Getting a Grip on Mobile Devices
Last year thousands of travellers left personal items in London taxi cabs: • 27 toilet seats • 4 sets of false teeth • 3 dogs • 2 babies • 1 cat • 1 pheasant • Funeral ashes • A dead body • Over 50,000 mobile computing devices
Devices can hold: • 10k photos • 200k docs • 100k emails
Even at 10% capacity, the 50,000 lost devices add up to: • 50M+ photos • 1B+ docs • 500M+ emails
“73% of London businesses surveyed allowed employees to bring their own device to work for processing commercial information in 2013.” Ponemon survey, February 2014
Is the list of "mobile devices" complete? • Copiers • Faxes • Scanners • Telephones • Coffee machines • Any device with memory that can be carried out of the building
Top 10 Mobile Risks • Loss • Theft • Malware • Stealth installs • Data interception • Direct attack • Call hijacking • VPN hijacking • Session hijacking • Device hijacking
Step 1 Quantify the Problem • Stop. First measure the problem. • Conduct a survey: how many devices? Running what applications? Processing, storing and transmitting what data? • Conduct a threat / risk assessment • Draft an asset register • Draft a risk register
Quantify. If the definition of a threat is the "expressed potential" for a "harmful event" to happen to your business, then the question to answer is: "What mobile device events would be harmful to your business?"
Step 2 Draft policies • Device ownership • Device liability • Acceptable devices • Acceptable use • Acceptable applications • Minimum device security requirements • Where to report lost/stolen devices • Security Awareness Program
Consider… • Mandating PINs to access devices • Mandating complex passwords to access applications • Setting a maximum number of password failures • Locking out devices after a maximum number of days of non-use • Specifying a password change interval • Preventing password reuse via password history • Setting a screen-lock timeout
Step 3 Configuration • Firewall • Anti-virus (Malware, Trojans, Spyware) • O/S Updates • Hardening • Back end support servers • VPN dual authentication
Consider… • Adding or removing root certs • Configuring Wi-Fi, including trusted SSIDs, passwords, etc. • Configuring VPN settings and usage • Blocking installation of additional apps from the App Store • Blocking geolocation • Blocking use of the iPhone’s camera • Blocking screen captures • Blocking use of the iTunes Music Store • Blocking use of YouTube • Blocking explicit content
Step 4 Encryption
Layers • Data • Disk • Document • File & Folder • Client Side • Laptop • Port & Device Controls • Removable Media & Device • Email
Encryption Options • Database Encryption: application-level encryption of data “at rest” in the database. • Disk Encryption: disk-level encryption of all data on the logical or physical drive (user files, swap files, system files, page file). • Document Encryption: application-level encryption of data in document format (Word, Excel, Notebook). • File & Folder Encryption: application-level encryption of selected files and folders. • Client Side Encryption: application-level encryption method used by servers to encrypt data on a computer that has connected to them.
Options • Laptop Encryption: operating system-level encryption unlocked by pre-boot authorisation. • Port & Device Control: monitors device usage and file transfer activity; controls access to laptop ports, devices and wireless networks. • Removable Media & Device Encryption (USB memory, CD, DVD): reads and writes encrypted data on the media. • Email Encryption: asymmetric (dual-key) method securing data in transit from the client. • Email Gateway Encryption: automatic encryption and decryption of sensitive emails between the email gateway and the receiver.
Step 5 Incident Response • Include mobile devices in the BC/DR plan • Back-ups • Alternatives when a device goes missing: • Find it • Track it • Kill it
How to Get a Grip • Quantify the problem • Policies • Configuration • Encryption • Incident response
DPA Mobile Security • Device security policy • Firewall • Anti-virus protection • O/S routinely updated • Latest patches or security updates installed • Access restricted on "need to know" principle • No password sharing • Encryption of personal information held on devices • Regular back-ups • Wipe data before disposal of device • Anti-spyware protection
PCI Mobile Security • Device user security policy • Device labelled and listed on asset register • Firewall • Dual authentication • Encrypted VPN connection • Anti-virus protection • Anti-spyware protection • O/S routinely updated • Latest patches or security updates installed • Connection subject to testing • Access restricted on "need to know" principle • No password sharing
ISO Mobile Security • Device user security policy • Device labelled and listed on asset register • Firewall • Dual authentication • Encrypted VPN connection • Anti-virus protection • Anti-spyware protection • O/S routinely updated • Latest patches or security updates installed • Connection subject to testing • Access restricted on "need to know" principle • Device must be password controlled
Minimum Controls • Risk assessments • Device user security policy • Security awareness training • Information asset register • Device labelled and listed on asset register • Firewall • Dual authentication • Encrypted VPN connection • Anti-virus protection • Anti-spyware protection • O/S routinely updated & randomly audited • Latest patches or security updates installed • Device must be password controlled
10 Rules of Mobile Security • If Dr. Evil can run his programs on your mobile device, it’s not your device anymore. • If Dr. Evil can make changes to your mobile, it’s not your mobile any more. • If Dr. Evil can upload programs to your network from your mobile, it’s not your network anymore. • If Dr. Evil can access data entering or exiting your mobile, it’s not your data any more. • If Dr. Evil uses your mobile to launch an attack on another network, it’s your problem.
10 Rules (continued) • If Dr. Evil can use your mobile to access your partner’s network, it’s your problem. • If Dr. Evil can physically access your mobile device, it’s not your data anymore. • More often than not, Mini-Me works for you. • Dr. Evil knows where you hide your spare keys. • Dr. Evil is always faster and smarter.