Mobile security blunders and what you can do about them

Mobile security blunders and what you can do about them Ben Rothke, CISSP CISA BT Global Services Senior Security Consultant


Transcript of Mobile security blunders and what you can do about them

Page 1: Mobile security blunders and what you can do about them

Mobile security blunders and what you can do about them

Ben Rothke, CISSP CISA

BT Global Services

Senior Security Consultant

Page 2: Mobile security blunders and what you can do about them

BT Americas Inc. 2

About me…

• Ben Rothke (too many certifications)

• Senior Security Consultant – British Telecom

• Frequent writer and speaker

• Author - Computer Security: 20 Things Every Employee Should Know

Page 3: Mobile security blunders and what you can do about them

Show me the methodology…

• How do you currently handle:

– Smartphones

– iPads

– wireless devices


Page 4: Mobile security blunders and what you can do about them

Serious security

• In your organization - how does management spell security?

• Have they deployed adequate:

– staff

– budget

– processes

– oversight


Page 5: Mobile security blunders and what you can do about them

Why does this matter?

• Wi-Fi is everywhere

• today’s mobile device is really a desktop

• mobile devices are walking data breaches

• mobile convenience/benefits are obvious

• attackers focusing on mobile devices

• weak mobile security

• mobility is a business necessity

• the perimeter is porous

• compliance pressures

• consumerized technologies are here to stay

• past approaches aren’t working

• social media will be ubiquitous

• misconfigurations


Page 6: Mobile security blunders and what you can do about them

Real-world problems

• loss and theft

• malware infections

• intercepted network traffic

• intellectual property losses

• no adequate data backups

• users not being held responsible for security

• slew of new applications creating risks…


Page 7: Mobile security blunders and what you can do about them

Scary numbers

• 2010 InformationWeek Mobile Device Management and Security Survey

– 87% say smartphones will become more predominant in their business

– Security is the biggest reason (73%) for deploying mobile device management (MDM)

– Why organizations haven’t deployed MDM:

• Not enough IT staff to support it – 61%

• Too few mobile devices – 34%

• Too expensive – 32%

• Don’t see the need – 26%


Page 8: Mobile security blunders and what you can do about them

Recent issues I’ve come across


Page 9: Mobile security blunders and what you can do about them

Why do we have these problems?

• mobile devices are new/complex

• unauthorized usage difficult to prevent

• improper implementation of controls

• unstructured files all around

• failed security policies

• people not thinking about their choices


Page 10: Mobile security blunders and what you can do about them

Lots of devices out there to consider

• If it’s got network connectivity and storage, secure it:

– smartphones

– dumbphones

– tablets

– netbooks

– laptops

– mobile storage

– wireless networks


Page 11: Mobile security blunders and what you can do about them

Security audit

• What’s being stored where

• passwords

• encryption

• malware protection

• data backups

• VPN, RDP, GoToMyPC, etc.

• Wi-Fi weaknesses


Page 12: Mobile security blunders and what you can do about them

Mobile security best practices

• Management and security

– Build management and security into the entire mobile security product life cycle

– ensure management tools for mobile devices are interoperable with other management infrastructure

• Policy

– Extend enterprise security policies to mobile and wireless

– use technologies that provide comparable controls:

• wireless- and mobile-optimized versions of network access control, IDS/IPS, VPN, firewall, data encryption, IDM, DLP, etc.


Page 13: Mobile security blunders and what you can do about them

Mobile security best practices

• Security as a requirement

– Ensure security is a required purchasing consideration for all mobile and wireless technology and services

– require security provisions as a component of all RFPs


Page 14: Mobile security blunders and what you can do about them

BlackBerry security best practices

• Any BlackBerry containing corporate data should be managed under BlackBerry Enterprise Server (BES) or a comparable platform

– Unmanaged devices can be set by users to be vulnerable to login, sync and data access attacks

– managed BlackBerrys can be guaranteed to comply with strict policies

• Ensure you have a uniform set of security capabilities across all models that can be managed and audited to a guaranteed level of compliance

– Good news: All BlackBerry models have a common security architecture, so this is relatively easy


Page 15: Mobile security blunders and what you can do about them

iPad/iPhone best practices

• Do they exist?

– Applications cannot be considered fully secure until they use Apple Data Protection APIs

• today, only a few applications support them

– of the built-in Apple applications, only Mail currently supports the Data Protection API to protect message data/attachments

– require employee-owned devices to be secured and managed by the enterprise

– deny access to jailbroken or modified devices

– restrict sensitive data exported to these devices

– use complex passcodes

– automatically wipe data after multiple failed login attempts


Page 16: Mobile security blunders and what you can do about them

Since no one listens to best practices

• At a bare minimum:

– All mobile devices should have policies enabled that require passwords

– give high priority to encryption on devices where sensitive data will be stored

– over-the-air kill features used where supported

– integrated into vulnerability and configuration management processes


Page 17: Mobile security blunders and what you can do about them

Tools that can help

• Native security

• ActiveSync

• Lookout

• BlackBerry BES

• Mobile Active Defense

• MobileIron

• Trust Digital

• Good Technology

– Enterprise

– Government

• 42Gears


Page 18: Mobile security blunders and what you can do about them

Future trends

• little knowledge needed

• more internal breaches

• more elaborate hacks

• more directed hacks

• physical attacks (stolen devices)

• broadened attack surfaces

• mobile business apps

• Wikileaks

• directed spear phishing

Copyright (c) 2007, Principle Logic, LLC - All Rights Reserved

Page 19: Mobile security blunders and what you can do about them

Keys to information security success

1. Getting the right people

2. Focusing on core issues

3. Proper testing

4. Effective metrics

5. Policies and processes

6. Right technologies

7. Incident response

8. Architecture


Page 20: Mobile security blunders and what you can do about them

Contact info…

• Ben Rothke, CISSP CISA

• Senior Security Consultant

• BT Professional Services

• www.linkedin.com/in/benrothke

• www.twitter.com/benrothke

• www.slideshare.net/benrothke
