Valid concerns about mobile security and how to address them
Institute of Management Consultants and Advisers
Dublin, 19th June 2013
Thursday 20 June 13 (c) VigiTrust 2003-2013
www.vigitrust.com
Today's Presentation
• Setting the Scene – Defining Mobility
• BYOD & Application Security – two key Mobility topics right now
• Preparing for Security-Enabled Mobility
• 2013-2015 Outlook
• Q&A
About VigiTrust
Compliance as a Service
• SECURITY TRAINING & eLEARNING – Online training for management and staff
• COMPLIANCE, READINESS & VALIDATION – Comprehensive online programs to achieve and maintain compliance
• SECURITY & GRC SERVICES – Professional services to enable and support your compliance process
The 5 Pillars of Security Framework™: Physical Security; People Security; Data Security; IT Security; Crisis Management
Chief Security Officer – Project leader for all security-related matters
• PHYSICAL SECURITY – Access to building; physical assets; IT hardware; vehicle fleet. Owners: Operations Manager, Security Staff
• PEOPLE SECURITY – Permanent & contract staff; partners; 3rd-party employees; visitors; special events security. Owners: HR, Security Staff
• DATA SECURITY – Trade secrets; employee data; database; customer data. Owners: HR, IT Team & Manager
• INFRASTRUCTURE SECURITY – Networks; remote sites; remote users; application security; website; intranet. Owners: IT Team & Manager
• CRISIS MANAGEMENT – Documentation & work procedures; emergency response plans; business continuity plans; disaster recovery plans. Owners: Operations Manager, IT Team, HR
Best Practice Security Framework for Enterprise
Existing eLearning Portfolio
eSEC Portfolio US – Existing
• HIPAA
• NERC-CIP 101
• MA 201
• Understanding Data Breach Notification Requirements
eSEC Portfolio EMEA – Existing
• Data Protection Fundamentals
• Credit Card Security
• Introduction to PCI DSS
• Banking & Fraud
• Green IT & Security
• ISO IT & SDLC
• Security During M&A Process
eSEC Portfolio Generic Training – Existing
• Info Security 101
• Mobility & Security
• Security of Social Networks
• Cloud Computing & Security 101
• Physical Security for Good Logical Security
eSEC Portfolio Technical Training – Existing
• Secure Coding for PCI DSS
• Introduction to Secure Printing
• Log Management & Security
• Wireless Security
Mathieu Gorge CEO & Founder, VigiTrust
European PCI DSS Roadshow
(Disclaimer: Outside Reviewer)
Setting the scene
A Few Telling Security Facts & Figures
• Veracode Security Survey
– "During our initial analysis of mobile applications we found that 91% of the top mobile apps unnecessarily expose a user's personally identifiable information"
– "Despite this, most mobile users and businesses aren't aware of the risk these apps pose to their organization"
• Gartner – 2013 – "Mobile computing raises new security concerns in an increasingly mobile world, where devices may be employee-owned, frequently changed, and used for both personal and business purposes"
• ABI Research Mobility Survey – Opportunities for Services
– ABI Research estimates that mobile security services will total $1.88 billion by the end of 2013
– Network security, managed security and professional services are set to become the biggest categories for business-to-business mobile security
– Vendors such as AdaptiveMobile and F-Secure are well placed to consolidate their position for carrier-grade security solutions
– Players offering highly innovative solutions in niche markets include Aujas Networks (India) with professional services and Zimperium (Israel) for mobile IDS/UTM
• The role of consultants & security professionals is key to balancing mobility opportunities vs security challenges
Security Challenges associated with Mobile Devices & Mobile Application roll-outs
• Technical security challenges
– Malware
– Smishing (SMS phishing)
– Bluesnarfing
– Data leakage
– Data loss – who is responsible (device owner, app provider, operator, user)?
• Usage security challenges
– Applications on the mobile device – which ones?
– Geolocation
– Social media is going mobile – major risks for the organization
– Managing the blur between private and professional life on private and corporate devices
• Operational security challenges
– Business continuity – what happens if personal devices are lost? Who pays to replace the device in the case of BYOD?
• Legal challenges
– Data Protection Act compliance
– eDiscovery challenges
Security Challenges associated with Mobile Applications
• How secure is the mobile app?
– Security by design?
– Benchmarked against OWASP & SANS?
– Mobile app web testing?
• Does the mobile app impact data security?
– The answer is always yes – but to what extent?
– Is the app sending data back to a corporate network and/or the Cloud?
– Where is the data kept? For how long? Etc…
• Data protection considerations
– Social media app? Major risks for the organization because of social network architectures
– Managing the blur between private and professional life on private and corporate devices
• Payment via mobile app? – PCI DSS considerations
Policies must focus on what mobile devices allow users to do and what is deemed acceptable
• View / access corporate data
– See e-mails: view/answer/save/delete
– Access corporate files: view/access; modify/save/delete?
– Access corporate ERP/CRM files: basic access; limited interaction; full access (some functionality tends to be lost in any case)
– VPN-based access to DMZs
– Internet browsing
– Sending pictures, e.g. some US banks accept picture copies of checks sent in by mail or MMS
– The odd phone call…
• All of the above must be made clear to users in an AUP!
Best practices to address BYOD security challenges
• Classification is key
– Data classification: what data should really be seen/accessed/processed on mobile devices?
– Device classification: phones; smartphones (BlackBerry/iPhones/Androids); tablets/iPads
– User classification: who needs a mobile device? What do they need it for, and what is the business justification?
• Policies & procedures
– AUP & associated initial and yearly refresher training
– Operational procedures
• What do you do next?
– Policies & procedures: draw up a list of P&Ps in place at your organization
– Technical solutions: update your network diagram + pen test – include BYOD devices as assets
– Awareness training: identify in-scope employees and start the education process
• Consider implementing a concierge service
– Contract amendments between employers/employees
BYOD – Recommended Reading
• 3 US Federal Government BYOD case studies with some interesting statistics
– Equal Employment Opportunity Commission – 75% never used the government-supplied device to make calls – case study on BYOD cost savings
– Alcohol and Tobacco Tax and Trade Bureau – developed a USB device that turns old desktops/laptops into a thin client
– State of Delaware – reimbursement plan
• Links to good information for your IT & legal teams to consider
– Bring-your-own-device (BYOD) and legal/regulatory compliance
– Top 10 consumerization and BYOD tips of 2012
– (ISC)2 2013 Global Information Security Workforce Study
– FTC Mobile Privacy Disclosures – focus on app security
– www.sophos.com – Mobile Security Toolkit
– Upcoming VigiTrust events: PCI DSS One Day Workshops (IT Solutions), RSA Security Conference, European PCI DSS Roadshow
Technical solutions typically required for traditional security
• Anti-Virus / Anti-Spam
• Firewalls & VPNs
• IDS/IPS
• Web filtering / mail filtering
• IM monitoring
• File integrity
• SIEM – central log solutions
• Asset management
• PSD Mgt/Control
• Encryption – at rest, in transit, in use
• Bad news: all of the above should and does apply to mobile security
• Good news: it's really not rocket science!
Security & GRC Process
Regulatory, Legal & Corporate Governance Frameworks: SOX, ISO 27000 series, EU Data Protection, PCI DSS, HIPAA, others
• Step 1 – Education, Security & Awareness
• Step 2 – Self-Governed Pre-Assessment
• Step 3 – Security Blueprint for Remediation Work: Policies & Procedures; Network & Hardware Security; Pen-Testing & Application Security
• Step 4 – Official Assessors & Auditors
• Step 5 – Specialized Skills Transfer
Corporate Culture & Risk Management – The Overall Picture
• Corporate Values and Corporate Ecosystem
• Risk Management & Safeguards – Risk Management Strategy for internal and/or external Risk Management Teams
• DPA, PCI DSS & ISO 27001 compliance
• Residual risk surface which needs to be managed by your organization
Outlook for 2013-2015 in the Mobility Industry & Spheres
• Every business is going mobile
– For good reasons – commercial opportunities
– For the wrong reasons: because my competitor has a mobile app so I need one too…regardless of security concerns
• New Internet of Things
– According to NPD Group – US: 5.7 internet-enabled devices in the home
– Your own mobile internet-enabled ecosystem must be kept secure
• Mobility & Security – two sides of the same coin
– Especially as regards payments – fraud is up in cashless payments
– Prepaid – NFC – Contactless
– Very little implementable guidance available from PCI DSS, but this will change as security associations are taking over: ISACA, ISSA
Best Practices – Designing & Deploying Secured Mobile Fleets & Apps
• What first steps can you take?
– Remember the five accreditation process steps: Education; Pre-assessment (internal); Remediation; Actual assessment; Continuous compliance
– Mix of 3 key elements: Policies & procedures; Technical solutions; Awareness training
– What do you do next?
• Policies & procedures: draw up a list of P&Ps in place at your organization
• Technical solutions: update your network diagram + app pen test
• Awareness training: identify in-scope employees and start the education process
[email protected] http://www.linkedin.com/in/mgorge
www.vigitrust.com
Changes to Data Protection in the EU (as proposed in the Commission's 2012 draft regulation)
• Not a directive but a single regulation across the EU
– Harmonization at European level…but with challenges
• Applies to companies based outside the EU if personal data is handled abroad by companies that are active in the EU and offer services to EU citizens
• Right to be forgotten
• Controllers' responsibilities
– Policies & procedures
– Staff training
• Data processing impact assessment – if any data is likely to present risks to individuals
• Security – both processors and controllers must put security measures in place
• Data breach notification – within 24 hours of becoming aware of the breach (under the 2012 proposal)
• Data portability (service providers) & data transfers
• Data Protection Officers
Intersection between PCI DSS compliance and the DPA
• Need for appropriate levels of security
• Compliance with PCI DSS should enable compliance with key provisions of the DPA
• The ICO in the UK made an example of Lush (Lush Cosmetics Ltd)
– "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times"
– For online retailers, the PCI DSS is clearly now best practice
– Adherence to the PCI DSS should ensure compliance with the security obligations under the Act
– The undertaking from Lush requires them to store only the minimum amount of payment data necessary to receive payments, and to keep it for no longer than necessary
Clear Overlap between DPA & PCI DSS Requirements:
• Information security policies
– Under the new data protection laws, policies and processes will be key, as transparency takes centre stage
• Protect personal data – PHI, CHD, PII
– Encryption of personal data will avoid the need to contact every data subject in the event of a breach
• Privacy by Design
– Personal data should only be processed for the specific purpose for which it was collected, and not be retained beyond the minimum necessary – both in terms of amount and time