What to Consider When Building a Mobile Security Model
Who Am I? 
•12+ years in information security 
•Experience includes: CounterTack, Security Innovation, Q1 Labs/IBM, Application Security, Inc./TrustWave, Sophos, WAVE Systems 
•SecureWorld, Hacker Halted, ISSA, OWASP, Security Meetups, Boston Security Conference, OASIS-Montgomery Conference 
•Mobile device owner 
@tmbainjr1 
http://www.countertack.com/blog
Agenda 
•Mobile security trends 
•Figuring out mobile security 
•Understanding risks/policy creation 
•Developing an adaptive model and best practices
TRENDS
Do We Really Have a Choice? 
•84% use the same smartphone for work and for personal usage. 
•81% of employed adults use at least one personally owned electronic device for business 
•59% use their mobile devices to run line-of-business applications 
•74% of companies allow BYOD usage in some manner 
•1/3 use mobile devices exclusively 
--Experian Mobile Security Survey, November 2013 (Harris Interactive)
The Great Mobile Security Debate 
•When will the great mobile data breach happen? 
•2017: endpoint breaches will shift to tablets/smartphones. 
•Physical vs Virtual 
•BYOD/Mobile security policy 
•Business vs Security
What are CISOs concerned with?
It’s More About the Data
State of Mobile Security 
•Productivity vs. Security 
•Rise of mobile campaigns 
•More targeted malware 
•Volume of usage = increased risk 
•End user error
User Perspective on Mobile Security 
•50% of companies have experienced a data breach due to inadequate device security 
•47% don’t have a password on their mobile phone. 
•51% stated their companies couldn’t execute a remote wipe if lost or stolen. 
•49% said mobile security has not been addressed with them by IT.
UNDERSTANDING MOBILE SECURITY ISSUES
Mobile Security Failures 
•Inconsistent security policies 
•Unmanageable devices 
•Minimal number of devices 
•Data artifacts existing on disposed devices 
•Data leakage
Unique Mobile Security Issues 
•Multi-user/single user 
•Browsing environment 
•Updates/patching 
•SSL 
•CSRF 
•Geolocation 
•Apps
Mobile Malware Trends 
•98% of all mobile malware targets Android users 
•Kaspersky: 3.4M malware detections on 1.1M devices 
•60% of all attacks are capable of stealing users’ money 
•Reported attacks have increased 6X! (from 35K in August 2013 to 242K as of March 2014) 
Real-time Endpoint Threat Detection and Response 
The Most Popular Mobile Malware 
Malware 
SMS 
RiskTool 
AdWare 
Trojan
Faketoken
Svpeng
Android Resources
iOS Resources
POLICY, RISK ASSESSMENT & BUILDING AN ADAPTIVE MODEL
BYOD Challenges 
•Device turn-over and EOL 
•New devices: Default or customized settings? 
•How can you know everything about every device? 
•App Stores: Approved apps? 
•Applications
Mobile Security Policy Checklist 
Consider risk scenarios. 
Adapt from proven or trustworthy models. 
Measure perception. 
Understand roles, privileges and what’s in place today. 
Get granular with your questions & considerations. 
Figure out a strategy for testing your applications. 
Policy enforcement. 
Raise awareness/required training.
Assess and Validate Risk 
Take an inventory of your high-risk applications/mobile applications. 
Determine business criticality. 
What’s your attack probability? 
How do you define the attack surface? 
Consider overall business impact. 
Where does compliance factor in? 
What are the security threats?
Roles and Access Controls 
•Which departments/groups/individuals have been most active in developing policies? 
•Has there been any previous collaboration between policies and authors? 
•Can you identify a potential champion(s) to support the new policy? 
•Areas of agreement in commonly implemented controls re: policies? 
•Support documents, materials and related policies should be cited in mobile device policy.
Get Granular 
•How will mobile devices be used? 
•Devices assigned to one person or shared? 
•Which mobile applications would be used? 
•What information is accessible through mobile devices? 
•What information will be stored on the mobile devices? 
•How will data be shared to/from and between mobile devices? 
•Who’s ultimately responsible for mobile devices? 
•Will personal activities on company devices be permitted? 
•What levels of support are expected?
Know and Define Your Data
Defining Policy 
•Provide contextual, technical guidelines 
•Map to compliance mandates 
•Considers criticality of application and data 
‒Requirements, activities and level of detail needed will differ 
•Have clear exception policies where necessary 
‒What if minimum standards can’t be met? What is considered acceptable? Who approves? 
•Includes internally built and third party applications 
•Reflects current maturity and skillset of staff 
‒The more skilled, the less explicit you need to be with policies
Enforcing Policy 
•You need management buy-in! 
•Broad strategy vs Targeted strategy roll-out 
•On-boarding: 
‒Require all device info as part of hiring process 
‒Require policy training up front 
•Require training for various departments: 
‒General population receives awareness training 
‒Technical employees receive in-depth training 
•Monitor for effectiveness – Ex: deliver training or a reminder when an employee is out of compliance.
Where are you at? Ad Hoc 
Implementation 
Technology 
People 
Process 
Data
Get to the next level of ‘Repeatable’ 
•Collect examples 
•Present business needs & educate executives 
•Create a mobile security policy 
•Identify some short and long-term risks/goals 
•Make the case simple
Now you are at ‘Repeatable’ 
Implementation 
Technology 
People 
Process 
Data
Adaptive Mobile Security 
Gartner, 2014, Adaptive Security Model
www.countertack.com
Blog: http://www.countertack.com/blog
Twitter: @CounterTack, @tmbainjr1 
Real-time Endpoint Threat Detection and Response.
