, our responsibility. Contacts - guidance suggests breach, reasonable to assume majority are customers; goldmine for CATO thieves.
  • Transcript

    • 1. MOBILE DEVICES IN TODAY’S BANKING ENVIRONMENT
      Scott Sharp
    • 2. SCOTT SHARP
      - Chief Technology Officer for Sharp BancSystems, Inc.
      - VP, Director of Information Security for First Baird BancShares, Inc.
      - CISSP, LPT, CHFI, CEH, MCITP, RHCSA, CCNA, etc…
      - Part Banker / Part Geek
    • 3. OVERVIEW & INTENT
      Overview: Mobile Use; Statistics; Scary Facts; Mitigation & Best Practices; Automated Tools
      Intent: Not to Scare, unless it helps motivate; Inform
    • 4. MOBILE DEVICES ON THE RISE
      - Smart Phones are rapidly replacing regular mobile phones; Gartner reported an 85% year-over-year increase
      - Smart Phones and other mobile devices are smaller, lighter, and easier to take everywhere, with similar capabilities to PCs
      - PCs have long been the target of security audits while mobile is being overlooked
    • 5. IMPORTANCE OF MOBILE
      - How important are mobile devices to your organization?
      - Where do you fit in?
      - What about BYOD (Bring Your Own Device)?
    • 6. MOBILE DEVICE TYPES
      Smart Phones: Apple; Android (Google); Blackberry (RIM); Microsoft; Other
      Tablets: Apple; Android; Other
      Source: comScore (February 2012)
    • 7. COMMON USES
      In Financial Institutions:
      - Phones for Officers
      - Board Room Automation (Web Delivery or USB; Meeting Notes)
      - Remote Workers
      - Customer Service Terminal
      - Customer Support
      - Point Of Sale
      For Consumers:
      - Mobile Banking (Web Based, read your logs; App Based)
      - Email - ALL
      - Text
      - Contacts (Home, Mom, Hubby)
      - Health
      - Social
      - Fun
    • 8. CHALLENGES TO MOBILE
      - Security
      - Upgrades
      - Policy Enforcement
      - Consistency
      - Training (User; Tech)
    • 9. WHY DOES SECURITY MATTER?
      - Would you conduct online banking and shopping on a PC without antivirus software installed?
      - Are you willing to remove antivirus, firewall, encryption and VPN software from your workstation?
      - In the transition from Phones to Smart Phones, why weren’t we paying attention?
    • 10. VULNERABILITY POINTS (1 OF 2)
      - Unencrypted Information: On Phone; Removable Memory Card; Responsible for data once received
      - Consumer Applications: Share more than needed; Unproductive behavior
      - Mobile Malware: Looks Fun, but designed to steal; Less on Apple, more on other
      - Weak Passwords or none at all
      - SMS Fuzzing: Discover device
      - Bluetooth/Wireless Interfaces
    • 11. VULNERABILITY POINTS (2 OF 2)
      - GPS Location Services: Where are you now?
      - Camera, Video, Microphones: Theft from BYOD (Bring Your Own Device)
      - Internal Storage (USB or Cloud): Equivalent to a Thumb Drive, sometimes without plugging in!
      - Carrier Service Technicians: They have the key to the data!
      - Manufacturer Data Storage: Blackberry or others (banned in France)
      - Call Recording - SIP
      - Older Devices: Patched, Not Patched, Supported?
    • 12. HACK DEMONSTRATION
      Most Common Bluetooth Hack Tools: Super Bluetooth Hack 1.08; Blue Scanner; Blue Sniff; BlueBugger; BTBrowser; BTCrawler; BlueSnarfing
    • 13. TYPICAL DATA ON DEVICES
      - Loan Portfolios or Board Packages: Web Delivery or USB
      - Email: Different from PC, b/c of location
      - Contacts: Corporate Account Take Over (CATO); Guidance – Reasonable Assumption
      - Certificates / Keys for VPN
      - Personal Data: Wait for later information; Blackmail
    • 14. BREACH LAWS
      http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
      Where the Customer is Located!
      For Texas: "breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
    • 15. POST BREACH CLEAN-UP
      - Legal Representation
      - Investigation – Forensics
      - Regulatory
      - Reputational: Newspaper or Channel 5; Social Media / Internet
      - Identity Theft Solutions
      - Lawsuits
    • 16. NOW FOR THE NOT SO SCARY PART
      Mitigating the Risk: Business Case w/ Risk Assessment; Policy; Agreements; Device Selection; Device Management; Configuration; Applications; Automated Solutions; Audit & Update Risk Assessment
    • 17. MITIGATING – BUILD A CASE
      Build a Business Case to Permit and/or Use Mobile Devices: Cost of Device; Cost of Compliance; Identify Users; Implementation Staff; Training?; Get Approval?
    • 18. MITIGATING – POLICY & AGREEMENT
      Policy: Device Types; Control; Permission; Monitoring; Enforcement
      Agreement: User Acknowledgement; Understanding; Acceptance; Annually!
    • 19. MITIGATING – DEVICE SELECTION
      Apple
      - iPhone: Encrypted by Default; Encryption uncracked, but keys are easy to obtain (http://www.eweek.com/c/a/Security/iPhone-4-Encryption-Remains-Uncracked-But-Password-Keys-Easy-to-Obtain-686228/); Better App Controls in iTunes; Likes to add Cloud Sync; Remote Wipe Capable
      - iPad: Same as iPhone; Bigger target for theft
    • 20. MITIGATING – DEVICE SELECTION
      Android – Phone & Tablet
      - Currently the Most Popular
      - Offers more Control & Faster Innovation
      - Not Encrypted by default
      - No Remote Wipe by default – look for the highly regarded "Mobile Defense" app
      - Location Services from some Vendors
      - Inconsistent Implementation of features (Vendor’s Choice)
      - Open Source, but Supported
    • 21. MITIGATING – DEVICE SELECTION
      Others
      - Blackberry: Losing Market Share FAST!; Banned for Government use in some countries; Stores data in transit for 7 days; Expensive to Control (Blackberry Enterprise Server; Other Solutions to fill Gaps)
      - Microsoft: Newer / Less Market Share; Stigma from previous versions
    • 22. DEVICE RECOMMENDATIONS
      - Stick with Apple and/or Android: The more devices, the higher the cost of ownership
      - Use Third Party Software/Services to fill Compliance Gaps. At the least: Remote Wipe; Password Protection (more than a 4-number PIN); Encryption (all storage & transmission)
      - Update device every 2 years: Support, but more importantly, Vulnerability Management
    • 23. MITIGATING – DEVICE MANAGEMENT
      Common Configuration Controls for Devices:
      - Encryption (ENABLE, all Storage)
      - Remote wipe (ENABLE)
      - Enforce password on device (ENABLE)
      - Allow or prohibit simple password
      - Password expiration (90 Days)
      - Password history (5)
      - Policy refresh interval (Daily)
      - Minimum password length (8 or Optional: biometric)
      - Minimum number of complex characters in password
      - Require both numbers and letters
      - Maximum failed password attempts before local wipe (10-15)
      - Require manual syncing while roaming (ENABLE)
      - Inactivity time in minutes (1 to 5 minutes)
      - Allow camera
      - Allow web browsing
    • 24. MITIGATING – DEVICE MANAGEMENT
      Less Common Configuration Controls for Devices:
      - Block access from unapproved devices
      - Block access from non-compliant devices
      - Device Check-In Interval
      - Ensure Device not Lost
      - Automatically Wipe
      - Prevent Wireless & Bluetooth
      - Designated Staff Administer Bluetooth Devices only
      - Monitor Employee
      - Recover Phone
      - App Management: Whitelist Approved Apps; Prevent Removal of Antivirus, Firewall, etc.; Block Non-Approved Apps; Manage App Access to Functions; Disable Access to GPS for Social Apps; Enable/Disable GPS
    • 25. MITIGATING
      - Select the Controls that work best to protect your institution
      - Test Features & Controls
      - Monitor Usage & Compliance
      - Enforce Policy
      Not much different than a PC, is it?
    • 26. MITIGATING – TOOLS & AUDITS
      Automated Solutions:
      - Symantec Mobile Management: http://www.symantec.com/mobile-management
      - MaaS360 Mobile Device and App Management: http://www.maas360.com
      - Zenprise MobileManager: http://www.zenprise.com/products/zenprise-mobilemanager
      - Good for Enterprise (GFE): http://www.good.com/products/good-for-enterprise.php
      Risk Assessment: Consider New Controls; Before and After Audit
      Audit: In Scope Statement
    • 27. CONCLUSION
      - Form an adoption Plan
      - Identify Users & Support: Agreements to Ensure Understanding
      - Identify Devices: Pick 1 or 2 devices to support at most
      - Identify Features: Control Device Features
      - Identify Apps: Require Security Apps for Antivirus, Firewall, Encryption, Remote Wipe, Tracking; Whitelist good, Blacklist everything else
      - Use Tools to Control and Monitor – Ensure Compliance
      - DOD Wipe prior to service or return
      - Test, Monitor, Audit
    • 28. OUT OF SCOPE ADDITION
      Note relating to Customers:
      - Update Online Banking & Website Disclosures / Policies: PC/Computer = PC/Computer or Mobile Device
      - Additions to Website: Notification of Lost/Stolen Phone or other Device; Suspend Online Banking and Bill Pay Accounts; Change Password and/or Username
      - Invest in a Mobile formatted Website: Quick links to ATM/Branch locations; Links to Online Banking Login (even if Online Banking is not Mobile Enabled); Disclose mobile devices that work
    • 29. ENDING REMARKS
      - Mobile is here to stay, and will only increase
      - Secure through tools; security through prohibition is only temporary
    • 30. QUESTIONS?
    • 31. CONTACT ME
      http://www.linkedin.com/in/mscottsharp
      scott@firstbaird.com
      scott@sharpbancsystems.com
      scott@geekandahalf.com
      (972) 979-2680
    • 32. REFERENCES
      - Rashid, Fahmida Y. (2011). iPhone 4 Encryption Remains Uncracked, but Password Keys Easy to Obtain. Retrieved from http://www.eweek.com/c/a/Security/iPhone-4-Encryption-Remains-Uncracked-But-Password-Keys-Easy-to-Obtain-686228/
      - Parmar, Vivek (2010). 7 Most Popular Bluetooth Hacking Software To Hack Mobile Phones. Retrieved from http://techpp.com/2010/06/30/7-most-popular-bluetooth-hacking-software-to-hack-your-mobile-phone/
      - Notes on the implementation of encryption in Android 3.0. Retrieved from http://source.android.com/tech/encryption/android_crypto_implementation.htm
      - Pinola, Melanie. Install or Enable Remote Wipe on Your Smartphone Now. Retrieved from http://mobileoffice.about.com/od/mobilesecurity/qt/smartphone-remote-wipe.htm
      - Bradley, Tony. Lock Down Your Android Devices. Retrieved from http://www.pcworld.com/businesscenter/article/209597/lock_down_your_android_devices.html
      - Choudhry, Shahab (2012). iPad in Banking – 7 Important Considerations. Retrieved from http://www.propelics.com/ipad-in-banking-7-important-considerations/
      - Brownlow, Mark (2012). Smartphone statistics and market share. Retrieved from http://www.email-marketing-reports.com/wireless-mobile/smartphone-statistics.htm
      - Oltsik, Jon (2010). Juniper Networks Bets on Mobile Device Security—and Beyond. Retrieved from http://www.enterprisestrategygroup.com/2010/08/juniper-networks-bets-on-mobile-device-security%E2%80%94and-beyond/
      - Shein, Omar (2012). Blackberry, Are we hacked? Security Kaizen Magazine, Vol 2, Issue 5, 5-6.
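As an added example (not part of the deck or of any vendor tool listed on slide 26), the following Python checker evaluates constructed device configuration records against the baseline controls from slides 23 and 24 (encryption, remote wipe, password rules, failed-attempt wipe, inactivity lock) and flags unreported controls as non-compliant; the control names and the two devices are assumptions, not the output of any MDM product.

```python
# Added example: constructed device records checked against the slide 23/24 baseline.

# (comparison, expected value) per control, taken from slide 23.
BASELINE = {
    "encryption_enabled":       ("eq", True),        # Encryption (ENABLE, all storage)
    "remote_wipe_enabled":      ("eq", True),        # Remote wipe (ENABLE)
    "password_required":        ("eq", True),        # Enforce password on device
    "allow_simple_password":    ("eq", False),       # Prohibit simple password
    "require_alphanumeric":     ("eq", True),        # Require both numbers and letters
    "min_password_length":      ("min", 8),          # Minimum password length (8)
    "password_history":         ("min", 5),          # Password history (5)
    "password_expiration_days": ("max", 90),         # Password expiration (90 days)
    "max_failed_attempts":      ("range", (10, 15)), # Local wipe after 10-15 failures
    "inactivity_lock_minutes":  ("range", (1, 5)),   # Inactivity time (1 to 5 minutes)
}

def check(kind, expected, actual):
    """True when a reported value satisfies one baseline rule."""
    if kind == "range":                      # inclusive bounds
        return expected[0] <= actual <= expected[1]
    return {"eq": actual == expected, "min": actual >= expected,
            "max": actual <= expected}[kind]

def evaluate(device):
    """Findings for one device; empty list means compliant. A control the
    device does not report is a finding (slide 24: block non-compliant devices)."""
    findings = []
    for control, (kind, expected) in BASELINE.items():
        if control not in device:
            findings.append(f"{control}: not reported")
        elif not check(kind, expected, device[control]):
            findings.append(f"{control}: {device[control]!r} fails {kind} {expected!r}")
    return findings

# Constructed sample inventory (hypothetical devices, not real data).
DEVICES = {
    "officer-iphone-01": {"encryption_enabled": True, "remote_wipe_enabled": True,
        "password_required": True, "allow_simple_password": False,
        "require_alphanumeric": True, "min_password_length": 8, "password_history": 5,
        "password_expiration_days": 90, "max_failed_attempts": 10,
        "inactivity_lock_minutes": 5},
    "board-ipad-03": {"encryption_enabled": True, "password_required": True,
        "allow_simple_password": True, "require_alphanumeric": False,   # weak PIN rules
        "min_password_length": 4, "password_history": 5, "password_expiration_days": 90,
        "max_failed_attempts": 10, "inactivity_lock_minutes": 15},  # no remote_wipe key
}

def compliance_report(devices=DEVICES):
    """Map each device name to its findings; an empty list means allow access."""
    return {name: evaluate(cfg) for name, cfg in devices.items()}
```

Running `compliance_report()` returns an empty finding list for the officer phone and five findings for the board iPad, the first being the unreported remote-wipe control.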