Security Awareness Training: Mobile Devices

In a bring-your-own-device (BYOD) workplace, mobile security depends largely on the user behind the device. Strong security policies, the right technology and employee education enable your organization to protect sensitive corporate data on mobile devices.

Learn how to educate employees on the importance of mobile security best practices:

- Develop security awareness training for users
- Address employee privacy concerns and fears
- Highlight pitfalls of jailbreaking or rooting a device
- Teach users to create strong passwords and identify mobile threats

Published in: Mobile

Security Awareness Training: Mobile Devices

  1. 1. Security Awareness Training: Mobile Devices November 20, 2014 10:00 AM PST/1:00 PM EDT Sponsored by: Join the conversation on Twitter - #SWwebcon
  2. 2. Web Conference Overview In a bring-your-own-device (BYOD) workplace, mobile security depends largely on the user behind the device. Strong security policies, the right technology and employee education enable your organization to protect sensitive corporate data on mobile devices. During today’s program, our experts will discuss how to educate employees on the importance of mobile security best practices. #SWwebcon
  3. 3. Barbara Endicott-Popovsky Director, Center of Information Assurance and Cybersecurity at the University of Washington Moderator Barbara Endicott-Popovsky, Ph.D., CRISC, is Director for the Center of Information Assurance and Cybersecurity at the University of Washington and the Academic Director for the Masters in Infrastructure Planning and Management in the Urban Planning Department of the School of Built Environments. #SWwebcon
  4. 4. Sandy Bacik Security Professional CISSP, ISSMP, CISM, CGEIT, CHS-III Web Conference Agenda – Featured Presenters #SWwebcon Margaret Leary Professor of IT/Cybersecurity Northern Virginia Community College and George Mason University David Lingenfelter Information Security Officer MaaS360, an IBM Company
  5. 5. Sandy Bacik Security Professional CISSP, ISSMP, CISM, CGEIT, CHS-III Featured Presenter Sandy Bacik, author and former CSO, has over 16 years direct information security experience in the areas of IT Audit, BCP/DR, Incident Response, Physical Security, Privacy, Regulatory Compliance, Policies/Procedures, Operations and Management. She also has an additional 15 years in Information Technology Operations. #SWwebcon
  6. 6. Sandy Bacik, CISSP, ISSMP, CISM, CGEIT Security Professional Limiting Risk of Personal Mobility #SWwebcon
  7. 7. Agenda ♦ What is personal mobility? ♦ What are the risks of personal mobility? ♦ How can you protect a personal mobile device? ♦ BYOD / BYOT in an enterprise environment 7 #SWwebcon
  8. 8. How Phone Communications Have Changed 8 Switchboard with old desk phone Portable phone Old cell phone More modern cell phone Smartphone
  9. 9. How Computing Has Changed? 9 Main frame and terminal Desktop computer Laptop Tablet Smartphone PDA
  10. 10. How a Personal Mobile Device can be used? ♦ Pros: – Can be used to save a life – Can be used to access and store information – Can be used to communicate via many options – voice, text, email, and video ♦ Cons – May be damaged, lost or stolen – Can be used to access, store and communicate inappropriate material – Can disrupt the home or work environment – Camera functions can lead to child protection and data protection issues with regard to inappropriate capture, use or distribution of images 10
  11. 11. So, My Mobile Device is Not Secured By Default? ♦ Applications downloaded on mobile phones and tablets have the ability to broadcast: – Your location – Private conversations – Pictures – Banking information – And other sensitive data, even when these mobile devices are not in use ♦ Growing potential for increasing risk related to data or personal security and privacy 11 #SWwebcon
  12. 12. Rooted? ♦ Rooting is a device hack that provides users with unrestricted access to the entire file system of the mobile device. ♦ Jailbreaking, another term for rooting, is a device hack that provides users with unrestricted access to the entire file system of their mobile devices. ♦ Rooted, or jailbroken, on a mobile device means it has been compromised by malware or a bad guy. ♦ The mobile device may be more vulnerable to malicious apps and stability issues. 12 #SWwebcon
  13. 13. How Safe is Your Personal App Store? ♦ Every vendor and provider has a different privacy policy and end user license agreement. ♦ Committed to protecting customers and their data, and also to providing greater transparency into the unique level of protection they offer customers. ♦ Recognize that customers want and need access to apps that do not infringe on their privacy or impact their security. 13 #SWwebcon
  14. 14. Some Mobility Security Applications to Consider ♦ Find my phone ♦ Data backup ♦ Encrypted texting, phone calls, and emails ♦ Whole device encryption ♦ Secure password storage ♦ Call blocking ♦ Identity protection ♦ Anti-virus ♦ Anti-malware ♦ Website filtering ♦ Firewall 14 #SWwebcon
  15. 15. BYOD / BYOT IN AN ENTERPRISE 15 #SWwebcon
  16. 16. Personally Owned Device Risk to the Enterprise ♦ Uncontrolled endpoints ♦ Data leakage ♦ Malware ♦ Spam ♦ Lost device and data ♦ Communication interception ♦ Unsecured access ♦ Liability 16 #SWwebcon
  17. 17. What You Need to Implement Personal Mobility? ♦ Mobile Device Management (MDM) – Allows MYC to enforce corporate policies and validate security settings ♦ Secure Mobile Messaging – Allows MYC to store corporate email in an encrypted container on the device ♦ Mobile Application Platform – Allows MYC to provide a set of tools and applications to users ♦ Perimeter, network, and host protections, including monitoring ♦ USER TRAINING - COMMUNICATION 17 #SWwebcon
  18. 18. Published MYC Mobile Policies and Procedures ♦ Policy: MYC Owned Mobile Devices ♦ Procedure: Requesting a MYC Owned Mobile Device ♦ Procedure: Non-MYC-Owned Device Minimum Security Standard ♦ Form: MYC Stewardship Agreement (Non-MYC-owned Devices) ♦ Training course: training for a non-MYC-owned device ♦ Communicate, communicate, communicate ♦ Privacy of personal mobility 18 #SWwebcon
  19. 19. Tie Your Mobility Practices into Other Documents ♦ Code of Conduct ♦ Computer System Security ♦ Employee Conduct ♦ Protection of Confidential Information and Trade Secrets ♦ Electronic Information and Communication Policy ♦ Dissemination of Information ♦ Information Security 19 #SWwebcon
  20. 20. User Responsibilities Include, But Are Not Limited To ♦ You may connect to the BYOD wireless network but are prohibited from connecting to the CORPNET or GUESTNET wireless network. ♦ You may not connect the personal device to the MYC network via MYC VPN. ♦ You may not forward MYC sponsored or owned phone numbers to a personal device. ♦ You are responsible for the protection of the MYC information asset being accessed by adhering to all MYC policies and procedures. ♦ You are responsible for all expenses and communication plans on the personal device except as agreed to for MYC approved international travel. 20
  21. 21. User Responsibilities Include, But Are Not Limited To ♦ You will allow MYC IT to install mobile device security standards on the personal device, including encryption and password protection. ♦ You are prohibited from ‘jail breaking’ or otherwise circumventing the built-in security of a personal device after MYC mobile device security standards have been installed. ♦ You agree that MYC will not be held liable should anything happen to the personal device. ♦ You will notify IT within 48 hours of loss of your personal device. ♦ You will protect all passwords which enable access to MYC assets. If you suspect a compromise, you will change the password immediately and advise the IT Help Desk. 21 #SWwebcon
  22. 22. Strategy Summary ♦ Manage and protect what matters to the enterprise ♦ Pay attention to service delivery to the business community ♦ Be clear on roles, responsibilities, and ownership ♦ Ensure users understand what can happen ♦ Train for users – over communicate ♦ Integrate into your environment documents or a program 22 #SWwebcon
  23. 23. Sandy Bacik Security Professional CISSP, ISSMP, CISM, CGEIT, CHS-III Thank You! #SWwebcon Questions?
  24. 24. Featured Presenter Dr. Margaret Leary, CISSP, CIPP/G, CRISC, is a Professor of IT/Cybersecurity at Northern Virginia Community College and George Mason University. She serves as the Director, Curriculum of the National CyberWatch Center and has been a member of the NCC Leadership Team for the past 8 years. #SWwebcon Margaret Leary Professor of IT/Cybersecurity Northern Virginia Community College and George Mason University
  25. 25. 25 Mobile Device Security: Expanding Threats Dr. Margaret Leary CISSP, CIPP/G, CRISC #SWwebcon
  26. 26. Expanding Mobile Threats • Mobile threats are expanding globally – Financially-motivated attacks – Malware – Cross-platform threats • Many of these new threats leverage traditional PC-type malware • While most (90%) are Android, iPhone attacks are on the rise 26 #SWwebcon
  27. 27. Malware Attacks • Malware much greater threat than loss of phone – yet most BYOD policies are focused on loss or theft of phone • Sophos Labs reports seeing more than 2,000 pieces of mobile malware every day*. In some countries, mobile devices are attacked more than PCs. – Denial of Service Attacks – turning smartphones into bots on a botnet or placing them at risk of ransomware – Attacks on Confidentiality – attacker remotely enabling microphone or camera *http://www.sophos.com/en-us/threat-center/mobile-security-threat-report.aspx 27
  28. 28. What If? • Your connected smartphone is used as a conduit to inject malware into your car? • Your phone is connected to a health monitoring device, and that health information is disclosed, or worse, modified by an attacker? • Your smartphone is connected to your smart home? 28 #SWwebcon
  29. 29. The Problem • The same threats exist for mobile devices as those with PCs • Increased connectivity • Too trusting of a user • Current market dynamics 29 #SWwebcon
  30. 30. Common Mobile Application Development Mistakes • Insecure data storage • Weak server side controls • Insufficient transport layer protection • Poor authentication and authorization mechanisms • Insufficient testing 30
  31. 31. Common Mobile Application Development Solutions • Encrypt! • Security should use a “layered” approach • Use SSL/TLS (HTTPS) to encrypt the session • Don’t store passwords in plain text • Generate credentials securely • Test, test, and test again!!! – https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_Testing 31 #SWwebcon
  32. 32. Additional Countermeasures • Train your users AND your app developers! • Develop a Secure Mobile Application Development Policy for developers • Keep patches updated • Keep phones in lockers or bags • Think twice about any app you download 32 #SWwebcon
  33. 33. Thank You! #SWwebcon Questions? Margaret Leary Professor of IT/Cybersecurity Northern Virginia Community College and George Mason University
  34. 34. Featured Presenter David has over 20 years experience with risk management, information security, compliance, policy development and currently heads security and compliance at Fiberlink Communications. #SWwebcon David Lingenfelter Information Security Officer MaaS360, an IBM Company
  35. 35. Balancing Security and Opportunity in the Mobile Era Tackling Mobile Security with a Layered Defense David Lingenfelter @Simply_Security #SWwebcon
  36. 36. New = Scary 36 #SWwebcon
  37. 37. Old = Comfortable 37 #SWwebcon
  38. 38. Change is inevitable 38 #SWwebcon
  39. 39. Mobile technologies are more empowering 39 of employed adults use at least one personally-owned mobile device for business Mobile workers will use at least one business-focused app this year yearly increase in revenue from people using mobile devices to purchase items.
  40. 40. But security threats are even greater 40 Threats on your employees Threats on your customers of financial apps on Android have been hacked of Top 100 Android apps have been hacked annual cost of crime
  41. 41. IT’s role and Focus has Changed Many different use cases within a single company Corporate Owned BYOD Shared Devices Cart Devices Kiosk Devices Data Leakage Apps Blacklisting URL filtering SharePoint/EFSS Intranet Access 41
  42. 42. These Don’t Help… 42 • Compliance • Rules/Regulations • Privacy • Intellectual Property • Legal #SWwebcon
  43. 43. Embrace The New Normal 43 Mobile is becoming THE IT platform Go beyond enabling these new devices –Mobile utilization of corporate network/resources –Separation of corporate & personal apps/data –App management & security (and app dev assist) –Identity, context and more sophisticated policy #SWwebcon
  44. 44. So what does it take to Enable all of this… #SWwebcon
  45. 45. …and the Right Technology • Mobile Device Management • Mobile App Management • Mobile Content Management • Mobile Enterprise Gateway • File Edit, Sync, and Share #SWwebcon
  46. 46. MaaS360 Layered Approach Secure the Device Secure the Content Secure the App Secure the Network Separating Corporate and Personal Lives #SWwebcon
  47. 47. Secure the Device Dynamic security and compliance features continuously monitor devices and take action. 47 #SWwebcon
  48. 48. Secure the Container: Mail & Content An office productivity app with email, calendar, contacts, & content 48
  49. 49. Secure the App 15 Enhancing private and public app security through (SDK or wrapping) code libraries and policies
  50. 50. Secure the Network A fully-functional web browser to enable secure access to corporate intranet sites and enforce compliance of policies 50 #SWwebcon
  51. 51. When you do this, expect great things Gaming and Entertainment • Need – Reduce drink wait times • Solution – Locked down tablet with enterprise app • Outcome - Reduce drink times from 20 minutes to 4 minutes with a single managed tablet and app. • Ended up also using tablets to check in guests 51 #SWwebcon
  52. 52. When you do this, expect great things 52 Highly Regulated Industry • Need – Secure email • Solution – Implement secure email container • Outcome – Meet regulatory requirements • Now also delivers sensitive documents #SWwebcon
  53. 53. When you do this, expect great things 53 Education • Need – Help students with learning disabilities • Solution – iPads with customized policies for each student • Outcome – Unique learning environment to suit a large spectrum of student abilities • Improved quality of life #SWwebcon
  54. 54. Being Productive and Secure 54 MaaS360 Trusted Workplace™ • Continuously assess context & usage • Real-time controls of entitlements • Secure Data-at-rest, in-motion, & in-use • Enterprise access controls • Native controls or container • BYOD privacy protections MaaS360 Secure Productivity Suite Secure Mail File Sync, Edit & Share App Security & Management Enterprise Gateway
  55. 55. Why Customers Choose MaaS360 Easiest to Deploy and Scale Mobile Device, App, and Content Management & Security platform For organizations that are… • Embracing multi-OS environments (iOS, Android, Windows Phone) • Allowing Bring-Your-Own-Device (BYOD) programs • Developing and deploying mobile apps (public and private) • Enabling corporate content on mobile devices securely (push and pull) • AND MORE…. 55
  56. 56. Wrap-up • Unlocking productivity with Apps and Content • Capabilities exist today to Enable • Take a Layered approach for Security You can do it now, • Empower Users • Build Trust • Do it with IBM MaaS360 David Lingenfelter @simply_security #SWwebcon
  57. 57. Thank You! #SWwebcon Questions? David Lingenfelter Information Security Officer MaaS360, an IBM Company
  58. 58. Sandy Bacik Security Professional CISSP, ISSMP, CISM, CGEIT, CHS-III #SWwebcon Margaret Leary Professor of IT/Cybersecurity Northern Virginia Community College and George Mason University David Lingenfelter Information Security Officer MaaS360, an IBM Company Open Discussion
  59. 59. Barbara Endicott-Popovsky Director, Center of Information Assurance and Cybersecurity at the University of Washington Closing Remarks Thoughts on Security Awareness Training: Mobile Devices #SWwebcon
  60. 60. Thank you MaaS360 for making today’s program possible! SecureWorldExpo.com Visit us for the latest security news and blogs from industry leaders. Thank you for attending today’s web conference. Join us on December 4 for “Target One Year Later: What Have We Learned?” Questions? Idea for a topic? Contact Tom Bechtold – Tom@secureworldexpo.com #SWwebcon
