MOBILE DEVICES IN TODAY'S BANKING ENVIRONMENT

Scott Sharp
SCOTT SHARP
- Chief Technology Officer for Sharp BancSystems, Inc.
- VP, Director of Information Security for First Baird BancShares, Inc.
- CISSP, LPT, CHFI, CEH, MCITP, RHCSA, CCNA, etc.
- Part Banker / Part Geek
OVERVIEW & INTENT
- Overview
  - Mobile Use
  - Statistics
  - Scary Facts
  - Mitigation & Best Practices
  - Automated Tools
- Intent
  - Not to scare, unless it helps motivate
  - Inform
MOBILE DEVICES ON THE RISE
- Smart phones are rapidly replacing regular mobile phones; Gartner reported an 85% year-over-year increase
- Smart phones and other mobile devices are smaller, lighter, and easier to take everywhere, with capabilities similar to PCs
- PCs have long been the target of security audits while mobile is being overlooked
IMPORTANCE OF MOBILE
- How important are mobile devices to your organization?
- Where do you fit in?
- What about BYOD (Bring Your Own Device)?
MOBILE DEVICE TYPES
- Smart Phones
  - Apple
  - Android (Google)
  - Blackberry (RIM)
  - Microsoft
  - Other
- Tablets
  - Apple
  - Android
  - Other

Source: comScore (February 2012)
COMMON USES
In Financial Institutions:
- Phones for Officers
- Board Room Automation
  - Web Delivery or USB
- Meeting Notes
- Remote Workers
- Customer Service Terminal
- Customer Support
- Point Of Sale

For Consumers:
- Mobile Banking
  - Web Based (read your logs)
  - App Based
- Email - ALL
- Text
- Contacts
  - Home, Mom, Hubby
- Health
- Social
- Fun
CHALLENGES TO MOBILE
- Security
- Upgrades
- Policy Enforcement
- Consistency
- Training
  - User
  - Tech
WHY DOES SECURITY MATTER?
- Would you conduct online banking and shopping on a PC without antivirus software installed?
- Are you willing to remove the antivirus, firewall, encryption and VPN software from your workstation?
- In the transition from phones to smart phones, why weren't we paying attention?
VULNERABILITY POINTS (1 OF 2)
- Unencrypted Information
  - On Phone
  - Removable Memory Card
  - Responsible for data once received
- Consumer Applications
  - Share more than needed
  - Unproductive behavior
- Mobile Malware
  - Looks fun, but designed to steal
  - Less on Apple, more on other platforms
- Weak Passwords or none at all
- SMS Fuzzing
  - Discover device
- Bluetooth/Wireless Interfaces
VULNERABILITY POINTS (2 OF 2)
- GPS Location Services
  - Where are you now?
- Camera, Video, Microphones
  - Theft from BYOD (Bring Your Own Device)
- Internal Storage (USB or Cloud)
  - Equivalent to a thumb drive, sometimes without plugging in!
- Carrier Service Technicians
  - They have the key to the data!
- Manufacturer Data Storage
  - Blackberry or others (banned in France)
- Call Recording - SIP
- Older Devices
  - Patched, Not Patched, Supported?
HACK DEMONSTRATION
- Most Common Bluetooth Hack Tools:
  - Super Bluetooth Hack 1.08
  - Blue Scanner
  - Blue Sniff
  - BlueBugger
  - BTBrowser
  - BTCrawler
  - BlueSnarfing
TYPICAL DATA ON DEVICES
- Loan Portfolios or Board Packages
  - Web Delivery or USB
- Email
  - Different from PC, because of location
- Contacts
  - Corporate Account Take Over (CATO)
  - Guidance – Reasonable Assumption
- Certificates / Keys for VPN
- Personal Data
  - Wait for later information
  - Blackmail
BREACH LAWS
- http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
- Where the customer is located!
- For Texas:
    "breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
POST BREACH CLEAN-UP
- Legal Representation
- Investigation – Forensics
- Regulatory
- Reputational
  - Newspaper or Channel 5
  - Social Media / Internet
- Identity Theft Solutions
- Lawsuits
NOW FOR THE NOT SO SCARY PART
- Mitigating the Risk
  - Business Case with Risk Assessment
  - Policy
  - Agreements
  - Device Selection
  - Device Management
    - Configuration
    - Applications
  - Automated Solutions
  - Audit & Update Risk Assessment
MITIGATING – BUILD A CASE
- Build a Business Case to Permit and/or Use Mobile Devices
  - Cost of Device
  - Cost of Compliance
  - Identify Users
  - Implementation Staff
    - Training?
  - Get Approval?
MITIGATING – POLICY & AGREEMENT
- Policy
  - Device Types
  - Control
  - Permission
  - Monitoring
  - Enforcement
- Agreement
  - User Acknowledgement
  - Understanding
  - Acceptance
  - Annually!
MITIGATING – DEVICE SELECTION
- Apple
  - iPhone
    - Encrypted by Default
    - Encryption uncracked, but keys are easy to obtain: http://www.eweek.com/c/a/Security/iPhone-4-Encryption-Remains-Uncracked-But-Password-Keys-Easy-to-Obtain-686228/
    - Better App Controls in iTunes
    - Likes to add Cloud Sync
    - Remote Wipe Capable
  - iPad
    - Same as iPhone
    - Bigger target for theft
MITIGATING – DEVICE SELECTION
- Android – Phone & Tablet
  - Currently the Most Popular
  - Offers more Control & Faster Innovation
  - Not Encrypted by default
  - No Remote Wipe by default – look for the highly regarded "Mobile Defense" app
  - Location Services from some Vendors
  - Inconsistent Implementation of features
    - Vendor's Choice
  - Open Source, but Supported
MITIGATING – DEVICE SELECTION
- Others
  - Blackberry
    - Losing Market Share FAST!
    - Banned for Government use in some countries
      - Stores data in transit for 7 days
    - Expensive to Control
      - Blackberry Enterprise Server
      - Other Solutions to fill Gaps
  - Microsoft
    - Newer / Less Market Share
    - Stigma from previous versions
DEVICE RECOMMENDATIONS
- Stick with Apple and/or Android
  - The more devices, the higher the cost of ownership
- Use Third Party Software/Services to fill Compliance Gaps
  - At the least:
    - Remote Wipe
    - Password Protection (more than a 4-number PIN)
    - Encryption (all storage & transmission)
- Update device every 2 years
  - Support, but more importantly, Vulnerability Management
MITIGATING – DEVICE MANAGEMENT
- Common Configuration Controls for Devices:
  - Encryption (ENABLE, all storage)
  - Remote wipe (ENABLE)
  - Enforce password on device (ENABLE)
  - Minimum password length (8, or biometric)
  - Maximum failed password attempts before local wipe (10-15)
  - Require both numbers and letters (ENABLE)
  - Inactivity time in minutes (1 to 5 minutes)
  - Allow or prohibit simple password
  - Password expiration (90 days)
  - Password history (5)
  - Policy refresh interval (daily)
- Optional:
  - Minimum number of complex characters in password
  - Require manual syncing while roaming
  - Allow camera
  - Allow web browsing
MITIGATING – DEVICE MANAGEMENT
- Less Common Configuration Controls for Devices:
  - Block access from unapproved devices
  - Block access from non-compliant devices
  - Device Check-In Interval
    - Ensure device not lost
    - Automatically wipe
  - Prevent Wireless & Bluetooth
    - Designated staff administer Bluetooth devices only
  - App Management:
    - Whitelist approved apps
    - Prevent removal of antivirus, firewall, etc.
    - Block non-approved apps
    - Manage app access to functions
      - Disable access to GPS for social apps
    - Enable/Disable GPS
      - Monitor Employee
      - Recover Phone
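The two device-management slides read as an MDM baseline, and the "block access from non-compliant devices" control only works if something evaluates each device's reported state against that baseline. The following is an added example of such a check, not code from the deck or from any of the MDM products it lists: the baseline values (encryption and remote wipe on, 8-character alphanumeric passcode, 10-15 failed attempts before wipe, 1-5 minute inactivity lock, 90-day expiration, history of 5, daily check-in) come from the slides, while the report format, the field names, the app whitelist and the two sample devices are constructed for this example. It also covers the app-whitelist and stale-check-in ("device possibly lost") controls from the less common list.

```python
"""Check MDM device reports against the deck's configuration baseline (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Baseline values come from the deck's "Common" and "Less Common" configuration
# control slides; the dictionary keys are this example's own names.
BASELINE = {
    "encryption": True,               # Encryption (ENABLE, all storage)
    "remote_wipe": True,              # Remote wipe (ENABLE)
    "passcode_required": True,        # Enforce password on device (ENABLE)
    "min_passcode_length": 8,         # Minimum password length (8)
    "alphanumeric_passcode": True,    # Require both numbers and letters (ENABLE)
    "simple_passcode_allowed": False, # Prohibit simple password
    "max_failed_attempts": 15,        # Failed attempts before local wipe (10-15)
    "max_inactivity_minutes": 5,      # Inactivity time (1 to 5 minutes)
    "passcode_expiration_days": 90,   # Password expiration (90 days)
    "passcode_history": 5,            # Password history (5)
    "max_checkin_age_days": 1,        # Policy refresh / check-in interval (daily)
}

# Hypothetical app whitelist; the package names are constructed for this example.
APPROVED_APPS = {"com.example.bank.mobile", "com.example.mdm.agent", "com.example.antivirus"}


@dataclass
class DeviceReport:
    """Configuration state as reported by an MDM agent (constructed record format)."""
    device_id: str
    encryption: bool
    remote_wipe: bool
    passcode_required: bool
    passcode_length: int
    passcode_alphanumeric: bool
    simple_passcode_allowed: bool
    max_failed_attempts: int       # 0 means no local wipe on failed attempts
    inactivity_minutes: int        # 0 means no inactivity lock
    passcode_expiration_days: int  # 0 means passcodes never expire
    passcode_history: int
    last_checkin: datetime
    installed_apps: set = field(default_factory=set)


def evaluate(dev, now, baseline=BASELINE, approved=APPROVED_APPS):
    """Return the list of baseline violations; an empty list means compliant."""
    findings = []
    if baseline["encryption"] and not dev.encryption:
        findings.append("storage encryption disabled")
    if baseline["remote_wipe"] and not dev.remote_wipe:
        findings.append("remote wipe not enabled")
    if baseline["passcode_required"] and not dev.passcode_required:
        findings.append("no passcode enforced")
    else:
        if dev.passcode_length < baseline["min_passcode_length"]:
            findings.append(f"passcode length {dev.passcode_length} below minimum "
                            f"{baseline['min_passcode_length']}")
        if baseline["alphanumeric_passcode"] and not dev.passcode_alphanumeric:
            findings.append("passcode is numeric-only (PIN)")
        if dev.simple_passcode_allowed and not baseline["simple_passcode_allowed"]:
            findings.append("simple passcodes allowed")
        if not 0 < dev.passcode_expiration_days <= baseline["passcode_expiration_days"]:
            findings.append("passcode expiration missing or longer than 90 days")
        if dev.passcode_history < baseline["passcode_history"]:
            findings.append("passcode history shorter than 5")
    if not 0 < dev.max_failed_attempts <= baseline["max_failed_attempts"]:
        findings.append("local wipe on failed attempts missing or threshold above 15")
    if not 0 < dev.inactivity_minutes <= baseline["max_inactivity_minutes"]:
        findings.append("inactivity lock missing or longer than 5 minutes")
    age = now - dev.last_checkin
    if age > timedelta(days=baseline["max_checkin_age_days"]):
        findings.append(f"no check-in for {age.days} days (device possibly lost)")
    unapproved = sorted(dev.installed_apps - approved)
    if unapproved:
        findings.append("non-approved apps installed: " + ", ".join(unapproved))
    return findings


def access_decision(dev, now):
    """'allow' only for compliant devices; everything else is blocked."""
    return "allow" if not evaluate(dev, now) else "block"


# Constructed reference time and sample device reports.
NOW = datetime(2012, 3, 1, 9, 0)
COMPLIANT = DeviceReport(
    "officer-iphone-01", encryption=True, remote_wipe=True, passcode_required=True,
    passcode_length=8, passcode_alphanumeric=True, simple_passcode_allowed=False,
    max_failed_attempts=10, inactivity_minutes=5, passcode_expiration_days=90,
    passcode_history=5, last_checkin=NOW - timedelta(hours=6),
    installed_apps={"com.example.bank.mobile", "com.example.mdm.agent"})
BYOD = DeviceReport(
    "byod-android-07", encryption=False, remote_wipe=False, passcode_required=True,
    passcode_length=4, passcode_alphanumeric=False, simple_passcode_allowed=True,
    max_failed_attempts=0, inactivity_minutes=15, passcode_expiration_days=0,
    passcode_history=0, last_checkin=NOW - timedelta(days=3),
    installed_apps={"com.example.bank.mobile", "com.sideload.game"})

if __name__ == "__main__":
    for dev in (COMPLIANT, BYOD):
        print(dev.device_id, access_decision(dev, NOW))
        for finding in evaluate(dev, NOW):
            print("  -", finding)
```

The sample BYOD device is the slide's worst case rolled into one record (a 4-digit PIN, no encryption, no remote wipe, no wipe-on-failure, a sideloaded app and three days without a check-in), and it fails eleven separate controls; the officer phone passes all of them. Feeding real MDM exports into `evaluate` gives the "before and after" evidence the audit slide asks for.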
MITIGATING
- Select the controls that work best to protect your institution
- Test Features & Controls
- Monitor Usage & Compliance
- Enforce Policy

Not much different than a PC, is it?
MITIGATING – TOOLS & AUDITS
- Automated Solutions:
  - Symantec Mobile Management: http://www.symantec.com/mobile-management
  - MaaS360 Mobile Device and App Management: http://www.maas360.com
  - Zenprise MobileManager: http://www.zenprise.com/products/zenprise-mobilemanager
  - Good for Enterprise (GFE): http://www.good.com/products/good-for-enterprise.php
- Risk Assessment:
  - Consider New Controls
  - Before and After Audit
- Audit:
  - In Scope Statement
CONCLUSION
- Form an adoption plan
- Identify Users & Support
  - Agreements to ensure understanding
- Identify Devices
  - Pick 1 or 2 devices to support at most
- Identify Features
  - Control device features
- Identify Apps
  - Require security apps for Antivirus, Firewall, Encryption, Remote Wipe, Tracking
  - Whitelist good, blacklist everything else
- Use Tools to Control and Monitor – Ensure Compliance
- DOD wipe prior to service or return
- Test, Monitor, Audit
OUT OF SCOPE ADDITION
- Note relating to Customers
  - Update Online Banking & Website Disclosures / Policies
    - PC/Computer = PC/Computer or Mobile Device
  - Additions to Website
    - Notification of Lost/Stolen Phone or other Device
    - Suspend Online Banking and Bill Pay Accounts
    - Change Password and/or Username
  - Invest in a Mobile-formatted Website
    - Quick links to ATM/Branch locations
    - Links to Online Banking Login
      - Even if Online Banking is not Mobile Enabled
      - Disclose mobile devices that work
ENDING REMARKS
- Mobile is here to stay and will only increase
- Secure through tools
  - Securing through prohibition is only temporary
QUESTIONS?
CONTACT ME

http://www.linkedin.com/in/mscottsharp
scott@firstbaird.com
scott@sharpbancsystems.com
scott@geekandahalf.com
(972) 979-2680
REFERENCES
Rashid, Fahmida Y. (2011). iPhone 4 Encryption Remains Uncracked, but Password Keys Easy to Obtain. Retrieved from http://www.eweek.com/c/a/Security/iPhone-4-Encryption-Remains-Uncracked-But-Password-Keys-Easy-to-Obtain-686228/
Parmar, Vivek (2010). 7 Most Popular Bluetooth Hacking Software To Hack Mobile Phones. Retrieved from http://techpp.com/2010/06/30/7-most-popular-bluetooth-hacking-software-to-hack-your-mobile-phone/
Notes on the implementation of encryption in Android 3.0. Retrieved from http://source.android.com/tech/encryption/android_crypto_implementation.htm
Pinola, Melanie. Install or Enable Remote Wipe on Your Smartphone Now. Retrieved from http://mobileoffice.about.com/od/mobilesecurity/qt/smartphone-remote-wipe.htm
Bradley, Tony. Lock Down Your Android Devices. Retrieved from http://www.pcworld.com/businesscenter/article/209597/lock_down_your_android_devices.html
Choudhry, Shahab (2012). iPad in Banking – 7 Important Considerations. Retrieved from http://www.propelics.com/ipad-in-banking-7-important-considerations/
Brownlow, Mark (2012). Smartphone statistics and market share. Retrieved from http://www.email-marketing-reports.com/wireless-mobile/smartphone-statistics.htm
Oltsik, Jon (2010). Juniper Networks Bets on Mobile Device Security—and Beyond. Retrieved from http://www.enterprisestrategygroup.com/2010/08/juniper-networks-bets-on-mobile-device-security%E2%80%94and-beyond/
Shein, Omar (2012). Blackberry, Are we hacked? Security Kaizen Magazine, Vol. 2, Issue 5, 5-6.


Editor's Notes

1. Welcome. Thank you for attending.
2. When talking to auditors: Question – Mobile devices. How many answer No, knowing about personal phones? Answer Yes, but only address company devices.
3. No one should be in the bottom 14% because of BYOD.
4. Stick with the most common.
5. Share experience: Officer phones with Exchange (no USB or Cloud), issued by techs and returned to techs. Board meetings on iPad; techs load to Newsstand. Enforce policy.
6. Email - explain: not a worry before, but once received, our responsibility. Contacts - guidance suggests breach; reasonable to assume the majority are customers; goldmine for CATO thieves.