byod - isaca - final 20130223 vorapoj lookmaipun.pdf
TRANSCRIPT
-
7/28/2019 BYOD - ISACA - Final 20130223 Vorapoj Lookmaipun.pdf
1/41
2/23/2013
1
BY VORAPOJ LOOKMAIPUN, CISA, CISM, CRISC, CISSP
Agenda
Security Cases
What is BYOD
Best Practice
Case Study
-
Zeus
Botnet designed for financial crime
Composed of:
Zeus Builder: creates the Zeus bot
Zeus Admin (C&C, Command and Control): web dashboard page
Zeus bot: collects system configuration data, collects transaction and personal information, web injects, etc.
ZITMO (Zeus in the mobile)
Banking malware to steal from your bank account
Infection
Threat
Analysis
-
ZITMO (Zeus in the mobile)
-
ZITMO (Zeus in the mobile)
-
Trojan Geinimi
Bot, C&C
Baseball Superstars 2010
Threat:
Intercept inbound SMS
Send SMS
Restart packages
Access GPS location
Access browser history
Etc.
iOS malware
iKee
1st worm on iPhone, Nov 2009
Attacks jailbroken devices
Uses the SSH default password vulnerability to spread across the network
-
IT Trend in 2013
-
Consumer driven IT
-
Bring Your Own Device
Bring Your Own Applications
Bring Your Own Data
Bring Your Own Friends
BYOD
-
Gartner CIO agenda 2012
What is BYOD?
BYOD = Bring Your Own Device
The recent trend of employees bringing personally owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases.
An alternative strategy that allows employees, business partners and other users to use a personally selected and purchased client device to execute applications and access data.
Mobile innovation is now driven more by consumer markets than by business markets.
-
What are the challenges for IT?
Protecting sensitive data
Support
Security
How does BYOD benefit the organization?
Increased flexibility
Empowered employees and increased worker productivity
Overall cost savings
BYOD
Traditional vs BYOD Concept
Devices
  Traditional end-user computing: structured and standardized; typically PCs, laptops and BlackBerry devices
  BYOD concept: heterogeneous PCs, laptops, Macs, tablets and smartphones
Applications & Operating System
  Traditional end-user computing: standardized
  BYOD concept: heterogeneous; various applications, operating systems, even form factors
Device Management
  Traditional end-user computing: endpoint security, systems and asset management are used and in full control
  BYOD concept: minimal control or no control at all
-
BYOD Pro & Con
Business - Pros
A business adopting a BYOD policy can save on buying costly desktop devices, and also saves in terms of maintaining and supporting computer devices and hiring IT support staff.
With the cost savings, the business could take advantage by investing in other technology, or other areas of the business.
Employees tend to take better care of self-owned property/devices.
Business - Cons
Without proper BYOD policies and technologies in place, a business or its computers risk exposing classified information.
Information will not be as secure as it would be on a device exclusively controlled by the company.
Devices brought in by employees will likely face compatibility issues. IT departments may need to spend extra time troubleshooting various devices and looking for the best solutions to issues.
Employees - Pros
Employees can decide which devices they prefer, which in turn would increase employee morale and productivity.
As BYOD devices are mobile devices, employees could access work resources and applications anywhere and anytime, which in turn improves productivity.
Employees are now empowered to work more efficiently and be more productive than with corporate-owned devices.
Employees - Cons
Due to security issues, the employees often do not have true full control over their devices. The company they work for would need to ensure that proprietary and private information is secure at all times.
It is an out-of-pocket expense for the employees. They would be responsible for repairs if their devices were damaged or broken at work.
Without proper security measures, BYOD could mean BYOMalware to the office, which eventually causes damage to the organization.
-
BYOD Goal
To balance conflicting goals:
Social: keep employees happy
Business: keep processes running effectively
Financial: manage costs
Risk management: stop bad things from happening
Mobile Infrastructure
-
BYOD Strategy
Demand: The mobile experience for customers, employees and partners. How will they transact, be informed and be serviced?
Supply: Which technologies, resources and partners will deliver the mobile experience?
Governance and Risks: Who needs to be involved, who is providing the funding, and how will risks be mitigated?
-
Security Risks & Concerns
Business
Employees
Technical Solution to reduce BYOD risk?
BYOD Pro & Con
BEST PRACTICE
-
BYOD Security Blueprint
App Store
Mobile Device Security
Network Access Control
Wireless Access Point
Guest Limited Full
Safe mobile device configurations
Safe mobile device provisions
Safe access channel for mobile device
-
WIFI Threats
WIFI Security
Change default SSID
Hide SSID broadcast
Strong encryption (WPA/WPA2)
Strong password (Wi-Fi router admin)
Enable router firewall
Disable auto-connect (optional)
WIFI Security
-
Remote Access
Connect to the enterprise network via Wi-Fi using a VPN or IPsec
Wi-Fi uses WPA2 or better
BYOD Security ISACA Framework
Network Access Control
-
Network Access Control Strategy
Embrace = Allow everyone to BYOD for almost everything
Contain = Allow some people to use some devices to
access some resources
Block = Not allow
Disregard = No change
Contain
Sample Access Control Policies
Allow Internet access
Allow access to email, calendar and contacts (such as via Exchange ActiveSync)
Allow access to some corporate applications
Block access to sensitive intellectual property and data
BYOD NAC
-
Contain
Network Access Level
Limited access zone; restrict access to applications and data
Support wireless LAN and wired LAN
Limit access according to the user's role (by integrating with Active Directory)
Server-based computing (such as VDI and Windows Terminal Server), SSL VPN
Firewall, wireless controller or any Layer 3 network component that accepts ACLs
BYOD NAC
Embrace
Sample Endpoint Control and Security Policies
Require MDM agents for tablets and smartphones
Require DLP agents for tablets and smartphones
Maintain current OS levels and patches for Windows PCs and Apple OS X devices
Require security agents for Windows PCs and Apple OS X devices (such as NAC, endpoint protection, DLP)
Network Access Level
Allow personally owned endpoints that comply with security policies to access the corporate network.
BYOD NAC
-
Moving From Contain to Embrace
Gain CIO Support
Partner With the Mobile Team
Begin with Contain Policies
Slowly Evolve to an Embrace Approach
BYOD NAC
-
Network Access Control
SSL/TLS or VPN
Active Directory
2nd Factor Authentication
BYOD NAC ISACA Framework
Security Level (weak to strong) / Security Criteria
7 Air Gap
6 Geo Location Policy Enforcement
5 Mobile Device Encryption
4 Mobile Content Control
3 Mobile Device Lock Down
2 Sandbox, Container, Wrapper
1 Password Management
0 Do Nothing
Mobile Device Security
-
0 Do nothing
Don't know what they have in the organization.
The BlackBerry system was a built-in security environment: locked-down devices, with management handled invisibly in a data center with BES.
Mobile Device Security
1 Password Management
Required Passcode
Minimum Password Length
Password Expiration
Password History
Mobile Device Security
-
2 - Sandboxes, Containers & Wrappers
Memory isolation; memory protection from OS collapse
App-wrapper VPN capability rather than for the entire device
Mobile Device Security
3 - Mobile Device Lock Down
Device identity authentication
CA-based handshaking with AD to create mobile
workforce provisioning, management and reporting.
Always-on VPN
VoIP traffic must be encrypted
WIFI traffic must be encrypted
The user cannot bypass the VPN
Mobile Device Security
-
4 - Mobile Content Control
Begin with a hardened stateful-inspection mobile firewall: services, ports, processes, users/groups
Centrally managed mobile firewall, making the entire mobile population invisible to the Internet and attackers
Application blacklisting - SIEM
Check for jailbreak, root
Mobile Device Security
5 - Mobile Device Encryption
Device-level encryption to protect data at rest, at the OS level
Do not allow sensitive data to reside at rest on the mobile device
Use a Citrix-like tool to access corporate resources
Treat the mobile device as a GUI dumb terminal with encrypted traffic
Application wrapping
Mobile Device Security
-
6 - Geo-Location Policy Enforcement
GPS or tower-based resolution enforcement
Integrate the mobile firewall and policy with highly granular resolution (within 3 meters)
Mobile Device Security
-
7 - Air Gap
Two devices
Users have one mobile device for business and one for personal use.
Make the mobile device as secure as a fully compliant desktop computer; Android and iOS
More expensive, depending on the worth of
Mobile Device Security
BYOD vs Air Gap
Personal/business data intermingled on device? BYOD: Yes; Air Gap: No
Personal privacy in jeopardy? BYOD: Yes; Air Gap: No
Compliance risk? BYOD: Yes; Air Gap: No
Company potentially liable for personal data loss? BYOD: Yes; Air Gap: No
Who is liable for breached company data? BYOD: Unknown; Air Gap: Company
Who is liable for compromised personal data? BYOD: Unknown; Air Gap: Not applicable
-
MDM Product
-
Device Access Restriction
Strong password
2nd authentication factor
Password expires every 90 days
Device lock after 3 unsuccessful password attempts
Data permissions and access are aligned with data classification
Data accessibility and permissions are within the user's job function and data classification
BYOD Security ISACA Framework
Device security
Explicit permission to wipe data
Encryption and data protection of at least AES 128-bit or 3DES 168-bit
Remote Access
Bluetooth discoverable mode is disabled
Bluetooth connects with previously paired devices
Connect to the enterprise network via VPN or IPsec
Connect to the enterprise network via Wi-Fi using a VPN or IPsec
BYOD Security ISACA Framework
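The Password Management level (1) and the Device Access Restriction items above, as an added example that is not from the slides or the ISACA framework: a small passcode policy evaluator enforcing a required passcode, minimum length, history, 90-day expiry and a lock after 3 failed attempts. The class and function names, and the length and history numbers, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib


@dataclass
class PasscodePolicy:
    """Controls from the slides; min_length and history_depth values are assumptions."""
    min_length: int = 6
    max_age_days: int = 90       # "Password expires every 90 days"
    history_depth: int = 5       # previous passcodes that may not be reused
    max_attempts: int = 3        # "Device lock after 3 unsuccessful password attempts"


@dataclass
class DeviceState:
    passcode_hashes: List[str] = field(default_factory=list)  # oldest first
    last_changed: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False


def _digest(passcode: str) -> str:
    # The history stores only hashes, never the passcodes themselves.
    return hashlib.sha256(passcode.encode("utf-8")).hexdigest()


def set_passcode(policy: PasscodePolicy, state: DeviceState,
                 new_passcode: str, now: datetime) -> Tuple[bool, str]:
    """Apply 'required', 'minimum length' and 'history'; returns (accepted, reason)."""
    if not new_passcode:
        return False, "passcode required"
    if len(new_passcode) < policy.min_length:
        return False, "too short"
    if _digest(new_passcode) in state.passcode_hashes[-policy.history_depth:]:
        return False, "reused passcode"
    state.passcode_hashes.append(_digest(new_passcode))
    state.last_changed = now
    state.failed_attempts = 0
    return True, "ok"


def passcode_expired(policy: PasscodePolicy, state: DeviceState, now: datetime) -> bool:
    """'Password expiration': having no passcode at all counts as expired."""
    if state.last_changed is None:
        return True
    return now - state.last_changed > timedelta(days=policy.max_age_days)


def unlock_attempt(policy: PasscodePolicy, state: DeviceState,
                   attempt: str, now: datetime) -> str:
    """Returns 'locked', 'expired', 'granted' or 'denied'; locks after max_attempts."""
    if state.locked:
        return "locked"
    if state.passcode_hashes and _digest(attempt) == state.passcode_hashes[-1]:
        state.failed_attempts = 0
        return "expired" if passcode_expired(policy, state, now) else "granted"
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_attempts:
        state.locked = True      # only an admin/MDM unlock or a wipe gets out of this state
        return "locked"
    return "denied"
```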
-
Malware Protection
Antivirus installed
Firewall
BYOD Security ISACA Framework
BASELINE SECURITY FEATURE
-
Baseline Security Feature (Android)
Android 2.2
Password policies: required, minimum length, alphanumeric, maximum attempts
Maximum inactivity time lock (idle time)
Android 3.0
Password policies: complexity, minimum letters/characters/symbols, expiration, history
Full file system encryption
Data Execution Prevention (DEP) using ARM XN
Android 4.0
Support for Microsoft Exchange ActiveSync (EAS) v14 (Exchange Server 2010) and EAS certificates
Automatic sync to be disabled while roaming
Disable camera
Keychain API
Address space layout randomization (ASLR) to help protect system and third-party apps from exploitation due to memory management issues
VPN API and underlying secure credential storage
Device Security
Basic access locks: passcode, pattern lock, face recognition
Lock after timeout and wipe after retry limit
Bluetooth and Wi-Fi access controls
SIM card password
Android devices should not be allowed to host business data and apps unless under the control of an MDM tool that provides access control policies, proactive status reporting and root detection.
Baseline Security Feature (Android)
-
Encryption
Always-on AES hardware storage encryption
Configuration profiles that can be encrypted and locked to a device, with removal requiring an administrative password
iTunes backups that can be encrypted and password-protected at the user's discretion
Native S/MIME email support
Certificates
Certificate enrollment can be linked to a company's public-key infrastructure and certificate authority
Certificates can be required for virtual private network (VPN) connections
Online Certificate Status Protocol (OCSP) facilitates certificate revocation
Simple Certificate Enrollment Protocol (SCEP) establishes opt-in policy controls at the user device
Exchange ActiveSync (EAS) and VPN client access can be set to require a device certificate
Baseline Security Feature (iOS)
Apps
JavaScript VM app isolation
Jailbreak-proof app keychain
Address space layout randomization
Safari Private Browsing and anti-phishing policies
Enterprise-installed apps installed/removed by MDM tools
Embedded VPN
L2TP, IPsec, PPTP and SSL are natively supported.
Proxy configuration is supported in Safari and by a VPN configuration profile
VPN can auto-connect to bring up a tunnel only if a resource is requested
Baseline Security Feature (iOS)
-
Endpoint Policies
Apple provides email controls for app-generated messages and forwarding policies. Combined with EAS, this serves as an introductory over-the-air (OTA) management solution.
Additional local device security policies may be administered over a tethered connection using the iPhone Configuration Utility (IPCU), or can be delivered OTA by email, a Web URL or third-party MDM tools.
Apple Configurator can help IT administrators to mass configure and supervise iOS devices by means of a tethered connection.
Apple's MDM API provides many policy functions to third-party developers.
Baseline Security Feature (iOS)
BYOD CASE STUDY
-
Financial service company
100,000 endpoint devices
200 locations
Anticipates approximately 10,000 employee-owned smartphones, tablets and laptops.
Case Study
Use Case
1. Employee-owned Tablet/Smartphone
2. Employee owned Windows Laptop
3. Employee owned MacBook Laptop
Case Study
-
Use Case 1 Employee Owned Tablet/Smartphone
Policies
- Install an MDM agent on the device to gain access to the wireless BYOD network.
Action
- If an MDM agent is detected, a Citrix-like agent is used to grant access to a subset of applications on the corporate network.
- If an MDM agent is not detected, the device is positioned on the guest network, and is limited to Internet access only.
- Jailbroken iOS devices and rooted Android devices are denied access to the network, including the guest network.
Case Study
Use Case 2 Employee Brings Own Windows Laptop
Policies
Up-to-date patches are required.
Up-to-date antivirus signatures are required.
Disk encryption is required.
Specific ports must be blocked via a personal firewall (such as Telnet/SSH).
Mobile endpoint enabled for checking configuration status.
Data Loss Prevention agent is required.
Case Study
-
Use Case 2 Employee Brings Own Windows Laptop
Actions
If the Windows laptop is compliant with all policy criteria, it is granted full access to the corporate network.
If the Windows laptop is non-compliant with one or more policies, it is positioned on the guest network and is limited to Internet access only. (The user must register at the guest Web portal.)
Case Study
Use Case 3 Employee Brings Own MacBook Laptop
Policies
It must be running OS 10.5 or later.
MDM agent must be enabled.
Vontu DLP agent is required.
Actions:
If compliant with all policies, it is granted full access to the corporate network.
If not compliant with all policies, it is positioned on the guest network and limited to Internet access only.
Case Study
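The three use cases above as one posture-to-zone decision, added here as an example rather than code from the case study or any NAC product. The Posture fields and the zone names (full, limited, guest, denied) are assumptions; the rules are the policies and actions the slides list.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MIN_MAC_OS: Tuple[int, int] = (10, 5)        # use case 3: "OS 10.5 or later"
REQUIRED_BLOCKED_PORTS: Set[int] = {22, 23}  # use case 2: SSH/Telnet blocked by personal firewall


@dataclass
class Posture:
    """Hypothetical posture report as a NAC/MDM agent might supply it (constructed)."""
    kind: str                                   # "mobile", "windows" or "mac"
    mdm_agent: bool = False
    dlp_agent: bool = False
    patched: bool = False
    av_current: bool = False
    disk_encrypted: bool = False
    blocked_ports: Set[int] = field(default_factory=set)
    config_check_enabled: bool = False
    compromised: bool = False                   # jailbroken iOS / rooted Android
    os_version: Tuple[int, ...] = ()


def checks(p: Posture) -> Dict[str, bool]:
    """Per-platform policy controls from the use cases, name -> pass/fail."""
    if p.kind == "windows":
        return {
            "patches current": p.patched,
            "antivirus signatures current": p.av_current,
            "disk encryption": p.disk_encrypted,
            "Telnet/SSH blocked by personal firewall": REQUIRED_BLOCKED_PORTS <= p.blocked_ports,
            "endpoint configuration check enabled": p.config_check_enabled,
            "DLP agent": p.dlp_agent,
        }
    if p.kind == "mac":
        return {
            "OS 10.5 or later": p.os_version >= MIN_MAC_OS,
            "MDM agent": p.mdm_agent,
            "DLP agent": p.dlp_agent,
        }
    return {"MDM agent": p.mdm_agent}


def access_zone(p: Posture) -> str:
    """Map a posture to a zone: full, limited, guest or denied."""
    if p.kind == "mobile":
        if p.compromised:
            return "denied"      # not even the guest network
        # MDM present: Citrix-like access to a subset of corporate apps only
        return "limited" if p.mdm_agent else "guest"
    # laptops: all controls or nothing; non-compliant goes to guest (portal registration)
    return "full" if all(checks(p).values()) else "guest"


def failed_controls(p: Posture) -> List[str]:
    """What to show the user at the guest portal and log for the NAC team."""
    return [name for name, ok in checks(p).items() if not ok]
```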
-
3-Phase Project
1st phase
A pilot project: 200 IT staff brought personally owned devices to work.
6 months
Refine the Web registration portal
Address minor product integration issues with the MDM agent
Case Study
3-Phase Project
2nd phase
Support 1,000 employee-owned devices
Employees in the IT risk management and risk compliance departments included
Assess the end-user experience and overall performance of the solution.
Define and monitor role-based access.
1-year period
Case Study
-
3-Phase Project
3rd phase
Support all employees and contractors
By year end 2014
Case Study
Results
80% of employees have chosen to comply with corporate policies and install the required MDM agent and other software on their mobile devices.
Users who choose not to comply with policy must register their devices at the guest portal on a daily basis, and are allowed Internet access only.
(August 2012) Approximately 1,000 employee-owned devices are present on the corporate network on a regular basis.
Contractors represent 85% of the non-corporate devices
Smartphones and tablets are 10% of non-corporate devices
MacBooks are 5% of non-corporate devices
Case Study
-
Results
The company did not add full disk encryption to support the BYOD initiative. Endpoint service consultants are on-site and support the broader NAC project.
Policy enforcement has gone smoothly. For example:
5 employees reported that they had lost their personally owned devices; these devices were then immediately wiped clean, the entire device.
The employees had signed waivers agreeing to the remote wipe policy; because the policy was communicated clearly, the employees (grudgingly) accepted the fact that they lost personal content.
Case Study
Air Gap. Two devices.
I want my mobile work as homogeneous as possible: iOS plus a select best-of-breed Androids.
Lock-down, VPN, firewall and content filtering
Full Disk Encryption
VDI
????
What is the right answer?
-
BYOD Security Blueprint
App Store
Mobile Device Security
Network Access Control
Wireless Access Point
Guest Limited Full
Safe mobile device configurations
Safe mobile device provisions
Safe access channel for mobile device
Change default SSID
Hide SSID broadcast
Strong encryption (WPA/WPA2)
Strong password (Wi-Fi router admin)
Enable router firewall
Disable auto-connect (optional)
WIFI Security
-
Network Access Control Strategy
Contain = Permit some users to use some personally owned devices
Embrace = Permit all users to use some personally owned devices
Block = Prohibit all personally owned devices in workplace
Disregard = Ignore the issue; do not establish any BYOD policies
Security Level (weak to strong) / Security Criteria
7 Air Gap
6 Geo Location Policy Enforcement
5 Mobile Device Encryption
4 Mobile Content Control
3 Mobile Device Lock Down
2 Sandbox, Container, Wrapper
1 Password Management
0 Do Nothing
Mobile Device Security
-
Lock code
Lock when idle
Complex password
Remote wipe capability
Device Encryption
Easy Mobile Security