What to Consider When Building a Mobile Security Model
Who Am I? 
•12+ years in information security 
•Experience includes: CounterTack, Security Innovation, Q1 Labs/IBM, Application Security, Inc./TrustWave, Sophos, WAVE Systems 
•Speaker at SecureWorld, Hacker Halted, ISSA, OWASP, security meetups, Boston Security Conference, OASIS-Montgomery Conference 
•Mobile device owner 
@tmbainjr1 
http://www.countertack.com/blog
Agenda 
•Mobile security trends 
•Figuring out mobile security 
•Understanding risks/policy creation 
•Developing an adaptive model and best practices
TRENDS
Do We Really Have a Choice? 
•84% use the same smartphone for work and for personal usage. 
•81% of employed adults use at least one personally owned electronic device for business 
•59% use their mobile devices to run line-of-business applications 
•74% of companies allow BYOD usage in some manner 
•1/3 use mobile devices exclusively 
--Experian Mobile Security Survey, November 2013 (Harris Interactive)
The Great Mobile Security Debate 
•When will the great mobile data breach happen? 
•2017: endpoint breaches will shift to tablets/smartphones. 
•Physical vs Virtual 
•BYOD/Mobile security policy 
•Business vs Security
What are CISOs concerned with?
It's More About the Data
State of Mobile Security 
•Productivity vs. Security 
•Rise of mobile campaigns 
•More targeted malware 
•Volume of usage = increased risk 
•End user error
User Perspective on Mobile Security 
•50% of companies have experienced a data breach due to inadequate device security 
•47% don’t have a password on their mobile phone. 
•51% stated their companies couldn’t execute a remote wipe if lost or stolen. 
•49% said mobile security has not been addressed with them by IT.
UNDERSTANDING MOBILE SECURITY ISSUES
Mobile Security Failures 
•Inconsistent security policies 
•Unmanageable devices 
•Minimal number of devices 
•Data artifacts existing on disposed devices 
•Data leakage
Unique Mobile Security Issues 
•Multi-user/single user 
•Browsing environment 
•Updates/patching 
•SSL 
•CSRF 
•Geolocation 
•Apps
Mobile Malware Trends 
•98% of all mobile malware targets Android users 
•Kaspersky: 3.4M malware detections on 1.1M devices 
•60% of all attacks are capable of stealing users’ money 
•Reported attacks have increased roughly 6X (from 35K in August 2013 to 242K as of March 2014)
The Most Popular Mobile Malware 
•Categories (from the chart on this slide): SMS, RiskTool, AdWare, Trojan 
•Named families called out: Faketoken, Svpeng
Android Resources
iOS Resources
POLICY, RISK ASSESSMENT & BUILDING AN ADAPTIVE MODEL
BYOD Challenges 
•Device turn-over and EOL 
•New devices: Default or customized settings? 
•How can you know everything about every device? 
•App Stores: Approved apps? 
•Applications
Mobile Security Policy Checklist 
Consider risk scenarios. 
Adapt from proven or trustworthy models. 
Measure perception. 
Understand roles, privileges and what’s in place today. 
Get granular with your questions & considerations. 
Figure out a strategy for testing your applications. 
Policy enforcement. 
Raise awareness/required training.
Assess and Validate Risk 
Take an inventory of your high-risk applications/mobile applications. 
Determine business criticality. 
What’s your attack probability? 
How do you define the attack surface? 
Consider overall business impact. 
Where does compliance factor in? 
What are the security threats?
Roles and Access Controls 
•Which departments/groups/individuals have been most active in developing policies? 
•Has there been any previous collaboration between the authors of existing policies? 
•Can you identify a potential champion(s) to support the new policy? 
•Areas of agreement in commonly implemented controls re: policies? 
•Support documents, materials and related policies should be cited in mobile device policy.
Get Granular 
•How will mobile devices be used? 
•Devices assigned to one person or shared? 
•Which mobile applications would be used? 
•What information is accessible through mobile devices? 
•What information will be stored on the mobile devices? 
•How will data be shared to/from and between mobile devices? 
•Who’s ultimately responsible for mobile devices? 
•Will personal activities on company devices be permitted? 
•What levels of support are expected?
Know and Define Your Data
Defining Policy 
•Provide contextual, technical guidelines 
•Map to compliance mandates 
•Considers criticality of application and data 
‒Requirements, activities and level of detail needed will differ 
•Have clear exception policies where necessary 
‒What if minimum standards can’t be met? What is considered acceptable? Who approves? 
•Includes internally built and third party applications 
•Reflects current maturity and skillset of staff 
‒The more skilled, the less explicit you need to be with policies
Enforcing Policy 
•You need management buy-in! 
•Broad strategy vs. targeted strategy roll-out 
•On-boarding: 
‒Require all device info as part of hiring process 
‒Require policy training up front 
•Require training for various departments: 
‒General population receives awareness training 
‒Technical employees receive in-depth training 
•Monitor for effectiveness, e.g. deliver training or a reminder when an employee is out of compliance.
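The "monitor for effectiveness" step above only works if out-of-compliance is something you can compute from your device inventory rather than discover after a loss. The following is an added example, not code from the deck or from CounterTack: it evaluates a constructed device inventory against a minimal BYOD policy (passcode, encryption, MDM enrolment for remote wipe, no root/jailbreak, minimum OS version, recent check-in) and produces the per-employee reminder the slide describes. The `Device` fields, the `MIN_OS` thresholds, the rule names and the sample records are all assumptions made up for this example; map them to your own MDM export and policy text.

```python
"""Added example (not from the original deck): evaluate a constructed mobile
device inventory against a minimal BYOD policy and report who is out of
compliance and why, so a training reminder can be triggered per employee.

Every field, threshold and sample record here is an assumption for
illustration; substitute your MDM export and your own policy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Device:
    owner: str
    platform: str               # "ios" or "android" (assumed platform labels)
    os_version: Tuple[int, ...]  # e.g. (7, 1) for iOS 7.1
    passcode_set: bool
    encrypted: bool
    mdm_enrolled: bool          # without enrolment there is no remote wipe
    rooted_or_jailbroken: bool
    last_checkin_days: int      # days since the device last reported in


# Assumed minimum OS versions; in practice derive these from your patch policy.
MIN_OS: Dict[str, Tuple[int, ...]] = {"ios": (7, 1), "android": (4, 4)}

# A policy is an ordered list of (rule name, predicate that returns True when compliant).
Rule = Tuple[str, Callable[[Device], bool]]
POLICY: List[Rule] = [
    ("passcode required", lambda d: d.passcode_set),
    ("storage encryption required", lambda d: d.encrypted),
    ("MDM enrolment (remote wipe) required", lambda d: d.mdm_enrolled),
    ("rooted/jailbroken devices prohibited", lambda d: not d.rooted_or_jailbroken),
    ("OS at or above minimum version",
     lambda d: d.os_version >= MIN_OS.get(d.platform, (0,))),
    ("checked in within 30 days", lambda d: d.last_checkin_days <= 30),
]


def evaluate(device: Device, policy: List[Rule] = POLICY) -> List[str]:
    """Return the names of every rule the device fails (empty list = compliant)."""
    return [name for name, check in policy if not check(device)]


def out_of_compliance(inventory: List[Device],
                      policy: List[Rule] = POLICY) -> Dict[str, List[str]]:
    """Map owner -> failed rule names, listing only owners with at least one failure.

    An owner with several devices accumulates the failures of each device.
    """
    report: Dict[str, List[str]] = {}
    for device in inventory:
        failures = evaluate(device, policy)
        if failures:
            report.setdefault(device.owner, []).extend(failures)
    return report


def reminder_text(owner: str, failures: List[str]) -> str:
    """Build the reminder message sent to an out-of-compliance employee."""
    lines = [f"{owner}: your mobile device is out of policy on {len(failures)} item(s):"]
    lines += [f"  - {f}" for f in failures]
    lines.append("  Please fix these or complete the mobile security training.")
    return "\n".join(lines)


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY: List[Device] = [
    Device("alice", "ios", (7, 1), True, True, True, False, 3),
    Device("bob", "android", (4, 1), False, True, False, False, 12),
    Device("carol", "android", (4, 4), True, True, True, True, 45),
]


if __name__ == "__main__":
    for who, failed in out_of_compliance(SAMPLE_INVENTORY).items():
        print(reminder_text(who, failed))
```

Keeping the policy as a list of named predicates means the rule names in the report are the same strings that appear in the written policy, which is what makes the reminder actionable and the "measure perception" and "monitor for effectiveness" steps auditable over time.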
Where are you at? 
•Current maturity level: Ad Hoc 
•Dimensions assessed: Implementation, Technology, People, Process, Data
Get to the next level of ‘Repeatable’ 
•Collect examples 
•Present business needs & educate executives 
•Create a mobile security policy 
•Identify some short and long-term risks/goals 
•Make the case simple
Now you are at ‘Repeatable’ 
•Maturity level reached: Repeatable 
•Dimensions assessed: Implementation, Technology, People, Process, Data
Adaptive Mobile Security 
Gartner, 2014, Adaptive Security Model
www.countertack.com 
Blog: http://www.countertack.com/blog 
Twitter: @CounterTack, @tmbainjr1 
Real-time Endpoint Threat Detection and Response.