Re-Thinking BYOD Policy.pptx
-
Upload
thomas-bain -
Category
Technology
-
view
106 -
download
2
description
Transcript of Re-Thinking BYOD Policy.pptx
Forget About BYOD: Develop a Realistic Mobile Security Policy
Tom Bain Director, Product Marke4ng Security Innova4on
Who Am I?
• Director, Product Marke0ng, Security Innova0on
• Formerly with Q1 Labs (an IBM Company) and Applica0on Security, Inc.
• Ac0ve blogger, presenter
• BA, Communica0ons, RIC; MS, Interna0onal Rela0ons/Public Affairs, UMASS
Thomas Bain
Tonight’s Agenda ① BYOD Dilemma:
Ø Stats/Trends
Ø Biz vs IT Sec Need
Ø Why it’s a security risk
② Differences Between App & IT Sec Policy
Ø Incremental policy construc0on
Ø Real-‐world policy improvement
③ Recommenda0ons Ø Steps you should consider
Who We Are Application Security Experts • 10+ Years vulnerability research • Security Tes0ng Methodology adopted by SAP, Microso\, Symantec
• Authors of 8+ books Products and Services • Standards -‐ Best Prac0ces • Educa0on -‐ CBT & Instructor-‐Led • Assessment -‐ So\ware and SDLC
Reducing Application Security Risk • Cri0cal Vulnerability Discovery • Secure SDLC Rollout • Internal Competency Development
I. BYOD: Security Challenges are Emerging
The BYOD Dilemma • Mobile devices help employees increase produc0vity – staying connected is not really op0onal anymore!
• Usage has experienced a massive up0ck: 60% of today’s workforce is using a smartphone specifically for business use.
• IT is struggling to keep up with device management.
• Mobility by its nature opens up a larger agack surface with more points of entry.
• Difficult to measure business need through IT Security lens.
• Developing a policy isn’t as easy as it might seem. --Mobility Outlook Report, Mobile Enterprise, 2013
Business vs. Security • Users lose autonomy with security policies that aren’t well-‐defined.
• Performance + capabili0es o\en trump security = IT headache.
• Users expect an always-‐on, secure connec0on and func0onality
• Time to market pressures hurt security: But good architecture and backend systems can help.
• EX: Frameworks like PhoneGap can get to market quickly: But can introduce new vulnerabili0es
Business Usage Uptick • 84% use the same smartphone for work and for personal usage.
• 81% of employed adults use at least one personally owned electronic device for business (Harris Interac0ve survey, February 2012)
• 59% of employees surveyed use mobile devices to run line-‐of-‐business applica0ons (Ibid)
• 74% of companies allow BYOD usage in some manner (Aberdeen Group, February 2011)
--Experian Mobile Security Survey, November 2012; Harris Interactive, Feb 2012; Aberdeen Group, Feb., 2011
Security Isn’t a Priority • 50% of companies have experienced a data breach due to inadequate device security (Ponemon survey, 2012)
• 47% don’t have a password on their mobile phone.
• 51% stated their companies couldn’t execute a remote wipe if lost or stolen.
• 49% said mobile security has not been addressed with them by IT.
--Experian Mobile Security Survey, November 2012; Harris Interactive, Feb 2012; Aberdeen Group, Feb., 2011
Gartner’s Top 7 Failures in Mobile Device Security
• Inconsistent security policies • Laptop encryp0on bypass mode • Unmanageable devices
• Shared media leakage • Minimal device management
• Readable data on disposed-‐of devices
• Inter-‐applica0on data leakage
-‐-‐Girard, John, Top 7 Failurs in Mobile Device Security,, Gartner, February 2013
Mobile is the Top Security Risk
-‐-‐Efficacy of Emerging Network Security Technologies, Ponemon Research, February 2013
On Pace for Increased Incidents
Why is BYOD a Security Problem? • Device turn-‐over: What happens to the old device? • New devices: Default or customized setngs? • How can you know everything about every device?
• So\ware updates – user vs IT. • App Stores: Approved apps?
• Applica0ons: Ø What data is on your device? Ø What enterprise applica0ons can you connect to?
Ø Which apps are connected to other apps? EX: Your blog app is connected to your CMS, which feeds to Twiger, etc.
Mobile Devices & Data Sources
Mobile Vulnerabilities
Traditional Vulnerabilities
What Are Attackers After?
Verizon Business Data Breach Investigations Report, 2012
II. BYOD: AppSec vs InfoSec Policy
InfoSec vs. AppSec Policy Information Security Application Security
Role Based Receptionist, IT Manager, etc
• Architect, Developer, Tester • Application Roles and Privileges
How to Implement
Rollout and configuration of servers, databases, anti-virus, communications, certificates, etc.
Rollout of web application firewall and secure development best practices • Application Authentication checks • Secure Design components • Attack surface reduction • Code hardening • Data Encryption • Input validation
Expertise Needed to Implement
IT networking, database and computer/OS configuration skills
• How applications interact with environment • How applications function and fail with respect to security • Software development skills w/ security overlay
Policy Statement Comparison • Network Security Control
Ø Enable SSL on the web server. Ø Don’t transmit sensi0ve data via IM chats. (Actually a policy statement in PCI-‐DSS)
• Database Security Control Ø Configure DB server so sensi0ve data stores are encrypted.
• Physical Control Ø Shred documents that contain sensi0ve data.
• Applica<on Security Control Ø Encrypt sensi0ve data during transmission. Ø Web facing applica0ons must be resilient to SQL injec0on agacks.
Good, Better, Best: ���SQL Injection Policy
✔ MINIMUM Build web applica0ons that defend against SQL injec0on agacks.
✔✔ BETTER Build web applica0ons that defend against SQL injec0on agacks by sani4zing all user input.
✔✔✔ GOOD Build web applica0ons that defend against SQL injec0on agacks by sani0zing all user input using this approved sani4za4on rou4ne.
✔✔✔✔ EXCELLENT …..plus
• So\ware Developers do X • So\ware Testers do Y
Good, Better, Best: ���Protect Sensitive Data
✔ MINIMUM Protect sensi0ve data.
✔✔ BETTER Protect sensi0ve data by using this approved encryp4on.
✔✔✔ GOOD Protect sensi0ve data by using this approved encryp0on in databases that store and during transmission of sensi4ve data.
✔✔✔✔ EXCELLENT ….plus
• Architects define algorithms.
• Developers never write their own crypto.
• Test/QA verifies XYZ.
Good, Better, Best: ���Cross-Site Forgery
✔ MINIMUM Create applica0ons that are resilient to Cross-‐Site Request Forgery.
✔✔ BETTER Create so\ware applica0ons that are resilient to CSRF agacks by using the OWASP Top 10 “CSRF Cheat Sheet.”
✔✔✔ GOOD Create so\ware applica0ons that are resilient to CSRF agacks by using the OWASP Top 10 “CSRF Cheat Sheet” and implement a language-‐appropriate framework.
✔✔✔✔ EXCELLENT ….plus
• Use challenge-‐response. • QA check reference headers.
Inadequate Example: ���App Pen Testing
• Policy: • “Conduct annual tests of internet facing applica0ons.”
• How to improve it
• Specify the type of test, e.g., web vulnerability scan, source code review, paper audit, etc.
• How deep should it go / What should be tested? Ø OWASP Top 10 vulnerabili0es
• Define the key assets you are trying to protect.
• Specify which agacks should be conducted. Ø Threat modeling in advance can guide you here.
Inadequate Example: Authentication • Policy
Ø “Ensure applica0ons processing data properly authen0cate users through central authen0ca0on systems where possible.”
Ø “If addi0onal func0onality is needed, coordinate development with Informa0on Technology Services.”
• How to improve it Ø Here is our approved authen0ca0on library <URL>. Ø Remove ambiguity.
• “coordinate with ITS”
• Rather, obtain wrigen excep0on for using any authen0ca0on mechanism not explicitly approved by InfoSec Office
Ø “where possible”
Inadequate Example: SQL Injection • Policy
Ø “SQL Injec0on vulnerabili0es must be prevented.” Ø See OWASP SQL_Injec0on_Preven0on_Cheat_Sheet for recommenda0ons.
• How to improve it Ø Use Parameterized SQL statements and stored procedures.
Ø Use white-‐lis0ng to constrain user input. Ø Use company-‐approved sanita0on library, found here <URL>.
Inadequate Example: Input Validation • Policy
Ø “Ensure applica0ons validate input properly and restric0vely, allowing only those types of input that are known to be correct.”
Ø …”examples include, but are not limited to, cross-‐site scrip0ng, buffer overflow errors, and injec0on flaws.”
Ø “…see hgp://www.owasp.org for more.”
• How to improve it Ø Use this input sanita0on rou0ne <URL>. Ø Validate Input from all sources For Type, Length, Format, and Range.
Ø Iden0fy all source of input and verify validators have been used to check input.
Ø User type-‐safe parameters and stored procedures.
III. BYOD: Policy Development to Fit Your Business
Where do I Start? I. Consider risk scenarios. II. Adapt from proven or trustworthy
models.
III. Measure percep0on. IV. Understand roles, privileges and
what’s in place today. V. Get granular with your ques0ons &
considera0ons.
VI. Figure out a strategy for tes0ng your applica0ons.
VII. Policy enforcement.
VIII. Raise awareness/required training.
Determine Risk Tolerance
• Take an inventory of your high-‐risk applica0ons/mobile applica0ons.
• Determine business cri0cality.
• What’s your agack probability? • How do you define the agack surface?
• Consider overall business impact. • Where does compliance factor in? • What are the security threats?
Trustworthy Sources
Measure Perception • Attudes of general popula0on toward security (suppor0ve, antagonis0c, indifferent?)
• Attudes of general popula0on toward management (suppor0ve, antagonis0c, indifferent?)
• Attudes of management toward security?
• What’s the percep0on of the current BYOD policy?
• Have there been related security incidents?
Role-Based Questions • Which departments/groups/individuals have been most ac0ve in developing policies?
• Has there been any previous collabora0on between policies and authors?
• Can you iden0fy a poten0al champion(s) to support the new policy?
• Areas of agreement in commonly implemented controls re: policies?
• Support documents, materials and related policies should be cited in mobile device policy.
• Know who has access to what and how they are able to access.
Granularity is Good • How will mobile devices be used? • Devices assigned to one person or shared? • Which mobile applica0ons would be used?
• What informa0on is accessible through mobile devices? • What informa0on will be stored on the mobile devices?
• How will data be shared to/from and between mobile devices? • Who’s ul0mately responsible for mobile devices? • Will personal ac0vi0es on company devices be permiged?
• What levels of support are expected?
Define Your Data • How sensi0ve is your data? • What kind of data is it? PII, customer data, credit card data, proprietary, IP, etc.
• Is it subject to regulatory mandates? Which ones?
• Conduct a threat model: Ø Determine threats
Ø Iden0fy poten0al agacks Ø Understand the frequency & severity with which they are executed.
Rank Your Mobile Apps
Threat Rating
Sensitive Data Lifespan
Compliance Stringency
Customer-Facing
Tier 1 Restricted Long High Yes
Tier 2 Private Mid Medium Yes
Tier 3 Public Short N/A No
Application Criteria
Test Mobile Apps (for Security)
Threat Rating
Static Analysis
Dynamic Analysis
Manual Pen Test
Threat Modeling
Complete/Frequency
Complete/Frequency
Complete/Frequency
Complete/Frequency
Tier 1 Required/Major code changes
Required/Major code changes
Required/Per Milestone
Required/Per Release
Tier 2 Suggested/Monthly
Required/Quarterly
Required/Per Release
Suggested/Per Release
Tier 3 Optional/Quarterly
Required/Annually
Optional/As Needed
Optional/As Needed
Depth, Breadth, Frequency
Summary: Policy Attributes • Describes contextual, technical guidelines on how security should be integrated within the SDLC Ø By phase, role, technology, applica0on type Ø Leverages internal secure development champion(s) for input
• Maps to compliance mandates
• Considers cri0cality of applica0on and data Ø Requirements, ac0vi0es and level of detail needed will differ
• Has clear excep0on policy Ø What if minimum standards can’t be met? What is considered acceptable? Who approves?
• Includes internally built and third party applica0ons
• Reflects current maturity and secure development skills Ø The more skilled, the less explicit you need to be with policies
Policy Enforcement • You need management buy-‐in! • Broad strategy vs Targeted strategy roll-‐out • On-‐boarding:
Ø Require all device info as part of hiring process (especially applica0ons)
Ø Require policy training up front • Require training for various departments:
Ø General popula0on receives awareness training
Ø Technical employees receive in-‐depth training • Monitor for effec0veness – EX: Deliver training or reminder when employee is out of compliance.
Thank You!! [email protected]
TwiWer: @tmbainjr1