
Security Awareness Training: Mobile Devices


DESCRIPTION

In a bring-your-own-device (BYOD) workplace, mobile security depends largely on the user behind the device. Strong security policies, the right technology and employee education enable your organization to protect sensitive corporate data on mobile devices. Learn how to educate employees on the importance of mobile security best practices:
- Develop security awareness training for users
- Address employee privacy concerns and fears
- Highlight pitfalls of jailbreaking or rooting a device
- Teach users to create strong passwords and identify mobile threats


Page 1: Security Awareness Training: Mobile Devices

Security Awareness Training: Mobile Devices

November 20, 2014 10:00 AM PST/1:00 PM EST

Sponsored by:

Join the conversation on Twitter - #SWwebcon

Page 2: Security Awareness Training: Mobile Devices

Web Conference Overview In a bring-your-own-device (BYOD) workplace, mobile security depends largely on the user behind the device. Strong security policies, the right technology and employee education enable your organization to protect sensitive corporate data on mobile devices. During today’s program, our experts will discuss how to educate employees on the importance of mobile security best practices.


Page 3: Security Awareness Training: Mobile Devices

Barbara Endicott-Popovsky Director, Center of Information Assurance and Cybersecurity at the University of Washington

Moderator

Barbara Endicott-Popovsky, Ph.D., CRISC, is Director for the Center of Information Assurance and Cybersecurity at the University of Washington and the Academic Director for the Masters in Infrastructure Planning and Management in the Urban Planning Department of the School of Built Environments.


Page 4: Security Awareness Training: Mobile Devices

Web Conference Agenda – Featured Presenters

Sandy Bacik, Security Professional, CISSP, ISSMP, CISM, CGEIT, CHS-III

Margaret Leary, Professor of IT/Cybersecurity, Northern Virginia Community College and George Mason University

David Lingenfelter, Information Security Officer, MaaS360, an IBM Company

Page 5: Security Awareness Training: Mobile Devices

Sandy Bacik Security Professional CISSP, ISSMP, CISM, CGEIT, CHS-III

Featured Presenter

Sandy Bacik, author and former CSO, has over 16 years direct information security experience in the areas of IT Audit, BCP/DR, Incident Response, Physical Security, Privacy, Regulatory Compliance, Policies/Procedures, Operations and Management. She also has an additional 15 years in Information Technology Operations.


Page 6: Security Awareness Training: Mobile Devices

Sandy Bacik, CISSP, ISSMP, CISM, CGEIT

Security Professional

Limiting Risk of Personal Mobility


Page 7: Security Awareness Training: Mobile Devices

Agenda

♦ What is personal mobility?
♦ What are the risks of personal mobility?
♦ How can you protect a personal mobile device?
♦ BYOD / BYOT in an enterprise environment

Page 9: Security Awareness Training: Mobile Devices

How Computing Has Changed

Mainframe and terminal
Desktop computer
Laptop
PDA
Smartphone
Tablet

Page 10: Security Awareness Training: Mobile Devices

How Can a Personal Mobile Device Be Used?

♦ Pros:
– Can be used to save a life
– Can be used to access and store information
– Can be used to communicate via many options: voice, text, email, and video

♦ Cons:
– May be damaged, lost or stolen
– Can be used to access, store and communicate inappropriate material
– Can disrupt the home or work environment
– Camera functions can lead to child protection and data protection issues with regard to inappropriate capture, use or distribution of images

Page 11: Security Awareness Training: Mobile Devices

So, My Mobile Device is Not Secured By Default?

♦ Applications downloaded on mobile phones and tablets can collect and transmit:
– Your location
– Private conversations
– Pictures
– Banking information
– And other sensitive data, even when the device is not in use (background services keep running)
♦ Growing potential for increasing risk to data, personal security and privacy

Page 12: Security Awareness Training: Mobile Devices

Rooted?

♦ Rooting (the Android term) is a device modification that gives the user unrestricted administrative access to the entire file system of the mobile device, bypassing the platform's sandbox.

♦ Jailbreaking is the iOS equivalent: it removes Apple's code-signing and sandbox restrictions so that unsigned apps can run with full file-system access.

♦ A rooted or jailbroken device may have been modified deliberately by its owner, but the same condition can also be the work of malware or an attacker. Either way, the protections the enterprise relies on (app sandboxing, code signing, keystore isolation) no longer hold, which is why MDM products treat root/jailbreak status as a compliance failure.

♦ The device is more exposed to malicious apps and to stability issues.

Page 13: Security Awareness Training: Mobile Devices

How Safe is Your Personal App Store?

♦ Every vendor and provider has a different privacy policy and end user license agreement; read them before trusting a store on a device that also holds corporate data.

♦ Store operators state that they are committed to protecting customers and their data, and to giving more transparency into the level of protection they offer, but the depth of app vetting differs from store to store.

♦ They recognize that customers want and need access to apps that do not infringe on their privacy or compromise their security.

Page 14: Security Awareness Training: Mobile Devices

Some Mobility Security Applications to Consider

♦ Find my phone
♦ Data backup
♦ Encrypted texting, phone calls, and emails
♦ Whole device encryption
♦ Secure password storage
♦ Call blocking
♦ Identity protection
♦ Anti-virus
♦ Anti-malware
♦ Website filtering
♦ Firewall

Page 15: Security Awareness Training: Mobile Devices

BYOD / BYOT IN AN ENTERPRISE


Page 16: Security Awareness Training: Mobile Devices

Personally Owned Device Risk to the Enterprise

♦ Uncontrolled endpoints
♦ Data leakage
♦ Malware
♦ Spam
♦ Lost device and data
♦ Communication interception
♦ Unsecured access
♦ Liability

Page 17: Security Awareness Training: Mobile Devices

What You Need to Implement Personal Mobility

♦ Mobile Device Management (MDM) – allows MYC to enforce corporate policies and validate security settings (passcode, encryption, OS level, root/jailbreak status) before access is granted
♦ Secure Mobile Messaging – allows MYC to store corporate email in an encrypted container on the device
♦ Mobile Application Platform – allows MYC to provide a set of tools and applications to users
♦ Perimeter, network, and host protections, including monitoring
♦ USER TRAINING – COMMUNICATION
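The "Rooted?" slide and the MDM bullet above describe the same control from two sides: the platform protections a rooted or jailbroken device loses, and the agent that validates security settings before corporate data is allowed on the device. The following is an added example, not code from the webcast or from any MDM vendor: a minimal compliance evaluation of a device posture, with root/jailbreak detection as the first gate. The device postures are constructed dictionaries standing in for what a real agent collects, and the indicator paths and policy thresholds are this example's own assumptions.

```python
"""Added example, not from the webcast slides: a minimal MDM-style
compliance check that "validates security settings" on a personally
owned device, with root/jailbreak detection as the first gate.

The device postures are constructed dictionaries standing in for what a
real agent collects; the indicator paths and policy thresholds are this
example's own assumptions, not any vendor's rules."""
from dataclasses import dataclass, field

# Files whose presence is a common root/jailbreak tell (su binaries and
# root managers on Android, Cydia/ssh on iOS). Assumed list; real agents
# also inspect build signatures, SELinux state and attestation results.
ROOT_INDICATOR_PATHS = {
    "android": ["/system/bin/su", "/system/xbin/su", "/sbin/su",
                "/system/app/Superuser.apk", "/data/adb/magisk"],
    "ios": ["/Applications/Cydia.app",
            "/Library/MobileSubstrate/MobileSubstrate.dylib",
            "/bin/bash", "/usr/sbin/sshd", "/private/var/lib/apt"],
}

# Enforcement actions, least to most severe; the worst finding wins.
SEVERITY = {"allow": 0, "warn": 1, "block": 2, "wipe_container": 3}


@dataclass
class Policy:
    min_os: dict                      # platform -> minimum version string
    min_passcode_len: int = 6
    require_encryption: bool = True
    max_days_since_checkin: int = 7   # silent device = unknown state


@dataclass
class Verdict:
    action: str = "allow"
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return self.action == "allow"

    def add(self, action: str, finding: str) -> None:
        self.findings.append(finding)
        if SEVERITY[action] > SEVERITY[self.action]:
            self.action = action


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def root_indicators(posture: dict) -> list:
    """Return the root/jailbreak indicators seen on this device."""
    platform = posture["platform"]
    present = set(posture.get("paths_present", []))
    hits = [p for p in ROOT_INDICATOR_PATHS[platform] if p in present]
    if platform == "android":
        if "test-keys" in posture.get("build_tags", ""):
            hits.append("build signed with test-keys")
        if posture.get("bootloader_unlocked"):
            hits.append("bootloader unlocked")
    return hits


def evaluate(posture: dict, policy: Policy) -> Verdict:
    """Apply the policy to one device posture and decide what IT does."""
    verdict = Verdict()
    hits = root_indicators(posture)
    if hits:
        # Sandbox and code signing can no longer be trusted: pull the
        # corporate container rather than merely warning the user.
        verdict.add("wipe_container", "rooted/jailbroken: " + ", ".join(hits))
    if policy.require_encryption and not posture.get("storage_encrypted"):
        verdict.add("block", "device storage is not encrypted")
    if posture.get("passcode_length", 0) < policy.min_passcode_len:
        verdict.add("block", f"passcode shorter than {policy.min_passcode_len}")
    minimum = policy.min_os[posture["platform"]]
    if parse_version(posture["os_version"]) < parse_version(minimum):
        verdict.add("warn", f"OS {posture['os_version']} below minimum {minimum}")
    if posture.get("days_since_checkin", 0) > policy.max_days_since_checkin:
        verdict.add("block", "device has not checked in; state unknown")
    return verdict


# Constructed sample postures (not real device data).
POLICY = Policy(min_os={"android": "4.4", "ios": "8.0"})
SAMPLE_DEVICES = {
    "compliant_android": {
        "platform": "android", "os_version": "5.0.1", "storage_encrypted": True,
        "passcode_length": 8, "days_since_checkin": 1,
        "paths_present": ["/system/bin/sh"], "build_tags": "release-keys",
        "bootloader_unlocked": False},
    "jailbroken_ios": {
        "platform": "ios", "os_version": "8.1", "storage_encrypted": True,
        "passcode_length": 4, "days_since_checkin": 0,
        "paths_present": ["/Applications/Cydia.app", "/usr/sbin/sshd"]},
    "stale_android": {
        "platform": "android", "os_version": "4.3", "storage_encrypted": False,
        "passcode_length": 6, "days_since_checkin": 12,
        "paths_present": [], "build_tags": "release-keys",
        "bootloader_unlocked": False},
}

if __name__ == "__main__":
    for name, posture in SAMPLE_DEVICES.items():
        v = evaluate(posture, POLICY)
        print(f"{name}: action={v.action}")
        for finding in v.findings:
            print("   -", finding)
```

The design point is the severity ladder: a root or jailbreak finding is not just one more policy miss, it invalidates every other setting the agent reports (a rooted device can lie about its own encryption state), so it drives the most severe action on its own, while a device that has simply gone quiet is blocked until it reports again rather than wiped.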

Page 18: Security Awareness Training: Mobile Devices

Published MYC Mobile Policies and Procedures

♦ Policy: MYC Owned Mobile Devices
♦ Procedure: Requesting a MYC Owned Mobile Device
♦ Procedure: Non-MYC-Owned Device Minimum Security Standard
♦ Form: MYC Stewardship Agreement (Non-MYC-owned Devices)
♦ Training course: training for a non-MYC-owned device
♦ Communicate, communicate, communicate
♦ Privacy of personal mobility

Page 19: Security Awareness Training: Mobile Devices

Tie Your Mobility Practices into Other Documents

♦ Code of Conduct
♦ Computer System Security
♦ Employee Conduct
♦ Protection of Confidential Information and Trade Secrets
♦ Electronic Information and Communication Policy
♦ Dissemination of Information
♦ Information Security

Page 20: Security Awareness Training: Mobile Devices

User Responsibilities Include, But Are Not Limited To

♦ You may connect to the BYOD wireless network but are prohibited from connecting to the CORPNET or GUESTNET wireless networks.
♦ You may not connect the personal device to the MYC network via MYC VPN.
♦ You may not forward MYC sponsored or owned phone numbers to a personal device.
♦ You are responsible for the protection of the MYC information asset being accessed by adhering to all MYC policies and procedures.
♦ You are responsible for all expenses and communication plans on the personal device except as agreed to for MYC approved international travel.

Page 21: Security Awareness Training: Mobile Devices

User Responsibilities Include, But Are Not Limited To

♦ You will allow MYC IT to install mobile device security standards on the personal device, including encryption and password protection.
♦ You are prohibited from jailbreaking, rooting or otherwise circumventing the built-in security of a personal device after MYC mobile device security standards have been installed.
♦ You agree that MYC will not be held liable should anything happen to the personal device.
♦ You will notify IT within 48 hours of loss of your personal device.
♦ You will protect all passwords which enable access to MYC assets. If you suspect a compromise, you will change the password immediately and advise the IT Help Desk.

Page 22: Security Awareness Training: Mobile Devices

Strategy Summary

♦ Manage and protect what matters to the enterprise
♦ Pay attention to service delivery to the business community
♦ Be clear on roles, responsibilities, and ownership
♦ Ensure users understand what can happen
♦ Train users – over-communicate
♦ Integrate into your environment documents or a program

Page 23: Security Awareness Training: Mobile Devices

Sandy Bacik Security Professional CISSP, ISSMP, CISM, CGEIT, CHS-III

Thank You!


Questions?

Page 24: Security Awareness Training: Mobile Devices

Featured Presenter

Dr. Margaret Leary, CISSP, CIPP/G, CRISC, is a Professor of IT/Cybersecurity at Northern Virginia Community College and George Mason University. She serves as the Director, Curriculum of the National CyberWatch Center and has been a member of the NCC Leadership Team for the past 8 years.


Margaret Leary Professor of IT/Cybersecurity Northern Virginia Community College and George Mason University

Page 25: Security Awareness Training: Mobile Devices


Mobile Device Security: Expanding Threats

Dr. Margaret Leary

CISSP, CIPP/G, CRISC


Page 26: Security Awareness Training: Mobile Devices

Expanding Mobile Threats

• Mobile threats are expanding globally
– Financially-motivated attacks
– Malware
– Cross-platform threats
• Many of these new threats leverage traditional PC-type malware
• While most (90%) target Android, iPhone attacks are on the rise

Page 27: Security Awareness Training: Mobile Devices

Malware Attacks

• Malware is a much greater threat than loss of the phone, yet most BYOD policies are focused on loss or theft of the phone
• Sophos Labs reports seeing more than 2,000 pieces of mobile malware every day*. In some countries, mobile devices are attacked more than PCs.
– Attacks on availability – turning smartphones into bots on a botnet, or locking them with ransomware
– Attacks on confidentiality – an attacker remotely enabling the microphone or camera

*http://www.sophos.com/en-us/threat-center/mobile-security-threat-report.aspx

Page 28: Security Awareness Training: Mobile Devices

What If?

• Your connected smartphone is used as a conduit to inject malware into your car?

• Your phone is connected to a health monitoring device, and that health information is disclosed, or worse, modified by an attacker?

• Your smartphone is connected to your smart home?


Page 29: Security Awareness Training: Mobile Devices

The Problem

• The same threats exist for mobile devices as for PCs
• Increased connectivity
• Users who are too trusting
• Current market dynamics

Page 30: Security Awareness Training: Mobile Devices

Common Mobile Application Development Mistakes

• Insecure data storage
• Weak server-side controls
• Insufficient transport layer protection
• Poor authentication and authorization mechanisms
• Insufficient testing

Page 31: Security Awareness Training: Mobile Devices

Common Mobile Application Development Solutions

• Encrypt! Sensitive data at rest should be encrypted, not merely placed in app-private storage
• Security should use a "layered" approach
• Use TLS (HTTPS) to encrypt the session, and validate the server certificate and hostname; SSL 2/3 are obsolete
• Don't store passwords in plain text; store a salted, slow hash, or keep credentials in the platform keystore
• Generate credentials (tokens, session IDs, keys) from a cryptographically secure random source, never from a time-seeded PRNG
• Test, test, and test again!!!
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_Testing
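Three of the items on the two slides above (insecure data storage / plaintext passwords, weak credential generation, and insufficient transport protection) are concrete enough to show as code. The following is an added example, not code from the webcast or from OWASP: each mistake is written next to its hardened form, using only the Python standard library. Function names and the constructed sample values are this example's own. Encrypting data at rest (the "Encrypt!" item) needs a third-party library and is not shown.

```python
"""Added example, not from the slides: insecure/hardened pairs for
password storage, credential generation and TLS client configuration,
using only the Python standard library. Names and sample values are
this example's own."""
import hashlib
import hmac
import random
import secrets
import ssl
import time

PBKDF2_ITERATIONS = 200_000   # assumed cost; tune to ~100 ms on the target


# --- "Don't store passwords in plain text" --------------------------------
def store_password_insecure(store: dict, user: str, password: str) -> None:
    # MISTAKE: plaintext in app storage; any backup or root shell reads it.
    store[user] = password


def store_password(store: dict, user: str, password: str) -> None:
    # FIX: per-user random salt + slow PBKDF2-HMAC-SHA256; only the
    # salt, hash and cost parameter go to disk.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    store[user] = {"salt": salt.hex(), "hash": digest.hex(),
                   "iterations": PBKDF2_ITERATIONS}


def verify_password(store: dict, user: str, password: str) -> bool:
    record = store.get(user)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    # constant-time comparison: no timing leak of how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# --- "Generate credentials securely" --------------------------------------
def session_token_insecure(now=None) -> str:
    # MISTAKE: time-seeded PRNG; anyone who knows roughly when the token
    # was issued can regenerate it (the `now` parameter makes that visible).
    random.seed(int(time.time() if now is None else now))
    return "%08x" % random.getrandbits(32)


def session_token() -> str:
    # FIX: 256 bits from the OS CSPRNG, URL-safe for use in headers.
    return secrets.token_urlsafe(32)


# --- "Use TLS (HTTPS) to encrypt the session" -----------------------------
def tls_context_insecure() -> ssl.SSLContext:
    # MISTAKE: the "make the certificate error go away" fix seen in many
    # apps; any on-path attacker can now present their own certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context() -> ssl.SSLContext:
    # FIX: system trust store, hostname verification, TLS 1.2 or newer.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def transport_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Check a context the way a code review or pentest would."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    users = {}
    store_password(users, "alice", "correct horse battery staple")
    print("alice record:", users["alice"])
    print("verify right:", verify_password(users, "alice", "correct horse battery staple"))
    print("verify wrong:", verify_password(users, "alice", "Tr0ub4dor&3"))
    print("insecure tokens, same second:",
          session_token_insecure(1416480000), session_token_insecure(1416480000))
    print("secure token:", session_token())
    print("insecure ctx hardened?", transport_is_hardened(tls_context_insecure()))
    print("default ctx hardened?", transport_is_hardened(tls_context()))
```

The `now` argument on the insecure token generator is there only to make the weakness reproducible: two calls with the same timestamp return the same token, which is exactly what an attacker who can guess the issue time exploits. `transport_is_hardened` is the kind of check to put in a unit test so that a later "quick fix" disabling certificate validation fails the build.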

Page 32: Security Awareness Training: Mobile Devices

Additional Countermeasures

• Train your users AND your app developers!
• Develop a Secure Mobile Application Development Policy for developers
• Keep patches updated
• Keep phones in lockers or bags
• Think twice about any app you download

Page 33: Security Awareness Training: Mobile Devices

Thank You!


Questions?

Margaret Leary Professor of IT/Cybersecurity Northern Virginia Community College and George Mason University

Page 34: Security Awareness Training: Mobile Devices

Featured Presenter

David has over 20 years of experience with risk management, information security, compliance and policy development, and currently heads security and compliance at Fiberlink Communications.


David Lingenfelter Information Security Officer MaaS360, an IBM Company

Page 35: Security Awareness Training: Mobile Devices

Balancing Security and Opportunity in the Mobile Era

Tackling Mobile Security with a Layered Defense

David Lingenfelter @Simply_Security

Page 36: Security Awareness Training: Mobile Devices

New = Scary


Page 37: Security Awareness Training: Mobile Devices

Old = Comfortable


Page 38: Security Awareness Training: Mobile Devices

Change is inevitable


Page 39: Security Awareness Training: Mobile Devices

Mobile technologies are more empowering


of employed adults use at least one personally-owned mobile device for business

Mobile workers will use at least one business-focused app this year

yearly increase in revenue from people using mobile devices to purchase items.

Page 40: Security Awareness Training: Mobile Devices

But security threats are even greater


Threats on your employees

Threats on your customers

of financial apps on Android have been hacked

of Top 100 Android apps have been hacked

annual cost of crime

Page 41: Security Awareness Training: Mobile Devices

IT's Role and Focus Has Changed

Many different use cases within a single company:

• Corporate Owned
• BYOD
• Shared Devices
• Cart Devices
• Kiosk Devices
• Data Leakage
• Apps Blacklisting
• URL Filtering
• SharePoint/EFSS
• Intranet Access

Page 42: Security Awareness Training: Mobile Devices

These Don’t Help…


• Compliance • Rules/Regulations • Privacy • Intellectual Property • Legal


Page 43: Security Awareness Training: Mobile Devices

Embrace The New Normal

Mobile is becoming THE IT platform

Go beyond enabling these new devices:
– Mobile utilization of corporate network/resources
– Separation of corporate & personal apps/data
– App management & security (and app dev assist)
– Identity, context and more sophisticated policy

Page 44: Security Awareness Training: Mobile Devices

So what does it take to Enable all of this…


Page 45: Security Awareness Training: Mobile Devices

…and the Right Technology

• Mobile Device Management

• Mobile App Management

• Mobile Content Management

• Mobile Enterprise Gateway

• File Edit, Sync, and Share


Page 46: Security Awareness Training: Mobile Devices

MaaS360 Layered Approach

Secure the Device

Secure the Content

Secure the App

Secure the Network

Separating Corporate and Personal Lives


Page 47: Security Awareness Training: Mobile Devices

Secure the Device

Dynamic security and compliance features continuously monitor devices and take action.


Page 48: Security Awareness Training: Mobile Devices

Secure the Container: Mail & Content

An office productivity app with email, calendar, contacts, & content

Page 49: Security Awareness Training: Mobile Devices

Secure the App


Enhancing private and public app security through (SDK or wrapping) code libraries and policies

Page 50: Security Awareness Training: Mobile Devices

Secure the Network

A fully-functional web browser to enable secure access to corporate intranet sites and enforce compliance of policies


Page 51: Security Awareness Training: Mobile Devices

When you do this, expect great things

Gaming and Entertainment
• Need – Reduce drink wait times
• Solution – Locked down tablet with enterprise app
• Outcome – Reduced drink wait times from 20 minutes to 4 minutes with a single managed tablet and app
• Ended up also using tablets to check in guests

Page 52: Security Awareness Training: Mobile Devices

When you do this, expect great things

Highly Regulated Industry
• Need – Secure email
• Solution – Implement secure email container
• Outcome – Meet regulatory requirements
• Now also delivers sensitive documents

Page 53: Security Awareness Training: Mobile Devices

When you do this, expect great things

Education
• Need – Help students with learning disabilities
• Solution – iPads with customized policies for each student
• Outcome – Unique learning environment to suit a large spectrum of student abilities
• Improved quality of life

Page 54: Security Awareness Training: Mobile Devices

Being Productive and Secure

MaaS360 Trusted Workplace™
• Continuously assess context & usage
• Real-time controls of entitlements
• Secure data at rest, in motion, & in use
• Enterprise access controls
• Native controls or container
• BYOD privacy protections

MaaS360 Secure Productivity Suite
• Secure Mail
• File Sync, Edit & Share
• App Security & Management
• Enterprise Gateway

Page 55: Security Awareness Training: Mobile Devices

Why Customers Choose MaaS360

Easiest to Deploy and Scale Mobile Device, App, and Content Management & Security platform

For organizations that are…
• Embracing multi-OS environments (iOS, Android, Windows Phone)
• Allowing Bring-Your-Own-Device (BYOD) programs
• Developing and deploying mobile apps (public and private)
• Enabling corporate content on mobile devices securely (push and pull)
• AND MORE….

Page 56: Security Awareness Training: Mobile Devices

Wrap-up
• Unlocking productivity with apps and content
• Capabilities exist today to enable this
• Take a layered approach to security

You can do it now: empower users, build trust. Do it with IBM MaaS360.

David Lingenfelter @simply_security

Page 57: Security Awareness Training: Mobile Devices

Thank You!


Questions?

David Lingenfelter Information Security Officer MaaS360, an IBM Company

Page 58: Security Awareness Training: Mobile Devices

Open Discussion

Sandy Bacik, Security Professional, CISSP, ISSMP, CISM, CGEIT, CHS-III

Margaret Leary, Professor of IT/Cybersecurity, Northern Virginia Community College and George Mason University

David Lingenfelter, Information Security Officer, MaaS360, an IBM Company

Page 59: Security Awareness Training: Mobile Devices

Barbara Endicott-Popovsky Director, Center of Information Assurance and Cybersecurity at the University of Washington

Closing Remarks

Thoughts on Security Awareness Training: Mobile Devices


Page 60: Security Awareness Training: Mobile Devices

Thank you MaaS360 for making today’s program possible!

SecureWorldExpo.com

Visit us for the latest security news and blogs from industry leaders.

Thank you for attending today’s web conference. Join us on December 4 for

“Target One Year Later: What Have We Learned?”

Questions? Idea for a topic? Contact Tom Bechtold – [email protected]