byod - isaca - final 20130223 vorapoj lookmaipun.pdf


Post on 03-Apr-2018


  • 7/28/2019 BYOD - ISACA - Final 20130223 Vorapoj Lookmaipun.pdf

    1/41

    2/23/2013

    1

    BY VORAPOJ LOOKMAIPUN, CISA, CISM, CRISC, CISSP

    [email protected]

    Security Cases

    What is BYOD

    Best Practice

    Case Study

    Agenda

    2/41

    Botnet designed for financial crime

    Composed of:

    Zeus Builder: creates the Zeus bot

    Zeus Admin (C&C, Command and Control): web dashboard page

    Zeus bot: collects system configuration data, collects transaction and personal information, web injects, etc.

    Zeus

    ZITMO (Zeus in the mobile)

    Banking malware to steal from your bank account

    Infection

    Threat

    Analysis

    3/41

    ZITMO (Zeus in the mobile)

    4/41

    ZITMO (Zeus in the mobile)

    5/41

    Bot, C&C

    Baseball Superstars 2010

    Threat

    Intercept inbound SMS,

    Send SMS,

    Restart Packages

    Access GPS location

    Access browser history

    Etc.

    Trojan Geinimi

    iKee

    1st worm on iPhone, Nov 2009

    Attacks jailbroken devices; uses the default SSH password vulnerability to spread over the network

    iOS malware

    6/41

    IT Trend in 2013

    7/41

    Consumer driven IT

    8/41

    Bring Your Own Device

    Bring Your Own Applications

    Bring Your Own Data

    Bring Your Own Friends

    BYOD

    9/41

    Gartner CIO agenda 2012

    What is BYOD?

    BYOD = Bring Your Own Device

    The recent trend of employees bringing personally owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases.

    An alternative strategy that allows employees, business partners and other users to use a personally selected and purchased client device to execute applications and access data.

    Mobile innovation is now driven more by consumer markets than by business markets.

    10/41

    What are the challenges for IT?

    Protecting sensitive data

    Support

    Security

    How does BYOD benefit the organization

    Increase Flexibility

    Empower Employees and Increase worker productivity

    Overall Cost Saving

    BYOD

    Traditional vs BYOD Concept

    Component | Traditional end-user computing | BYOD concept
    Devices | Structured and standardized; typically PCs, laptops and BlackBerry devices | Heterogeneous PCs, laptops, Macs, tablets & smartphones
    Applications & Operating System | Standardized | Heterogeneous; various applications, operating systems, even form factors
    Device Management | Endpoint security, systems and asset management are used and in full control | Minimal control or no control at all

    11/41

    BYOD Pro & Con

    Business - Pros:
    Businesses adopting a BYOD policy can save on buying costly desktop devices. They also save on maintaining and supporting computer devices and on hiring IT support staff.
    With the cost savings, businesses could take advantage by investing in other technology, or other areas of business.
    Employees tend to take better care of self-owned property/devices.

    Business - Cons:
    Without proper BYOD policies and technologies in place, a business risks exposing classified information. Information will not be as secure as it would be on a device exclusively controlled by the company.
    Devices brought in by employees will likely face incompatibility issues. IT departments may need to spend extra time troubleshooting various devices and looking for the best solutions to issues.

    Employees - Pros:
    Employees can decide which devices they prefer, which in turn increases employee morale and productivity.
    As BYOD devices are mobile devices, employees could access work resources and applications anywhere and anytime, which in turn improves productivity.
    Employees are now empowered to work more efficiently and be more productive than on corporate-owned devices.

    Employees - Cons:
    Due to security issues, employees often do not have true full control over their devices. The company they work for would need to ensure that proprietary and private information is secure at all times.
    It is an out-of-pocket expense for the employees. They would be responsible for repairs if their devices were damaged or broken at work.
    Without proper security measures, BYOD could mean BYOMalware to the office, which eventually causes damage to the organization.

    12/41

    To balance conflicting goals:

    Social: keep employees happy

    Business: keep processes running effectively

    Financial: manage costs

    Risk management: stop bad things from happening

    BYOD Goal

    Mobile Infrastructure

    13/41

    Demand: the mobile experience for customers, employees and partners. How will they transact, be informed and be serviced?

    Supply: which technologies, resources and partners will deliver the mobile experience?

    Governance and Risks: who needs to be involved, who is providing the funding, and how will risks be mitigated?

    BYOD Strategy

    14/41

    Security Risks & Concerns

    Business

    Employees

    Technical Solution to reduce BYOD risk?

    BYOD Pro & Con

    BEST PRACTICE

    15/41

    BYOD Security Blueprint

    App Store

    Mobile Device Security

    Network Access Control

    Wireless Access Point

    Access levels: Guest | Limited | Full

    Safe mobile device configurations

    Safe mobile device provisions

    Safe access channel for mobile device


    16/41

    WIFI Threats

    WIFI Security

    Change the default SSID

    Hide SSID broadcast

    Strong encryption: WPA/WPA2

    Strong password (Wi-Fi router admin)

    Enable router firewall

    Disable auto-connect (optional)

    WIFI Security

    17/41

    Remote Access

    Connect to the enterprise network over Wi-Fi via VPN or IPsec

    Wi-Fi: use WPA2 or better

    BYOD Security ISACA Framework

    Network Access Control

    18/41

    Network Access Control Strategy

    Embrace = Allow everyone to BYOD for almost everything

    Contain = Allow some people to use some devices to access some resources

    Block = Not allowed

    Disregard = No change

    Contain

    Sample Access Control Policies

    Allow Internet access

    Allow access to email, calendar and contacts (such as via Exchange ActiveSync)

    Allow access to some corporate applications

    Block access to sensitive intellectual property and data

    BYOD NAC

    19/41

    Contain

    Network Access Level

    Limited access zone; restrict access to applications & data

    Support wireless LAN and wired LAN

    Limit access according to the user's role (by integrating with Active Directory)

    Server-based computing (such as VDI and Windows Terminal Server)

    SSL VPN

    Firewall, wireless controller or any Layer 3 network component that accepts ACLs

    BYOD NAC

    Embrace

    Sample Endpoint Control and Security Policies

    Require MDM agents for tablets and smartphones

    Require DLP agents for tablets and smartphones

    Maintain current OS levels and patches for Windows PCs and Apple OS X devices

    Require security agents for Windows PCs and Apple OS X devices (such as NAC, endpoint protection, DLP)

    Network Access Level

    Allow personally owned endpoints that comply with security policies to access the corporate network.

    BYOD NAC

    20/41

    Moving From Contain to Embrace

    Gain CIO Support

    Partner With the Mobile Team

    Begin with Contain Policies

    Slowly Evolve to an Embrace Approach

    BYOD NAC


    21/41

    Network Access Control

    SSL/TLS or VPN

    Active Directory

    2nd Factor Authentication

    BYOD NAC ISACA Framework

    Security Level (Weak to Strong) | Security Criteria
    7 | Air Gap
    6 | Geo Location Policy Enforcement
    5 | Mobile Device Encryption
    4 | Mobile Content Control
    3 | Mobile Device Lock Down
    2 | Sandbox, Container, Wrapper
    1 | Password Management
    0 | Do Nothing

    Mobile Device Security

    22/41

    0 - Do Nothing

    Don't know what they have in the organization.

    The BlackBerry system was a built-in security environment: locked-down devices, with management handled invisibly in a data center with BES.

    Mobile Device Security

    1 - Password Management

    Required Passcode

    Minimum Password Length

    Password Expiration

    Password History

    Mobile Device Security

    23/41

    2 - Sandboxes, Containers & Wrappers

    Memory isolation; memory protection from OS collapse

    App-wrapper VPN capability rather than the entire device

    Mobile Device Security

    3 - Mobile Device Lock Down

    Device identity authentication

    CA-based handshaking with AD to create mobile workforce provisioning, management and reporting.

    Always-on VPN

    VoIP traffic must be encrypted

    WIFI traffic must be encrypted

    The user cannot bypass the VPN

    Mobile Device Security

    24/41

    4 - Mobile Content Control

    Begin with a hardened stateful-inspection mobile firewall: services, ports, processes, users/groups

    Centrally managed mobile firewall, so that the entire mobile population becomes invisible to the Internet and attackers

    Application blacklisting - SIEM

    Check for jailbreak, root

    Mobile Device Security

    5 - Mobile Device Encryption

    Device-level encryption to protect data at rest (OS level)

    Do not allow sensitive data to reside at rest on the mobile device

    Use a Citrix-like tool to access corporate resources

    Treat the mobile device as a GUI dumb terminal with encrypted traffic

    Application wrapping

    Mobile Device Security

    25/41

    6 - Geo-Location Policy Enforcement

    GPS or tower-based resolution enforcement

    Integrate mobile firewall and policy with highly granular resolution, within 3 meters

    Mobile Device Security

    26/41

    7 - Air Gap

    Two devices

    Users have one mobile device for business and one for personal use.

    Make the mobile device as fully secure as a fully compliant desktop computer; Android and iOS

    More expensive, depending on the worth of

    Mobile Device Security


    Question | BYOD | Air Gap
    Personal/business data intermingled on device? | Yes | No
    Personal privacy in jeopardy? | Yes | No
    Compliance risk? | Yes | No
    Company potentially liable for personal data loss? | Yes | No
    Who is liable for breached company data? | Unknown | Company
    Who is liable for compromised personal data? | Unknown | Not applicable

    27/41

    MDM Product


    28/41

    Device Access Restriction

    Strong password

    2nd authentication factor

    Password expires every 90 days

    Device locks after 3 unsuccessful password attempts

    Data permission & access is aligned with data classification

    Data accessibility and permission is within the user's job function and data classification

    BYOD Security ISACA Framework

    Device security

    Explicit permission to wipe data

    Encryption and data protection of at least AES 128 bits or 3DES 168 bits

    Remote Access

    Bluetooth discoverable mode is disabled

    Bluetooth connects with previously paired devices

    Connect to the enterprise network via VPN or IPsec

    Connect to the enterprise network over Wi-Fi via VPN or IPsec

    BYOD Security ISACA Framework
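As an added illustration (not material from the presentation), the script below evaluates constructed device records against the framework criteria listed above: strong passcode with a second factor, 90-day password age, lock after 3 failed attempts, explicit wipe permission, AES-128/3DES-168 at rest, Bluetooth not discoverable, and enterprise access only via VPN/IPsec. The 8-character passcode threshold is an assumption, since the slide only says "strong password".

```python
"""Device-configuration check against the ISACA framework criteria on this slide.
Added example, not the presentation's own material; device records are constructed
inline. The 'strong password' threshold (8+ characters, mixed character classes)
is an assumption: the slide gives no number."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

PASSWORD_MAX_AGE_DAYS = 90                # password expires every 90 days
MAX_FAILED_ATTEMPTS = 3                   # device locks after 3 failed attempts
MIN_KEY_BITS = {"AES": 128, "3DES": 168}  # at least AES-128 or 3DES-168 at rest
ALLOWED_TUNNELS = {"VPN", "IPSEC"}        # enterprise access only via VPN or IPsec
ASSUMED_MIN_PASSCODE_LEN = 8              # assumption, slide only says "strong"
AUDIT_DATE = date(2013, 2, 23)            # constructed reference date


@dataclass
class DeviceConfig:
    device_id: str
    passcode_length: int
    passcode_complex: bool          # mixes letters, digits and symbols
    second_factor: bool
    password_set_on: date
    lockout_attempts: int | None    # None: no lockout configured at all
    wipe_consent_signed: bool       # explicit permission to wipe data
    cipher: str                     # "AES", "3DES" or anything else
    key_bits: int
    bluetooth_discoverable: bool
    tunnel: str                     # how the device reaches the enterprise


def check_device(cfg: DeviceConfig, today: date = AUDIT_DATE) -> list[str]:
    """Return the framework criteria the device fails; an empty list means compliant."""
    findings: list[str] = []
    if cfg.passcode_length < ASSUMED_MIN_PASSCODE_LEN or not cfg.passcode_complex:
        findings.append("weak passcode")
    if not cfg.second_factor:
        findings.append("no second authentication factor")
    if (today - cfg.password_set_on).days > PASSWORD_MAX_AGE_DAYS:
        findings.append("password older than 90 days")
    if cfg.lockout_attempts is None or cfg.lockout_attempts > MAX_FAILED_ATTEMPTS:
        findings.append("no lock after 3 failed attempts")
    if not cfg.wipe_consent_signed:
        findings.append("no explicit wipe permission")
    min_bits = MIN_KEY_BITS.get(cfg.cipher.upper())
    if min_bits is None or cfg.key_bits < min_bits:
        findings.append("data-at-rest encryption below AES-128 / 3DES-168")
    if cfg.bluetooth_discoverable:
        findings.append("Bluetooth discoverable")
    if cfg.tunnel.upper() not in ALLOWED_TUNNELS:
        findings.append("enterprise access not via VPN/IPsec")
    return findings


# Constructed sample records: one compliant tablet, one weakly configured phone.
COMPLIANT = DeviceConfig("tab-01", 10, True, True, date(2013, 1, 15), 3,
                         True, "AES", 256, False, "VPN")
WEAK = DeviceConfig("phone-02", 4, False, False, date(2012, 10, 1), 10,
                    False, "AES", 64, True, "WIFI")

if __name__ == "__main__":
    for dev in (COMPLIANT, WEAK):
        print(dev.device_id, check_device(dev) or "compliant")
```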

    29/41

    Malware Protection

    Antivirus installed

    Firewall

    BYOD Security ISACA Framework

    BASELINE SECURITY FEATURE

    30/41

    Baseline Security Feature (Android)

    Android 2.2

    Password policies: required, minimum length, alphanumeric, maximum attempts

    Maximum inactivity time lock (idle time)

    Android 3.0

    Password policies: complexity, minimum letters/characters/symbols, expiration, history

    Full file system encryption

    Data Execution Protection (DEP) using ARM XN

    Android 4.0

    Support for Microsoft Exchange ActiveSync (EAS) v.14 (Exchange Server 2010) and EAS certificates

    Automatic sync disabled while roaming

    Disable camera

    Keychain API

    Address space layout randomization (ASLR) to help protect system and third-party apps from exploitation due to memory management issues

    VPN API and underlying secure credential storage

    Device Security

    Basic access locks: passcode, pattern lock, face recognition

    Lock after timeout and wipe after retry limit

    Bluetooth and Wi-Fi access controls

    SIM card password

    Android devices should not be allowed to host business data and apps without being under the control of an MDM tool that provides access control policies, proactive status reporting and root detection.

    31/41

    Encryption

    Always-on AES hardware storage encryption

    Configuration profiles that can be encrypted and locked to a device, with removal requiring an administrative password

    iTunes backups that can be encrypted and password-protected at the user's discretion

    Native S/MIME email support

    Certificates

    Certificate enrollment can be linked to a company's public-key infrastructure and certificate authority

    Certificates can be required for virtual private network (VPN) connections

    Online Certificate Status Protocol (OCSP) facilitates certificate revocation

    Simple Certificate Enrollment Protocol (SCEP) establishes opt-in policy controls at the user device

    Exchange ActiveSync (EAS) and VPN client access can be set to require a device certificate

    Baseline Security Feature (iOS)

    Apps

    JavaScript VM app isolation

    Jailbreak-proof app keychain

    Address Space Layout Randomization

    Safari Private Browsing and anti-phishing policies

    Enterprise-installed apps installed/removed by MDM tools

    Embedded VPN

    L2TP, IPsec, PPTP and SSL are natively supported.

    Proxy configuration is supported in Safari and by a VPN configuration profile

    VPN can auto-connect to bring up a tunnel only if a resource is requested

    32/41

    Endpoint Policies

    Apple provides email controls for app-generated messages and forwarding policies. Combined with EAS, this serves as an introductory over-the-air (OTA) management solution.

    Additional local device security policies may be administered over a tethered connection using iPhone Configuration Utility (iPCU), or can be delivered OTA by email, a Web URL and third-party MDM tools.

    Apple Configurator can help IT administrators to mass configure and supervise iOS devices by means of a tethered connection.

    Apple's MDM API provides lots of policy functions to third-party developers.

    Baseline Security Feature (iOS)

    BYOD CASE STUDY

    33/41

    Financial services company

    100,000 endpoint devices

    200 locations

    Anticipates approximately 10,000 employee-owned smartphones, tablets and laptops.

    Case Study

    Use Case

    1. Employee-owned Tablet/Smartphone

    2. Employee-owned Windows Laptop

    3. Employee-owned MacBook Laptop

    Case Study

    34/41

    Use Case 1 Employee Owned Tablet/Smartphone

    Policies

    - Install MDM agent for the device to gain access to the wireless BYOD network

    Action

    - If an MDM agent is detected, a Citrix-like agent is used to grant access to a subset of applications on the corporate network.

    - If no MDM agent is detected, the device is positioned on the guest network, and is limited to Internet access only.

    - Jailbroken iOS devices and rooted Android devices are denied access to the network, including the guest network.

    Case Study

    Use Case 2 Employee Brings Own Windows Laptop

    Policies

    Up-to-date patches are required.

    Up-to-date antivirus signatures are required.

    Disk Encryption is required.

    Specific ports must be blocked via a personal firewall (such as Telnet/SSH).

    Mobile endpoint enabled for configuration status checking.

    Data Loss Prevention agent is required.

    Case Study

    35/41

    Use Case 2 Employee Brings Own Windows Laptop

    Actions

    If the Windows laptop is compliant with all policy criteria, it is granted full access to the corporate network.

    If the Windows laptop is non-compliant with one or more policies, it is positioned on the guest network and is limited to Internet access only. (The user must register at the guest Web portal.)

    Case Study

    Use Case 3 Employee Brings Own MacBook Laptop

    Policies

    It must be running OS X 10.5 or later

    MDM agent must be enabled

    Vontu DLP agent is required.

    Actions:

    If compliant with all policies, it is granted full access to the corporate network.

    If not compliant with all policies, it is positioned on the guest network and limited to Internet access only.

    Case Study
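The three use cases above express one network-access decision. The script below implements that decision as an added example (not the company's or the presenter's own code) over constructed posture records, routing each device to denied, guest, limited or full access and tallying the result per zone.

```python
"""Network-access decision for the three case-study use cases above. Added
example, not the company's or the presenter's own code; the posture records are
constructed inline (in practice they come from the NAC/MDM integration)."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from enum import Enum

class Zone(Enum):
    DENIED = "denied"      # no network at all, not even guest
    GUEST = "guest"        # Internet only, after guest Web-portal registration
    LIMITED = "limited"    # Citrix-like access to a subset of corporate apps
    FULL = "full"          # full corporate network access

REQUIRED_BLOCKED_PORTS = frozenset({22, 23})   # SSH, Telnet (use case 2)
MACOS_MIN_VERSION = (10, 5)                    # use case 3

@dataclass
class Posture:
    kind: str                        # "mobile", "windows" or "macbook"
    mdm_agent: bool = False
    jailbroken_or_rooted: bool = False
    patched: bool = False
    av_current: bool = False
    disk_encrypted: bool = False
    blocked_ports: frozenset = frozenset()
    endpoint_check: bool = False     # configuration-status check enabled
    dlp_agent: bool = False
    os_version: tuple = ()

def decide(p: Posture) -> tuple[Zone, list[str]]:
    """Return the zone for a device and the policy failures that justify it."""
    if p.kind == "mobile":                               # use case 1
        if p.jailbroken_or_rooted:
            return Zone.DENIED, ["jailbroken/rooted device"]
        return (Zone.LIMITED, []) if p.mdm_agent else (Zone.GUEST, ["no MDM agent"])
    # Laptops: every check must pass for full access, otherwise guest network.
    checks = {
        "windows": [                                     # use case 2
            (p.patched, "patches not current"),
            (p.av_current, "antivirus signatures not current"),
            (p.disk_encrypted, "disk not encrypted"),
            (REQUIRED_BLOCKED_PORTS <= p.blocked_ports, "Telnet/SSH not blocked"),
            (p.endpoint_check, "endpoint status check not enabled"),
            (p.dlp_agent, "no DLP agent"),
        ],
        "macbook": [                                     # use case 3
            (p.os_version >= MACOS_MIN_VERSION, "OS X older than 10.5"),
            (p.mdm_agent, "MDM agent not enabled"),
            (p.dlp_agent, "no Vontu DLP agent"),
        ],
    }
    if p.kind not in checks:
        raise ValueError(f"unknown device kind: {p.kind!r}")
    fails = [msg for ok, msg in checks[p.kind] if not ok]
    return (Zone.FULL, []) if not fails else (Zone.GUEST, fails)

def zone_counts(postures: list[Posture]) -> Counter:
    """Tally devices per zone, the kind of figure the Results slide reports."""
    return Counter(decide(p)[0] for p in postures)

# Constructed postures: each use case plus a failing variant.
SAMPLE = [
    Posture("mobile", mdm_agent=True),
    Posture("mobile"),
    Posture("mobile", mdm_agent=True, jailbroken_or_rooted=True),
    Posture("windows", patched=True, av_current=True, disk_encrypted=True,
            blocked_ports=frozenset({22, 23}), endpoint_check=True, dlp_agent=True),
    Posture("windows", patched=True, av_current=True, disk_encrypted=True,
            blocked_ports=frozenset({23}), endpoint_check=True, dlp_agent=True),
    Posture("macbook", mdm_agent=True, dlp_agent=True, os_version=(10, 8)),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.kind, *decide(p))
```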

    36/41

    3-phase project

    1st phase

    A pilot project: 200 IT staff brought personally owned devices to work.

    6 months

    Refine the Web registration portal

    Address minor product integration issues with the MDM agent

    Case Study

    3-phase project

    2nd phase

    Support 1,000 employee-owned devices

    Employees in the IT risk management and risk compliance departments included

    Assess the end-user experience and overall performance of the solution.

    Define and monitor role-based access.

    1-year period

    Case Study

    37/41

    3-phase project

    3rd phase

    Support all employees and contractors

    By year end 2014

    Case Study

    Results

    80% of employees have chosen to comply with corporate policies and install the required MDM agent and other software on their mobile devices.

    Users who choose not to comply with policy must register their devices at the guest portal on a daily basis, and are allowed Internet access only.

    (August 2012) Approximately 1,000 employee-owned devices are present on the corporate network on a regular basis.

    Contractors represent 85% of the non-corporate devices

    Smartphones and tablets are 10% of non-corporate devices

    MacBooks are 5% of non-corporate devices

    Case Study

    38/41

    Results

    The company did not add full disk encryption to support the BYOD initiative. Endpoint service consultants are on-site and support the broader NAC project.

    Policy enforcement has gone smoothly. For example:

    5 employees reported that they lost their personally owned devices; these devices were then immediately wiped clean, the entire device.

    The employees had signed waivers agreeing to the remote wipe policy. Because the policy was communicated clearly, the employees (grudgingly) accepted the fact that they lost personal content.

    Case Study

    Air Gap. Two devices.

    I want my mobile work as homogeneous as possible. iOS plus a select best-of-breed Androids.

    Lock-down, VPN, firewall and content filtering

    Full Disk Encryption

    VDI

    ????

    What is the right answer?


    40/41

    Network Access Control Strategy

    Contain = Permit some users to use some personally owned devices

    Embrace = Permit all users to use some personally owned devices

    Block = Prohibit all personally owned devices in the workplace

    Disregard = Ignore the issue; do not establish any BYOD policies


    41/41

    Lock code

    Lock when idle

    Complex password

    Remote wipe capability

    Device Encryption

    Easy Mobile Security