Practical Steps for Assessing Tablet & Mobile Device Security
James Tarala, Enclave Security & the SANS Institute
Mobility is a Reality
• Organizations want their toys…
• These devices will not be going away anytime soon…
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013
Business Legitimacy
• Almost every industry has discovered ways of enhancing productivity with mobility:
– Healthcare
– Financial Services
– Manufacturing
– Retail
– Government
– Professional Services
– And more…
What are we protecting?
• Potentially any / all of your organization’s data
• More than simply contacts & calendars
• Potentially we are protecting:
– Financial records
– Private health records
– Credit card numbers
– Anything in an email mailbox
– And much, much more…
What if we ignore the risk?
• The primary risk to consider is the loss of data confidentiality
• If a mobile device is lost or stolen, the information stored on the device is also at risk
• However, other risks include:
– Compromised authentication (SMS, soft tokens)
– Manipulation of data sets
– Impersonation of device owner
Mobility Statistics
• Smartphones are second only to laptops in the executive’s arsenal of devices. While 87% of executives use a laptop, 82% indicated they have some kind of smartphone. (Forbes, 2010)
• More than half of senior executives agreed that their mobile device is now their primary communications tool. Among executives under age 40, 73% see their mobile device as more critical to communications than their landline. (Forbes 2010)
• All signs point to a mobile future. 45% of senior corporate executives said they believe a smartphone or Web-enabled tablet will be their primary device for business-related use within three years. (Forbes 2010)
Mobility Statistics (cont)
• 81% of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months (Ponemon 2010)
• 64% of companies surveyed reported that they have never conducted an inventory of sensitive consumer information (Ponemon 2010)
• 85% say handheld devices used in their organization should require security protection (Bluefire Wireless Security, April 2006)
Evolution of Mobile Risk
• There has been an evolution in mobile computing
• The evolution has been from:
– Phones & PDAs
– Laptops
– Smart Phones & Tablets
• Although device capabilities have evolved, security controls have not necessarily kept up
Example of Mobile Risk
Reproduced from Symantec Internet Security Report 2011
Typical Mobile Device Controls
• Generally organizations secure laptops by implementing technical controls, such as:
– Whole disk encryption
– Anti-malware software
– Application whitelisting software
– Personal / host-based firewalls
– Strong / two-factor authentication
– Secure operating system configurations
Creating a Scoring System
• It would seem reasonable to measure mobile devices against this same controls list
• Therefore we have created a scorecard:
– For the latest version of each operating system
– For the native operating system (without apps)
– For the native operating system (without a Mobile Device Manager)
– However we included the use of BES / AD / ActiveSync capabilities in the scoring
Whole Disk Encryption Scorecard
Anti-Malware Scorecard
Application Whitelisting Scorecard
Host-Based Firewall Scorecard
Authentication Scorecard
Security Configuration Scorecard
* Limited capabilities. ActiveSync or BES configuration only.
More than BlackBerrys
• RIM BlackBerrys are the modern Lotus Notes
• Phrases heard from clients:
– “We went with BlackBerry because of their security.”
– “BlackBerrys are protected by default by RIM and BlackBerry Enterprise Servers (BES).”
• These principles apply to all mobile devices
• Develop a methodology for evaluating all potential mobile options
So what have we learned so far?
• By default most mobile devices do not implement even basic security controls
• Even when software is available it must be configured; it is not “out of the box”
• Most mobile devices require not only configuration, but also that owners research & buy additional software to gain functionality
• Centralized management is another issue altogether…
Mobile Specific Threat Vectors
In addition to traditional risk vectors, mobile devices deserve extra attention in the areas of:
– Physical theft / loss
– Wireless / Bluetooth hacking
– Geo-location tracking
– General privacy threats
– General ownership threats
Minimum Technical Controls
• Already, the following controls for all mobile devices have been mentioned:
– Whole disk encryption
– Anti-malware software
– Application whitelisting software
– Personal / host-based firewalls
– Strong / two-factor authentication
– Secure operating system configurations
Minimum Technical Controls (cont)
• In addition, organizations should consider controls such as:
– Functionality limitations (cameras, wireless, etc)
– LoJack / phone home
– Storage card encryption
– Remote wiping
– Remote locking
– Logging / auditing
– “Jailbreak detection”
Governance Questions
• In addition to technical controls, organizations must establish policy to determine:
– Can organization data reside on personal devices?
– Who is responsible for data residing on a device?
– Will the organization purchase mobile devices for workforce members?
– Regardless of ownership, can mobile devices be inspected by organization personnel?
– Can data on devices be monitored by organizational personnel?
Governance Questions (cont)
– Who will support mobile devices?
– Which workforce members will be offered support?
– Will all or only certain types of devices be supported by the organization?
– Will application support be included?
– Who is responsible for installing / supporting security software applications on devices?
– And on, and on, and on…
Central Management
• Laws are useful, but only when there are sufficient mechanisms to enforce those laws
• If end users can disable controls, they will
• Technical controls help organizations to enforce business decisions
• Therefore centralized mobile device management must be considered
Commercial Enterprise Tools
• May 2013, Gartner releases a “Magic Quadrant” study for mobile device management software
• Evaluates security & manageability
• Names the following leaders:
– AirWatch
– Good Technology
– MobileIron
– Citrix
http://mobilityjourney.com/2013/05/30/2013-mdm-gartner-magic-quadrant-mobile0device-management
Lessons Learned
• Organizations (even infosec groups) want to use mobile devices; do not just be a barrier
• Educate business owners on specific risks and allow them to accept them or not
• Define mandatory and optional security controls for these devices, and stick to them
• But be willing to ban devices that do not meet corporate standards for mobility
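Added example (not part of the original slides): one way to turn the scorecard idea and the mandatory / optional control split into a repeatable check, in Python. The control names come from the slides; the three-level rating, the rule that a control the user can disable never rates above "limited", the sample policy (the six laptop-style controls as mandatory) and the two sample platforms are assumptions constructed for illustration.

```python
"""Score a mobile platform against the slides' control list (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class Support(IntEnum):
    NONE = 0     # control not available on the native OS
    LIMITED = 1  # partial, e.g. only through ActiveSync or BES configuration
    FULL = 2     # available and configurable natively


# Control names follow the two "Minimum Technical Controls" slides.
BASELINE = frozenset({
    "whole_disk_encryption", "anti_malware", "application_whitelisting",
    "host_based_firewall", "strong_authentication", "secure_os_configuration",
})
ADDITIONAL = frozenset({
    "functionality_limitations", "phone_home", "storage_card_encryption",
    "remote_wipe", "remote_lock", "logging_auditing", "jailbreak_detection",
})


@dataclass(frozen=True)
class Observation:
    support: Support
    centrally_enforced: bool = False  # False: the end user can switch it off


@dataclass(frozen=True)
class Policy:
    mandatory: frozenset
    optional: frozenset
    min_mandatory: Support = Support.FULL  # rating every mandatory control needs


def effective(obs: Optional[Observation]) -> Support:
    """Rating that counts toward the score.

    Assumptions of this example: an unassessed control rates NONE, and a
    control the end user can disable never rates above LIMITED.
    """
    if obs is None:
        return Support.NONE
    if not obs.centrally_enforced:
        return min(obs.support, Support.LIMITED)
    return obs.support


def assess(observations: Dict[str, Observation], policy: Policy) -> dict:
    """Return score, failed mandatory controls and an allow / ban decision."""
    controls = policy.mandatory | policy.optional
    unknown = set(observations) - controls
    if unknown:
        # A misspelled control would otherwise be silently scored as absent.
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    ratings = {c: effective(observations.get(c)) for c in controls}
    failed = sorted(
        c for c in policy.mandatory if ratings[c] < policy.min_mandatory
    )
    return {
        "score": sum(ratings.values()),
        "max_score": int(Support.FULL) * len(controls),
        "failed_mandatory": failed,
        "decision": "ban" if failed else "allow",
    }


# Constructed sample policy: which controls are mandatory is an
# organisational decision, not something the slides prescribe.
SAMPLE_POLICY = Policy(mandatory=BASELINE, optional=ADDITIONAL)

# Constructed sample platforms (hypothetical, not ratings of real products).
PLATFORM_A = {c: Observation(Support.FULL, True) for c in BASELINE}
PLATFORM_A.update({
    "remote_wipe": Observation(Support.FULL, True),
    "remote_lock": Observation(Support.LIMITED, True),
})
PLATFORM_B = {
    "whole_disk_encryption": Observation(Support.FULL, False),  # user can disable
    "anti_malware": Observation(Support.NONE),
    "strong_authentication": Observation(Support.LIMITED, True),
    "secure_os_configuration": Observation(Support.LIMITED, True),
    "remote_wipe": Observation(Support.FULL, True),
}

if __name__ == "__main__":
    for name, obs in (("Platform A", PLATFORM_A), ("Platform B", PLATFORM_B)):
        result = assess(obs, SAMPLE_POLICY)
        print(f"{name}: {result['score']}/{result['max_score']} "
              f"-> {result['decision']} {result['failed_mandatory']}")
```

Lowering `min_mandatory` to `Support.LIMITED` models a policy that accepts ActiveSync / BES-only enforcement for mandatory controls.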
Further Questions
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit
– Blog: http://www.auditscripts.com
• Resources for further study:
– SANS Security 505: Securing Windows
– SANS Security 575: Mobile Device Security and Ethical Hacking
– Forbes: The Untethered Executive (2010)
– Gartner Magic Quadrant for Mobile Device Management Software (May 2013)

Advanced Computer Architecture – An IntroductionDilum Bandara
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Practical steps for assessing tablet & mobile device security

  • 1. Practical Steps for Assessing Tablet & Mobile Device Security James Tarala, Enclave Security & the SANS Institute
  • 2. Mobility is a Reality • Organizations want their toys… • These devices will not be going away anytime soon…
  • 3. Business Legitimacy • Almost every industry has discovered ways of enhancing productivity with mobility: – Healthcare – Financial Services – Manufacturing – Retail – Government – Professional Services – And more…
  • 4. What are we protecting? • Potentially any / all of your organization’s data • More than simply contacts & calendars • Potentially we are protecting: – Financial records – Private health records – Credit card numbers – Anything in an email mailbox – And much, much more…
  • 5. What if we ignore the risk? • The primary risk to consider is the loss of data confidentiality • If a mobile device is lost or stolen, the information stored on the device is also at risk • However, other risks include: – Compromised authentication (SMS, soft tokens) – Manipulation of data sets – Impersonation of device owner
  • 6. Mobility Statistics • Smartphones are second only to laptops in the executive’s arsenal of devices. While 87% of executives use a laptop, 82% indicated they have some kind of smartphone. (Forbes, 2010) • More than half of senior executives agreed that their mobile device is now their primary communications tool. Among executives under age 40, 73% see their mobile device as more critical to communications than their landline. (Forbes 2010) • All signs point to a mobile future. 45% of senior corporate executives said they believe a smartphone or Web-enabled tablet will be their primary device for business-related use within three years. (Forbes 2010)
  • 7. Mobility Statistics (cont) • 81% of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months (Ponemon 2010) • 64% of companies surveyed reported that they have never conducted an inventory of sensitive consumer information (Ponemon 2010) • 85% say handheld devices used in their organization should require security protection (Bluefire Wireless Security, April 2006)
  • 8. Evolution of Mobile Risk • There has been an evolution in mobile computing • The evolution has been from: – Phones & PDAs – Laptops – Smart Phones & Tablets • Although device capabilities have evolved, security controls have not necessarily kept up
  • 9. Example of Mobile Risk (Reproduced from Symantec Internet Security Report 2011)
  • 10. Typical Mobile Device Controls • Generally organizations secure laptops by implementing technical controls, such as: – Whole disk encryption – Anti-malware software – Application whitelisting software – Personal / host-based firewalls – Strong / two-factor authentication – Secure operating system configurations
  • 11. Creating a Scoring System • It would seem reasonable to measure mobile devices against this same controls list • Therefore we have created a scorecard: – For the latest version of each operating system – For the native operating system (without apps) – For the native operating system (without a Mobile Device Manager) – However we included the use of BES / AD / ActiveSync capabilities in the scoring
  • 12. Whole Disk Encryption Scorecard
  • 13. Anti-Malware Scorecard
  • 14. Application Whitelisting Scorecard
  • 15. Host-Based Firewall Scorecard
  • 16. Authentication Scorecard
  • 17. Security Configuration Scorecard * Limited capabilities. ActiveSync or BES configuration only.
  • 18. More than BlackBerrys • RIM BlackBerrys are the modern Lotus Notes • Phrases heard from clients: – “We went with BlackBerry because of their security.” – “BlackBerrys are protected by default by RIM and BlackBerry Enterprise Servers (BES).” • These principles apply to all mobile devices • Develop a methodology for evaluating all potential mobile options
  • 19. So what have we learned so far? • By default most mobile devices do not implement even basic security controls • Even when software is available it must be configured; it is not “out of the box” • Most mobile devices require not only configuration, but owners to research & buy additional software to gain functionality • Centralized management is another issue altogether…
  • 20. Mobile Specific Threat Vectors In addition to traditional risk vectors, mobile devices deserve extra attention in the areas of: – Physical theft / loss – Wireless / Bluetooth hacking – Geo-location tracking – General privacy threats – General ownership threats
  • 21. Minimum Technical Controls • Already, the following controls for all mobile devices have been mentioned: – Whole disk encryption – Anti-malware software – Application whitelisting software – Personal / host-based firewalls – Strong / two-factor authentication – Secure operating system configurations
  • 22. Minimum Technical Controls (cont) • In addition, organizations should consider controls such as: – Functionality limitations (cameras, wireless, etc) – LoJack / phone home – Storage card encryption – Remote wiping – Remote locking – Logging / auditing – “Jailbreak detection”
  • 23. Governance Questions • In addition to technical controls, organizations must establish policy to determine: – Can organization data reside on personal devices? – Who is responsible for data residing on a device? – Will the organization purchase mobile devices for workforce members? – Regardless of ownership, can mobile devices be inspected by organization personnel? – Can data on devices be monitored by organizational personnel?
  • 24. Governance Questions (cont) – Who will support mobile devices? – Which workforce members will be offered support? – Will all or only certain types of devices be supported by the organization? – Will application support be included? – Who is responsible for installing / supporting security software applications on devices? – And on, and on, and on…
  • 25. Central Management • Laws are useful, but only when there are sufficient mechanisms to enforce those laws • If end users can disable controls, they will • Technical controls help organizations to enforce business decisions • Therefore centralized mobile device management must be considered
  • 26. Commercial Enterprise Tools • May 2013, Gartner releases a “Magic Quadrant” study for mobile device management software • Evaluates security & manageability • Names the following leaders: – AirWatch – Good Technology – MobileIron – Citrix http://mobilityjourney.com/2013/05/30/2013-mdm-gartner-magic-quadrant-mobile0device-management
  • 27. Lessons Learned • Organizations want to use mobile devices (even infosec groups); do not just be a barrier • Educate business owners on specific risks and allow them to accept them or not • Define mandatory and optional security controls for these devices, and stick to them • But be willing to ban devices that do not meet corporate standards for mobility
  • 28. Further Questions • James Tarala – E-mail: james.tarala@enclavesecurity.com – Twitter: @isaudit – Blog: http://www.auditscripts.com • Resources for further study: – SANS Security 505: Securing Windows – SANS Security 575: Mobile Device Security and Ethical Hacking – Forbes: The Untethered Executive (2010) – Gartner Magic Quadrant for Mobile Device Management Software (May 2013)
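
An added example, not part of the original deck: a small scorecard evaluator following the method on slides 11 and 27, where only native OS and BES / AD / ActiveSync capabilities count toward the score, and a platform missing a mandatory control is banned. The data model, function names, sample platform and the one-point-per-control score are assumptions made for illustration.

```python
from dataclasses import dataclass

# The six laptop-derived controls from the "Typical Mobile Device Controls" slide.
CONTROLS = (
    "whole_disk_encryption", "anti_malware", "application_whitelisting",
    "host_firewall", "strong_authentication", "secure_configuration",
)
# Sources the deck's scorecard counts: the native OS plus BES / AD / ActiveSync.
# Third-party apps and MDM products are excluded from the native score.
SCORED_SOURCES = {"native", "bes", "ad", "activesync"}


@dataclass(frozen=True)
class Capability:
    control: str
    source: str    # "native", "bes", "ad", "activesync", "app" or "mdm"
    enabled: bool  # being available is not enough; it must be configured on


def scorecard(capabilities):
    """Return {control: bool}, counting only enabled capabilities from scored sources."""
    unknown = {c.control for c in capabilities} - set(CONTROLS)
    if unknown:
        raise ValueError(f"unknown control(s): {sorted(unknown)}")
    met = {c.control for c in capabilities
           if c.enabled and c.source.lower() in SCORED_SOURCES}
    return {name: name in met for name in CONTROLS}


def assess(capabilities, mandatory):
    """Score a platform and decide whether it meets the organization's standard."""
    card = scorecard(capabilities)
    missing = sorted(m for m in mandatory if not card[m])
    return {
        "score": sum(card.values()),   # assumption: one point per control met
        "out_of": len(CONTROLS),
        "missing_mandatory": missing,
        "decision": "ban" if missing else "allow",
    }


# Constructed sample data, not taken from the deck's scorecards.
SAMPLE_PLATFORM = [
    Capability("whole_disk_encryption", "native", True),
    Capability("strong_authentication", "activesync", True),
    Capability("secure_configuration", "activesync", True),
    Capability("anti_malware", "app", True),       # third-party app: not scored
    Capability("host_firewall", "native", False),  # present but not configured
]
# Hypothetical organizational policy: which controls are mandatory.
MANDATORY = ("whole_disk_encryption", "strong_authentication", "anti_malware")

if __name__ == "__main__":
    print(assess(SAMPLE_PLATFORM, MANDATORY))
```

The anti-malware app and the unconfigured firewall both score zero here, which is the point of slides 11 and 19: a capability that needs extra software or is left off does not count as a control.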

Editor's Notes

  1. Cool Mobility = Mobile productivity. Mobile applications enable us to have instant access to information anywhere, anytime. But, what about confidential data? How do we secure and audit mobile devices? This presentation will provide a streamlined approach to understanding and auditing endpoint security on mobile devices.