BYOD: Device Control in the Wild, Wild, West


This presentation was given at the Western Independent Banker's 2012 Technology Conference in San Diego, CA.

  1. BYOD: Device Control in the Wild, Wild, West
     September 25th, 2012

  2. About the Speaker
     • Chief Security Officer, Q2ebanking
     • Former CIO for a multi-billion financial institution
     • 13 years industry experience in Information Technology & Security
     • CISSP® (Certified Information Systems Security Professional)
     • Published & quoted in American Banker, ABA Banking Journal, CIO Magazine, ComputerWorld, Credit Union Times
     • Speaker/evangelist - InfoSec World, Innotech, ComputerWorld SNW, BAI PaymentsConnect, regional banking conferences

  3. Agenda
     • Changing mobile landscape
     • Drivers behind BYOD(evice)
     • Considering threat agents
     • Implementing a BYOD program
       • policies, technologies, privacy
     • Summary & QA

  4. Mobile Tidal Wave
     • 300,000 apps developed in 3 years
     • 1.2 billion mobile web users
     • 8 trillion SMS messages sent last year
     • 35 billion value of apps downloaded
     • 86.1 billion mobile payments made in 2011
     • 1.1 billion mobile banking customers (2015)

  5. BYOD: Bring Your Own Device
     • formally advocates use of personal or non-company-issued equipment to access corporate resources & data
     • obligates IT to ensure jobs can be performed with an acceptable level of security

  6. Business Benefits
     • Cut operating costs by eliminating support
       - Operating system support
       - Application support
       - Access support
     • Reduce device hardware costs & procurement
     • Remove productivity barriers (flexible work styles)
     • Extend applications to offsite/traveling employees
     • Increase employee satisfaction through programs
     • On-demand, whenever, wherever, multiple channels

  7. BYOR(isk)
     • Understand the risks being introduced
     • Industry is coming to terms with the security concerns that exist around unsecured mobile devices/smartphones
     • Conduct a risk assessment to identify and address the different threat agents

  8. Protect What? From whom? Or what? And how?

  9. BYOD presents a NEW problem... ...well, not really
  10. The “Human” Problem
     • Increased use of social media, coupled with the ubiquity of ecommerce, has fueled growth in socially engineered schemes waged for financial gain
     • According to the Anti-Phishing Working Group, there are presently about 30,000 to 35,000 unique phishing campaigns every month, each targeting hundreds of thousands to millions of email users
     • Anytime a user is asked to make a voluntary decision, phishing schemes will work, because humans are easy to manipulate ➡ this is a social problem, not a technical problem.

  11. Do you really believe that you control your endpoints?

  12. Device Control
     • How many of you have local admin rights on your computer?
     • How many of you are able to take your computer and browse the Internet freely away from the network?
     • How many of you disallow PST files - to prevent users from taking data?
     • How many of you are doing mobile device management?

  13. How do you manage a device that you don’t control?

  14. Get out in Front
     • Reactive approaches result in ad hoc programs
     • Are you prepared to answer this question from your CEO: “what security did we have on the device when he lost it?”

  15. Understand your Data
     What are you protecting?
     • How sensitive is your data?
     • How is your sensitive data used?
     • What compliance and/or regulations exist?

  16. Focus Group: Computer Security

  17. Jailbreaking Devices
     • Why? For functionality or to get paid apps for free
     • “Jailbreaking” or “rooting” destroys the security model
     • Jailbreaking techniques leave the device with a standard root password that may grant admin-level access to an app... (and an attacker or malware)
     • Convenience at the expense of security
  18. Mobile Malware

  19. Mobile Malware
     • Researchers identified the first instance of mobile malware in 2004
     • More than 80 infected apps (ex. Gozi) have been removed from Google Play since 2011
     • Android malware has infected more than 250,000 users

  20. QR Codes
     • QR codes surfacing containing malicious links
     • First case confirmed by Kaspersky Labs last year - mobile malware used to send premium SMS messages
       (source: 2011/10/21/infected-qr-malware-surfaces-on-smartphones-apps/)

  21. Which one is evil?

  22. Not the Device
     • Over-focused on the endpoint and device
     • It’s the data, stupid!
       • Data in motion (network)
       • Data presentation (application)
       • Data at rest (data stores/shares)

  23. Establish Policies
     • Will a formal agreement between the institution and the BYOD user (EULA) specify allowed activities and the consequences for breaking the agreement?
     • Create policies before procuring devices
     • Do your BYOD policies address?
       • the use of consumer apps
       • services such as cloud storage: Dropbox, SpiderOak, Evernote, SkyDrive, iCloud
     • Communicate the privacy policy to employees and make it clear what data you can & cannot collect from their mobile devices

  24. MDM Solutions
     • What are you trying to protect?
     • Address four key areas:
       1) standardization of service, not device
          • consistent set of security controls across different platforms while providing the same level of service
       2) common delivery methods
       3) intelligent access controls - role, group, etc.
       4) data containment
          • encryption
          • partitioning
          • sandboxing

  25. Questions to Consider
     • Which devices will be supported?
     • What is the risk profile of the employee/group using the devices?
     • Does the institution have the ability to require and install applications on the device(s), such as remote wipe and/or virus/malware software?
     • Can the institution require a “business only secure partition” on the mobile device?
       • Mandatory, or will the organization bend for certain users?
     • What happens if the device is compromised? Will your institution be able to perform any forensics?
     • When should we say no?
  26. Balancing User Privacy
     • Is ‘sandboxing’ or ‘partitioning’ sufficient to maintain separate personas?
     • Is there a reasonable expectation of privacy?
       ✓ should the organization be able to read messages?
       ✓ should the organization be able to perform a full wipe of the device?
     • State-specific privacy laws (ex. CA/MA) may prevent corporations from even viewing non-corporate data

  27. Policy + Technology
     • Policies alone are not sufficient - technology ensures enforcement
     • Many solutions, but requirements should include:
       ✓ simple self-enrollment --> complexity increases non-compliance
       ✓ over-the-air updating
       ✓ ability to selectively wipe data on the device
         • corporate apps, email, and documents must be protected by IT if the employee decides to leave the organization
       ✓ management of the OS patch/update process
       ✓ reporting & alerting --> devices that are non-compliant

  28. COMPLIANCE

  29. Legal Issues
     • Big question surrounds legal issues -- agreements between employees and employer -- and placing a company-owned agent on an employee’s handset
     • It’s the start of a whole new relationship between mobile device users, in dual roles as individual consumer and employee, and the company for which they work.
     • Unresolved questions?
       • e-discovery, culpability, liability
       • ex: combined mailboxes

  30. Summary
     • Understand the mobile landscape of your device population
     • Policies and procedures should reflect the allowable usage and the breadth and depth of security and control settings
     • Consider how BYOD policies can be tested and validated to ensure that security and controls have been successfully implemented
     • Threat landscape is continuously changing
     • Risk assessments should be performed regularly to identify threats and vulnerabilities

  31. Thank You
     if “?” >= then
         response_variable = ‘answer’
     else
         response_variable = ‘thankyou’
     end if;