ISACA Bahrain Chapter

28th March 2012

The speaker

Mobile Devices

• Mobile phones

• Smartphones

• Tablet devices (iPad, Tab, etc..)

• Laptops, Notebooks, Netbooks

Smartphones

• Ability to install and run advanced applications

• Productivity tool for enterprise users

• Susceptible to malware and other attacks

• Keyboard or touchscreen interface

• Feature large screens, powerful processors and memory

• Application marketplace: iTunes App Store (Apple), Ovi (Nokia), Android Market (Google)

Tablets

• Slate shape

• Touchscreen as primary input device

• OS: Microsoft Windows or a smartphone OS

Laptops & Netbooks

• Primarily used in enterprise environments

• OS: Microsoft Windows, Linux and Mac OS X

• Ample resources and expertise exist for deploying these devices in the enterprise

Smartphone Operating Systems

• Apple iOS:

• Based on Mac OS X

• Runs on iPhone, iPad, iPod touch, and Apple TV

• Massive adoption forces enterprises to adopt new mobile device strategies

• More than 500K apps through the App Store

• Tight control of hardware and software

• Considered very secure: little malware seen, and none on non-jailbroken devices at the time

• No antivirus apps (the sandbox prevents one app from scanning others)

Smartphone Operating Systems

• RIM BlackBerry OS

• Research In Motion

• De facto standard for the enterprise (BlackBerry Enterprise Server, BES):

Authentication

Security of data in transit

Security of the device itself

• BlackBerry 7 (phones); BlackBerry Tablet OS (PlayBook, QNX-based)

Smartphone Operating Systems

• Google Android

• Open source OS with many contributors

• Based on the Linux kernel

• Thousands of apps

• Available from a variety of handset vendors (Motorola, Samsung, Dell, HTC, and more)

• Little policing of the marketplace

• More malware found than on other platforms

• Comprehensive security needed on the device

Smartphone Operating Systems

• Microsoft Windows Mobile & Windows Phone

• Windows Mobile:

Up to version 6.5

Targeted at the enterprise

Many built-in security features

• Windows Phone 7:

A different platform from 6.5

Primarily for consumer use

Missing features such as VPN and on-device encryption

Smartphone Operating Systems

• Nokia Symbian

• Prior licensees: Sony Ericsson, Samsung, others

• Has been on the market for several years

• Wide range of security solutions available

• Several malware families also exist

• Nokia has announced the transition from Symbian to Windows Phone 7 (February 2011)

Smartphone Operating Systems

• Other OS:

• HP Palm webOS: Pre 2

• MeeGo: 2010, Linux-based, Nokia and Intel

• Samsung bada: Samsung Wave smartphone

Smartphones (diagram): Telecom Services, Internet Services, Software Applications, Device Features

Smartphones

• Telecom Services:

Voice

SMS

MMS

Smartphones

• Internet Services:

Wi-Fi

E-Mail

Web browsing

Social Networking

Smartphones

• Software Applications

E-Mail

Enterprise apps (CRM, SAP, etc.)

Tools and utilities (calculator, weather, compass, etc.)

Games

Contacts & Calendars

Smartphones

• On Device Features

Powerful processor

Memory

Storage (Internal & External)

Camera (Still & Video)

Touchscreen

Bluetooth


Why NOW? Consider RISKs

• The power and advancement of the devices

• Users have started using their own devices at work

• Enterprises have started using them in place of laptops

• More malware has started to appear

• Connectivity to public Wi-Fi

• Bluetooth connections

• Jailbroken devices (iPhone)

• Open source OS (Android)

Why NOW? Consider the Trend

Type of device owners

• Enterprise owned Mobile devices

• User owned Mobile devices

Policies

• Policy for physical device protection

• Policy for device backup and restore

• Policy for device provisioning

• Application Policy

Physical Security Policy

Policy for Backup & Restore

• User owned:

Back up to a desktop or the cloud (MobileMe)

Back up SD cards separately

Practise the restore procedure

• Corporate owned:

Automated backup on a regular basis

SD cards are not allowed

Inform the helpdesk if the device is lost or stolen

The backup agent on the device must not be disabled

Policy for device provisioning

• Upgrade, downgrade, install software

• Update profile settings:

Password, VPN, encryption, email

• Decommission the mobile device:

Lost, theft, policy violation

Application Policy

• White-list of approved applications

• Profile settings for approved applications

• User notification of application policy violations

Enterprise Management of Mobile Devices

• Mobile Device Management (MDM)

• Over The Air (OTA)

• Exchange ActiveSync (EAS)

• BlackBerry Enterprise Server (BES)

Enterprise Management of Mobile Devices

• Commands from the MDM can be sent to all end devices in one of two ways:

• SMS: available everywhere

Downside: only reaches devices with cellular service (not Wi-Fi-only tablets)

• Push notification: Internet-based communication channel

The device checks in with the MDM server after the push, so the server can confirm receipt

Downside: requires Internet access

Enterprise Management of Mobile Devices

• Implement password policies

Password required

Minimum length

Password complexity

Password aging

Password history

Idle timeout

Max number of incorrect passwords

Enterprise Management of Mobile Devices

• Applications management

Install required apps

Remove prohibited apps

Control downloading from apps market/stores

Create whitelist or blacklist apps

Monitor violation of apps policy
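The "Implement password policies" and "Applications management" slides above list what an MDM enforces but not how a compliance check over the device inventory looks. The following is an added example, not code from the seminar or from any MDM product: it evaluates MDM-reported device posture against both policies and decides the action for each device. The policy values, app identifiers, field names and device records are all constructed assumptions for illustration.

```python
"""Added example: check MDM-reported device posture against the password and
application policies from the slides. All device records and app IDs below
are constructed sample data; the field names are assumptions."""
from dataclasses import dataclass, field

# Password policy from the "Implement password policies" slide (values assumed).
PASSWORD_POLICY = {
    "required": True,
    "min_length": 8,
    "complex": True,            # alphanumeric rather than a simple numeric PIN
    "max_age_days": 90,         # password aging
    "history_length": 5,        # password history
    "idle_timeout_min": 5,      # idle timeout before lock
    "max_failed_attempts": 10,  # wipe/lock threshold
}

# Required / blacklist / whitelist from the "Applications management" slide (IDs assumed).
APP_POLICY = {
    "required": {"com.example.mdmagent", "com.example.vpn"},
    "blacklist": {"com.example.fileshare"},
    "whitelist": {"com.example.mdmagent", "com.example.vpn", "com.example.mail"},
    "whitelist_only": False,    # whitelist is always enforced on corporate-owned devices
}


@dataclass
class Device:
    device_id: str
    corporate_owned: bool
    password_set: bool
    min_length: int             # 0 = no minimum enforced on the device
    complexity: bool
    max_age_days: int           # 0 = never expires
    history_length: int
    idle_timeout_min: int       # 0 = never locks
    max_failed_attempts: int    # 0 = unlimited attempts
    installed_apps: set = field(default_factory=set)


def password_findings(d: Device, p=PASSWORD_POLICY):
    """Return the list of password-policy violations for one device."""
    f = []
    if p["required"] and not d.password_set:
        f.append("no password set")
    if d.min_length < p["min_length"]:
        f.append(f"minimum length {d.min_length} < {p['min_length']}")
    if p["complex"] and not d.complexity:
        f.append("complexity not enforced")
    # A reported value of 0 means the limit is disabled, which is weaker than any finite limit.
    if d.max_age_days == 0 or d.max_age_days > p["max_age_days"]:
        f.append(f"password aging {d.max_age_days or 'off'} > {p['max_age_days']} days")
    if d.history_length < p["history_length"]:
        f.append(f"history {d.history_length} < {p['history_length']}")
    if d.idle_timeout_min == 0 or d.idle_timeout_min > p["idle_timeout_min"]:
        f.append(f"idle timeout {d.idle_timeout_min or 'off'} > {p['idle_timeout_min']} min")
    if d.max_failed_attempts == 0 or d.max_failed_attempts > p["max_failed_attempts"]:
        f.append(f"failed-attempt limit {d.max_failed_attempts or 'off'} > {p['max_failed_attempts']}")
    return f


def app_findings(d: Device, p=APP_POLICY):
    """Return missing required apps, prohibited apps, and (whitelist-only) unapproved apps."""
    f = []
    for app in sorted(p["required"] - d.installed_apps):
        f.append(f"required app missing: {app}")
    for app in sorted(d.installed_apps & p["blacklist"]):
        f.append(f"prohibited app installed: {app}")
    if p["whitelist_only"] or d.corporate_owned:
        for app in sorted(d.installed_apps - p["whitelist"] - p["blacklist"]):
            f.append(f"app not on whitelist: {app}")
    return f


def evaluate(devices):
    """Map device_id -> (findings, action). Corporate-owned devices are remediated
    by the MDM agent; user-owned devices are notified and lose corporate mail
    access until they comply."""
    report = {}
    for d in devices:
        findings = password_findings(d) + app_findings(d)
        if not findings:
            action = "allow"
        elif d.corporate_owned:
            action = "push policy and remove prohibited apps"
        else:
            action = "notify user and block corporate email"
        report[d.device_id] = (findings, action)
    return report


# Constructed sample inventory (not real devices): one compliant corporate
# device and one user-owned device with a weak passcode and a prohibited app.
SAMPLE_DEVICES = [
    Device("corp-001", True, True, 8, True, 60, 5, 5, 10,
           {"com.example.mdmagent", "com.example.vpn", "com.example.mail"}),
    Device("byod-002", False, True, 4, False, 0, 0, 15, 0,
           {"com.example.mdmagent", "com.example.fileshare"}),
]

if __name__ == "__main__":
    for dev_id, (findings, action) in evaluate(SAMPLE_DEVICES).items():
        print(dev_id, "->", action)
        for line in findings:
            print("   -", line)
```

The check treats a disabled limit (reported as 0) as a violation rather than as "no limit to exceed", which is the mistake to avoid when comparing device values against a policy.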

Enterprise Management of Mobile Devices

• Encrypt data

Enforce data encryption

Install encryption tool for devices with no encryption built-in

Encrypt SD cards where they are permitted

Prevent using SD card if not permitted

Enterprise Management of Mobile Devices

• Restrict device functionality

Screen capture

Clipboard operations

Bluetooth access

Use of device camera

Access to personal webmail (Gmail, Yahoo)

Enterprise Management of Mobile Devices

• Configure network settings

Remote access using IPSec VPN

Remote access using SSL VPN

Pre-configured default Wi-Fi profile

Remote Access

• IPSec VPN

• SSL VPN

Smartphone security components

• On device Anti-X protection

• Backup and restore capabilities

• Loss or theft protection

• Firewall protection

• Bluetooth protection

On device Anti-X protection

• Antispyware

• Antivirus

• Antiphishing

• Antispam

• Required for open-source OS (Android) and jailbroken devices

Backup and Restore capabilities

• User owned device:

Personal files, including videos and photos

Call log and contact information

Apps and app settings

SMS messages

Email and calendar information

Phone settings

• Corporate owned: MDM solution

Loss or Theft protection

• Report the loss/theft of device

• Locate the device using GPS

• Remotely lock the device

• Remotely set off a loud alarm

• Remotely wipe the device

Firewall protection

• Prevent unauthorised external connections to the device

• Monitor and block installed applications from communicating with the outside world

• Select a solution with low power consumption

Bluetooth protection

• Disable Bluetooth by default

• Use a Bluetooth firewall (Fruit Mobile)

• Tethering protection


Summary for Addressing Smartphone RISKs (diagram mapping risks to mitigations):

Policy

Up-to-date AV/OS/Apps

Access Control

Device Management

Encryption

Secure Transmission

Awareness

Online Information Sources

• www.isaca.org

• www.sans.org

• www.darkreading.com

• www.f-secure.com

• www.infosec.co.uk

• www.icsa.net

• www.cert.org

Mobile Security Vendors

• www.air-watch.com

• www.good.com

• www.juniper.net/pulse

• www.mobileactivedefense.com

• www.mcafee.com

• www.mobileiron.com

• www.sybase.com

• www.symantec.com
