Mobile security blunders and what you can do about them
Ben Rothke, CISSP CISA
BT Global Services
Senior Security Consultant

About me…


•     Ben Rothke (too many certifications)
•     Senior Security Consultant – British Telecom
•     Frequent writer and speaker
•     Author - Computer Security: 20 Things Every Employee Should Know




BT Americas Inc.               2
Show me the methodology…


• How do you currently handle:
         – Smartphones
         – iPads
         – wireless devices




Serious security


• In your organization - how does management spell
  security?
• Have they deployed adequate:
         –      staff
         –      budget
         –      processes
         –      oversight




Why does this matter?



• Wi-Fi is everywhere
• today’s mobile device is really a desktop
• mobile devices are walking data breaches
• mobile convenience/benefits are obvious
• attackers focusing on mobile devices
• weak mobile security
• mobility is a business necessity
• the perimeter is porous
• compliance pressures
• consumerized technologies are here to stay
• past approaches aren’t working
• social media will be ubiquitous
• misconfigurations

Real-world problems


•     loss and theft
•     malware infections
•     intercepted network traffic
•     intellectual property losses
•     no adequate data backups
•     users not being held responsible for security
•     slew of new applications creating risks…




Scary numbers


• 2010 Information Week Mobile Device Management
  and Security Survey
         – 87% say smartphones will become more predominant in their
           business
         – Security is biggest reason (73%) for deploying mobile device
           management (MDM)
         – Why organizations haven’t deployed MDM:
                   •       Not enough IT staff to support it – 61%
                   •       Too few mobile devices – 34%
                   •       Too expensive – 32%
                   •       Don’t see the need – 26%




Recent issues I’ve come across




Why do we have these problems?


•     mobile devices are new/complex
•     unauthorized usage difficult to prevent
•     improper implementation of controls
•     unstructured files all around
•     failed security policies
•     people not thinking about their choices




Lots of devices out there to consider


• If it’s got network connectivity and storage, secure it:
         –      smartphones
         –      dumbphones
         –      tablets
         –      netbooks
         –      laptops
         –      mobile storage
         –      wireless networks




Security audit


•     What’s being stored where
•     passwords
•     encryption
•     malware protection
•     data backups
•     VPN, RDP, GoToMyPC, etc.
•     Wi-Fi weaknesses




Mobile security best practices


• Management and security
  – Build management and security into the entire mobile security
    product life cycle
  – ensure management tools for mobile devices are interoperable
    with other management infrastructure
• Policy
  – Extend enterprise security policies to mobile and wireless
  – use technologies that provide comparable controls.
     • wireless- and mobile-optimized versions of network access control,
       IDS/IPS, VPN, firewall, data encryption, IDM, DLP, etc.




Mobile security best practices


• Security as a requirement
         – Ensure security is a required purchasing consideration for all
           mobile and wireless technology and services
         – require security provisions as a component of all RFPs




BlackBerry security best practices


• Any BlackBerry containing corporate data should be
  managed under BlackBerry Enterprise Server (BES) or
  comparable platform
         – users of unmanaged devices can choose settings that leave them
           vulnerable to login, sync and data access attacks
         – managed BlackBerrys can be forced to comply with strict IT
           policies
• Ensure you have a uniform set of security capabilities
  across all models that can be managed and audited to a
  guaranteed level of compliance
         – Good news: All BlackBerry models have a common security
           architecture, so this is relatively easy

iPad/iPhone best practices


• Do they exist?
         – applications cannot be considered fully secure until they use the
           Apple Data Protection API (per-file encryption keyed to the
           device passcode, so data stays unreadable while the device is locked)
                    • today, only a few applications support it
         – of the built-in Apple applications, only Mail currently uses the
           Data Protection API to protect message data and attachments
         – require employee-owned devices to be secured and managed
           by the enterprise
         – deny access to jailbroken or modified devices
         – restrict sensitive data exported to these devices
         – use complex passcodes
         – automatically wipe data after multiple failed login attempts

Since no one listens to best practices


• At a bare minimum:
         – all mobile devices should have policies enabled that require
           passwords
         – give high priority to encryption on devices where sensitive data
           will be stored
         – use over-the-air kill (remote wipe) features where supported
         – integrate mobile devices into vulnerability and configuration
           management processes
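The passcode, failed-attempt wipe, jailbreak-denial, encryption and remote-wipe points on this slide and on the iPad/iPhone slide before it map onto concrete device settings. Below is an added example, written for this page and not code from the original deck or from any vendor, that builds an iOS configuration profile enforcing the passcode rules and then audits a device inventory against the bare-minimum baseline. The payload type and key names are Apple's configuration-profile keys; the numeric thresholds, the `example.corp` identifiers and the inventory field names are this example's own assumptions, and the inventory records are constructed sample data.

```python
"""Added example: iOS passcode profile plus a baseline audit of a device inventory.
Apple payload keys are real; thresholds, identifiers and inventory fields are
this example's assumptions, and the inventory itself is constructed sample data."""
import plistlib
import uuid

# Baseline thresholds (assumed values, not figures from the deck).
MIN_PASSCODE_LENGTH = 8
MAX_FAILED_ATTEMPTS = 10


def passcode_payload():
    """Passcode payload for an iOS configuration profile.

    PayloadType and the lower-case keys are from Apple's Configuration Profile
    Reference; the PayloadIdentifier is hypothetical.
    """
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.corp.passcode",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate passcode policy",
        "forcePIN": True,                   # a passcode is mandatory
        "allowSimple": False,               # reject repeating/sequential digits
        "requireAlphanumeric": True,        # letters and digits: a "complex passcode"
        "minLength": MIN_PASSCODE_LENGTH,
        "maxFailedAttempts": MAX_FAILED_ATTEMPTS,  # device erases itself after this
        "maxInactivity": 5,                 # minutes until auto-lock
        "maxGracePeriod": 0,                # passcode needed immediately on wake
        "pinHistory": 5,                    # previous passcodes that cannot be reused
    }


def build_profile():
    """Serialise the profile as the XML plist an iOS device or MDM accepts."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.corp.mobile-baseline",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mobile security baseline",
        "PayloadContent": [passcode_payload()],
    }
    return plistlib.dumps(profile)


def parse_profile(data):
    """Round-trip helper: parse the plist bytes back into a dict."""
    return plistlib.loads(data)


# Constructed inventory in the shape of an MDM export; the field names are this
# example's own, not any product's schema.
SAMPLE_INVENTORY = [
    {"name": "cfo-ipad", "passcode_set": True, "passcode_simple": False,
     "max_failed_attempts": 10, "hardware_encryption": True,
     "remote_wipe_enabled": True, "jailbroken": False, "holds_sensitive_data": True},
    {"name": "sales-iphone-17", "passcode_set": True, "passcode_simple": True,
     "max_failed_attempts": None, "hardware_encryption": True,
     "remote_wipe_enabled": True, "jailbroken": False, "holds_sensitive_data": True},
    {"name": "contractor-iphone", "passcode_set": False, "passcode_simple": False,
     "max_failed_attempts": None, "hardware_encryption": False,
     "remote_wipe_enabled": False, "jailbroken": True, "holds_sensitive_data": False},
]


def audit_device(dev):
    """Return the baseline failures for one inventory record (empty if compliant)."""
    findings = []
    if not dev["passcode_set"]:
        findings.append("no passcode")
    elif dev["passcode_simple"]:
        findings.append("simple passcode")
    # None means the device never wipes, however many guesses are made.
    if dev["max_failed_attempts"] is None or dev["max_failed_attempts"] > MAX_FAILED_ATTEMPTS:
        findings.append("no wipe after failed attempts")
    if dev["holds_sensitive_data"] and not dev["hardware_encryption"]:
        findings.append("sensitive data on unencrypted device")
    if not dev["remote_wipe_enabled"]:
        findings.append("over-the-air kill not enabled")
    if dev["jailbroken"]:
        findings.append("jailbroken or modified device: deny access")
    return findings


def audit_inventory(inventory):
    """Map device name -> findings, omitting compliant devices."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    print(build_profile().decode())
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

The emitted plist is the same format iPhone Configuration Utility or an MDM pushes to the device; the audit function is the shape of check an MDM console runs on each sync, and a jailbroken device or one without remote wipe should trigger a deny rather than a warning.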




Tools that can help


•   Native security
•   ActiveSync
•   Lookout
•   BlackBerry BES
•   Mobile Active Defense
•   MobileIron
•   Trust Digital
•   Good Technology
       – Enterprise
       – Government
•   42Gears

Future trends


•     little knowledge needed
•     more internal breaches
•     more elaborate hacks
•     more directed hacks
•     physical attacks (stolen devices)
•     broadened attack surfaces
•     mobile business apps
•     WikiLeaks
•     directed spear phishing


Copyright (c) 2007, Principle Logic, LLC - All Rights Reserved
Keys to information security success


1. Getting the right people
2. Focusing on core issues
3. Proper testing
4. Effective metrics
5. Policies and processes
6. Right technologies
7. Incident response
8. Architecture



Contact info…


• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services

• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke



