Security Awareness Training: Mobile Devices

Post on 09-Jul-2015


In a bring-your-own-device (BYOD) workplace, mobile security depends largely on the user behind the device. Strong security policies, the right technology and employee education enable your organization to protect sensitive corporate data on mobile devices. Learn how to educate employees on the importance of mobile security best practices:

- Develop security awareness training for users
- Address employee privacy concerns and fears
- Highlight pitfalls of jailbreaking or rooting a device
- Teach users to create strong passwords and identify mobile threats


Security Awareness Training: Mobile Devices

November 20, 2014 10:00 AM PST/1:00 PM EDT


Join the conversation on Twitter - #SWwebcon

Web Conference Overview

In a bring-your-own-device (BYOD) workplace, mobile security depends largely on the user behind the device. Strong security policies, the right technology and employee education enable your organization to protect sensitive corporate data on mobile devices. During today’s program, our experts will discuss how to educate employees on the importance of mobile security best practices.


Barbara Endicott-Popovsky Director, Center of Information Assurance and Cybersecurity at the University of Washington

Moderator

Barbara Endicott-Popovsky, Ph.D., CRISC, is Director for the Center of Information Assurance and Cybersecurity at the University of Washington and the Academic Director for the Masters in Infrastructure Planning and Management in the Urban Planning Department of the School of Built Environments.


Sandy Bacik Security Professional CISSP, ISSMP, CISM, CGEIT, CHS-III

Web Conference Agenda – Featured Presenters


Margaret Leary Professor of IT/Cybersecurity Northern Virginia Community College and George Mason University David Lingenfelter Information Security Officer MaaS360, an IBM Company


Featured Presenter

Sandy Bacik, author and former CSO, has over 16 years direct information security experience in the areas of IT Audit, BCP/DR, Incident Response, Physical Security, Privacy, Regulatory Compliance, Policies/Procedures, Operations and Management. She also has an additional 15 years in Information Technology Operations.


Sandy Bacik, CISSP, ISSMP, CISM, CGEIT

Security Professional

Limiting Risk of Personal Mobility


Agenda

♦ What is personal mobility?
♦ What are the risks of personal mobility?
♦ How can you protect a personal mobile device?
♦ BYOD / BYOT in an enterprise environment

How Has Computing Changed?

♦ Mainframe and terminal
♦ Desktop computer
♦ Laptop
♦ Tablet, smartphone, PDA

How Can a Personal Mobile Device Be Used?

♦ Pros:
– Can be used to save a life
– Can be used to access and store information
– Can be used to communicate via many options: voice, text, email, and video

♦ Cons:
– May be damaged, lost or stolen
– Can be used to access, store and communicate inappropriate material
– Can disrupt the home or work environment
– Camera functions can lead to child protection and data protection issues with regard to inappropriate capture, use or distribution of images

So, My Mobile Device is Not Secured By Default?

♦ Applications downloaded on mobile phones and tablets have the ability to broadcast:
– Your location
– Private conversations
– Pictures
– Banking information
– And other sensitive data, even when these mobile devices are not in use

♦ Growing potential for increasing risk related to data or personal security and privacy

Rooted?

♦ Rooting is a device hack that provides users with unrestricted access to the entire file system of the mobile device.

♦ Jailbreaking, another term for rooting, is a device hack that provides users with unrestricted access to the entire file system of their mobile devices.

♦ A rooted, or jailbroken, mobile device means it has been compromised by malware or a bad guy.

♦ The mobile device may be more vulnerable to malicious apps and stability issues.


How Safe is Your Personal App Store?

♦ Every vendor and provider has a different privacy policy and end user license agreement.

♦ Committed to protecting customers and their data, and also to providing greater transparency into the unique level of protection they offer customers.

♦ Recognize that customers want and need access to apps that do not infringe on their privacy or impact their security.


Some Mobility Security Applications to Consider

♦ Find my phone
♦ Data backup
♦ Encrypted texting, phone calls, and emails
♦ Whole device encryption
♦ Secure password storage
♦ Call blocking
♦ Identity protection
♦ Anti-virus
♦ Anti-malware
♦ Website filtering
♦ Firewall

BYOD / BYOT IN AN ENTERPRISE


Personally Owned Device Risk to the Enterprise

♦ Uncontrolled endpoints
♦ Data leakage
♦ Malware
♦ Spam
♦ Lost device and data
♦ Communication interception
♦ Unsecured access
♦ Liability

What Do You Need to Implement Personal Mobility?

♦ Mobile Device Management (MDM)
– Allows MYC to enforce corporate policies and validate security settings

♦ Secure Mobile Messaging
– Allows MYC to store corporate email in an encrypted container on the device

♦ Mobile Application Platform
– Allows MYC to provide a set of tools and applications to users

♦ Perimeter, network, and host protections, including monitoring

♦ USER TRAINING - COMMUNICATION

Published MYC Mobile Policies and Procedures

♦ Policy: MYC Owned Mobile Devices
♦ Procedure: Requesting a MYC Owned Mobile Device
♦ Procedure: Non-MYC-Owned Device Minimum Security Standard
♦ Form: MYC Stewardship Agreement (Non-MYC-owned Devices)
♦ Training course: training for a non-MYC-owned device
♦ Communicate, communicate, communicate
♦ Privacy of personal mobility

Tie Your Mobility Practices into Other Documents

♦ Code of Conduct
♦ Computer System Security
♦ Employee Conduct
♦ Protection of Confidential Information and Trade Secrets
♦ Electronic Information and Communication Policy
♦ Dissemination of Information
♦ Information Security

User Responsibilities Include, But Are Not Limited To

♦ You may connect to the BYOD wireless network but are prohibited from connecting to the CORPNET or GUESTNET wireless network.
♦ You may not connect the personal device to the MYC network via MYC VPN.
♦ You may not forward MYC sponsored or owned phone numbers to a personal device.
♦ You are responsible for the protection of the MYC information asset being accessed by adhering to all MYC policies and procedures.
♦ You are responsible for all expenses and communication plans on the personal device except as agreed to for MYC approved international travel.
♦ You will allow MYC IT to install mobile device security standards on the personal device, including encryption and password protection.
♦ You are prohibited from ‘jail breaking’ or otherwise circumventing the built-in security of a personal device after MYC mobile device security standards have been installed.
♦ You agree that MYC will not be held liable should anything happen to the personal device.
♦ You will notify IT within 48 hours of loss of your personal device.
♦ You will protect all passwords which enable access to MYC assets. If you suspect a compromise, you will change the password immediately and advise the IT Help Desk.

Strategy Summary

♦ Manage and protect what matters to the enterprise
♦ Pay attention to service delivery to the business community
♦ Be clear on roles, responsibilities, and ownership
♦ Ensure users understand what can happen
♦ Train for users – over communicate
♦ Integrate into your environment documents or a program


Featured Presenter

Dr. Margaret Leary, CISSP, CIPP/G, CRISC, is a Professor of IT/Cybersecurity at Northern Virginia Community College and George Mason University. She serves as the Director, Curriculum of the National CyberWatch Center and has been a member of the NCC Leadership Team for the past 8 years.


Mobile Device Security: Expanding Threats

Dr. Margaret Leary

CISSP, CIPP/G, CRISC


Expanding Mobile Threats

• Mobile threats are expanding globally
– Financially-motivated attacks
– Malware
– Cross-platform threats
• Many of these new threats leverage traditional PC-type malware
• While most (90%) are Android, iPhone attacks are on the rise

Malware Attacks

• Malware is a much greater threat than loss of phone – yet most BYOD policies are focused on loss or theft of phone
• Sophos Labs reports seeing more than 2,000 pieces of mobile malware every day*. In some countries, mobile devices are attacked more than PCs.
– Denial of Service Attacks – turning smartphones into bots on a botnet or placing them at risk of ransomware
– Attacks on Confidentiality – attacker remotely enabling microphone or camera

*http://www.sophos.com/en-us/threat-center/mobile-security-threat-report.aspx

What If?

• Your connected smartphone is used as a conduit to inject malware into your car?

• Your phone is connected to a health monitoring device, and that health information is disclosed, or worse, modified by an attacker?

• Your smartphone is connected to your smart home?


The Problem

• The same threats exist for mobile devices as those with PCs
• Increased connectivity
• Too trusting of a user
• Current market dynamics

Common Mobile Application Development Mistakes

• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Poor authentication and authorization mechanisms
• Insufficient testing

Common Mobile Application Development Solutions

• Encrypt!
• Security should use a “layered” approach
• Use SSL/TLS (HTTPS) to encrypt the session
• Don’t store passwords in plain text
• Generate credentials securely
• Test, test, and test again!!!
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_Testing
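The mistakes and solutions lists above are deliberately generic. As an added example that is not part of the webcast or any presenter's material, the following Python module puts three of the solutions next to the mistake each one fixes: plaintext password storage versus a salted PBKDF2 record, credential generation from the operating system CSPRNG, and a TLS client context with certificate and hostname verification kept on versus the switched-off variant that produces "insufficient transport layer protection". All function names, the record layout and the iteration count are assumptions made for the example; the same pattern applies to the backend of a mobile app or to the app's own credential handling.

```python
"""Added example: 'Common Mobile Application Development Solutions' in code.
Hypothetical helpers written for this page, not code from the webcast."""
import hashlib
import hmac
import secrets
import ssl
from typing import Optional

# --- Mistake: "insecure data storage" of a password in plain text ---------
def insecure_store(password: str) -> dict:
    """Constructed 'before' record: anyone who reads it recovers the secret."""
    return {"password": password}

# --- Solution: "Don't store passwords in plain text" ----------------------
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your latency budget

def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a record that can verify the password without containing it.

    A fresh 16-byte random salt per user means two users with the same
    password get different hashes, and precomputed tables are useless.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, record["iterations"])
    return hmac.compare_digest(candidate, expected)

# --- Solution: "Generate credentials securely" ----------------------------
def generate_api_token(nbytes: int = 32) -> str:
    """Tokens come from the CSPRNG (secrets), never from random.random()
    or a timestamp, so they cannot be predicted from earlier tokens."""
    return secrets.token_urlsafe(nbytes)

# --- Mistake vs. solution: transport layer protection ---------------------
def tls_client_context(verify: bool = True) -> ssl.SSLContext:
    """create_default_context() enables certificate and hostname checks.
    verify=False reproduces the weak setting often added to 'make the
    certificate error go away'; it leaves the session open to interception."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """Check a context the way a code review or a unit test would."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec["alg"], verify_password("correct horse battery staple", rec))
    print("token:", generate_api_token())
    print("verifying:", context_is_verifying(tls_client_context()),
          "weak:", context_is_verifying(tls_client_context(verify=False)))
```

The record stores the algorithm name and iteration count alongside the salt, so the work factor can be raised later and old records re-hashed on the user's next successful login. `context_is_verifying` is the kind of assertion worth keeping in the app's test suite, since a verification-disabling change usually arrives as a one-line "fix".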

Additional Countermeasures

• Train your users AND your app developers!
• Develop a Secure Mobile Application Development Policy for developers
• Keep patches updated
• Keep phones in lockers or bags
• Think twice about any app you download


Featured Presenter

David Lingenfelter, Information Security Officer, MaaS360, an IBM Company

David has over 20 years of experience with risk management, information security, compliance and policy development, and currently heads security and compliance at Fiberlink Communications.

Balancing Security and Opportunity in the Mobile Era

Tackling Mobile Security with a Layered Defense

David Lingenfelter @Simply_Security

New = Scary

Old = Comfortable

Change is inevitable

Mobile technologies are more empowering

(The figures on this slide were graphics and did not survive extraction; only the captions remain.)

• … of employed adults use at least one personally-owned mobile device for business
• … mobile workers will use at least one business-focused app this year
• … yearly increase in revenue from people using mobile devices to purchase items

But security threats are even greater

(The figures on this slide were graphics and did not survive extraction; only the captions remain.)

• Threats on your employees
• Threats on your customers
• … of financial apps on Android have been hacked
• … of Top 100 Android apps have been hacked
• … annual cost of crime

IT’s Role and Focus Has Changed

Many different use cases within a single company:

• Corporate Owned
• BYOD
• Shared Devices
• Cart Devices
• Kiosk Devices
• Data Leakage
• Apps Blacklisting
• URL filtering
• SharePoint/EFSS
• Intranet Access

These Don’t Help…

• Compliance
• Rules/Regulations
• Privacy
• Intellectual Property
• Legal

Embrace The New Normal

Mobile is becoming THE IT platform

Go beyond enabling these new devices:
– Mobile utilization of corporate network/resources
– Separation of corporate & personal apps/data
– App management & security (and app dev assist)
– Identity, context and more sophisticated policy

So what does it take to enable all of this…

…and the Right Technology

• Mobile Device Management

• Mobile App Management

• Mobile Content Management

• Mobile Enterprise Gateway

• File Edit, Sync, and Share


MaaS360 Layered Approach

Secure the Device

Secure the Content

Secure the App

Secure the Network

Separating Corporate and Personal Lives


Secure the Device

Dynamic security and compliance features continuously monitor devices and take action.

Secure the Container: Mail & Content

An office productivity app with email, calendar, contacts, & content

Secure the App

Enhancing private and public app security through (SDK or wrapping) code libraries and policies

Secure the Network

A fully-functional web browser to enable secure access to corporate intranet sites and enforce compliance of policies

When you do this, expect great things

Gaming and Entertainment
• Need – Reduce drink wait times
• Solution – Locked down tablet with enterprise app
• Outcome – Reduce drink times from 20 minutes to 4 minutes with a single managed tablet and app.
• Ended up also using tablets to check in guests

Highly Regulated Industry
• Need – Secure email
• Solution – Implement secure email container
• Outcome – Meet regulatory requirements
• Now also delivers sensitive documents

Education
• Need – Help students with learning disabilities
• Solution – iPads with customized policies for each student
• Outcome – Unique learning environment to suit a large spectrum of student abilities
• Improved quality of life

Being Productive and Secure

MaaS360 Trusted Workplace™
• Continuously assess context & usage
• Real-time controls of entitlements
• Secure data-at-rest, in-motion, & in-use
• Enterprise access controls
• Native controls or container
• BYOD privacy protections

MaaS360 Secure Productivity Suite
• Secure Mail
• File Sync, Edit & Share
• App Security & Management
• Enterprise Gateway

Why Customers Choose MaaS360

Easiest to Deploy and Scale Mobile Device, App, and Content Management & Security platform

For organizations that are…
• Embracing multi-OS environments (iOS, Android, Windows Phone)
• Allowing Bring-Your-Own-Device (BYOD) programs
• Developing and deploying mobile apps (public and private)
• Enabling corporate content on mobile devices securely (push and pull)
• AND MORE….

Wrap-up

• Unlocking productivity with Apps and Content
• Capabilities exist today to Enable
• Take a Layered approach for Security

You can do it now: Empower Users, Build Trust, Do it with IBM MaaS360

David Lingenfelter @simply_security


Open Discussion

Barbara Endicott-Popovsky Director, Center of Information Assurance and Cybersecurity at the University of Washington

Closing Remarks

Thoughts on Security Awareness Training: Mobile Devices


Thank you MaaS360 for making today’s program possible!

SecureWorldExpo.com

Visit us for the latest security news and blogs from industry leaders.

Thank you for attending today’s web conference. Join us on December 4 for “Target One Year Later: What Have We Learned?”

Questions? Idea for a topic? Contact Tom Bechtold – Tom@secureworldexpo.com