Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mobile Policy. Overview Security Risks with Mobile Devices Guidelines for Managing the Security of Mobile Devices in the Enterprise Threats of Mobile.

Published byLee Gibbs Modified over 9 years ago

Similar presentations

Presentation on theme: "Mobile Policy. Overview Security Risks with Mobile Devices Guidelines for Managing the Security of Mobile Devices in the Enterprise Threats of Mobile."— Presentation transcript:

1 Mobile Policy

2 Overview Security Risks with Mobile Devices Guidelines for Managing the Security of Mobile Devices in the Enterprise Threats of Mobile Devices and Mitigation Strategies Bring Your Own Device (BYOD) Policies for BYOD Case Studies

3 Security Risks with Mobile Devices Device hardware and OS vulnerabilities Mobile Malware Mobile Application Security Risks Using unsecure connection Device lost and stolen

4 Device Hardware and OS Vulnerabilities Android and iOS are comparably risky Vulnerabilities were found in cross-app resource sharing protocols on Apple’s desktop and mobile platform ◦ Exploited to steal data such as password, and authentication keys Jailbreaking iOS and Rooting Android devices

5 Mobile Malware Trojans that send SMS messages to premium rate number Background calling applications that make long distance calls Key logging applications Worms Spyware

6 Mobile Application Security Risks Common vulnerabilities ◦ sensitive data leakage ◦ unsafe sensitive data storage ◦ unsafe sensitive data transmission ◦ hardcoded passwords/keys, etc. HTML5-based mobile apps are at the risk of malicious code injection – Cross Device Scripting Attacks

7 Guidelines for managing the security of mobile devices Organizations should have a mobile device security policy System threat models for mobile devices and resources accessed through the mobile devices should be developed. Organizations should select the services provided by mobile device solutions that meet their needs A pilot mobile device solution needs to be implemented and tested before putting the solution to production. Organization issued mobile device should be fully secured before being used Mobile device security should be regularly maintained

8 Mobile Device Security Policy Defines the types of resources in the organization that may be accessed via mobile devices. Defines the types of mobile devices that are permitted to access organization’s resources. Defines the degree of access of different classes of mobile devices, ◦ organization issued devices vs. personally owned devices. Defines the requirements for mobile device management technologies ◦ the administration of centralized mobile device management servers ◦ the updating of policies in the servers, etc.

9 Services Provided by Mobile Device Solutions General policy. ◦ Enforce enterprise security policies on the mobile device ◦ E.g., restricting access to hardware and software, managing wireless network interfaces, detecting and reporting policy violation. Data communication and storage. ◦ Encrypted data communication and storage, device wiping, and wiping device remotely. User and device authentication. ◦ E.g., resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices. Applications. ◦ The app store allowed to use, the applications allowed to be installed ◦ Permissions assigned to the applications, installing and updating applications, the use of synchronization services, etc. ◦ Verifying digital signature on applications ◦ Distributing the organization’s applications from a dedicated mobile application store.

10 Mobile Device Security Maintenance checking for and deploying upgrades and patches ensuring that the clocks of mobile device infrastructure components are synced to a common time source, reconfiguring access control features as needed detecting and documenting anomalies keeping an active inventory of mobile devices and their users and applications revoking access to or deleting an application wiping devices before reissuing them to other users periodically perform assessments to confirm compliance of mobile device policies, processes, and procedures

11 Threats of Mobile Devices in the Enterprise Lack of physical security control Use of untrusted mobile devices Use of untrusted network Use of untrusted applications Interact with other systems Use of untrusted content Use of location services

12 Threats and Mitigation Strategies – (1) Threat Lack of physical Security Control Lost or stolen devices Attacker recovers data from device, or use device to access organization’s remote resources Mitigation Require authentication before gaining access to the device or organization’s resources Encrypt the device’s storage or not store sensitive data on mobile devices User training and awareness to reduce insecure physical security practices

13 Threats and Mitigation Strategies – (2) Threat Use of Untrusted Mobile Devices Restriction on security, OS, etc. could be bypassed through jailbreaking and rooting Mitigation Restrict or prohibit BYOD devices Fully secure organization- issued devices, monitor and address deviations from secure state For BYOD devices, run organization’s software in a secure, isolated sandbox on the mobile device, or use device integrity scanning applications

14 Threats and Mitigation Strategies – (3) Threat Use of Untrusted Network Eavesdropping Man-in-the-Middle attacks Mitigation Use VPN Use mutual authentication mechanism to verify the identities of both endpoints before transmitting data Prohibit use of insecure Wi-Fi networks Disable network interfaces that are not needed

15 Threats and Mitigation Strategies – (4) Threat Use of Untrusted Applications User can download untrusted third party mobile device application User can access untrusted web-based applications through the device’s built-in browsers Mitigation Prohibit all installation of third-party applications allow installation of approved applications only verify that applications only receive the necessary permissions implement a secure sandbox that isolates the organization’s data and applications from all other data and applications on the mobile device perform a risk assessment on each third- party application before permitting its use on organization’s mobile device prohibit or restrict browser access force mobile device traffic through secure web gateways, HTTP proxy servers, or other intermediate devices to assess URLs before allowing access Use a separate browser within a secure sandbox for browser-based access related to organization

16 Threats and Mitigation Strategies – (5) Threat Interact with other systems Connect a personally-owned mobile device to an organization- issued laptop Connect an organization-issued mobile device to personally- owned laptop Connect an organization-issued mobile device to a remote backup service Connect any mobile device to an untrusted charging station Risk of storing organization’s data to unsecured location, and malware transmission Mitigation Implement security controls on organization-issued mobile device restricting what devices it can synchronize with Implement security controls on organization-issued computer restricting the connection of mobile devices block use of remote backup services or configure the mobile devices not to use such services Do not connect mobile devices to unknown charging devices Prevent mobile devices to exchange data with each other through logical or physical means

17 Threats and Mitigation Strategies – (6) Threat Use of Untrusted Content Malicious QR codes could direct mobile devices to malicious websites Mitigation Educate users not to access untrusted content with any mobile devices used for work Have applications (e.g., QR readers) display the unobfuscated content (e.g., the URL) and allow users to accept or reject it before proceeding Use secure web gateways, HTTP proxy servers, etc. to validate URLs before allowing access Restrict peripheral use on mobile devices (e.g., disabling camera use) to prevent QR code reading

18 Threats and Mitigation Strategies – (7) Threat Use of Location Services Attackers could correlate location information with other sources about who the user associates with and the kinds of activities they perform in particular locations Mitigation Disable location service Prohibit use of location services for particular applications such as social networking or photo applications Turn off location services when in sensitive areas Opt out of Internet connection location services whenever possible

19 Bring Your Own Device (BYOD) - Benefits Cost savings. The cost of organization-issued devices could be reduced. Productivity gains. ◦ Employees can work more effectively outside of the office, are more likely to spend more time on work related activities. Operational flexibility. ◦ Employees can carry out their work function away from their desk. Employee satisfaction. ◦ Employees can use devices that they enjoy using

20 BYOD - Challenges Privacy issues. ◦ Mobile Device Management (MDM) system may require accessing/processing of personal data. ◦ Employee consent should be obtained before MDM is deployed ◦ Employee’s personal data may be lost if device data needs to be wiped. Cost issues. ◦ Whether reimburse employee-owned devices and data/voice usage. ◦ Additional cost for implementing MDM and for handling the support of BYOD users ◦ Tax implications for reimbursement

21 BYOD – Technological Approaches Virtualization ◦ Provide remote access to computing resources. ◦ No organization’s data/application processing on the personal devices Walled garden: ◦ Organization’s data or application processing are contained in a secure application that is segregated from personal data. Limited separation: ◦ Organization’s data and/or application processing are comingled with personal data and/or application processing, but policies are enacted to ensure minimum security controls.

22 BYOD – Areas that Policies should Address Eligibility ◦ Who is allowed to use personal devices Allowed devices ◦ Minimum specifications for OS and application support, performance and other device-specific criteria. ◦ Desktop virtualization eliminates these considerations. Service availability ◦ The specific services the organization wants to make available on BYO devices Rollout ◦ Teach employees about responsibilities like how data is allowed to be accessed, used, and stored. Cost sharing. ◦ Whether to provide full or partial stipends towards the personal devices. ◦ Who will pay for network access outside the organization firewall. Security and compliance. ◦ Use desktop virtualization ◦ Disable printing or access to client-side storage. ◦ Ensure antivirus/antimalware is installed and updated. ◦ Network access control ◦ mechanism to terminate access to data and apps from BYO device if device is lost or stolen, or employee leaves the organization Device support and maintenance. ◦ how various support and maintenance tasks will be addressed and paid for.

23 Components of BYOD Policies Acceptable use policy for email, Internet, mobile device, etc. Security policies such as mobile, encryption, password, anti-virus, etc. Wireless access policy Remote access policy Remote working policies Privacy policies Employee code of conduct Incident response policies

24 Sample Policies CIO council provided the following sample policies: ◦ Policy and guidelines for government-provided mobile device usage ◦ Bring your own device – policy and rules of behavior ◦ Mobile information technology device policy ◦ Wireless communication reimbursement program ◦ Portable wireless network access device policy Reference: CIO council, Bring Your Own Device – A toolkit to support federal agencies Implementing Bring Your Own Device (BYOD) programs. https://cio.gov/wp-https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf

25 BYOD – Case Studies The Department of the Treasury’s Alcohol and Tabacco Tax and Trade Bureau (TTB) implemented a virtual desktop The U.S. Equal Employment Opportunity Commission implemented a BYOD pilot The State of Delaware implemented BYOD and achieved cost savings Reference: CIO council, Bring Your Own Device – A toolkit to support federal agencies Implementing Bring Your Own Device (BYOD) programs. https://cio.gov/wp-https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf

Download ppt "Mobile Policy. Overview Security Risks with Mobile Devices Guidelines for Managing the Security of Mobile Devices in the Enterprise Threats of Mobile."

Similar presentations

© 2012 All rights reserved to Ceedo. Flexible Desktops. Dynamic Workplace. Ceedo for Call Center Call Center on a Stick Ceedo for Call Center Presentation.

© 2012 All rights reserved to Ceedo. Flexible Desktops. Dynamic Workplace. Ceedo for Call Center Call Center on a Stick Ceedo for Call Center Presentation.
!! Are we under attack !! Consumer devices continue to invade *Corporate enterprise – just wanting to plug in* Mobile Device Management.

!! Are we under attack !! Consumer devices continue to invade *Corporate enterprise – just wanting to plug in* Mobile Device Management.
Bring Your Own Device (BYOD) Security By Josh Bennett & Travis Miller.

Bring Your Own Device (BYOD) Security By Josh Bennett & Travis Miller.
Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.

Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Managed Infrastructure. 2 ©2015 EarthLink. All rights reserved. IT resources are under pressure… is it time to rethink the IT staffing model? Sources:

Managed Infrastructure. 2 ©2015 EarthLink. All rights reserved. IT resources are under pressure… is it time to rethink the IT staffing model? Sources:
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.
Security Controls – What Works

Security Controls – What Works
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

Similar presentations

Ads by Google