Practical Steps for Assessing Tablet & Mobile Device Security
James Tarala, Enclave Security & the SANS Institute
Slide 1: Practical Steps for Assessing Tablet & Mobile Device Security
James Tarala, Enclave Security & the SANS Institute

Slide 2: Mobility is a Reality
• Organizations want their toys…
• These devices will not be going away anytime soon…
Practical Steps for Assessing Tablet & Mobile Device Security © Enclave Security 2013

Slide 3: Business Legitimacy
• Almost every industry has discovered ways of enhancing productivity with mobility:
  – Healthcare
  – Financial Services
  – Manufacturing
  – Retail
  – Government
  – Professional Services
  – And more…

Slide 4: What are we protecting?
• Potentially any / all of your organization’s data
• More than simply contacts & calendars
• Potentially we are protecting:
  – Financial records
  – Private health records
  – Credit card numbers
  – Anything in an email mailbox
  – And much, much more…

Slide 5: What if we ignore the risk?
• The primary risk to consider is the loss of data confidentiality
• If a mobile device is lost or stolen, the information stored on the device is also at risk
• However, other risks include:
  – Compromised authentication (SMS, soft tokens)
  – Manipulation of data sets
  – Impersonation of the device owner

Slide 6: Mobility Statistics
• Smartphones are second only to laptops in the executive’s arsenal of devices. While 87% of executives use a laptop, 82% indicated they have some kind of smartphone. (Forbes, 2010)
• More than half of senior executives agreed that their mobile device is now their primary communications tool. Among executives under age 40, 73% see their mobile device as more critical to communications than their landline. (Forbes, 2010)
• All signs point to a mobile future. 45% of senior corporate executives said they believe a smartphone or Web-enabled tablet will be their primary device for business-related use within three years. (Forbes, 2010)

Slide 7: Mobility Statistics (cont)
• 81% of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months (Ponemon, 2010)
• 64% of companies surveyed reported that they have never conducted an inventory of sensitive consumer information (Ponemon, 2010)
• 85% say handheld devices used in their organization should require security protection (Bluefire Wireless Security, April 2006)

Slide 8: Evolution of Mobile Risk
• There has been an evolution in mobile computing
• The evolution has been from:
  – Phones & PDAs
  – Laptops
  – Smart Phones & Tablets
• Although device capabilities have evolved, security controls have not necessarily kept up

Slide 9: Example of Mobile Risk
[Figure reproduced from the Symantec Internet Security Report 2011]

Slide 10: Typical Mobile Device Controls
• Generally, organizations secure laptops by implementing technical controls, such as:
  – Whole disk encryption
  – Anti-malware software
  – Application whitelisting software
  – Personal / host-based firewalls
  – Strong / two-factor authentication
  – Secure operating system configurations

Slide 11: Creating a Scoring System
• It would seem reasonable to measure mobile devices against this same controls list
• Therefore we have created a scorecard:
  – For the latest version of each operating system
  – For the native operating system (without apps)
  – For the native operating system (without a Mobile Device Manager)
  – However, we included the use of BES / AD / ActiveSync capabilities in the scoring

Slide 12: Whole Disk Encryption Scorecard

Slide 13: Anti-Malware Scorecard

Slide 14: Application Whitelisting Scorecard

Slide 15: Host-Based Firewall Scorecard

Slide 16: Authentication Scorecard

Slide 17: Security Configuration Scorecard
* Limited capabilities. ActiveSync or BES configuration only.

Slide 18: More than BlackBerrys
• RIM BlackBerrys are the modern Lotus Notes
• Phrases heard from clients:
  – “We went with BlackBerry because of their security.”
  – “BlackBerrys are protected by default by RIM and BlackBerry Enterprise Servers (BES).”
• These principles apply to all mobile devices
• Develop a methodology for evaluating all potential mobile options

Slide 19: So what have we learned so far?
• By default, most mobile devices do not implement even basic security controls
• Even when software is available, it must be configured; it is not enabled “out of the box”
• Most mobile devices require not only configuration, but owners to research & buy additional software to gain functionality
• Centralized management is another issue altogether…
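As an added illustration of the scoring rules the talk describes on slides 11, 17 and 19 (this is example code written for this page, not the talk's scorecard or its findings): the point values per coverage level, the two placeholder platforms and the function names are assumptions, and the data is constructed rather than measured.

```python
# Added example: a scorecard evaluator following the talk's rules (slides 11,
# 17, 19): score the latest native OS, no add-on apps, no MDM agent, but count
# what BES / AD / ActiveSync policy can enforce. Point values are assumptions.
POINTS = {
    "native": 2,        # control present and enabled out of the box
    "configurable": 1,  # present natively but the owner must configure it
    "limited": 1,       # ActiveSync or BES configuration only (slide 17 asterisk)
    "third_party": 0,   # owner must research and buy additional software
    "none": 0,          # not achievable on the native OS at all
}
# Levels the native OS cannot deliver alone: the controls that justify MDM (slide 25).
NEEDS_CENTRAL_MGMT = {"limited", "third_party", "none"}

# The six laptop controls the talk measures mobile devices against (slide 10).
MINIMUM_CONTROLS = (
    "whole disk encryption", "anti-malware", "application whitelisting",
    "host-based firewall", "two-factor authentication", "secure configuration",
)

def score_platform(coverage):
    """coverage: control -> level. Returns (score, max_score, gaps); unlisted = "none"."""
    score, gaps = 0, []
    for control in MINIMUM_CONTROLS:
        level = coverage.get(control, "none")
        if level not in POINTS:
            raise ValueError(f"unknown coverage level {level!r} for {control}")
        score += POINTS[level]
        if level in NEEDS_CENTRAL_MGMT:
            gaps.append(control)
    return score, max(POINTS.values()) * len(MINIMUM_CONTROLS), gaps

def rank_platforms(matrix):
    """Rank platforms by score (descending), then by fewest gaps, then by name."""
    scored = {name: score_platform(cov) for name, cov in matrix.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1][0], len(kv[1][2]), kv[0]))

# Constructed placeholder data for two hypothetical platforms; NOT the talk's
# actual scorecard results for any real operating system.
SAMPLE_MATRIX = {
    "platform_a": {
        "whole disk encryption": "native", "anti-malware": "third_party",
        "application whitelisting": "limited", "host-based firewall": "none",
        "two-factor authentication": "configurable", "secure configuration": "limited",
    },
    "platform_b": {
        "whole disk encryption": "configurable", "anti-malware": "none",
        "application whitelisting": "none", "host-based firewall": "third_party",
        "two-factor authentication": "third_party",  # "secure configuration" omitted
    },
}
```

Calling rank_platforms(SAMPLE_MATRIX) returns each platform's score out of 12 together with the controls that need an MDM or additional software, which is the list slide 19 says owners otherwise have to research themselves.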
Slide 20: Mobile Specific Threat Vectors
In addition to traditional risk vectors, mobile devices deserve extra attention in the areas of:
  – Physical theft / loss
  – Wireless / Bluetooth hacking
  – Geo-location tracking
  – General privacy threats
  – General ownership threats

Slide 21: Minimum Technical Controls
• Already, the following controls for all mobile devices have been mentioned:
  – Whole disk encryption
  – Anti-malware software
  – Application whitelisting software
  – Personal / host-based firewalls
  – Strong / two-factor authentication
  – Secure operating system configurations

Slide 22: Minimum Technical Controls (cont)
• In addition, organizations should consider controls such as:
  – Functionality limitations (cameras, wireless, etc.)
  – LoJack / phone home
  – Storage card encryption
  – Remote wiping
  – Remote locking
  – Logging / auditing
  – “Jailbreak detection”

Slide 23: Governance Questions
• In addition to technical controls, organizations must establish policy to determine:
  – Can organization data reside on personal devices?
  – Who is responsible for data residing on a device?
  – Will the organization purchase mobile devices for workforce members?
  – Regardless of ownership, can mobile devices be inspected by organization personnel?
  – Can data on devices be monitored by organizational personnel?

Slide 24: Governance Questions (cont)
  – Who will support mobile devices?
  – Which workforce members will be offered support?
  – Will all or only certain types of devices be supported by the organization?
  – Will application support be included?
  – Who is responsible for installing / supporting security software applications on devices?
  – And on, and on, and on…

Slide 25: Central Management
• Laws are useful, but only when there are sufficient mechanisms to enforce those laws
• If end users can disable controls, they will
• Technical controls help organizations to enforce business decisions
• Therefore centralized mobile device management must be considered

Slide 26: Commercial Enterprise Tools
• In May 2013, Gartner released a “Magic Quadrant” study for mobile device management software
• It evaluates security & manageability
• It names the following leaders:
  – AirWatch
  – Good Technology
  – MobileIron
  – Citrix
http://mobilityjourney.com/2013/05/30/2013-mdm-gartner-magic-quadrant-mobile0device-management

Slide 27: Lessons Learned
• Organizations want to use mobile devices (even infosec groups); do not just be a barrier
• Educate business owners on specific risks and allow them to accept those risks or not
• Define mandatory and optional security controls for these devices, and stick to them
• But be willing to ban devices that do not meet corporate standards for mobility

Slide 28: Further Questions
• James Tarala
  – E-mail: james.tarala@enclavesecurity.com
  – Twitter: @isaudit
  – Blog: http://www.auditscripts.com
• Resources for further study:
  – SANS Security 505: Securing Windows
  – SANS Security 575: Mobile Device Security and Ethical Hacking
  – Forbes: The Untethered Executive (2010)
  – Gartner Magic Quadrant for Mobile Device Management Software (May 2013)
