Getting a Grip on Mobile Devices
Last year thousands of travellers left personal items in London taxi cabs
27 toilet seats
4 sets of false teeth
3 dogs
2 babies
1 cat
1 pheasant
Funeral ashes
A dead body
Over 75,000 mobile computing devices
These devices can hold
10k photos
200k docs
100k emails
How do you Get a Grip on that?
Top 10 Risks
1. Loss
2. Theft
3. Malware
4. Stealth installs
5. Data interception
6. Direct attack
7. Call hi-jacking
8. VPN hi-jacking
9. Session hi-jacking
10. Device hi-jacking
Step 1
Quantify the Problem
• Stop.
• First measure the problem
• Conduct a survey
• How many devices? Running what applications?
• Processing, storing, transmitting: what data?
• Draft Asset Register
• Draft Risk Register
Step 2
Draft policies
• Device ownership
• Device liability
• Acceptable devices
• Acceptable use
• Acceptable applications
• Minimum device security requirements
• Where to report lost/stolen devices
• Security Awareness Program
Consider…
• Mandating the use of PINs to access devices
• Mandating use of complex passwords to access applications
• Set max number of password failures
• Set max days of non-use lock out
• Specify password change interval
• Prevent password reuse via password history
• Set screen-lock
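The access controls listed above can be checked automatically against a device inventory. The following is an added example, not part of the original slides; the field names, threshold values and sample inventory are constructed assumptions.

```python
# Thresholds are assumed for illustration; the slides name the controls
# but give no numbers. Field names are hypothetical, not an MDM schema.
BASELINE = {
    "pin_required": ("eq", True),
    "complex_app_passwords": ("eq", True),
    "max_failed_attempts": ("max", 10),
    "inactivity_lockout_days": ("max", 30),
    "password_max_age_days": ("max", 90),
    "password_history": ("min", 5),
    "screen_lock_seconds": ("max", 300),
}

def audit_device(settings, baseline=BASELINE):
    """Return (control, reason) findings for one device's reported settings."""
    findings = []
    for control, (rule, limit) in baseline.items():
        value = settings.get(control)
        is_number = isinstance(value, int) and not isinstance(value, bool)
        if value is None:
            # Survey gaps are findings too: an unknown setting is not a safe one.
            findings.append((control, "not reported"))
        elif rule == "eq":
            if value is not limit:
                findings.append((control, f"expected {limit}, got {value!r}"))
        elif not is_number or value <= 0:
            # Assumption: 0 means the limit is switched off on the device.
            findings.append((control, "disabled or invalid"))
        elif rule == "max" and value > limit:
            findings.append((control, f"{value} exceeds maximum {limit}"))
        elif rule == "min" and value < limit:
            findings.append((control, f"{value} below minimum {limit}"))
    return findings

def audit_fleet(inventory):
    """Map device id -> findings, listing only non-compliant devices."""
    report = {dev: audit_device(cfg) for dev, cfg in inventory.items()}
    return {dev: found for dev, found in report.items() if found}

# Constructed sample inventory (not real data).
GOOD = {"pin_required": True, "complex_app_passwords": True,
        "max_failed_attempts": 5, "inactivity_lockout_days": 14,
        "password_max_age_days": 60, "password_history": 8,
        "screen_lock_seconds": 120}
INVENTORY = {
    "phone-001": GOOD,
    "phone-002": dict(GOOD, pin_required=False, max_failed_attempts=0,
                      password_max_age_days=365, password_history=2),
    "tablet-003": {"pin_required": True},  # incomplete survey response
}
```

The findings per device can feed the draft Risk Register from Step 1, with "not reported" entries marking where the survey needs a follow-up.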
Step 3
Configuration
• Firewall
• Anti-virus (Malware, Trojans, Spyware)
• O/S Updates
• Hardening
• Back end support servers
• VPN dual authentication
Consider…
• Adding or removing root certs
• Configuring WiFi including trusted SSIDs, passwords, etc.
• Configuring VPN settings and usage
• Blocking installation of additional apps from the AppStore
• Blocking GeoLocation
• Blocking use of the iPhone’s camera
• Blocking screen captures
• Blocking use of the iTunes Music Store
• Blocking use of YouTube
• Blocking explicit content
Step 4
Encryption
• Data
• Disk
• Document, File & Folder
• Laptop
• Port & Device Controls
• Removable Media & Device
• Email
Step 5
Incident response
• Included in BC/DR Plan
• Back ups
• Alternatives:
  – Find it
  – Track it
  – Kill it
How to Get a Grip
• Quantify the problem
• Policies
• Configuration
• Encryption
• Incident Response
Source
the problem in hand
26 Dover Street
London
United Kingdom
W1S 4LY
+44 (0)20 3586 1025
www.riskfactory.com
A different perspective