Mobile security blunders and what you can do about them
Ben Rothke, CISSP CISA
BT Global Services
Senior Security Consultant
BT Americas Inc.
About me…
• Ben Rothke (too many certifications)
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every Employee
Should Know
Show me the methodology…
• How do you currently handle:
– Smartphones
– iPads
– wireless devices
BT Professional Services 3
Serious security
• In your organization, how does management spell "security"?
• Have they deployed adequate:
– staff
– budget
– processes
– oversight
Why does this matter?
• Wi-Fi is everywhere
• today's mobile device is really a desktop
• mobile devices are walking data breaches
• mobile convenience/benefits are obvious
• attackers are focusing on mobile devices
• weak mobile security
• mobility is a business necessity
• the perimeter is porous
• compliance pressures
• consumerized technologies are here to stay
• past approaches aren't working
• social media will be ubiquitous
• misconfigurations
Real-world problems
• loss and theft
• malware infections
• intercepted network traffic
• intellectual property losses
• no adequate data backups
• users not being held responsible for security
• slew of new applications creating risks…
Scary numbers
• 2010 InformationWeek Mobile Device Management and Security Survey
– 87% say smartphones will become more prevalent in their business
– Security is the biggest reason (73%) for deploying mobile device management (MDM)
– Why organizations haven’t deployed MDM:
• Not enough IT staff to support it – 61%
• Too few mobile devices – 34%
• Too expensive – 32%
• Don’t see the need – 26%
Recent issues I’ve come across
Why do we have these problems?
• mobile devices are new and complex
• unauthorized usage is difficult to prevent
• improper implementation of controls
• unstructured files all around
• failed security policies
• people not thinking about their choices
Lots of devices out there to consider
• If it’s got network connectivity and storage, secure it:
– smartphones
– dumbphones
– tablets
– netbooks
– laptops
– mobile storage
– wireless networks
Security audit
• what's being stored where
• passwords
• encryption
• malware protection
• data backups
• remote access: VPN, RDP, GoToMyPC, etc.
• Wi-Fi weaknesses
Mobile security best practices
• Management and security
– build management and security into the entire mobile security product life cycle
– ensure management tools for mobile devices are interoperable with the rest of the management infrastructure
• Policy
– extend enterprise security policies to mobile and wireless
– use technologies that provide comparable controls:
• wireless- and mobile-optimized versions of network access control, IDS/IPS, VPN, firewall, data encryption, IDM, DLP, etc.
Mobile security best practices
• Security as a requirement
– ensure security is a required purchasing consideration for all mobile and wireless technology and services
– require security provisions as a component of every RFP
BlackBerry security best practices
• Any BlackBerry containing corporate data should be
managed under BlackBerry Enterprise Server (BES) or
comparable platform
– users can configure unmanaged devices in ways that leave them open to login, sync and data-access attacks
– managed BlackBerrys can be forced to comply with strict IT policies
• Ensure you have a uniform set of security capabilities
across all models that can be managed and audited to a
guaranteed level of compliance
– Good news: All BlackBerry models have a common security architecture, so this is relatively easy
iPad/iPhone best practices
• Do they exist?
– applications cannot be considered fully secure until they use Apple's Data Protection APIs
• today only a few applications support them
– of the built-in Apple applications, only Mail currently uses the Data Protection API to protect message data and attachments
– require employee-owned devices to be secured and managed by the enterprise
– deny access to jailbroken or modified devices
– restrict the sensitive data exported to these devices
– use complex passcodes
– automatically wipe data after multiple failed login attempts
Since no one listens to best practices
• At a bare minimum:
– all mobile devices should have policies enabled that require passwords
– give high priority to encryption on devices where sensitive data will be stored
– use over-the-air kill (remote wipe) features where supported
– integrate mobile devices into vulnerability and configuration management processes
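As an added example (not code from the slides, nor from any vendor tool named in this deck), the following Python turns the iPhone/iPad practices and the bare-minimum list above into something you can actually check. It builds an iOS passcode-policy configuration profile using Apple's documented `com.apple.mobiledevice.passwordpolicy` payload keys, and it triages a constructed device inventory into deny / remediate / ok buckets: jailbroken devices and devices with no passcode are denied outright, other gaps (no encryption for sensitive data, no failed-attempt wipe, no remote-wipe enrollment) are queued for remediation. The thresholds (8-character passcode, wipe after 10 failed attempts, 5-minute lock), the `com.example` identifiers and the inventory records are assumptions for illustration.

```python
"""Added example (not from the original slides): the deck's bare-minimum
controls expressed as (a) an iOS passcode-policy configuration profile and
(b) a compliance check over a constructed device inventory."""
import plistlib
import uuid

# Thresholds are assumptions chosen for the example, not values from the deck.
MIN_PASSCODE_LENGTH = 8
MAX_FAILED_ATTEMPTS = 10
MAX_INACTIVITY_MINUTES = 5

# Findings that block access outright (the deck: deny jailbroken devices,
# require a passcode); everything else goes to remediation.
HARD_BLOCKS = {"no passcode", "jailbroken or modified device"}


def passcode_policy_profile(org="Example Corp"):
    """Build a .mobileconfig (XML plist) carrying Apple's documented
    com.apple.mobiledevice.passwordpolicy payload. Identifiers are
    hypothetical; in practice an MDM signs and pushes this profile."""
    policy = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,               # a passcode is required
        "allowSimple": False,           # no 1234 / 1111 style codes
        "requireAlphanumeric": True,    # "complex passcodes"
        "minLength": MIN_PASSCODE_LENGTH,
        "minComplexChars": 1,
        "maxFailedAttempts": MAX_FAILED_ATTEMPTS,  # device wipes itself after this
        "maxInactivity": MAX_INACTIVITY_MINUTES,   # minutes before auto-lock
        "maxPINAgeInDays": 90,
        "pinHistory": 4,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile.passcode",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} minimum passcode policy",
        "PayloadRemovalDisallowed": True,  # user cannot simply delete the profile
        "PayloadContent": [policy],
    }
    return plistlib.dumps(profile)


def policy_payload(profile_bytes):
    """Parse a profile back and return its first payload (useful for review)."""
    return plistlib.loads(profile_bytes)["PayloadContent"][0]


def check_device(dev):
    """Return the findings for one device record against the bare minimum.
    Field names mirror what an MDM or ActiveSync export typically reports."""
    findings = []
    if not dev["passcode_set"]:
        findings.append("no passcode")
    elif dev["passcode_simple"] or dev["passcode_length"] < MIN_PASSCODE_LENGTH:
        findings.append("weak passcode")
    if dev["has_sensitive_data"] and not dev["encrypted"]:
        findings.append("sensitive data stored without encryption")
    wipe = dev["wipe_after_failed"]
    if wipe is None or wipe > MAX_FAILED_ATTEMPTS:
        findings.append("no wipe after repeated failed logins")
    if not dev["remote_wipe_enrolled"]:
        findings.append("over-the-air kill not available")
    if dev["jailbroken"]:
        findings.append("jailbroken or modified device")
    return findings


def triage(inventory):
    """Sort devices into deny / remediate / ok buckets, preserving order."""
    result = {"deny": [], "remediate": [], "ok": []}
    for dev in inventory:
        found = set(check_device(dev))
        if found & HARD_BLOCKS:
            result["deny"].append(dev["id"])
        elif found:
            result["remediate"].append(dev["id"])
        else:
            result["ok"].append(dev["id"])
    return result


# Constructed inventory records (not real devices).
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "passcode_set": True, "passcode_length": 8, "passcode_simple": False,
     "encrypted": True, "has_sensitive_data": True, "wipe_after_failed": 10,
     "remote_wipe_enrolled": True, "jailbroken": False},
    {"id": "iphone-002", "passcode_set": True, "passcode_length": 4, "passcode_simple": True,
     "encrypted": True, "has_sensitive_data": True, "wipe_after_failed": None,
     "remote_wipe_enrolled": True, "jailbroken": True},
    {"id": "bb-003", "passcode_set": False, "passcode_length": 0, "passcode_simple": True,
     "encrypted": False, "has_sensitive_data": True, "wipe_after_failed": None,
     "remote_wipe_enrolled": False, "jailbroken": False},
    {"id": "ipad-004", "passcode_set": True, "passcode_length": 8, "passcode_simple": False,
     "encrypted": True, "has_sensitive_data": True, "wipe_after_failed": None,
     "remote_wipe_enrolled": False, "jailbroken": False},
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev["id"], check_device(dev) or "ok")
    print(triage(SAMPLE_INVENTORY))
    print(passcode_policy_profile().decode())
```

The profile covers only what a configuration profile can express: passcode strength, auto-lock and the failed-attempt wipe. Jailbreak status and remote-wipe enrollment are not profile settings; the `jailbroken` and `remote_wipe_enrolled` fields assume the MDM agent reports them. Nor can a profile make an application use the Data Protection API on its own behalf, which is why the slide's point about Mail being the only built-in app using it still stands after the policy is pushed.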
Tools that can help
• Native security
• ActiveSync
• Lookout
• BlackBerry BES
• Mobile Active Defense
• MobileIron
• Trust Digital
• Good Technology
– Enterprise
– Government
• 42Gears
Future trends
• little knowledge needed to attack
• more internal breaches
• more elaborate hacks
• more targeted hacks
• physical attacks (stolen devices)
• broadened attack surfaces
• mobile business apps
• Wikileaks
• directed spear phishing
Copyright (c) 2007, Principle Logic, LLC - All Rights Reserved
Keys to information security success
1. Getting the right people
2. Focusing on core issues
3. Proper testing
4. Effective metrics
5. Policies and processes
6. Right technologies
7. Incident response
8. Architecture
Contact info…
• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services
• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke