Smartphones & tablets in government — a CISO-turned-auditor's take on mobile devices

114 views

Published on

One office's experience auditing government's management of mobile device usage ... w.r.t. to information security and privacy!
Where? British Columbia.
When? 2016.
Who, what, why and how:
- What is a mobile device
- Why even the audit title was critical
- Why you must scope the devices that are in and the ones that are out
- How (for us) scoping allowed 'outsourcing' some work
- What Lines of Enquiry and Criteria we chose
- Why you WILL run into auditees who don't understand the risks
- Why you WILL run into auditors who don't understand the risks
- Who we 'outsourced' work to
- What was our value-add

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
114
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Smartphones & tablets in government — a CISO-turned-auditor's take on mobile devices

  1. 1. Auditing moving targets:  Smartphones & tablets in government – or – John Bullock, BSc, CISSP, CISA, CRISC, GICSP Senior IT Audit Specialist Office of the Auditor General of BC jbullock@bcauditor.com / www.linkedin.com/in/jb00seven a CISO‐turned‐auditor's take on mobile devices
  2. 2. 2/29 PNIAF 2017‐03‐17 • mobile device audit gotchas • cybersecurity & privacy insights specific to mobile • perspective of both security practitioner & auditor • mobile device enthusiast • audit enthusiast what's in it for me what's in it for you
  3. 3. everything! We use them for … why mobile devices? 3/29 PNIAF 2017‐03‐17
  4. 4. watch, alarm clock, personal planner, social calendar, … organizers diary, camera, video camera, audio recorder, … life recorders calculator, GPS navigation, compass, address book, dictionary, barcode scanner… productivity music player, game console, radio, TV, remote control, … entertainment books, comics, recipes, magazines, newspapers, … reading flashlight, measuring tape, level, magnifier, telescope, … tools from 99 things replaced by smartphones 4/29 PNIAF 2017‐03‐17
  5. 5. And it’s always increasing 5/29 PNIAF 2017‐03‐17
  6. 6. ↑ functionality = ↑ risk why an audit? 6/29 PNIAF 2017‐03‐17
  7. 7. risk factors: size • small size → high number of devices lost or stolen "One in 10 smartphone users have  had their phones stolen" http://www.wired.com/2014/12/wher e‐stolen‐smart‐phones‐go/ For lost‐but‐returned devices, more  than 90% of the good Samaritans  snooped before returning them http://www.informationweek.com/m obile/lose‐your‐smartphone‐finders‐ will‐snoop‐through‐it/d/d‐id/1103354 7/29 PNIAF 2017‐03‐17
  8. 8. where thefts occur loss & theft • 2.1m stolen • 3.1m lost (stats taken from a 2015 US report) 8/29 PNIAF 2017‐03‐17
  9. 9. • tendency to use simple passwords due to the lack of a  physical keyboard (or a very small keyboard) risk factors: keyboards/passwords 9/29 PNIAF 2017‐03‐17
  10. 10. • frequent model changes mean devices quickly become  unsupported (can't get security updates) risk factors: lack of support 10/29 PNIAF 2017‐03‐17
  11. 11. • evolving operating systems provide opportunities for  malware (malicious software) risk factors: malware New mobile malware tripled in 2015.  Growth continued in 2016 with  Ransomware (which blocks access  until a user pays a sum of money) as  the latest flavour. https://www.scmagazineuk.com/kasp ersky‐finds‐significant‐growth‐of‐ mobile‐malware‐in‐ 2015/article/531116/ 11/29 PNIAF 2017‐03‐17
  12. 12. how to start the audit? 12/29 PNIAF 2017‐03‐17
  13. 13. names/words matter • flash drive? • laptop? • tablet? Name of audit: MDM or MMD? • Mobile Device Management is a product What is a mobile device? • Management of Mobile Devices  • allowed for Policies, Procedures, Standards,  Guidelines, and Practices. • dumb (i.e. feature) phone, cell phone, smartphone? 14/29 PNIAF 2017‐03‐17
  14. 14. What's  in scope? What's  out of  scope?
  15. 15. scoping • small input area (strong passwords more difficult) • dramatically higher loss/theft risk • immature security measures for OS/device Think: What's different? The big question:  laptop/tablet/smartphone • not laptops (we know how to easily secure them, even  if we don't) • not flash drives, not even Chromebooks 16/29 PNIAF 2017‐03‐17 smartphones & tablets with mobile specific OS 
  16. 16. scoping Yes? • May need to examine personal devices. Talk to a lawyer. • Whew. Examine controls to prevent, detect and  remediate existence of BYOD devices.  Depends on whether official BYOD program or not The awkward question:  BYOD No? 17/29 PNIAF 2017‐03‐17
  17. 17. scoping • location information (current/past GPS coordinates, and  Wi‐Fi and Bluetooth connection histories The following are largely personal privacy issues: The easy question:  privacy • resources constrained • coordinated audit w/ Privacy Commissioner investigation!  • photographs • app behaviour (Best Flashlight & contacts) • performance data (telemetry) • voice commands 18/29 PNIAF 2017‐03‐17 we scoped it out 
  18. 18. scoping • phishing • mobile banking Solution? Think, is it different on mobile? • largely "NO" • but be prepared to justify your decisions again & again Other questions: 19/29 PNIAF 2017‐03‐17
  19. 19. lines of enquiry 1. strategic planning activities 2. full lifecycle management of devices 3. security controls 4. monitoring, logging, incident management 20/29 PNIAF 2017‐03‐17
  20. 20. No audit plan survives contact with the auditee. ~ Helmuth von Moltke, with  apologies  21/29 PNIAF 2017‐03‐17
  21. 21. risk gotchas • "Why does X matter? We/they can do remote wipe. • "It's unreasonable for us/them to have to type a passcode  several times a day." • infatuated with technology  • mobile devices are the Most Personal Computers. Ever! Cause: • "Doesn't the fact that a smartphone is a tracking device cause security issues?" • confusing privacy and security / seeing only risk, not  benefits 22/29 PNIAF 2017‐03‐17
  22. 22. inventory gotcha 23/29 PNIAF 2017‐03‐17 Devices  billed by  carrier Devices on MDM unknown  devices •unofficial channels  used to purchase •some BYOD •feature phones •some  smartphones w/o  security settings •jail‐broken/rooted •BYOD •deliberately  unmanaged? well managed
  23. 23. Special considerations 24/29 PNIAF 2017‐03‐17
  24. 24. Top 15 tips guide • we published a Mobile Devices: Tips for Security & Privacy  document and released it the same day as our report • a collaboration with the Officer of the Information and  Privacy Commissioner's office (OIPC). • designed to be used by everyone – work or personal, BC  or anywhere else • 10 security‐related tips, 5 privacy‐related; all in (correct)  priority order  25/29 PNIAF 2017‐03‐17
  25. 25. 1. Password protect your device 2. Lock your screen 3. Encrypt it 4. Limit password attempts 5. Use anti‐malware software 6. Don't jailbreak or root your device 7. Be choosy with apps 8. Limit app permissions 9. Keep software up‐to‐date 10. Limit location information 11. Review voice commands 12. Promptly report lost/stolen devices 13. Bluetooth, Wi‐Fi, NFC 14. Safely dispose of your device 15. Consider using Find My Phone 26/29 Summary of  Mobile Devices:  Tips for Security  & Privacy
  26. 26. marketing Downloads Report 560 Tips 248 Social media impressions* LinkedIn 909 (lock your screen – #2) Facebook 871 (password protect your device – #1) Twitter 288 (use anti‐malware – #5) * from "Tips" promotion 2017‐Jan 27/29 PNIAF 2017‐03‐17
  27. 27. Special considerations conclusion • we feel we provided value (to auditee and citizens) • gov't responded promptly to some findings (best day ever!) • collaboration with the OIPC was win/win 28/29 PNIAF 2017‐03‐17
  28. 28. Special considerations questions? John Bullock, BSc, CISSP, CISA, CRISC, GICSP Senior IT Audit Specialist Office of the Auditor General of BC jbullock@bcauditor.com +1 250 419 6214 29/29 PNIAF 2017‐03‐17

×