Getting a Grip on Mobile Devices. Last year thousands of travellers left personal items in London taxi cabs.

27 toilet seats

4 sets of false teeth

3 dogs

2 babies

1 cat

1 pheasant

Funeral ashes

A dead body

Over 50,000 mobile computing devices

Devices can hold 10k photos, 200k docs, 100k emails

10% capacity = +50m photos, +1B docs, +500M emails

That's a lot of information!

“73% of London businesses surveyed allowed employees to bring their own device to work for processing commercial information in 2013.” (Ponemon survey, February 2014)

How do you Get a Grip on that?

Business Challenges

Our Challenges

Our Risks

HISTORY Lesson

History 101

What’s Your Definition ?

Is it Definitive? Copiers, faxes, scanners, telephones, coffee machines: any device with memory capability that can be carried out.

Top 10 Mobile Risks
1. Loss
2. Theft
3. Malware
4. Stealth installs
5. Data interception
6. Direct attack
7. Call hi-jacking
8. VPN hi-jacking
9. Session hi-jacking
10. Device hi-jacking

Risk Du Jour

How do you Get a Grip on that?

Step 1: Quantify the Problem
Stop. First measure the problem.
Conduct a survey:
How many devices?
Running what applications?
Processing, storing, transmitting: what data?
Conduct a threat / risk assessment
Draft Asset Register
Draft Risk Register

What’s the threat?

Quantify: if the definition of a threat is the "expressed potential" for a "harmful event" to happen to your business, then ask: "What mobile device events would be harmful to your business?"

What Applies?

Step 2: Draft policies
Device ownership
Device liability
Acceptable devices
Acceptable use
Acceptable applications
Minimum device security requirements
Where to report lost/stolen devices
Security Awareness Program

Consider…
Mandating use of PINs to access devices
Mandating use of complex passwords to access applications
Set max number of password failures
Set max days of non-use lock out
Specify password change interval
Prevent password reuse via password history
Set screen-lock

Step 3: Configuration
Firewall
Anti-virus (Malware, Trojans, Spyware)
O/S Updates
Hardening
Back end support servers
VPN dual authentication

Consider…
Adding or removing root certs
Configuring WiFi including trusted SSIDs, passwords, etc.
Configuring VPN settings and usage
Blocking installation of additional apps from the AppStore
Blocking GeoLocation
Blocking use of the iPhone’s camera
Blocking screen captures
Blocking use of the iTunes Music Store
Blocking use of YouTube
Blocking explicit content


Step 4: Encryption
Data
Disk
Document, File & Folder
Laptop
Port & Device Controls
Removable Media & Device

Layers
Data
Disk
Document
File & Folder
Client Side
Laptop
Port & Device Controls
Removable Media & Device

Encryption Options
Database Encryption: application-level encryption of data “at rest” in the database.
Disk Encryption: disk-level encryption of all data on the logical or physical drive (user files, swap files, system files, page file).
Document Encryption: application-level encryption of data in document format (Word/Excel, Notebook).
File & Folder Encryption: application-level encryption method.
Client Side Encryption: application-level encryption method used by servers to encrypt data on a computer that has connected to them.

Options
Laptop Encryption: operating-system-level encryption method started at boot-up authorisation.
Port & Device Control: monitors device usage and file transfer activity; controls access to laptop ports, devices and wireless networks.
Removable Media & Device Encryption (USB memory, CD, DVD): read and write encrypted data on media.
Email Encryption: dual-key method securing data in transit from the client.
Gateway Encryption: automatic encryption and decryption of sensitive emails between gateway and receiver.

Step 5: Incident response
Included in BC/DR Plan
Back-ups
Alternatives:
– Find it
– Track it
– Kill it

How to Get a Grip: Quantify the problem, Policies, Configuration, Encryption, Incident Response

PCI / DPA / ISO

DPA Mobile Security
Device security policy
Firewall
Anti-virus protection
O/S routinely updated
Latest patches or security updates installed
Access restricted on "need to know" principle
No password sharing
Encryption of personal information held on devices
Regular back-ups
Wipe data before disposal of device
Anti-spyware protection

PCI Mobile Security
Device user security policy
Device labelled and listed on asset register
Firewall
Dual authentication
Encrypted VPN connection
Anti-virus protection
Anti-spyware protection
O/S routinely updated
Latest patches or security updates installed
Connection subject to testing
Access restricted on "need to know" principle
No password sharing

ISO Mobile Security
Device user security policy
Device labelled and listed on asset register
Firewall
Dual authentication
Encrypted VPN connection
Anti-virus protection
Anti-spyware protection
O/S routinely updated
Latest patches or security updates installed
Connection subject to testing
Access restricted on "need to know" principle
Device must be password controlled

Minimum Controls
Risk assessments
Device user security policy
Security awareness training
Information asset register
Device labelled and listed on asset register
Firewall
Dual authentication
Encrypted VPN connection
Anti-virus protection
Anti-spyware protection
O/S routinely updated & randomly audited
Latest patches or security updates installed
Device must be password controlled

ISACA Plug

10 Rules of Mobile Security
1. If Dr. Evil can run his programs on your mobile device, it’s not your device anymore.
2. If Dr. Evil can make changes to your mobile, it’s not your mobile any more.
3. If Dr. Evil can upload programs to your network from your mobile, it’s not your website anymore.
4. If Dr. Evil can access data entering or exiting your mobile, it’s not your data any more.
5. If Dr. Evil uses your mobile to launch an attack on another network, it’s your problem.

10 Rules (continued)
6. If Dr. Evil can use your mobile to access your partner’s network, it’s your problem.
7. If Dr. Evil can physically access your mobile devices, it’s not your data anymore.
8. More often than not, Mini-Me works for you.
9. Dr. Evil knows where you hide your spare keys.
10. Dr. Evil is always faster and smarter.

Take the problem in hand

26 Dover Street London United Kingdom W1S 4LY +44 (0) A different perspective from