BYOD:
Device Control in the Wild, Wild, West

September 25th, 2012
About the Speaker
• Chief Security Officer, Q2ebanking

• Former CIO for multi-billion financial institution

• 13 years industry exp. in Information Technology & Security

• CISSP® (Certified Information Systems Security Professional)

• Published & quoted in American Banker, ABA Banking
  Journal, BankInfoSecurity.com, CIO Magazine,
  ComputerWorld, Credit Union Times

• Speaker/evangelist - InfoSec World, Innotech, ComputerWorld
  SNW, BAI PaymentsConnect, regional banking conferences
Agenda
• Changing mobile landscape
• Drivers behind BYOD(evice)
• Considering threat agents
• Implementing a BYOD program
 • policies, technologies, privacy
• Summary & QA
Mobile Tidal Wave
• 300,000 apps developed in 3 years

• 1.2 billion mobile web users

• 8 trillion SMS messages sent last year

• 35 billion value of apps downloaded

• 86.1 billion mobile payments made in 2011

• 1.1 billion mobile banking customers (2015)
BYOD:
    Bring Your Own Device
formally advocates the use of personal or non-company-issued
equipment to access corporate resources & data

obligates IT to ensure jobs can be performed with an
acceptable level of security
Business Benefits
•   Cut operating costs by eliminating support

       -   Operating system support

       -   Application support

       -   Access support

•   Reduce device hardware costs & procurement

•   Remove productivity barriers (flexible work styles)

•   Extend applications to offsite/traveling employees

•   Increase employee satisfaction through programs

•   On-demand, whenever, wherever, multiple channels
BYOR(isk)
• Understand the risks
  being introduced

• Industry is coming to
  terms with security
  concerns that exist
  around unsecured mobile
  devices/smartphones

• Conduct a risk
  assessment to identify
  and address the different
  threat agents
Protect what?

  From whom? or what?

  and how?
BYOD presents a NEW
    problem...

  ...well, not really
The “Human” Problem
• Increased use of social media, coupled with the ubiquity of
  ecommerce, has fueled growth in socially engineered schemes
  waged for financial gain

• According to the Anti-Phishing Working Group, there are
  presently about 30,000 to 35,000 unique phishing campaigns
  every month, each targeting hundreds of thousands to millions
  of email users

• Anytime a user is asked to make a voluntary decision, phishing
  schemes will work, because humans are easy to manipulate

               ➡ this is a social problem, not a technical problem.
Do you really believe
that you control your
     endpoints?
Device Control
•   How many of you have local admin rights on
    your computer?

•   How many of you are able to take your
    computer and browse the Internet freely
    away from the network?

•   How many of you disallow PST files - to
    prevent users from taking data?

•   How many of you are doing mobile device
    management?
How do you manage a device
  that you don’t control?
Get out in Front
Reactive approaches result in ad hoc programs

 Are you prepared to answer
 this question from your CEO:

 “what security did we have on
 the device when he lost it?”
Understand your Data
What are you protecting?
• How sensitive is your data?
• How is your sensitive data used?
• What compliance and/or regulations
  exist?
Focus Group:
Computer Security
Jailbreaking Devices
•   Why? for functionality or to
    get paid apps for free

•   “Jailbreaking” or “rooting”
    destroys the security model

•   Jailbreaking techniques leave
    the device with a standard
    root password that may grant
    admin-level access to an
    app...(and attacker or
    malware)

•   Convenience at the expense of
    security
Mobile Malware
•   Researchers identify
    first instance of mobile
    malware in 2004

•   More than 80 infected
    apps have been
    removed from Google
    Play since 2011 (ex. Gozi)

•   Android malware has
    infected more than
    250,000 users
QR Codes
• QR codes surfacing
  containing malicious links

• First case confirmed by
  Kaspersky Labs last year -
  mobile malware used to
  send premium SMS
  messages
  http://siliconangle.com/blog/2011/10/21/infected-qr-malware-surfaces-on-smartphones-apps/
Which one is evil?
Not the Device
• Over-focused on the endpoint and device

• ...it’s the data, stupid!

• Data in motion (network)

• Data presentation (application)

• Data at rest (data stores/shares)
Establish Policies
•   Will a formal agreement between the institution and the
    BYOD user (EULA) specify allowed activities and the
    consequences for breaking the agreement?
•   Create policies before procuring devices
•   Do your BYOD policies address?
       • the use of consumer apps
       • services such as cloud storage
         > Box.net, Dropbox, SpiderOak, Evernote, SkyDrive, iCloud

•   Communicate the privacy policy to employees and make
    it clear what data you can & cannot collect from their
    mobile devices
MDM Solutions
•   What are you trying to protect?
•   Address four key areas:
      1) standardization of service, not device
         • consistent set of security controls across different
             platforms while providing the same level of service
      2) common delivery methods
      3) intelligent access controls - role, group, etc.
      4) data containment
         • encryption
         • partitioning
         • sandboxing
Questions to Consider
•   Which devices will be supported?

•   What is the risk profile of the employee/group using the devices?

•   Does the institution have the ability to require and install
    applications to the device(s), such as remote wipe and/or virus/
    malware software?

•   Can the institution require a “business only secure partition” on
    the mobile device? 

•   Mandatory or will the organization bend for certain users?

•   What happens if the device is compromised?  Will your
    institution be able to perform any forensics?

•   When should we say no?
Balancing User Privacy
•   Is ‘sandboxing’ or ‘partitioning’ sufficient
    to maintain separate personas?

•   Is there a reasonable expectation of
    privacy?

     ✓ should the organization be able to
       read messages?

     ✓ should the organization be able to
       perform a full wipe of the device?

•   State-specific privacy laws (ex CA/MA)
    may prevent corporations from even
    viewing non-corporate data
Policy + Technology
•   Policies alone are not sufficient - technology ensures enforcement

•   Many solutions, but requirements should include:

     ✓ simple self-enrollment --> complexity increases
       non-compliance

     ✓ over-the-air updating
     ✓ ability to selectively wipe data on the device
         •   corporate apps, email, and documents must be protected
             by IT if the employee decides to leave the organization

     ✓ management of the OS patch/update process
     ✓ reporting & alerting --> devices that are non-compliant
COMPLIANCE
Legal Issues
• Big question surrounds legal issues -- agreements
  between employees and employer -- and placing a
  company-owned agent on an employee’s handset

• It’s the start of a whole new relationship between
  mobile device users, in dual roles as individual
  consumer and employee, and the company for
  which they work.

• Unresolved questions?

        • e-discovery, Culpability, Liability

        • ex: combined mailboxes
Summary
•   Understand the mobile landscape of your device
    population
•   Policies and procedures should reflect the allowable usage
    and the breadth and depth of security and control settings

•   Consider how BYOD policies can be tested and validated
    to ensure that security and controls have been
    successfully implemented

•   Threat landscape is continuously changing

•   Risk assessments should be performed regularly to identify
    threats and vulnerabilities
Thank You
if “?” >= then
    response_variable = ‘answer’
else
    response_variable = ‘thankyou’
end if;
