Getting a Grip on Mobile Devices

  • Published on
    30-Dec-2015


Transcript

  • Getting a Grip on Mobile Devices

  • Last year thousands of travellers left personal items in London taxi cabs

  • 27 toilet seats

  • 4 sets of false teeth

  • 3 dogs

  • 2 babies

  • 1 cat

  • 1 pheasant

  • Funeral ashes

  • A dead body

  • Over 50,000 mobile computing devices

  • Devices can hold

    10k photos, 200k docs, 100k emails

  • 10% capacity =

    +50M photos, +1B docs, +500M emails

  • That's a lot of information!

  • 73% of London businesses surveyed allowed employees to bring their own device to work for processing commercial information in 2013. (Ponemon Survey, February 2014)

  • How do you Get a Grip on that?

  • Business Challenges

  • Our Challenges

  • Our Risks

  • HISTORY Lesson

  • History 101

  • What's Your Definition?

  • Is it Definitive?

    Copiers
    Faxes
    Scanners
    Telephones
    Coffee machines

    Any device with memory capability that can be carried out.

  • Top 10 Mobile Risks

    Loss
    Theft
    Malware
    Stealth installs
    Data interception
    Direct attack
    Call hi-jacking
    VPN hi-jacking
    Session hi-jacking
    Device hi-jacking

  • Risk Du Jour

  • How do you Get a Grip on that?

  • Step 1: Quantify the Problem

    Stop. First measure the problem.
    Conduct a survey: How many devices? Running what applications? Processing, storing, transmitting what data?
    Conduct a threat / risk assessment
    Draft Asset Register
    Draft Risk Register

  • What's the threat?

  • Quantify

    If the definition of a threat is the "expressed potential" for a "harmful event" to happen to your business, what mobile device events would be harmful to your business?

  • What Applies?

  • Step 2: Draft Policies

    Device ownership
    Device liability
    Acceptable devices
    Acceptable use
    Acceptable applications
    Minimum device security requirements
    Where to report lost/stolen devices
    Security Awareness Program

  • Consider

    Mandating use of PINs to access devices
    Mandating use of complex passwords to access applications
    Set max number of password failures
    Set max days of non-use lock-out
    Specify password change interval
    Prevent password reuse via password history
    Set screen-lock

  • Step 3: Configuration

    Firewall
    Anti-virus (Malware, Trojans, Spyware)
    O/S Updates
    Hardening
    Back end support servers
    VPN dual authentication

  • Consider

    Adding or removing root certs
    Configuring WiFi including trusted SSIDs, passwords, etc.
    Configuring VPN settings and usage
    Blocking installation of additional apps from the App Store
    Blocking GeoLocation
    Blocking use of the iPhone's camera
    Blocking screen captures
    Blocking use of the iTunes Music Store
    Blocking use of YouTube
    Blocking explicit content
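The Step 2 password controls and the Step 3 device restrictions above are exactly the settings an MDM configuration profile carries. The following is an added example, not material from the deck or from Risk Factory: it builds an Apple configuration profile (the XML plist inside a .mobileconfig) with Python's standard plistlib and then audits the profile against the policy's minimum values, which is the check you want before pushing a profile fleet-wide. The payload types and key names are Apple's own (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, com.apple.wifi.managed); the numeric thresholds, the organisation identifier and the Wi-Fi details are constructed for the example because the slides name the controls but not the values. "Max days of non-use lock-out" and GeoLocation have no direct restriction key in this payload and are left to the MDM server, and the old YouTube restriction no longer applies on current iOS, so neither appears below.

```python
"""Added example: encode the Step 2 password policy and Step 3 restrictions
as an Apple configuration profile, then audit the profile against the policy.

Payload types and key names are Apple's (Configuration Profile Reference).
Thresholds, identifiers and Wi-Fi details are constructed for the example."""
import plistlib
import uuid

ORG = "example-org"  # constructed identifier prefix, not a real tenant

# Step 2 thresholds (assumed values; the slide lists the controls only).
POLICY_MINIMUMS = {
    "minLength": 8,           # complex password: at least 8 characters
    "maxFailedAttempts": 10,  # lock/wipe after this many failures
    "maxInactivity": 5,       # minutes before the screen-lock engages
    "maxPINAgeInDays": 90,    # password change interval
    "pinHistory": 5,          # reuse of the last 5 passwords is refused
}

# Step 3 features that must be switched off (Apple keys; True means allowed).
REQUIRED_RESTRICTIONS = (
    "allowAppInstallation",  # block installs from the App Store
    "allowCamera",
    "allowScreenShot",
    "allowiTunes",           # iTunes Music Store
    "allowExplicitContent",
)


def _payload(payload_type, display_name, content, overrides=None):
    """Wrap payload-specific keys in the envelope every payload carries.
    ``overrides`` weakens or removes keys (None deletes) so the audit can be
    exercised against a deliberately bad profile."""
    body = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    body.update(content)
    for key, value in (overrides or {}).items():
        if value is None:
            body.pop(key, None)
        else:
            body[key] = value
    return body


def passcode_payload(overrides=None):
    """Step 2: mandate a PIN, complexity, lockout, ageing, history, screen-lock."""
    content = {"forcePIN": True, "allowSimple": False, "requireAlphanumeric": True}
    content.update(POLICY_MINIMUMS)
    return _payload("com.apple.mobiledevice.passwordpolicy", "Passcode policy",
                    content, overrides)


def restrictions_payload(overrides=None):
    """Step 3: block the device features the slide lists."""
    content = {key: False for key in REQUIRED_RESTRICTIONS}
    return _payload("com.apple.applicationaccess", "Device restrictions",
                    content, overrides)


def wifi_payload(ssid, passphrase):
    """Step 3: pre-configure a trusted SSID so users never handle the secret."""
    content = {"SSID_STR": ssid, "AutoJoin": True,
               "EncryptionType": "WPA2", "Password": passphrase}
    return _payload("com.apple.wifi.managed", f"Wi-Fi {ssid}", content)


def build_profile(passcode_overrides=None, restriction_overrides=None):
    """Return the profile as XML plist bytes (the content of a .mobileconfig)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG}.mobile-baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mobile device baseline",
        "PayloadContent": [
            passcode_payload(passcode_overrides),
            restrictions_payload(restriction_overrides),
            wifi_payload("CorpWiFi-example", "constructed-passphrase"),  # constructed
        ],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Return findings where a profile is weaker than the written policy.
    Missing keys are judged by Apple's defaults: an absent restriction key
    means the feature is allowed, an absent passcode limit means no limit."""
    profile = plistlib.loads(profile_bytes)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    findings = []
    passcode = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if passcode is None:
        findings.append("no passcode payload")
    else:
        if not passcode.get("forcePIN"):
            findings.append("PIN not mandated (forcePIN)")
        for key in ("minLength", "pinHistory"):  # higher is stronger
            value = passcode.get(key)
            if value is None or value < POLICY_MINIMUMS[key]:
                shown = "unset" if value is None else value
                findings.append(f"{key}={shown} is below the policy minimum of {POLICY_MINIMUMS[key]}")
        for key in ("maxFailedAttempts", "maxInactivity", "maxPINAgeInDays"):  # lower is stronger
            value = passcode.get(key)
            if value is None or value > POLICY_MINIMUMS[key]:
                shown = "unset" if value is None else value
                findings.append(f"{key}={shown} exceeds the policy maximum of {POLICY_MINIMUMS[key]}")
    restrictions = by_type.get("com.apple.applicationaccess", {})
    for key in REQUIRED_RESTRICTIONS:
        if restrictions.get(key, True):
            findings.append(f"{key} is not blocked")
    return findings


if __name__ == "__main__":
    print(build_profile().decode())
    print("findings:", audit_profile(build_profile()))  # expect []
```

Run it to print the profile and an empty findings list; call build_profile with passcode_overrides or restriction_overrides to see how the audit reports a profile that drops or relaxes a control. The audit treats an absent key the way the device would (restriction allowed, limit unenforced), which is the usual way a hand-edited profile silently falls short of the written policy.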


  • Step 4: Encryption

    Data
    Disk
    Document, File & Folder
    Laptop
    Port & Device Controls
    Removable Media & Device
    Email

  • Layers

    Data
    Disk
    Document
    File & Folder
    Client Side
    Laptop
    Port & Device Controls
    Removable Media & Device
    Email

  • Encryption Options

    Database Encryption: Application-level encryption of data at rest in a database.
    Disk Encryption: Disk-level encryption for all data on the logical or physical drive (user files, swap files, system files, page file).
    Document Encryption: Application-level encryption of data in document format (Word/Excel, Notebook).
    File & Folder Encryption: Application-level encryption method.
    Client Side Encryption: Application-level encryption method used by servers to encrypt data on a computer that has connected to them.

  • Options

    Laptop Encryption: Operating system-level encryption method started at boot-up authorisation.
    Port & Device Control: Monitor device usage and file transfer activity. Controls access to laptop ports, devices and wireless networks.
    Removable Media & Device Encryption (USB memory, CD, DVD): Read and write encrypted data on media.
    Email Encryption: Dual key method securing data in transit from client.
    Email Gateway Encryption: Automatic encryption and decryption of sensitive emails between email gateway and receiver.

  • Step 5: Incident Response

    Included in BC/DR Plan
    Back-ups
    Alternatives: Find it, Track it, Kill it

  • How to Get a Grip

    Quantify the problem
    Policies
    Configuration
    Encryption
    Incident Response

  • DPA Mobile Security

    Device security policy
    Firewall
    Anti-virus protection
    O/S routinely updated
    Latest patches or security updates installed
    Access restricted on "need to know" principle
    No password sharing
    Encryption of personal information held on devices
    Regular back-ups
    Wipe data before disposal of device
    Anti-spyware protection

  • PCI Mobile Security

    Device user security policy
    Device labelled and listed on asset register
    Firewall
    Dual authentication
    Encrypted VPN connection
    Anti-virus protection
    Anti-spyware protection
    O/S routinely updated
    Latest patches or security updates installed
    Connection subject to testing
    Access restricted on "need to know" principle
    No password sharing

  • ISO Mobile Security

    Device user security policy
    Device labelled and listed on asset register
    Firewall
    Dual authentication
    Encrypted VPN connection
    Anti-virus protection
    Anti-spyware protection
    O/S routinely updated
    Latest patches or security updates installed
    Connection subject to testing
    Access restricted on "need to know" principle
    Device must be password controlled

  • Minimum Controls

    Risk assessments
    Device user security policy
    Security awareness training
    Information asset register
    Device labelled and listed on asset register
    Firewall
    Dual authentication
    Encrypted VPN connection
    Anti-virus protection
    Anti-spyware protection
    O/S routinely updated & randomly audited
    Latest patches or security updates installed
    Device must be password controlled

  • ISACA Plug

  • 10 Rules: Mobile Security

    If Dr. Evil can run his programs on your mobile device, it's not your device anymore.
    If Dr. Evil can make changes to your mobile, it's not your mobile any more.
    If Dr. Evil can upload programs to your network from your mobile, it's not your website anymore.
    If Dr. Evil can access data entering or exiting your mobile, it's not your data any more.
    If Dr. Evil uses your mobile to launch an attack on another network, it's your problem.

  • 10 Rules (continued)

    If Dr. Evil can use your mobile to access your partner's network, it's your problem.
    If Dr. Evil can physically access your mobile device, it's not your data anymore.
    More often than not, Mini-Me works for you.
    Dr. Evil knows where you hide your spare keys.
    Dr. Evil is always faster and smarter.

  • Take the problem in hand

  • 26 Dover Street, London, United Kingdom, W1S 4LY

    +44 (0)20 3586 1025
    www.riskfactory.com
    A different perspective from