
Getting a Grip on Mobile Devices


kapila

Presentation Transcript


  1. Getting a Grip on Mobile Devices

  2. Last year thousands of travellers left personal items in London taxi cabs

  3. 27 toilet seats

  4. 4 sets of false teeth

  5. 3 dogs

  6. 2 babies

  7. 1 cat

  8. 1 pheasant

  9. Funeral ashes

  10. A dead body

  11. Over 50,000 mobile computing devices

  12. Devices can hold: 10k photos, 200k docs, 100k emails

  13. 10% capacity = LOST: 50M+ photos, 1B+ docs, 500M+ emails

  14. That's a lot of information!

  15. “73% of London businesses surveyed allowed employees to bring their own device to work for processing commercial information in 2013.” Ponemon Survey, February 2014

  16. How do you Get a Grip on that?

  17. Business Challenges

  18. Our Challenges

  19. Our Risks

  20. HISTORY Lesson

  21. History 101

  22. What’s Your Definition?

  23. Is it Definitive? • Copiers • Faxes • Scanners • Telephones • Coffee machines • Any device with memory capability that can be carried out.

  24. Top 10 Mobile Risks • Loss • Theft • Malware • Stealth installs • Data interception • Direct attack • Call hijacking • VPN hijacking • Session hijacking • Device hijacking

  25. Risk Du Jour

  26. How do you Get a Grip on that?

  27. Step 1 Quantify the Problem • Stop. • First measure the problem • Conduct a survey • How many devices? Running what applications? • Processing, storing, transmitting: what data? • Conduct a threat / risk assessment • Draft Asset Register • Draft Risk Register

  28. What’s the threat?

  29. Quantify: if the definition of a threat is the "expressed potential" for a "harmful event" to happen to your business, then ask: "What mobile device events would be harmful to your business?"

  30. What Applies?

  31. Step 2 Draft policies • Device ownership • Device liability • Acceptable devices • Acceptable use • Acceptable applications • Minimum device security requirements • Where to report lost/stolen devices • Security Awareness Program

  32. Consider… • Mandating use of PINs to access devices • Mandating use of complex passwords to access applications • Set max number of password failures • Set max days of non-use lock out • Specify password change interval • Prevent password reuse via password history • Set screen-lock

  33. Step 3 Configuration • Firewall • Anti-virus (Malware, Trojans, Spyware) • O/S Updates • Hardening • Back end support servers • VPN dual authentication

  34. Consider… • Adding or removing root certs • Configuring WiFi, including trusted SSIDs, passwords, etc. • Configuring VPN settings and usage • Blocking installation of additional apps from the App Store • Blocking geolocation • Blocking use of the iPhone’s camera • Blocking screen captures • Blocking use of the iTunes Music Store • Blocking use of YouTube • Blocking explicit content

  35. Step 4 Encryption • Data • Disk • Document, File & Folder • Laptop • Port & Device Controls • Removable Media & Device • Email Encryption

  36. Layers • Data • Disk • Document • File & Folder • Client Side • Laptop • Port & Device Controls • Removable Media & Device • Email

  37. Encryption Options • Database Encryption: Application-level encryption of data “at rest” in a database. • Disk Encryption: Disk-level encryption for all data on the logical or physical drive (user files, swap files, system files, page file). • Document Encryption: Application-level encryption of data in document format (Word / Excel, Notebook). • File & Folder Encryption: Application-level encryption method. • Client Side Encryption: Application-level encryption method used by servers to encrypt data on a computer that has connected to them.

  38. Options • Laptop Encryption: Operating system-level encryption method started at boot-up authorisation. • Port & Device Control: Monitor device usage and file transfer activity; controls access to laptop ports, devices and wireless networks. • Removable Media & Device Encryption (USB memory, CD, DVD): Read and write encrypted data on media. • Email Encryption: Dual-key method securing data in transit from the client. • Email Gateway Encryption: Automatic encryption and decryption of sensitive emails between email gateway and receiver.

  39. Step 5 Incident Response • Included in BC/DR plan • Backups • Alternatives: find it, track it, kill it

  40. How to Get a Grip • Quantify the problem • Policies • Configuration • Encryption • Incident Response

  41. DPA Mobile Security • Device security policy • Firewall • Anti-virus protection • O/S routinely updated • Latest patches or security updates installed • Access restricted on "need to know" principle • No password sharing • Encryption of personal information held on devices • Regular back-ups • Wipe data before disposal of device • Anti-spyware protection

  42. PCI Mobile Security • Device user security policy • Device labelled and listed on asset register • Firewall • Dual authentication • Encrypted VPN connection • Anti-virus protection • Anti-spyware protection • O/S routinely updated • Latest patches or security updates installed • Connection subject to testing • Access restricted on "need to know" principle • No password sharing

  43. ISO Mobile Security • Device user security policy • Device labelled and listed on asset register • Firewall • Dual authentication • Encrypted VPN connection • Anti-virus protection • Anti-spyware protection • O/S routinely updated • Latest patches or security updates installed • Connection subject to testing • Access restricted on "need to know" principle • Device must be password controlled

  44. Minimum Controls • Risk assessments • Device user security policy • Security awareness training • Information asset register • Device labelled and listed on asset register • Firewall • Dual authentication • Encrypted VPN connection • Anti-virus protection • Anti-spyware protection • O/S routinely updated & randomly audited • Latest patches or security updates installed • Device must be password controlled

  45. ISACA Plug

  46. 10 Rules of Mobile Security • If Dr. Evil can run his programs on your mobile device, it's not your device anymore. • If Dr. Evil can make changes to your mobile, it's not your mobile any more. • If Dr. Evil can upload programs to your network from your mobile, it's not your website anymore. • If Dr. Evil can access data entering or exiting your mobile, it's not your data any more. • If Dr. Evil uses your mobile to launch an attack on another network, it's your problem.

  47. 10 Rules • If Dr. Evil can use your mobile to access your partner's network, it's your problem. • If Dr. Evil can physically access your mobile device, it's not your data anymore. • More often than not, Mini-Me works for you. • Dr. Evil knows where you hide your spare keys. • Dr. Evil is always faster and smarter.
