BYOD - ISACA - Final 20130223 Vorapoj Lookmaipun.pdf


2/23/2013

BY VORAPOJ LOOKMAIPUN
CISA, CISM, CRISC, CISSP [email protected]

Agenda
• Security Cases
• What is BYOD
• Best Practice
• Case Study


Zeus
• Botnet designed for financial crime
• Composed of:
– Zeus Builder: creates the Zeus bot binary
– Zeus Admin (C&C, command and control): web dashboard page
– Zeus bot:
• Collects system configuration data
• Collects transaction and personal information
• Web injects (modifies banking pages inside the victim's browser)
• Etc.

ZitMo (Zeus in the mobile)
• Mobile banking malware that steals from your bank account: the mobile counterpart of a Zeus-infected PC, capturing the SMS one-time codes the bank sends to the phone
• Infection
• Threat analysis

ZitMo (Zeus in the mobile): infection flow and threat-analysis diagrams (figures not extracted)

Trojan Geinimi (Android)
• Bot with C&C
• Distributed inside repackaged apps, e.g. Baseball Superstars 2010
• Threat:
– Intercept inbound SMS
– Send SMS
– Restart packages
– Access GPS location
– Access browser history
– Etc.

iOS malware
• iKee: first worm on the iPhone (Nov 2009)
– Attacked jailbroken devices only
– Spread across the network by logging in over SSH with the default root password (alpine) that jailbreaking leaves enabled and users rarely change

IT Trend in 2013 (figure not extracted)

Consumer driven IT (figure not extracted)

BYOD
• Bring Your Own Device
• Bring Your Own Applications
• Bring Your Own Data
• Bring Your Own Friends

Gartner CIO agenda 2012 (figure not extracted)

What is BYOD?
BYOD = Bring Your Own Device
• The recent trend of employees bringing personally owned mobile devices to their place of work and using those devices to access privileged company resources such as email, file servers and databases.
• An alternative strategy that allows employees, business partners and other users to use a personally selected and purchased client device to execute applications and access data.
• Mobile innovation is now driven more by consumer markets than by business markets.


BYOD
• What are the challenges for IT?
– Protecting sensitive data
– Support
– Security
• How does BYOD benefit the organization?
– Increased flexibility
– Empowered employees and increased worker productivity
– Overall cost saving

Traditional vs BYOD Concept

Component                       | Traditional end-user computing                                               | BYOD concept
Devices                         | Structured and standardized: typically PCs, laptops and BlackBerry devices   | Heterogeneous: PCs, laptops, Macs, tablets and smartphones
Applications & operating system | Standardized                                                                 | Heterogeneous: various applications, operating systems, even form factors
Device management               | Endpoint security, systems and asset management are used and in full control | Minimal control, or no control at all


BYOD Pro & Con

Pros (business)
• A business adopting a BYOD policy saves on buying costly desktop devices, and on maintaining and supporting those devices and hiring IT support staff. The savings can be invested in other technology or other areas of the business.
• Employees tend to take better care of property they own themselves.

Pros (employees)
• Employees can choose the devices they prefer, which raises morale and productivity.
• Because BYOD devices are mobile, employees can reach resources and applications anywhere and at any time, which improves productivity.
• Employees are empowered to work more efficiently and productively on devices they chose rather than on corporate-owned ones.

Cons (business)
• Without proper BYOD policies and technologies in place, a business risks exposing classified information. Information will not be as secure as it would be on a device exclusively controlled by the company.
• Devices brought in by employees are likely to face compatibility issues; IT departments may need to spend extra time troubleshooting various devices and looking for the best solutions.
• Without proper security measures, BYOD can mean "bring your own malware to the office", which eventually causes damage to the organization.

Cons (employees)
• Because of security requirements, employees often do not have true full control over their own devices; the company has to ensure that proprietary and private information is secure at all times.
• It is an out-of-pocket expense for the employees, who are responsible for repairs if their devices are damaged or broken at work.


BYOD Goal
• To balance conflicting goals:
– Social: keep employees happy
– Business: keep processes running effectively
– Financial: manage costs
– Risk management: stop bad things from happening

Mobile Infrastructure (figure not extracted)

BYOD Strategy
• Demand: the mobile experience for customers, employees and partners. How will they transact, be informed and be serviced?
• Supply: which technologies, resources and partners will deliver the mobile experience?
• Governance and risks: who needs to be involved, who is providing the funding, and how will risks be mitigated?


BYOD Pro & Con
• Security risks and concerns
– Business
– Employees
• Technical solutions to reduce BYOD risk?

BEST PRACTICE


BYOD Security Blueprint (figure not extracted)
• Layers: App Store; Mobile Device Security; Network Access Control; Wireless Access Point
• Objectives: safe mobile device configurations; safe mobile device provisioning; safe access channel for mobile devices
• Access tiers: Guest, Limited, Full

WIFI Security
• WIFI threats (figure not extracted)
• Change the default SSID
• Hide the SSID broadcast (note: this only hides the network from casual users; the SSID still appears in probe and association frames, so it is no substitute for encryption)
• Strong encryption: WPA2 (WEP is broken and WPA/TKIP is deprecated; for corporate access prefer WPA2-Enterprise with 802.1X over a shared passphrase)
• Strong password for the Wi-Fi router admin interface
• Enable the router firewall
• Disable auto-connect (optional)


BYOD Security – ISACA Framework
• Remote access
– Connect to the enterprise network via VPN or IPsec; when connecting over Wi-Fi, still tunnel into the enterprise network via VPN or IPsec
– Wi-Fi must use WPA2 or better

Network Access Control (figure not extracted)

Network Access Control Strategy
• Embrace = allow everyone to BYOD for almost everything
• Contain = allow some people to use some devices to access some resources
• Block = not allowed
• Disregard = no change (no policy)

BYOD NAC
• Contain – sample access control policies
– Allow internet access
– Allow access to email, calendar and contacts (such as via Exchange ActiveSync)
– Allow access to some corporate applications
– Block access to sensitive intellectual property and data

BYOD NAC
• Contain – network access level
– Limited-access zone; restrict access to applications and data
– Support wireless LAN and wired LAN
– Limit access according to the user's role (by integrating with Active Directory)
– Server-based computing (such as VDI and Windows Terminal Server)
– SSL VPN
– Firewall, wireless controller or any Layer 3 network component that accepts ACLs

BYOD NAC
• Embrace – sample endpoint control and security policies
– Required MDM agents for tablets and smartphones
– Required DLP agents for tablets and smartphones
– Maintain current OS levels and patches for Windows PCs and Apple OS X devices
– Require security agents for Windows PCs and Apple OS X devices (such as NAC, endpoint protection, DLP)
• Embrace – network access level
– Allow personally owned endpoints that comply with the security policies to access the corporate network


BYOD NAC
• Moving from Contain to Embrace
– Gain CIO support
– Partner with the mobile team
– Begin with Contain policies
– Slowly evolve to an Embrace approach

BYOD NAC (figure not extracted)

BYOD NAC – ISACA Framework
• Network access control
– SSL/TLS or VPN
– Active Directory
– Second authentication factor

Mobile Device Security
Security level, weak to strong (security criteria):
7 – Air Gap
6 – Geo-Location Policy Enforcement
5 – Mobile Device Encryption
4 – Mobile Content Control
3 – Mobile Device Lock Down
2 – Sandbox, Container, Wrapper
1 – Password Management
0 – Do Nothing


Mobile Device Security
• 0 – Do nothing
– The organization does not know what devices it has.
– By contrast, the BlackBerry system was a security-built-in environment: locked-down devices whose management was handled invisibly in the data center with BES.

Mobile Device Security
• 1 – Password management
– Required passcode
– Minimum password length
– Password expiration
– Password history


Mobile Device Security
• 2 – Sandboxes, containers and wrappers
– Memory isolation; memory protection so that a failing app cannot bring down the OS
– App-wrapper VPN capability (a per-app tunnel) rather than a VPN for the entire device

Mobile Device Security
• 3 – Mobile device lock down
– Device identity authentication
• CA-based certificate handshake tied to AD for mobile workforce provisioning, management and reporting
– Always-on VPN
• VoIP traffic must be encrypted
• Wi-Fi traffic must be encrypted
• The user cannot bypass the VPN


Mobile Device Security
• 4 – Mobile content control
– Begin with a hardened stateful-inspection mobile firewall: services, ports, processes, users/groups
– Centrally manage the mobile firewall so the entire mobile population becomes invisible to the internet and to attackers
– Application blacklisting, with events fed to a SIEM
– Check for jailbreak / root

Mobile Device Security
• 5 – Mobile device encryption
– Device-level encryption to protect data at rest (OS level)
– Do not allow sensitive data to reside at rest on the mobile device:
• Use a Citrix-like tool to access corporate resources
• Treat the mobile device as a GUI dumb terminal and encrypt the traffic
• Application wrapping


Mobile Device Security
• 6 – Geo-location policy enforcement
– Enforcement based on GPS or cell-tower position
– Integrate the mobile firewall and policy with highly granular position resolution, down to about 3 meters
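As an added example (not code from the deck): a geo-location check that a mobile firewall or MDM policy engine could run before allowing a connection, using the haversine great-circle distance. The site coordinates, fence radii and the accuracy threshold are constructed assumptions. The rule that a coarse fix is refused rather than trusted is this example's addition: cell-tower positioning is accurate to hundreds of meters, not the 3 meters the slide mentions, so the reported accuracy has to be part of the decision.

```python
"""
Geo-location policy check for a mobile firewall / MDM rule engine.
Conservative decision: access is allowed only if the whole uncertainty
circle of the reported fix lies inside an approved site, and a fix that
is too coarse (typical of cell-tower positioning) is refused, not trusted.
"""
import math

EARTH_RADIUS_M = 6_371_000.0

# Constructed sample data: approved sites as (latitude, longitude, fence radius in metres).
# Coordinates and radii are assumptions for illustration, not real facilities.
APPROVED_SITES = {
    "HQ":  (13.7563, 100.5018, 150.0),
    "DC1": (13.6900, 100.7501, 75.0),
}

# Fixes reported with a larger error radius than this are treated as untrustworthy
# (assumption: the policy wants GPS-grade fixes, not tower-grade ones).
MAX_ACCURACY_M = 50.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geo_decision(lat, lon, accuracy_m, sites=APPROVED_SITES, max_accuracy_m=MAX_ACCURACY_M):
    """
    Return (allowed, reason).

    accuracy_m is the error radius the device reports with the fix. The fix is
    accepted only if distance_to_site + accuracy_m <= fence radius, i.e. even the
    worst-case true position is still inside the fence.
    """
    if math.isnan(accuracy_m) or accuracy_m < 0:
        return False, "invalid accuracy value"
    if accuracy_m > max_accuracy_m:
        return False, f"fix too coarse ({accuracy_m:.0f} m > {max_accuracy_m:.0f} m)"
    for name, (slat, slon, radius) in sites.items():
        d = haversine_m(lat, lon, slat, slon)
        if d + accuracy_m <= radius:
            return True, f"inside {name} (distance {d:.1f} m, accuracy {accuracy_m:.0f} m)"
    return False, "outside all approved sites"


if __name__ == "__main__":
    # Constructed fixes: just off HQ with a GPS-grade fix; 200 m away; exactly at HQ
    # but reported with tower-grade accuracy (refused even though the centre is inside).
    for fix in [(13.7564, 100.5018, 5.0), (13.7583, 100.5018, 5.0), (13.7563, 100.5018, 300.0)]:
        print(fix, geo_decision(*fix))
```

The third sample fix is the case a naive "is the point inside the circle" check gets wrong: the centre of the fix is at HQ, but with a 300 m error radius the device could be anywhere in the surrounding blocks, so the policy refuses it.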


Mobile Device Security
• 7 – Air gap
– Two devices: users have one mobile device for business and one for personal use.
– Make the business mobile device as secure as a fully compliant desktop computer (Android and iOS).
– More expensive; depends on the worth of

Mobile Device Security
• 7 – Air gap: BYOD versus air gap

Question                                           | BYOD    | Air Gap
Personal/business data intermingled on device?     | Yes     | No
Personal privacy in jeopardy?                      | Yes     | No
Compliance risk?                                   | Yes     | No
Company potentially liable for personal data loss? | Yes     | No
Who is liable for breached company data?           | Unknown | Company
Who is liable for compromised personal data?       | Unknown | Not applicable

MDM Product (figure not extracted)

BYOD Security – ISACA Framework
• Device access restriction
– Strong password
– Second authentication factor
– Password expires every 90 days
– Device locks after 3 unsuccessful password attempts
– Data permission and access aligned with data classification
– Data accessibility and permission within the user's job function and data classification

BYOD Security – ISACA Framework
• Device security
– Explicit permission to wipe data
– Encryption and data protection of at least AES-128 or 3DES-168 (AES should be preferred today; 3DES is deprecated)
• Remote access
– Bluetooth discoverable mode disabled
– Bluetooth connects only to previously paired devices
– Connect to the enterprise network via VPN or IPsec
– When connecting over Wi-Fi, still tunnel into the enterprise network via VPN or IPsec


BYOD Security – ISACA Framework
• Malware protection
– Antivirus installed
– Firewall

BASELINE SECURITY FEATURE


Baseline Security Feature (Android)
• Android 2.2
– Password policies: required, minimum length, alphanumeric, maximum attempts
– Maximum inactivity time lock (idle time)
• Android 3.0
– Password policies: complexity, minimum letters/characters/symbols, expiration, history
– Full file-system encryption
– Data Execution Prevention (DEP) using the ARM XN bit
• Android 4.0
– Support for Microsoft Exchange ActiveSync (EAS) v14 (Exchange Server 2010) and EAS certificates
– Automatic sync can be disabled while roaming
– Disable camera
– Keychain API
– Address space layout randomization (ASLR) to help protect system and third-party apps from exploitation of memory management bugs
– VPN API and underlying secure credential storage

Baseline Security Feature (Android)
• Device security
– Basic access locks: passcode, pattern lock, face recognition
– Lock after timeout and wipe after the retry limit
– Bluetooth and Wi-Fi access controls
– SIM card password
• Android devices should not be allowed to host business data and apps unless under the control of an MDM tool that provides access control policies, proactive status reporting and root detection.


Baseline Security Feature (iOS)
• Encryption
– Always-on AES hardware storage encryption
– Configuration profiles that can be encrypted and locked to a device, with removal requiring an administrative password
– iTunes backups that can be encrypted and password-protected at the user's discretion
– Native S/MIME email support
• Certificates
– Certificate enrollment can be linked to a company's public-key infrastructure and certificate authority
– Certificates can be required for virtual private network (VPN) connections
– Online Certificate Status Protocol (OCSP) facilitates certificate revocation
– Simple Certificate Enrollment Protocol (SCEP) establishes opt-in policy controls at the user device
– Exchange ActiveSync (EAS) and VPN client access can be set to require a device certificate

Baseline Security Feature (iOS)
• Apps
– JavaScript VM app isolation
– "Jailbreak-proof" app keychain (the deck's wording; on a jailbroken device keychain items can be dumped by code running as root, so jailbreak detection remains a prerequisite)
– Address space layout randomization
– Safari private browsing and anti-phishing policies
– Enterprise-installed apps installed/removed by MDM tools
• Embedded VPN
– L2TP, IPsec, PPTP and SSL are natively supported (PPTP is cryptographically weak and should not be used for corporate access)
– Proxy configuration is supported in Safari and by a VPN configuration profile
– VPN on demand can bring up a tunnel only when a matching resource is requested


Baseline Security Feature (iOS)
• Endpoint policies
– Apple provides email controls for app-generated messages and forwarding policies. Combined with EAS, this serves as an introductory over-the-air (OTA) management solution.
– Additional local device security policies may be administered over a tethered connection using the iPhone Configuration Utility (IPCU), or delivered OTA by email, a web URL or third-party MDM tools.
– Apple Configurator helps IT administrators mass-configure and supervise iOS devices over a tethered connection.
– Apple's MDM API provides many policy functions to third-party developers.
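An added example (not code from the deck or from Apple): the OTA-deliverable passcode policy from the iOS endpoint-policy slide, built as a .mobileconfig with Python's plistlib and checked against the ISACA device-access rules from the earlier slide (strong password, 90-day expiration, failed-attempt limit, history). The key names are Apple's documented passcode-policy payload keys; the specific numbers chosen for length, history, inactivity and failed attempts, and the organization and identifier strings, are assumptions.

```python
"""
Build and validate an iOS passcode-policy configuration profile.
validate_policy() checks a policy dict against a baseline derived from the
ISACA "device access restriction" slide; build_profile() refuses to emit a
.mobileconfig that is weaker than that baseline.
"""
import plistlib
import uuid

# Key names are Apple's passcode-policy payload keys. The numeric values for
# minLength, pinHistory, maxFailedAttempts and maxInactivity are assumptions:
# the deck only says "strong password", "90 days" and "3 attempts". On iOS,
# maxFailedAttempts is the count after which the device ERASES itself (it is
# not a temporary lock), which is why this example does not set it to 3.
RULES = [
    # (key, comparison, baseline)  -- a policy passes if  value <op> baseline
    ("minLength",           ">=", 8),
    ("requireAlphanumeric", "==", True),
    ("allowSimple",         "==", False),   # no repeating/sequential passcodes
    ("maxPINAgeInDays",     "<=", 90),      # password expiration, per the deck
    ("pinHistory",          ">=", 4),       # password history
    ("maxFailedAttempts",   "<=", 10),      # wipe after this many failures
    ("maxInactivity",       "<=", 5),       # minutes idle before auto-lock
    ("maxGracePeriod",      "==", 0),       # require the passcode immediately on wake
]
BASELINE = {key: value for key, _, value in RULES}


def validate_policy(policy):
    """Return a list of findings (empty when the policy meets the baseline).
    A missing key is a finding: Apple's default for an absent key is the weak
    setting (simple passcodes allowed, no expiration, no history)."""
    findings = []
    for key, op, want in RULES:
        if key not in policy:
            findings.append(f"{key}: missing (baseline {want!r})")
            continue
        have = policy[key]
        if not isinstance(have, (int, bool)):
            findings.append(f"{key}: non-numeric value {have!r}")
            continue
        ok = {">=": have >= want, "<=": have <= want, "==": have == want}[op]
        if not ok:
            findings.append(f"{key}: {have!r} is weaker than baseline {want!r}")
    return findings


def build_profile(policy, organization="Example Corp", identifier="com.example.byod.passcode"):
    """Return the .mobileconfig bytes (XML plist). Raises ValueError on a weak policy."""
    findings = validate_policy(policy)
    if findings:
        raise ValueError("policy weaker than baseline: " + "; ".join(findings))
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "BYOD passcode policy",
        **policy,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "BYOD passcode policy",
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": True,   # user cannot remove it (honoured on supervised devices)
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def parse_profile(data):
    """Parse .mobileconfig bytes back into a dict (to verify what was built)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    print(build_profile(BASELINE).decode())
    print(validate_policy({"minLength": 4, "maxPINAgeInDays": 365}))
```

The profile this produces is unsigned; before delivering it OTA it should be signed (and, if it carries secrets, encrypted) so the device can show the user who issued it and so it cannot be altered in transit.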

BYOD CASE STUDY


Case Study
• Financial services company
– 100,000 endpoint devices
– 200 locations
– Anticipates approximately 10,000 employee-owned smartphones, tablets and laptops

Case Study
• Use cases
1. Employee-owned tablet/smartphone
2. Employee-owned Windows laptop
3. Employee-owned MacBook laptop


Case Study
• Use Case 1 – Employee-owned tablet/smartphone
– Policy
• Install the MDM agent on the device to gain access to the wireless BYOD network
– Actions
• If the MDM agent is detected, a Citrix-like agent is used to grant access to a subset of applications on the corporate network.
• If the MDM agent is not detected, the device is placed on the guest network and limited to internet access only.
• Jailbroken iOS devices and rooted Android devices are denied access to the network, including the guest network.

Case Study
• Use Case 2 – Employee brings own Windows laptop
– Policies
• Up-to-date patches are required.
• Up-to-date antivirus signatures are required.
• Disk encryption is required.
• Specific ports must be blocked by a personal firewall (such as Telnet/SSH).
• The mobile endpoint agent is enabled for checking configuration status.
• A data loss prevention (DLP) agent is required.


Case Study
• Use Case 2 – Employee brings own Windows laptop
– Actions
• If the Windows laptop complies with all policy criteria, it is granted full access to the corporate network.
• If it is non-compliant with one or more policies, it is placed on the guest network and limited to internet access only (the user must register at the guest web portal).

Case Study
• Use Case 3 – Employee brings own MacBook laptop
– Policies
• It must be running OS X 10.5 or later
• The MDM agent must be enabled
• The Vontu DLP agent is required
– Actions
• If compliant with all policies, it is granted full access to the corporate network.
• If not compliant with all policies, it is placed on the guest network and limited to internet access only.
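The three use cases above, expressed as one posture-evaluation routine. This is an added illustration, not the company's NAC product or code: the posture-report format, its field names and the sample reports are constructed, and the rule that an unknown device type or an unparseable report is denied outright is this example's fail-closed choice rather than something the case study states.

```python
"""
Posture-based NAC decision for the three BYOD use cases in the case study.
Input is a one-line posture report of key=value pairs such as an NAC or MDM
agent might send; output is the network zone the device is placed in.
Fail closed: anything unparseable or of unknown type is denied.
"""
from enum import Enum


class Zone(Enum):
    DENY = "deny"         # no network at all, not even guest
    GUEST = "guest"       # internet only, daily registration at the guest portal
    LIMITED = "limited"   # Citrix-style access to a subset of applications
    FULL = "full"         # full corporate network access


def parse_report(line):
    """Parse 'key=value key=value ...' into a dict. 1/0/true/false/yes/no become
    bools, dotted numbers become int tuples (for version compares), the rest
    stays a string. A token without '=' is a malformed report."""
    report = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"malformed token {token!r}")
        key, value = token.split("=", 1)
        low = value.lower()
        if low in ("1", "true", "yes"):
            report[key] = True
        elif low in ("0", "false", "no"):
            report[key] = False
        elif value and value.replace(".", "").isdigit():
            report[key] = tuple(int(p) for p in value.split("."))
        else:
            report[key] = value
    return report


def evaluate(report):
    """Return (Zone, reason) for a parsed posture report."""
    kind = report.get("type")
    if kind == "mobile":                                   # use case 1
        if report.get("jailbroken", True):                 # unknown => treat as compromised
            return Zone.DENY, "jailbroken/rooted device: no access, including guest"
        if report.get("mdm", False):
            return Zone.LIMITED, "MDM agent present: application subset via Citrix-like agent"
        return Zone.GUEST, "no MDM agent: guest network, internet only"

    if kind == "windows":                                  # use case 2
        required = ["patched", "av_current", "disk_encrypted", "fw_blocks_telnet_ssh", "dlp"]
    elif kind == "macos":                                  # use case 3
        required = ["mdm", "dlp"]
        os_ver = report.get("os")
        if not isinstance(os_ver, tuple) or os_ver < (10, 5):
            return Zone.GUEST, "OS X version unknown or older than 10.5: guest network"
    else:
        return Zone.DENY, f"unknown device type {kind!r}: denied (fail closed)"

    missing = [k for k in required if not report.get(k, False)]
    if missing:
        return Zone.GUEST, "non-compliant: " + ", ".join(missing)
    return Zone.FULL, "compliant: full corporate access"


def decide(line):
    """Parse and evaluate one report line; parse failures are denied."""
    try:
        return evaluate(parse_report(line))
    except ValueError as exc:
        return Zone.DENY, f"unparseable report: {exc}"


# Constructed sample reports (not captured from a real agent).
SAMPLE_REPORTS = [
    "type=mobile mdm=1 jailbroken=0 os=6.1",
    "type=mobile mdm=0 jailbroken=0 os=4.1",
    "type=mobile mdm=1 jailbroken=1 os=4.0",
    "type=windows patched=1 av_current=1 disk_encrypted=1 fw_blocks_telnet_ssh=1 dlp=1",
    "type=windows patched=1 av_current=0 disk_encrypted=1 fw_blocks_telnet_ssh=1 dlp=0",
    "type=macos os=10.8 mdm=1 dlp=1",
    "type=macos os=10.4 mdm=1 dlp=1",
    "type=printer mdm=1",
]

if __name__ == "__main__":
    for line in SAMPLE_REPORTS:
        zone, reason = decide(line)
        print(f"{zone.value:8} {reason:62} <- {line}")
```

Note the asymmetry the case study itself has: a non-compliant laptop still gets the guest network, but a jailbroken or rooted phone gets nothing. The routine also reports every failed check, not just the first, which is what the guest portal needs in order to tell the user what to fix.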


Case Study
• Three-phase project – 1st phase
– Pilot project: 200 IT staff brought personally owned devices to work
– 6 months
– Refine the web registration portal
– Address minor product integration issues with the MDM agent

Case Study
• Three-phase project – 2nd phase
– Support 1,000 employee-owned devices
– Employees in the IT risk management and risk compliance departments included
– Assess the end-user experience and overall performance of the solution
– Define and monitor role-based access
– 1-year period


Case Study
• Three-phase project – 3rd phase
– Support all employees and contractors
– By year-end 2014

Case Study
• Results
– 80% of employees have chosen to comply with corporate policies and install the required MDM agent and other software on their mobile devices.
– Users who choose not to comply with policy must register their devices at the guest portal daily and are allowed internet access only.
– (August 2012) Approximately 1,000 employee-owned devices are present on the corporate network on a regular basis:
• Contractors represent 85% of the non-corporate devices
• Smartphones and tablets are 10% of non-corporate devices
• MacBooks are 5% of non-corporate devices


Case Study
• Results
– The company did not add full disk encryption to support the BYOD initiative. Endpoint service consultants are on site and support the broader NAC project.
– Policy enforcement has gone smoothly. For example:
• 5 employees reported that they had lost their personally owned devices; those devices were immediately wiped clean, in their entirety.
• The employees had signed waivers agreeing to the remote-wipe policy. Because the policy had been communicated clearly, the employees (grudgingly) accepted the loss of their personal content.

What is the right answer?
• Air gap: two devices.
• Keep the mobile estate as homogeneous as possible: iOS plus a select best-of-breed set of Androids.
• Lock-down, VPN, firewall and content filtering
• Full disk encryption
• VDI
• ????


Network Access Control Strategy (summary)
• Contain = permit some users to use some personally owned devices
• Embrace = permit all users to use some personally owned devices
• Block = prohibit all personally owned devices in the workplace
• Disregard = ignore the issue; do not establish any BYOD policies


Easy Mobile Security
• Lock code
• Lock when idle
• Complex password
• Remote wipe capability
• Device encryption
