BYOD: Device Control in the Wild, Wild West
September 25th, 2012
About the Speaker
• Chief Security Officer, Q2ebanking
• Former CIO for a multi-billion financial institution
• 13 years industry experience in Information Technology & Security
• CISSP® (Certified Information Systems Security Professional)
• Published & quoted in American Banker, ABA Banking Journal, BankInfoSecurity.com, CIO Magazine, ComputerWorld, Credit Union Times
• Speaker/evangelist - InfoSec World, Innotech, ComputerWorld SNW, BAI PaymentsConnect, regional banking conferences
Agenda
• Changing mobile landscape
• Drivers behind BYOD(evice)
• Considering threat agents
• Implementing a BYOD program
  - policies, technologies, privacy
• Summary & QA
Mobile Tidal Wave
• 300,000 apps developed in 3 years
• 1.2 billion mobile web users
• 8 trillion SMS messages sent last year
• 35 billion value of apps downloaded
• 86.1 billion mobile payments made in 2011
• 1.1 billion mobile banking customers (2015)
BYOD: Bring Your Own Device
• Formally advocates the use of personal or non-company-issued equipment to access corporate resources & data
• Obligates IT to ensure jobs can be performed with an acceptable level of security
Business Benefits
• Cut operating costs by eliminating support
  - Operating system support
  - Application support
  - Access support
• Reduce device hardware costs & procurement
• Remove productivity barriers (flexible work styles)
• Extend applications to offsite/traveling employees
• Increase employee satisfaction through programs
• On-demand, whenever, wherever, multiple channels
BYOR(isk)
• Understand the risks being introduced
• Industry is coming to terms with the security concerns that exist around unsecured mobile devices/smartphones
• Conduct a risk assessment to identify and address the different threat agents
BYOD presents a NEW problem... ...well, not really
The “Human” Problem
• Increased use of social media, coupled with the ubiquity of ecommerce, has fueled growth in socially engineered schemes waged for financial gain
• According to the Anti-Phishing Working Group, there are presently about 30,000 to 35,000 unique phishing campaigns every month, each targeting hundreds of thousands to millions of email users
• Anytime a user is asked to make a voluntary decision, phishing schemes will work, because humans are easy to manipulate ➡ this is a social problem, not a technical problem.
Do you really believe that you control your endpoints?
Device Control
• How many of you have local admin rights on your computer?
• How many of you are able to take your computer and browse the Internet freely away from the network?
• How many of you disallow PST files to prevent users from taking data?
• How many of you are doing mobile device management?
How do you manage a device that you don’t control?
Get out in Front
Reactive approaches result in ad hoc programs.
Are you prepared to answer this question from your CEO: “what security did we have on the device when he lost it?”
Understand your Data
What are you protecting?
• How sensitive is your data?
• How is your sensitive data used?
• What compliance and/or regulations exist?
Jailbreaking Devices
• Why? For functionality or to get paid apps for free
• “Jailbreaking” or “rooting” destroys the security model
• Jailbreaking techniques leave the device with a standard root password that may grant admin-level access to an app... (and to an attacker or malware)
• Convenience at the expense of security
Mobile Malware
• Researchers identified the first instance of mobile malware in 2004
• More than 80 infected apps (ex. Gozi) have been removed from Google Play since 2011
• Android malware has infected more than 250,000 users
QR Codes
• QR codes surfacing containing malicious links
• First case confirmed by Kaspersky Labs last year - mobile malware used to send premium SMS messages
  http://siliconangle.com/blog/2011/10/21/infected-qr-malware-surfaces-on-smartphones-apps/
Not the Device
• Over focused on the endpoint and device
• ...it’s the data stupid!
  • Data in motion (network)
  • Data presentation (application)
  • Data at rest (data stores/shares)
MDM Solutions
• What are you trying to protect?
• Address four key areas:
  1) standardization of service, not device
     • consistent set of security controls across different platforms while providing the same level of service
  2) common delivery methods
  3) intelligent access controls - role, group, etc.
  4) data containment
     • encryption
     • partitioning
     • sandboxing
Questions to Consider
• Which devices will be supported?
• What is the risk profile of the employee/group using the devices?
• Does the institution have the ability to require and install applications on the device(s), such as remote wipe and/or virus/malware software?
• Can the institution require a “business only secure partition” on the mobile device?
  • Mandatory, or will the organization bend for certain users?
• What happens if the device is compromised? Will your institution be able to perform any forensics?
• When should we say no?
Balancing User Privacy
• Is ‘sandboxing’ or ‘partitioning’ sufficient to maintain separate personas?
• Is there a reasonable expectation of privacy?
  ✓ should the organization be able to read messages?
  ✓ should the organization be able to perform a full wipe of the device?
• State-specific privacy laws (ex CA/MA) may prevent corporations from even viewing non-corporate data
Policy + Technology
• Policies alone are not sufficient - technology ensures enforcement
• Many solutions, but requirements should include:
  ✓ simple self-enrollment --> complexity increases non-compliance
  ✓ over-the-air updating
  ✓ ability to selectively wipe data on the device
    • corporate apps, email, and documents must be protected by IT if the employee decides to leave the organization
  ✓ management of the OS patch/update process
  ✓ reporting & alerting --> devices that are non-compliant
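The two slides above (a consistent control set across platforms, and reporting/alerting plus selective wipe as enforcement) can be expressed as a small policy-as-code check over a device inventory. The following is an added example, not code from the original deck or from any MDM product. Everything in it is constructed: the inventory records are fake, the minimum OS versions are placeholders, and the field names are assumptions about what an MDM export might contain rather than any vendor's real schema.

```python
"""Policy-as-code check over a BYOD device inventory.

Added example, not code from the original deck. Everything here is constructed:
the inventory records are fake, the minimum OS versions are placeholders, and the
field names are assumptions about what an MDM export might contain, not any
vendor's real schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# One control set applied to every platform (standardization of service, not
# device). Version floors are placeholder values, not a recommendation.
MIN_OS_VERSION = {"ios": (6, 0), "android": (4, 1)}
MAX_CHECKIN_AGE_DAYS = 7  # silent longer than this and the device is treated as unmanaged


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str          # "ios" or "android"; anything else is unsupported
    os_version: str        # dotted string such as "6.0.1"
    jailbroken: bool       # jailbroken (iOS) or rooted (Android)
    encrypted: bool        # storage encryption enabled
    passcode_set: bool
    mdm_enrolled: bool     # management agent installed and reporting
    last_checkin: date
    employee_active: bool  # False once the employee has left the organization


def parse_version(text: str) -> tuple:
    """'6.0.1' -> (6, 0, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(dev: Device, today: date) -> list:
    """Return the list of control violations for one device (empty = compliant)."""
    if dev.platform not in MIN_OS_VERSION:
        return [f"unsupported platform: {dev.platform}"]  # the 'when do we say no?' case
    findings = []
    if dev.jailbroken:
        findings.append("jailbroken/rooted: platform security model no longer trusted")
    if parse_version(dev.os_version) < MIN_OS_VERSION[dev.platform]:
        findings.append(f"OS {dev.os_version} below minimum for {dev.platform}")
    if not dev.encrypted:
        findings.append("storage encryption disabled")
    if not dev.passcode_set:
        findings.append("no device passcode")
    if not dev.mdm_enrolled:
        findings.append("not enrolled in management")
    if today - dev.last_checkin > timedelta(days=MAX_CHECKIN_AGE_DAYS):
        findings.append(f"no check-in for more than {MAX_CHECKIN_AGE_DAYS} days")
    return findings


def recommended_action(dev: Device, findings: list) -> str:
    """Map findings to the response the deck describes: wipe, block or allow."""
    if not dev.employee_active:
        # Corporate apps, mail and documents leave with the employee. Wipe only the
        # corporate container; personal data stays (the privacy slide).
        return "selective-wipe"
    if findings:
        return "block-access"
    return "allow"


def compliance_report(devices: list, today: date) -> dict:
    """device_id -> (action, findings) for the whole fleet; feeds reporting & alerting."""
    report = {}
    for dev in devices:
        findings = evaluate_device(dev, today)
        report[dev.device_id] = (recommended_action(dev, findings), findings)
    return report


# Constructed inventory, dated to match the deck.
TODAY = date(2012, 9, 25)
SAMPLE_DEVICES = [
    Device("dev-001", "alice", "ios", "6.0.1", False, True, True, True, date(2012, 9, 24), True),
    Device("dev-002", "bob", "android", "4.0.4", True, False, True, True, date(2012, 9, 23), True),
    Device("dev-003", "carol", "ios", "6.0", False, True, True, True, date(2012, 9, 25), False),
    Device("dev-004", "dave", "android", "4.1", False, True, True, True, date(2012, 8, 20), True),
]

if __name__ == "__main__":
    for device_id, (action, findings) in compliance_report(SAMPLE_DEVICES, TODAY).items():
        print(f"{device_id}: {action}")
        for finding in findings:
            print(f"    - {finding}")
```

The point of the structure is that the control set lives in one place and is applied identically to iOS and Android records, so a platform difference shows up only as a different version floor, not as a different checklist. The departed-employee case is handled before the findings are consulted, because a compliant device still needs its corporate container wiped when its owner leaves, and only that container, to respect the privacy boundary the deck raises.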
Legal Issues
• Big question surrounds legal issues -- agreements between employees and employer -- and placing a company-owned agent on an employee’s handset
• It’s the start of a whole new relationship between mobile device users, in dual roles as individual consumer and employee, and the company for which they work.
• Unresolved questions?
  • e-discovery, culpability, liability
  • ex: combined mailboxes
Summary
• Understand the mobile landscape of your device population
• Policies and procedures should reflect the allowable usage and the breadth and depth of security and control settings
• Consider how BYOD policies can be tested and validated to ensure that security and controls have been successfully implemented
• Threat landscape is continuously changing
• Risk assessments should be performed regularly to identify threats and vulnerabilities