Transcript

What to Consider When Building a Mobile Security Model

Who Am I?

• 12+ years in information security

• Experience includes: CounterTack, Security Innovation, Q1 Labs/IBM, Application Security, Inc./TrustWave, Sophos, WAVE Systems

• SecureWorld, Hacker Halted, ISSA, OWASP, Security Meetups, Boston Security Conference, OASIS-Montgomery Conference

• Mobile device owner

@tmbainjr1

http://www.countertack.com/blog

Agenda

• Mobile security trends

• Figuring out mobile security

• Understanding risks/policy creation

• Developing an adaptive model and best practices

TRENDS

Do We Really Have a Choice?

• 84% use the same smartphone for work and for personal usage.

• 81% of employed adults use at least one personally owned electronic device for business

• 59% use their mobile devices to run line-of-business applications

• 74% of companies allow BYOD usage in some manner

• 1/3 use mobile devices exclusively

--Experian Mobile Security Survey, November 2013 (Harris Interactive)

The Great Mobile Security Debate

• When will the great mobile data breach happen?

• 2017: endpoint breaches will shift to tablets/smartphones.

• Physical vs Virtual

• BYOD/Mobile security policy

• Business vs Security

What are CISOs concerned with?

It's More About the Data

State of Mobile Security

• Productivity vs. Security

• Rise of mobile campaigns

• More targeted malware

• Volume of usage = increased risk

• End user error

User Perspective on Mobile Security

• 50% of companies have experienced a data breach due to inadequate device security

• 47% don’t have a password on their mobile phone.

• 51% stated their companies couldn’t execute a remote wipe if lost or stolen.

• 49% said mobile security has not been addressed with them by IT.

UNDERSTANDING MOBILE SECURITY ISSUES

Mobile Security Failures

• Inconsistent security policies

• Unmanageable devices

• Minimal number of devices

• Data artifacts existing on disposed devices

• Data leakage

Unique Mobile Security Issues

• Multi-user/single user

• Browsing environment

• Updates/patching

• SSL

• CSRF

• Geolocation

• Apps

Mobile Malware Trends

• 98% of all mobile malware targets Android users

• Kaspersky: 3.4M malware detections on 1.1M devices

• 60% of all attacks are capable of stealing users’ money

• Reported attacks have increased 6X! (from 35K in August 2013 to 242K as of March 2014)

Real-time Endpoint Threat Detection and Response

The Most Popular Mobile Malware

• SMS, RiskTool, AdWare, Trojan

• Faketoken

• Svpeng

Android Resources

iOS Resources

POLICY, RISK ASSESSMENT & BUILDING AN ADAPTIVE MODEL

BYOD Challenges

• Device turn-over and EOL

• New devices: Default or customized settings?

• How can you know everything about every device?

• App Stores: Approved apps?

• Applications

Mobile Security Policy Checklist

Consider risk scenarios.

Adapt from proven or trustworthy models.

Measure perception.

Understand roles, privileges and what’s in place today.

Get granular with your questions & considerations.

Figure out a strategy for testing your applications.

Policy enforcement.

Raise awareness/required training.

Assess and Validate Risk

Take an inventory of your high-risk applications/mobile applications.

Determine business criticality.

What’s your attack probability?

How do you define the attack surface?

Consider overall business impact.

Where does compliance factor in?

What are the security threats?

Roles and Access Controls

• Which departments/groups/individuals have been most active in developing policies?

• Has there been any previous collaboration between policies and authors?

• Can you identify a potential champion(s) to support the new policy?

• Areas of agreement in commonly implemented controls re: policies?

• Support documents, materials and related policies should be cited in mobile device policy.

Get Granular

• How will mobile devices be used?

• Devices assigned to one person or shared?

• Which mobile applications would be used?

• What information is accessible through mobile devices?

• What information will be stored on the mobile devices?

• How will data be shared to/from and between mobile devices?

• Who’s ultimately responsible for mobile devices?

• Will personal activities on company devices be permitted?

• What levels of support are expected?

Know and Define Your Data

Defining Policy

• Provide contextual, technical guidelines

• Map to compliance mandates

• Considers criticality of application and data

‒ Requirements, activities and level of detail needed will differ

• Have clear exception policies where necessary

‒ What if minimum standards can’t be met? What is considered acceptable? Who approves?

• Includes internally built and third party applications

• Reflects current maturity and skillset of staff

‒ The more skilled, the less explicit you need to be with policies

Enforcing Policy

• You need management buy-in!

• Broad strategy vs Targeted strategy roll-out

• On-boarding:

‒ Require all device info as part of hiring process

‒ Require policy training up front

• Require training for various departments:

‒ General population receives awareness training

‒ Technical employees receive in-depth training

• Monitor for effectiveness – EX: Deliver training or reminder when employee is out of compliance.

Where are you at? ‘Ad Hoc’

[Maturity diagram: Implementation, Technology, People, Process, Data]

Get to the next level of ‘Repeatable’

• Collect examples

• Present business needs & educate executives

• Create a mobile security policy

• Identify some short and long-term risks/goals

• Make the case simple

Now you are at ‘Repeatable’

[Maturity diagram: Implementation, Technology, People, Process, Data]

Adaptive Mobile Security

Gartner, 2014, Adaptive Security Model

www.countertack.com

Blog: http://www.countertack.com/blog

Twitter: @CounterTack, @tmbainjr1

