Practical Steps for Assessing Tablet &
Mobile Device Security
James Tarala, Enclave Security & the SANS Institute
Mobility is a Reality
• Organizations want their toys…
• These devices will not be going away anytime
soon…
Practical Step...
Business Legitimacy
• Almost every industry has discovered ways of
enhancing productivity with mobility:
– Healthcare
– Fi...
What are we protecting?
• Potentially any / all of your organization’s data
• More than simply contacts & calendars
• Pote...
What if we ignore the risk?
• The primary risk to consider is the loss of data
confidentiality
• If a mobile device is los...
Mobility Statistics
• Smartphones are second only to laptops in the
executive’s arsenal of devices. While 87% of executive...
Mobility Statistics (cont)
• 81% of companies surveyed reported the loss of one
or more laptops containing sensitive infor...
Evolution of Mobile Risk
• There has been an evolution in mobile
computing
• The evolution has been from:
– Phones & PDAs
...
Example of Mobile Risk
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
Reproduced fr...
Typical Mobile Device Controls
• Generally organizations secure laptops by
implementing technical controls, such as:
– Who...
Creating a Scoring System
• It would seem reasonable to measure mobile
devices against this same controls list
• Therefore...
Whole Disk Encryption Scorecard
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
Anti-Malware Scorecard
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
Application Whitelisting Scorecard
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
Host-Based Firewall Scorecard
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
Authentication Scorecard
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
Security Configuration Scorecard
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
* L...
More than BlackBerrys
• RIM BlackBerrys are the modern Lotus Notes
• Phrases heard from clients:
– “We went with BlackBerr...
So what have we learned so far?
• By default most mobile devices do not
implement even basic security controls
• Even when...
Mobile Specific Threat Vectors
In addition to traditional risk vectors, mobile
devices deserve extra attention in the area...
Minimum Technical Controls
• Already, the following controls for all mobile
devices have been mentioned:
– Whole disk encr...
Minimum Technical Controls (cont)
• In addition, organizations should consider
controls such as:
– Functionality limitatio...
Governance Questions
• In addition to technical controls, organizations
must establish policy to determine:
– Can organiza...
Governance Questions (cont)
– Who will support mobile devices?
– Which workforce members will be offered
support?
– Will a...
Central Management
• Laws are useful, but only when there are
sufficient mechanisms to enforce those laws
• If end users c...
Commercial Enterprise Tools
• May 2013, Gartner releases a “Magic
Quadrant” study for mobile device
management software
• ...
Lessons Learned
• Organizations want to use mobile devices
(even infosec groups), do not just be a barrier
• Educate busin...
Further Questions
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit
– Blog: http://www.auditsc...
Upcoming SlideShare
Loading in …5
×

Practical steps for assessing tablet & mobile device security

1,625 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,625
On SlideShare
0
From Embeds
0
Number of Embeds
588
Actions
Shares
0
Downloads
29
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Cool Mobility = Mobile productivity. Mobile applications enable us to have instant access to information anywhere, anytime. But, what about confidential data? How do we secure and audit mobile devices? This presentation will provide a streamline approach to understanding and auditing endpoint security on mobile devices.
  • Practical steps for assessing tablet & mobile device security

    1. 1. Practical Steps for Assessing Tablet & Mobile Device Security James Tarala, Enclave Security & the SANS Institute
    2. 2. Mobility is a Reality • Organizations want their toys… • These devices will not be going away anytime soon… Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    3. 3. Business Legitimacy • Almost every industry has discovered ways of enhancing productivity with mobility: – Healthcare – Financial Services – Manufacturing – Retail – Government – Professional Services – And more… Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    4. 4. What are we protecting? • Potentially any / all of your organization’s data • More than simply contacts & calendars • Potentially we are protecting: – Financial records – Private health records – Credit card numbers – Anything in an email mailbox – And much, much more… Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    5. 5. What if we ignore the risk? • The primary risk to consider is the loss of data confidentiality • If a mobile device is lost or stolen, the information stored on the device is also at risk • However, other risks include: – Compromised authentication (SMS, soft tokens) – Manipulation of data sets – Impersonation of device owner Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    6. 6. Mobility Statistics • Smartphones are second only to laptops in the executive’s arsenal of devices. While 87% of executives use a laptop, 82% indicated they have some kind of smartphone. (Forbes, 2010) • More than half of senior executives agreed that their mobile device is now their primary communications tool. Among executives under age 40, 73% see their mobile device as more critical to communications than their landline. (Forbes 2010) • All signs point to a mobile future. 45% of senior corporate executives said they believe a smartphone or Web-enabled tablet will be their primary device for business-related use within three years. (Forbes 2010) Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    7. 7. Mobility Statistics (cont) • 81% of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months (Ponemon 2010) • 64% of companies surveyed reported that they have never conducted an inventory of sensitive consumer information (Ponemon 2010) • 85% say handheld devices used in their organization should require security protection (Bluefire Wireless Security, April 2006) Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    8. 8. Evolution of Mobile Risk • There has been an evolution in mobile computing • The evolution has been from: – Phones & PDAs – Laptops – Smart Phones & Tablets • Although device capabilities have evolved, security controls have not necessarily kept up Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    9. 9. Example of Mobile Risk Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013 Reproduced from Symantec Internet Security Report 2011
    10. 10. Typical Mobile Device Controls • Generally organizations secure laptops by implementing technical controls, such as: – Whole disk encryption – Anti-malware software – Application whitelisting software – Personal / host-based firewalls – Strong / two-factor authentication – Secure operating system configurations Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    11. 11. Creating a Scoring System • It would seem reasonable to measure mobile devices against this same controls list • Therefore we have created a scorecard: – For the latest version of each operating system – For the native operating system (without apps) – For the native operating system (without a Mobile Device Manager) – However we included the use of BES / AD / ActiveSync capabilities in the scoring Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    12. 12. Whole Disk Encryption Scorecard Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    13. 13. Anti-Malware Scorecard Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    14. 14. Application Whitelisting Scorecard Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    15. 15. Host-Based Firewall Scorecard Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    16. 16. Authentication Scorecard Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    17. 17. Security Configuration Scorecard Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013 * Limited capabilities. ActiveSync or BES configuration only.
    18. 18. More than BlackBerrys • RIM BlackBerrys are the modern Lotus Notes • Phrases heard from clients: – “We went with BlackBerry because of their security.” – “BlackBerrys are protected by default by RIM and BlackBerry Enterprise Servers (BES).” • These principles apply to all mobile devices • Develop a methodology for evaluating all potential mobile options Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    19. 19. So what have we learned so far? • By default most mobile devices do not implement even basic security controls • Even when software is available it must be configured, it is not “out of the box” • Most mobile devices require not only configuration, but owners to research & buy additional software to gain functionality • Centralized management is another issue altogether… Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    20. 20. Mobile Specific Threat Vectors In addition to traditional risk vectors, mobile devices deserve extra attention in the areas of: – Physical theft / loss – Wireless / Bluetooth hacking – Geo-location tracking – General privacy threats – General ownership threats Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    21. 21. Minimum Technical Controls • Already, the following controls for all mobile devices have been mentioned: – Whole disk encryption – Anti-malware software – Application whitelisting software – Personal / host-based firewalls – Strong / two-factor authentication – Secure operating system configurations Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    22. 22. Minimum Technical Controls (cont) • In addition, organizations should consider controls such as: – Functionality limitations (cameras, wireless, etc) – LoJack / phone home – Storage card encryption – Remote wiping – Remote locking – Logging / auditing – “Jailbreak detection” Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    23. 23. Governance Questions • In addition to technical controls, organizations must establish policy to determine: – Can organization data reside on personal devices? – Who is responsible for data residing on a device? – Will the organization purchase mobile devices for workforce members? – Regardless of ownership, can mobile devices be inspected by organization personnel? – Can data on devices be monitored by organizational personnel? Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    24. 24. Governance Questions (cont) – Who will support mobile devices? – Which workforce members will be offered support? – Will all or only certain types of devices be supported by the organization? – Will application support be included? – Who is responsible installing / supporting security software applications on devices? – And on, and on, and on… Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    25. 25. Central Management • Laws are useful, but only when there are sufficient mechanisms to enforce those laws • If end users can disable controls, they will • Technical controls help organizations to enforce business decisions • Therefore centralized mobile device management must be considered Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    26. 26. Commercial Enterprise Tools • May 2013, Gartner releases a “Magic Quadrant” study for mobile device management software • Evaluates security & manageability • Names the following leaders: – AirWatch – Good Technology – MobileIron – Citrix Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013 http://mobilityjourney.com/2013/05/30/2013-mdm-gartner-magic-quadrant-mobile0device-management
    27. 27. Lessons Learned • Organizations want to use mobile devices (even infosec groups), do not just be a barrier • Educate business owners on specific risks and allow them to accept it or not • Define mandatory and optional security controls for these devices, and stick to them • But be willing to ban devices that do not meet corporate standards for mobility Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
    28. 28. Further Questions • James Tarala – E-mail: james.tarala@enclavesecurity.com – Twitter: @isaudit – Blog: http://www.auditscripts.com • Resources for further study: – SANS Security 505: Securing Windows – SANS Security 575: Mobile Device Security and Ethical Hacking – Forbes: The Untethered Executive (2010) – Gartner Magic Quadrant for Mobile Device Management Software (May 2013) Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013

    ×