Bring Your Own Breach - Building a Mobile Security Strategy


Published on

Mobile devices can be a tempting target for some very angry birds who can steal data, decimate public trust, and destroy confidentiality with the flick of a finger. This presentation presents a rational framework for assessing mobile security needs in your business and establishing a Mobile Security Strategy.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Anitian does not share our hacking efforts with the public. We research our research and expertise for our clients and their benefit.
  • If there is anything the Arab Spring has shown is that mobility is extremely powerful in giving voices to people. Those voices can topple governments, and destroy businesses – for good or bad. Employees forms a relationship with your network, but they have relationships with 1000 other people – any one of them could be an elite hacker who wants to hurt your company.
  • I just got back from RSABank vs. Resturant example At RSA, David Brooks said emotions are how we ascribe value
  • Users make bad decisions because they are not always able to properly ascribe value to a relationship. People will tend to dismiss threats they do not understand. I know that the email from “FedEx” is a phishing email, because my experience has colored my emotions that allows me to ascribe the correct value (none) to that email. Regular users lack that experience, and therefore will over value that relationship, providing a channel for abuse, theft and attack.
  • Consumer and business have overlapping and sometimes exclusionary goals and desiresThis whole first part of the presentation is to get you thinking in the right frame of mind. 1. people, 2. policy/process 3. technology
  • You spent all this money on Application ID, intrusion prevention, web filters and such, and somebody walks in with a iPhone that has a completely independent connection that bypasses everything.
  • Anitian was the first firm in the nation to develop a mobile security assessment frameworkAnitian developed this framework, as well as others, to assess organizationsMention cloud computing frameworkThis is our intellectual property, we’re sharing
  • Bring Your Own Breach - Building a Mobile Security Strategy

    1. 1. intelligent information securityANITIAN BRING YOUR OWN BREACH A N I T I A N Building a Mobile Security Strategy
    2. 2. intelligent information securityANITIAN MEET THE SPEAKER – ANDREW PLATO • President / CEO of Anitian • Principal at TrueBit CyberPartners • 20+ years of experience in security • Discovered SQL injection in 1995 • Helped develop first in-line IPS engine (BlackICE)
    3. 3. intelligent information securityANITIAN Vision: Security is essential to growth, innovation, and prosperity. Mission: Build great security leaders. ANITIAN Rapid Risk Assessment Compliance Auditing Next-Generation Penetration Testing Managed Threat Intelligence
    4. 4. intelligent information securityANITIAN OVERVIEW Intention • Describe the challenge of mobile security • Define mobile risk assessment approach • Provide a mobile security strategy Contents • The Challenge of Mobility & BYOD • Credible Mobile Security Threats • Mobile Risk Assessment Framework • Building a Mobile Security Strategy
    5. 5. intelligent information securityANITIAN WHAT YOU WILL NOT GET IN THIS PRESENTATION • A product sales pitch • How to install, deploy, integrate a specific product • How to develop, support or complain about mobile apps • How to solve problems with your device • A lesson in hacking smart phones • Tales of how we hacked some celebrity’s phone
    6. 6. intelligent information securityANITIAN THE CHALLENGE OF MOBILE SECURITY
    7. 7. intelligent information securityANITIAN HYPERCONNECTIVITY
    8. 8. intelligent information securityANITIAN TRUST vs HYPERCONNECTIVITY
    9. 9. intelligent information securityANITIAN DO YOU TRUST THEM?
    10. 10. intelligent information securityANITIAN OF THE WORKFORCE IN 2025 50% Source: Bureau Of Labor and Statistics, 2015
    11. 11. intelligent information securityANITIAN MOBILITY IS THE FUTURE
    12. 12. intelligent information securityANITIAN BUILDING A MOBILE SECURITY STRATEGY Building a mobile security strategy must address (in order): 1. People and trust relationships 2. Business objectives, requirements & expectations 3. Technology
    13. 13. intelligent information securityANITIAN MOBILE THREATS
    14. 14. intelligent information securityANITIAN
    15. 15. intelligent information securityANITIAN LOSS OR THEFT • Overwhelmingly the most serious problem for mobile devices • Recovery is impossible and pointless • Does not matter who took the phone, you need to wipe it • Quick financial gain is the prevalent reason for theft • A sound mobile security solution must focus nearly exclusively on this primary threat • Breach notification laws apply to mobile devices that are lost AND have confidential data on them
    16. 16. intelligent information securityANITIAN DATA LEAKAGE • Rapidly evolving problem • Mobile platforms provide easy methods to capture and transmit data • Can completely bypass existing controls • Multiple leakage vectors: • SMS (text) • Pictures • Email • Voice / video capture • Malware leakage • What are they leaking?
    17. 17. intelligent information securityANITIAN MORE MOBILE MALWARE
    18. 18. intelligent information securityANITIAN MOBILE MALWARE TYPES
    19. 19. intelligent information securityANITIAN PLATFORM SUMMARY Platform Strengths Concerns · Engineered for security · Sandboxes all apps · Tight control of apps · Quick patching · Native encryption · No backdoors · A very large target · Flexible platform · Ample third-party controls · Weak app control · Native encryption is manufacturer dependent · Slow patching · Tons of malware · Engineered for security · Sandboxes all apps · Native encryption · Limited third party support · History of lax security · Strong suite of security controls · Native encryption · Tight network controls · Secure email delivery · Aging platform · Failing company
    20. 20. intelligent information securityANITIAN BYOD RISK ASSESSMENT FRAMEWORK
    21. 21. intelligent information securityANITIAN MOBILE SECURITY ASSESSMENT FRAMEWORK • Help you analyze your risk of mobile threats • Analyze the threat on eight categories: 1. Culture 2. Data Sensitivity 3. Maturity of Organizational Security 4. Technical Environment 5. BYOD 6. Necessity of Access 7. Tolerance to Risk 8. Administrative Support • Weight categories as you see fit
    22. 22. intelligent information securityANITIAN 1. CULTURE # Level Description 1 Relaxed Relaxed, open access, high expectation of personal privacy 2 Business Casual Limited security, mostly open, few areas of control 3 Professional Mixture of open areas and tightly controlled areas. 4 Strict Tight restrictions with a few exceptions. Limited expectation of privacy. 5 Rigid Very stringent security with zero expectation of privacy and limited access. What is your business culture like?
    23. 23. intelligent information securityANITIAN 2. DATA SENSITIVITY # Level Description 1 Trivial Public data with no sensitivity or confidentiality issues whatsoever 2 Low Mostly public or non-sensitive data with some small exceptions. 3 Moderate Mixture of sensitive and public data. 4 High Users will routinely handle data with high confidentiality or sensitivity risk (HIPAA, PCI) 5 Top Secret Users will handle data with an extremely high sensitivity risk, such as protected information or national security data. How sensitive is the data in your environment?
    24. 24. intelligent information securityANITIAN 3. MATURITY OF ORGANIZATIONAL SECURITY # Level Description 1 None Security? What’s that? 2 Ad Hoc Basic controls, some policies, informal 3 Emerging Full set of controls and policies, not independently validated 4 Operational Full set of controls, independent validation 5 Mature Formal program with extensive independent validation How mature is your information security program?
    25. 25. intelligent information securityANITIAN 4. TECHNICAL MATURITY # Level Description 1 Ad Hoc No technical standards, no formal IT, aging technology 2 Immature Basic standardization, casual oversight, older equipment 3 Average Standardized program, formal controls 4 Mature Tight standardization, formalized IT management, rapid adoption of new technologies 5 Core Function Mobility is a core function of the business How mature is your technical infrastructure?
    26. 26. intelligent information securityANITIAN 5. BYOD # Level Description 1 NO! Absolutely NOT 2 Few A few people, but nobody else 3 Some About half will, but lower security staff will not 4 Yes Everybody will have some access 5 Extreme Yes, and we cannot control them at all Will users be allowed to use their own devices?
    27. 27. intelligent information securityANITIAN 6. NECESSITY OF ACCESS # Level Description 1 None Employees get no access and never will 2 Limited Very few get access, typically reserved for executives 3 Typical Access is desired and available to some 4 Required Most of the business needs mobile access to be effective at their jobs 5 Core Function Mobility is a core function of the business How important is mobile access to data?
    28. 28. intelligent information securityANITIAN 7. TOLERANCE TO RISK What is your organization’s tolerance for loss, theft of compromise of a mobile device? # Level Description 1 High Who cares get another phone 2 Moderate Undesirable, but the business can adapt. 3 Low Very little tolerance. 4 None No tolerance. 5 Extreme Assurance Even talking about this is bad
    29. 29. intelligent information securityANITIAN 8. ADMINISTRATIVE SUPPORT Is the organization willing to support mobile security? # Level Description 1 None No budget, no support 2 Discovery Limited executive interest 3 Interested Concern, limited budget 4 Planned Budget and focus are planned 5 Core Function Let’s do this, YEAH!
    30. 30. intelligent information securityANITIAN RATE YOURSELF Area Weight Score Weighted Score Culture 1.0 3 3 Data Sensitivity 1.5 3 4.5 Technical Maturity 1.0 2 2 BYOD 2.0 3 6 Necessity of Access 1.0 3 3 Tolerance to Risk 1.5 4 6 Administrative Support 1.0 2 2 Totals 21.5 Average 3.31
    31. 31. intelligent information securityANITIAN EVALUATE YOUR SCORE # Level Description 0-1 Low Risk Do nothing, be happy you have a smartphone 1-2 Moderate Risk Basic controls 2-3 High Risk Mobile security strategy and solution needed 3-4 Extreme Risk Dedicated mobile security team 5 Core Function You should be giving this presentation
    32. 32. intelligent information securityANITIAN BYOD STRATEGY
    33. 33. intelligent information securityANITIAN 0. PUT THE RIGHT PERSON IN THE DRIVER’S SEAT • Who should drive mobile security efforts? • Information security • CISO / CIO • Internal audit • Who should NOT drive mobile security (but may help) • Executives who have emotional attachments to shiny objects • Helpdesk • Network operations • System administration • Resellers • Sales people
    34. 34. intelligent information securityANITIAN 1. CLEARLY DEFINE ROLES & RESPONSIBILITY • Who will lead the effort? • Who will design the strategy? • Who is responsible for implementing mobile security? • Who will enforce the rules? • Who is paying for all this? • Who will be part of a pilot or beta test? • Who will run that? • Who will communicate this effort to the employees? • Who decides the apps and features you can or cannot use?
    35. 35. intelligent information securityANITIAN 2. OBTAIN RESOURCES • Executive and organizational buy-in • Establish estimates for: • Cost of products • Integration expense • Personnel costs • Training costs • Duration to install, implement, tune, and handle all the complaining
    36. 36. intelligent information securityANITIAN 3. JUSTIFY THE NEED • Write down at least three solid business justifications why you need mobile security • Focus on your business, not technical features • Good: With an initiative to expand into Asia, our sales people need better access, in more places and will be handling more sensitive data across more platforms, including mobile devices. Mobile security is necessary to protect our business efforts and support continued growth. • Bad: We need email encryption because our VAR said we do.
    37. 37. intelligent information securityANITIAN 4. BYOD • BYOD is not easy, regardless of what vendors say • Address the personal device issues (BYOD): • Do you trust your users? • Do they trust you? • Establish policy • Set physical and logical boundaries • Define access restrictions • Define app rights and access • Address personal privacy • Define the Environment • What is supported, what is not
    38. 38. intelligent information securityANITIAN 5. EDUCATE USERS • Educate end-users on mobile security threats such as: • Phishing • Malware • Data leakage • Theft and loss • Conduct an awareness campaign of new controls, features and policies surrounding mobile security • Don’t enforce, reassure • Establish early communication with the business
    39. 39. intelligent information securityANITIAN 6. DEVELOP POLICIES & STANDARDS • Draft an Organizational Mobile Policy • Write a one page organizational policy outlining mobile security expectations, responsibilities and accountability • Draft Mobile Device Practices • How lost / stolen devices are reported • Periodic inventory • How devices are provisioned & terminated • Define who will operate the solutions
    40. 40. intelligent information securityANITIAN 7. IMPLEMENT CONTROLS • Network segmentation and isolation • Authentication and authorization • Mobile device management (MDM) • Cloud access security broker (CASB) • Data Loss Prevention (DLP) • Secure Web Gateway (SWG) • App locker / Restricted App stores • Endpoint malware scanning • Mobile file sharing • Encryption
    41. 41. intelligent information securityANITIAN CONCLUSION Building a Mobile Security Strategy
    42. 42. intelligent information securityANITIAN DON’T • Disable, rather think of how you can enable • Let a single issue, platform or concern drive the effort • Keep your users in the dark • Conflate consumer and business issues • Allow personal devices, if you don’t have to • Let sales people drive or influence your efforts
    43. 43. intelligent information securityANITIAN DO • Think of mobility in terms of trust, not control • Think about how you can help people trust better • Assess what could be leaked, do you even care? • Consider personal privacy expectations and issues • Establish accountability for mobile security on end users • Be public and open about your efforts • Communicate mobile security efforts with the user population • Prohibit mobile devices in high-security or high turn over environments
    44. 44. intelligent information securityANITIAN THANK YOU EMAIL: TWITTER: @andrewplato @AnitianSecurity WEB: BLOG: SLIDES: CALL: 888-ANITIAN