byod: device control in the wild, wild, west
DESCRIPTION
This presentation was given at the Western Independent Banker's 2012 Technology Conference in San Diego, CA.
TRANSCRIPT
BYOD: Device Control in the
Wild, Wild, West
September 25th, 2012
About the Speaker
• Chief Security Officer, Q2ebanking
• Former CIO for multi-billion financial institution
• 13 years industry exp. in Information Technology & Security
• CISSP® (Certified Information Systems Security Professional)
• Published & quoted in American Banker, ABA Banking Journal, BankInfoSecurity.com, CIO Magazine, ComputerWorld, Credit Union Times
• Speaker/evangelist - InfoSec World, Innotech, ComputerWorld SNW, BAI PaymentsConnect, regional banking conferences
Agenda
• Changing mobile landscape
• Drivers behind BYOD(evice)
• Considering threat agents
• Implementing a BYOD program
 • policies, technologies, privacy
• Summary & QA
Mobile Tidal Wave
• 300,000 apps developed in 3 years
• 1.2 billion mobile web users
• 8 trillion SMS messages sent last year
• 35 billion value of apps downloaded
• 86.1 billion mobile payments made in 2011
• 1.1 billion mobile banking customers (2015)
BYOD: Bring Your Own Device
Formally advocates the use of personal or non-company-issued equipment to access corporate resources & data, and obligates IT to ensure jobs can be performed with an acceptable level of security.
Business Benefits
• Cut operating costs by eliminating support
- Operating system support
- Application support
- Access support
• Reduce device hardware costs & procurement
• Remove productivity barriers (flexible work styles)
• Extend applications to offsite/traveling employees
• Increase employee satisfaction through programs
• On-demand, whenever, wherever, multiple channels
BYOR(isk)
• Understand the risks being introduced
• Industry is coming to terms with security concerns that exist around unsecured mobile devices/smartphones
• Conduct a risk assessment to identify and address the different threat agents
Protect What?
From whom? or what?
and How?
BYOD presents a NEW problem...
...well, not really
The “Human” Problem
• Increased use of social media, coupled with the ubiquity of ecommerce, has fueled growth in socially engineered schemes waged for financial gain
• According to the Anti-Phishing Working Group, there are presently about 30,000 to 35,000 unique phishing campaigns every month, each targeting hundreds of thousands to millions of email users
• Anytime a user is asked to make a voluntary decision, phishing schemes will work, because humans are easy to manipulate
➡ this is a social problem, not a technical problem.
Do you really believe that you control your
endpoints?
Device Control
• How many of you have local admin rights on your computer?
• How many of you are able to take your computer and browse the Internet freely away from the network?
• How many of you disallow PST files to prevent users from taking data?
• How many of you are doing mobile device management?
How do you manage a device that you don’t control?
Get out in Front
Reactive approaches result in ad hoc programs
Are you prepared to answer this question from your CEO:
“what security did we have on the device when he lost it?”
Understand your Data
• How sensitive is your data?
• How is your sensitive data used?
• What compliance and/or regulations exist?
What are you protecting?
Focus Group: Computer Security
Jailbreaking Devices
• Why? For functionality or to get paid apps for free
• “Jailbreaking” or “rooting” destroys the security model
• Jailbreaking techniques leave the device with a standard root password that may grant admin-level access to an app...(and attacker or malware)
• Convenience at the expense of security
Mobile Malware
Mobile Malware
• Researchers identify first instance of mobile malware in 2004
• More than 80 infected apps have been removed from Google Play since 2011
• Android malware has infected more than 250,000 users
ex. Gozi
QR Codes
• QR codes surfacing containing malicious links
• First case confirmed by Kaspersky Labs last year - mobile malware used to send premium SMS messages
http://siliconangle.com/blog/2011/10/21/infected-qr-malware-surfaces-on-smartphones-apps/
Which one is evil?
Not the Device
• Over focused on the endpoint and device
• ...it’s the data, stupid!
• Data in motion (network)
• Data presentation (application)
• Data at rest (data stores/shares)
Establish Policies
• Will a formal agreement between the institution and the BYOD user (EULA) specify allowed activities and the consequences for breaking the agreement?
• Create policies before procuring devices
• Do your BYOD policies address:
 • the use of consumer apps
 • services such as cloud storage > Box.net, Dropbox, SpiderOak, Evernote, SkyDrive, iCloud
• Communicate the privacy policy to employees and make it clear what data you can & cannot collect from their mobile devices
MDM Solutions
• What are you trying to protect?
• Address four key areas:
 1) standardization of service, not device
 • consistent set of security controls across different platforms while providing the same level of service
 2) common delivery methods
 3) intelligent access controls - role, group, etc.
 4) data containment
 • encryption
 • partitioning
 • sandboxing
Questions to Consider
• Which devices will be supported?
• What is the risk profile of the employee/group using the devices?
• Does the institution have the ability to require and install applications to the device(s), such as remote wipe and/or virus/malware software?
• Can the institution require a “business only secure partition” on the mobile device?
• Mandatory or will the organization bend for certain users?
• What happens if the device is compromised? Will your institution be able to perform any forensics?
• When should we say no?
Balancing User Privacy
• Is ‘sandboxing’ or ‘partitioning’ sufficient to maintain separate personas?
• Is there a reasonable expectation of privacy?
✓should the organization be able to read messages?
✓should the organization be able to perform a full wipe of the device?
• State specific privacy laws (ex CA/MA) may prevent corporations from even viewing non-corporate data
Policy + Technology
• Policies alone are not sufficient - technology ensures enforcement
• Many solutions, but requirements should include:
✓simple self-enrollment --> complexity increases non-compliance
✓over-the-air updating
✓ability to selectively wipe data on the device
• corporate apps, email, and documents must be protected by IT if the employee decides to leave the organization
✓management of the OS patch/update process
✓reporting & alerting --> devices that are non-compliant
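The two slides above describe what an MDM policy engine has to do: apply one consistent set of controls across platforms, make role/group-based access decisions, enforce data containment, report non-compliant devices, and selectively wipe only the corporate container. The following is an added, vendor-neutral example (not code from the presentation or from any MDM product) of such an evaluator. The posture fields, the policy thresholds (minimum OS versions, roles that require a container, maximum check-in age) and the device records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DevicePosture:
    """Attributes an MDM agent reports at check-in (field names are assumptions)."""
    device_id: str
    platform: str              # "ios" or "android"
    user_role: str             # group used for role-based access decisions
    os_version: tuple          # e.g. (6, 0)
    jailbroken: bool           # rooted/jailbroken: platform security model is gone
    encrypted: bool            # storage encryption enabled (data at rest)
    passcode_set: bool
    corporate_container: bool  # business-only secure partition installed
    last_checkin: date


# --- Policy (constructed sample values; tune to your own risk assessment) ---
MIN_OS = {"ios": (6, 0), "android": (4, 1)}          # minimum patched OS per platform
CONTAINER_REQUIRED_ROLES = {"lender", "executive"}  # roles that handle sensitive data
MAX_CHECKIN_AGE = timedelta(days=7)                 # older than this, we cannot vouch for it

# Enforcement actions, least to most severe; a selective wipe touches only corporate data
ALLOW, ALERT, QUARANTINE, WIPE_CORPORATE = "allow", "alert", "quarantine", "wipe_corporate"
SEVERITY = {ALLOW: 0, ALERT: 1, QUARANTINE: 2, WIPE_CORPORATE: 3}


def check_device(d: DevicePosture, today: date) -> list:
    """Return (rule, action) pairs for every policy rule the device violates."""
    findings = []
    if d.platform not in MIN_OS:
        findings.append(("unsupported_platform", QUARANTINE))
    if d.jailbroken:
        # root access for any app means data in the corporate container is not safe
        findings.append(("jailbroken", WIPE_CORPORATE))
    if not d.encrypted:
        findings.append(("no_encryption", QUARANTINE))
    if not d.passcode_set:
        findings.append(("no_passcode", QUARANTINE))
    if d.platform in MIN_OS and d.os_version < MIN_OS[d.platform]:
        findings.append(("os_out_of_date", ALERT))
    if d.user_role in CONTAINER_REQUIRED_ROLES and not d.corporate_container:
        findings.append(("container_missing", QUARANTINE))
    if today - d.last_checkin > MAX_CHECKIN_AGE:
        findings.append(("stale_checkin", ALERT))
    return findings


def decide_action(findings: list) -> str:
    """Most severe action among the findings; a clean device is allowed."""
    return max((action for _, action in findings), key=SEVERITY.get, default=ALLOW)


def compliance_report(devices, today: date) -> dict:
    """Per-platform compliant/non-compliant counts plus the action and rules per device."""
    report = {"by_platform": {}, "actions": {}}
    for d in devices:
        findings = check_device(d, today)
        action = decide_action(findings)
        report["actions"][d.device_id] = (action, [rule for rule, _ in findings])
        bucket = report["by_platform"].setdefault(
            d.platform, {"compliant": 0, "non_compliant": 0})
        bucket["compliant" if action == ALLOW else "non_compliant"] += 1
    return report


# Constructed sample inventory (not real devices)
TODAY = date(2012, 9, 25)
SAMPLE_DEVICES = [
    DevicePosture("dev-001", "ios", "teller", (6, 0), False, True, True, True, TODAY),
    DevicePosture("dev-002", "android", "lender", (4, 0), True, True, True, False,
                  TODAY - timedelta(days=2)),
    DevicePosture("dev-003", "ios", "executive", (5, 1), False, False, True, True,
                  TODAY - timedelta(days=10)),
    DevicePosture("dev-004", "android", "teller", (4, 1), False, True, False, False, TODAY),
]

if __name__ == "__main__":
    for dev_id, (action, rules) in compliance_report(SAMPLE_DEVICES, TODAY)["actions"].items():
        print(f"{dev_id}: {action} {rules}")
```

The rules are deliberately ordered by what the slides call data containment: a jailbroken device gets the corporate container wiped because no sandbox can be trusted once any app can obtain root, while a missing passcode or encryption only quarantines corporate access until the user fixes it. The per-platform report is the "reporting & alerting" feed for non-compliant devices, and because the checks are the same for iOS and Android, the program standardizes the service rather than the device.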
COMPLIANCE
Legal Issues
• Big question surrounds legal issues -- agreements between employees and employer -- and placing a company-owned agent on an employee’s handset
• It’s the start of whole new relationship between mobile device users, in dual roles as individual consumer and employee, and the company for which they work.
• Unresolved questions?
• e-discovery, Culpability, Liability
• ex: combined mailboxes
Summary
• Understand the mobile landscape of your device population
• Policies and procedures should reflect the allowable usage and the breadth and depth of security and control settings
• Consider how BYOD policies can be tested and validated to ensure that security and controls have been successfully implemented
• Threat landscape is continuously changing
• Risk assessments should be performed regularly to identify threats and vulnerabilities
Thank You
if questions >= 1 then
    response_variable = 'answer'
else
    response_variable = 'thankyou'
end if;