Mobile Device Security and Privacy Discussion - Planning Considerations for a Successful Mobile Device Program August 2012


PwC

Discussion Topics

• Mobile Device Definition and Characteristics

• Mobile Device Access – High Level Architecture

• Mobile Device Use Cases – Functionality Versus Threats

• Example Threats to Mobile Devices

• Controls – Available Risk Reduction Options

• Bring Your Own Device (BYOD)

• Non-BYOD Enterprise Device Refresh - Planning Considerations for Program and Device Deployment Stages

Level Set – Basic Mobile Device Characteristics

• Generally, “mobile devices” refers to mobile phones, smart phones, tablets and specialized mobile computing devices that primarily connect to a wireless carrier for communications. Excluded are traditional portable computing platforms such as laptops and touch screen computers running a laptop operating system (i.e. Windows).

• Mobile devices will normally include a tailored purpose operating system such as iOS, Android, Blackberry OS, Windows Phone, Symbian or a proprietary device OS

• Mobile devices generally include the option to connect to available wireless broadband services in addition to the carrier network

• Many types of mobile devices will be able to download applications from the Internet or proprietary services unless specifically blocked by the device configuration

• Generally, users will be able to synchronize their devices with enterprise applications via desktop/laptop computers and/or wirelessly

Examples of Common and Emerging Mobile Devices

Blackberry – Several device models primarily used in conjunction with the Blackberry Enterprise Server. Introducing tablets based on Palm OS via acquisition.

Apple – Several versions of the iPhone and three versions of the iPad. Based on synchronization using iTunes, iCloud and Apple’s enterprise device management tools. Applications added via App Store.

Android – Google’s operating system deployed on phones and tablets from multiple manufacturers. Used in conjunction with Google’s services and applications normally added via Android Market.

Windows Phone and Symbian – Windows Phone replaces Windows Mobile. Symbian OS found primarily on Nokia phones and outside of the U.S. Nokia is now moving to Windows Phone as the manufacturer’s primary device operating system.

Mobile Device Access - High Level Architecture

[Figure: high-level architecture diagram. Labels recoverable from the diagram: Users; Mobile Devices; Network Channels / Applications; Browser (WAP / HTML 5); SMS; Email Client; Native Clients (App); Voice; IM; USSD; P2P; LAN Connectivity; Bluetooth; WIFI; WAN Connectivity; 2G / 3G / 4G / LTE; Protocols; SSL / TLS; RFID / NFC; WPA; 802.22; 802.1x; DMZ; Web Publishing Server; MDM Gateway Server; Public API; Mobile Middleware; RIA; Java ME; Mobile Virtualization Solution; Business Services & Integration; Secure API; Secure SOA; Web Services; OTA Sync; Enterprise; Application Servers; Email / Domain Servers; Data Applications; MDM / MEAP Servers; Content Management Servers; Directory Servers; Core Back-office Platforms (e.g. ERP); CRM; Financial; Inventory Management; Sales; Other Content.]

Mobile Access at Work – Use Cases and Risk Profiles

[Chart axes: Risk (Low to HIGH) and Functionality (Low to HIGH)]

• Organization provides only Internet access via Wi-Fi, normally via a guest network arrangement

• Organization provides access to e-mail and calendar via mobile browser (i.e. Outlook Web Access)

• Organization provides synchronization of e-mail and calendar via a mobile application

• Organization provides access to corporate applications and data via a thin client model (e.g. Citrix)

• Organization provides access to corporate applications and data with on-device data storage

• Organization develops and delivers custom applications to mobile users with data modification, direct input and on-device storage

Lost or Stolen Devices - The Number One Threat Associated with Mobility Programs

• 56% of us misplace our cell phone or laptop each month

• 113 cell phones are lost or stolen every minute in the U.S.

• 120,000 cell phones are lost annually in Chicago taxi cabs

• 25% of Americans lose or damage their cell phone each year

• Major city transit authorities receive over 200 lost items per day

Source: MicroTrax Study, 2011

Other Notable Threats to Mobile Devices

• August 2012 – First variants of Zeus malware detected on Blackberry devices.

• Feb 2012 – Mobile social network Path caught uploading users’ address books to their network without approval. Class action lawsuit against 18 companies filed in March 2012.

• Jan 2012 – Up to 5 million Android users download 13 malware infected applications from Google’s Android Market

• Jan 2012 – QR Codes used to trick users to visit mobile spam sites

• Dec 2011 – CarrierIQ tracking software found on a wide range of devices

• Oct 2011 – Device manufacturer HTC admits vulnerability in their phones that can cause unauthorized access to data

• Sept 2011 – German security firm G Data reports mobile malware increased 270% during the first six months of 2011 with 1.2 million new variants

• March 2011 – “Droid Dream” – malicious code was delivered to more than 260,000 mobile devices within 58 downloaded applications from the Android Market

• February 2011 – Malware “Zeus Mitmo” combined traditional PC malware with mobile phone malware sent by a bogus SMS message which appeared to originate from the user’s bank to steal bank log-on passwords

Mobile Security – Controls

Risk Reduction Options

Policies and Procedures *

- Acceptable Use Policy

- Data Classification and Handling Policy

- Social Media Policy

- Information Security Policy

- Device Loss Process/Workflow

- Incident Management Plan

User Acknowledgement and Opt-In

- Signed User Acceptance Form

- Clear Instructions For Reporting Loss of Device

- Consent to Geo-Track (As Applicable)

- Potential Tax Impact (Certain States and Countries)

- Specific Security Training for Users

- Limits on Supported Devices

Technical Controls and Platforms

- Blackberry Enterprise Server

- Exchange ActiveSync

- Vendor Security Controls

- On Device Encryption

- Mobile Management Platform (MDM)

- Mobile Device Anti-Virus/Malware (As Warranted)

Auditing, Logging and Monitoring

- Periodic Audits of Mobile Program and Key Controls

- Integration with Log Management and SIEM Platforms

- Periodic Survey of Users to Confirm Compliance

* With Specific Content for Mobile Device Use

Bring Your Own Device (BYOD)


BYOD Program Payment Options May Impact Controls

• Self Pay – User purchases device and pays for monthly service. User uses the device to access company resources primarily for personal convenience. Pros - the company has no telecoms management overhead. Cons - there is no control over the device types or incentives for the user to report problems.

• Sponsored * – User selects an approved device that they pay for from a list and the company pays monthly charges directly to the carrier. This is normally done by an Intranet site hosted by a 3rd party. Pros - the company can manage device types and offloads telecoms management to a 3rd party. Cons - This can be a very costly proposition if a large number of employees go mobile. There's a potential for high use and abuse.

• Stipend * – User purchases device and pays for monthly service - usually with published corporate discounts. The company reimburses each month for business calls or provides a set stipend each month for use. Pros - Minimal advantages as the company cannot control device types and is still managing telecoms in some fashion. Cons - there is no control over device type.

* In certain States and foreign localities, there may be a potential tax impact for Sponsored and Stipend models.

“Bring Your Own” Device Security Considerations

• Many organizations have now opted to allow employees to procure their own devices which will ultimately connect to enterprise data and resources

• A “Bring Your Own” strategy presents additional security and privacy challenges which should be carefully considered prior to implementation

• Policies must be carefully crafted that mandate certain restrictions on the employee’s access to corporate data with a personally owned device. Policies should cover minimum device security standards, use of anti-virus or endpoint security software based on legal or compliance requirements and clear language regarding consent for the enterprise to access enterprise data on the device on a timely basis.

• The enterprise should aggressively monitor access by employees with personally owned devices and consider restricting access to the minimum level required to perform the employee’s role (e.g. e-mail and calendar)

• The enterprise should reserve the right to rapidly bar access to data and resources by employees with personally owned devices if necessary to protect enterprise data, address newly identified risks or to comply with legal or compliance requirements

• It is becoming increasingly hard to efficiently operate a BYOD program without using a Mobile Device Management (MDM) platform

Common BYOD Challenges and Risks

• BYOD increasingly reopens traditional debates on use of personally owned laptops and computing equipment (i.e. Macs, external storage, printers)

• Use of personally owned devices blurs owner responsibilities regarding device support, ownership of data and how much access and control the organization may have to data on the device

• There is still frequent resistance by users to sign acknowledgements or acceptable use agreements (“It’s my device!”)

• Users want the latest smartphone, regardless of what operating system or features the organization is able to support

• Users have little incentive to report lost or stolen devices on a timely basis. In many cases the organization will only learn of a lost device when the user requests access for a new device

• If the user cancels carrier service, it is impossible to complete over the air device wiping

Specific Recommendations for Enterprise Mobile Device Refresh Programs (Non-BYOD)

Planning Considerations – Prior to Procurement

• It’s important to consider long term mobile strategy prior to a purchasing decision. Key requirements can be included in Request for Proposals for mobile devices and management software.

• Some possible considerations prior to procurement include:

o Do the intended devices meet enterprise security and privacy policies (or are policy changes warranted in light of the new capabilities)? Can the devices support encryption if required for sensitive data or compliance reasons?

o Can security features such as remote wipe, policy enforcement and remote device location be enabled?

o Will the enterprise allow limited personal use of the device and the carrier service? If not, how will charges be calculated and recovered from the employee?

o If employees are allowed to add content to the company provided devices, who owns the content (i.e. applications, music, games, etc.)? How can this content be transferred prior to return of the device to the company?

o What mechanisms are available to deploy enterprise custom applications to the devices?

o Do the devices and management software include location based services that can track the location of the devices? If so, does the enterprise require a privacy policy for employees using the devices?

Planning Considerations – During Procurement

• Consider “friendly user” field tests of proposed devices to measure usability, assess potential risk and identify specific policy gaps

• Explore vendor security assets such as white papers, configuration guides, deployment tools and case studies

• Request results of mobile code and management software security code reviews and testing from short listed vendors

• Consider contacting other companies who have deployed similar devices to obtain their lessons learned

• Research reported security flaws and attacks against devices and operating systems using resources such as SearchSecurity.com, SANS.org and fiercewireless.com

Receipt of Devices and Distribution

• Consider having the devices delivered to a central location for inventory, staging, power on testing, configuration and preparation for issuance to employees. Test encryption and decryption if enabled.

• Verify that device packs are complete and include all accessories. Use barcode scanners if feasible.

• Determine if devices will be marked as company property and prepare durable labeling in advance. Use “return to if found” labels per enterprise policy.

• Collect basic device information for asset management purposes including the device serial number, IMEI and/or ICCID. (Some vendors may provide this information on a list with the devices.)

• Consider providing employees with documentation along with the device to include enterprise security and acceptable use policies, instructions on how to report problems, theft reporting procedures and a FAQ

• Consider using an inventory and pre-deployment checklist to support a sustainable and repeatable device preparation process

Device Issuance to Employees

• Determine the most appropriate way to distribute devices including to employees who may work from remote locations. If mailed, consider courier services or certified mail with delivery tracking. If done in person, determine if the carrier or manufacturer can assist in this process – particularly for large volumes.

• Consider having employees sign a receipt for the device and accessories which includes consent for the enterprise to access enterprise data on the device, employee return of the device on departure from the company, consent to track, device upgrade policy, etc. There should also be enterprise approved text on e-discovery requirements should the device be included in a legal discovery order.

• The receipt or accompanying documentation may include specific provisions for payment for personal use, payroll deduction for loss of the device or failure to return the device at the end of employment. This may also include the use of a promissory note if employees elect to retain the device if within the enterprise’s policy.

Considerations During Normal Operations

• Train the enterprise's Help Desk staff on mobile device policies and procedures. Establish Help Desk liaison arrangements with the carrier(s) and device provider(s) to rapidly address more complex technical issues.

• Arrange for the carrier(s) and device manufacturer(s) to provide security and technical alerts covering the services and devices

• Integrate mobile device use cases into the enterprise security violation, breach reporting and disaster recovery plans. Consider having prepared checklists for managing incidents involving loss of mobile devices containing sensitive or highly regulated information.

• Conduct periodic tests of incident handling procedures involving mobile devices.

• Consider including the mobile device program in internal audit plans to assess program effectiveness and perform periodic risk assessments

Recovery and End of Life

• The recovery process is an essential step in efficient mobile device management. Recovery is designed to prevent devices containing enterprise data from remaining outside the enterprise, passing out of the enterprise's control or being stored in various desk drawers within the organization when an employee departs

• Device recovery should be part of the employee out-processing process and enforced by both human resources and supervisors

• Recovery should be closely linked to the asset management process and inventories of mobile devices should be periodically audited for accurate counts

• The enterprise must have a process to remove sensitive data from devices prior to returning to the carrier or commercial salvage. This can include device wiping, overwriting data or removal of storage media

• As many mobile devices use solid state drives or non-volatile memory, traditional degaussing techniques will likely not be effective for pre-salvage preparations

• The organization should maintain accurate documentation detailing which devices have been transferred to the carrier or for salvage at end of life. This documentation will support asset management, e-discovery and possible claims that devices were not returned at the end of their useful life.

For More Information

Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Director, IT Risk and Security Assurance


Tel. +1 210 421-8233
