Auditing Mobile Devices / BYOD

ONE DEVICE TO RULE THEM ALL!
1993 / 2013
AUDITING MOBILE DEVICES / BYOD
NSAA IT CONFERENCE
OCTOBER 2, 2014
AGENDA
• Mobile Devices / Smart Devices
• Implementation Models
• Risks & Threats
• Audit Program
• Q&A
• Resources
WHAT ARE MOBILE DEVICES TODAY?
Primary features:
• Wireless network interface for internet access.
• Local built-in (non-removable) data storage.
• Operating system that is not a full-fledged desktop/laptop operating system.
• Apps available through multiple methods.
Optional features:
• Wireless personal area network interfaces (e.g., Bluetooth).
• Cellular network interfaces.
• GPS (Global Positioning System).
• Digital camera.
• Microphone.
• Storage.
• Built-in features for synchronizing local data.
SP 800-124
WHAT ARE MOBILE/SMART DEVICES?
MICHIGAN’S ENVIRONMENT
BENEFITS OF MOBILE DEVICES
• Increased workforce productivity.
• Improved customer service.
• Improved turnaround times for problem resolution.
• Increased business process efficiency.
• Employee retention.
In 2014 the average number of connected devices per knowledge worker will reach an average of 3.3 devices. - Cisco
IMPLEMENTATION MODELS
• Traditional
• Bring Your Own Device (BYOD)
• Corporately Owned, Personally Enabled (COPE)
BYOD
TRENDING WITH USERS
BYOD
TRENDING WITH EMPLOYERS
BYOD in the Enterprise-A Holistic Approach, ISACA JOURNAL, Volume 1, 2013
BYOD
ISACA IMPLEMENTATION CONSIDERATIONS
The key word for BYOD implementation is LIMIT:
• LIMIT the number of supported device models to the most secure ones.
• LIMIT the number of users who are allowed to BYOD.
• LIMIT the number of applications and data available for BYOD.
MOBILE THREATS/RISKS
• Lack of User Knowledge
• Malicious Apps
• Data Leakage
LACK OF USER KNOWLEDGE
SECURING THE DEVICE
• 9 in 10 Americans use their smartphones for work.
• 40% don’t password protect their smartphones.
• 51% of Americans connect to unsecured wireless networks on their smartphone.
• 48% don’t disable Bluetooth discoverable mode.
CISCO 2013 Study
LACK OF USER KNOWLEDGE
THREAT ANALYSIS
MALICIOUS APPS
WHAT’S TRENDING?
GAO September 2012 Report found that:
• Mobile malware grew by 155% in 2011.
• 3 out of 10 Android owners are likely to encounter a threat on their device each year as of 2011.
And it just keeps growing!!!
MALICIOUS APPS
WHAT CAN THEY DO?
Once your device has been infected, attackers can:
• send location,
• send contact info,
• send and read SMS messages,
• place phone calls,
• silently download files,
• open the browser and more ...
MALICIOUS APPS
WHAT ARE THEY DOING?
SYMANTEC – Internet Security Threat Report 2014
MALICIOUS APPS
WHEN GOOD APPS GO BAD
1) A legitimate developer creates an application.
2) The developer uploads the application to a website.
3) A malicious developer repackages the application with malware.
4) The malicious developer uploads the application to a third-party app store where users can download it for free.
5) A user downloads the application containing the malware.
6) The malicious developer can control the phone remotely and access the user's sensitive information including address book, e-mails, text messages, location, files, and also place calls.
“Better Implementation of Controls for Mobile Devices Should Be Encouraged” – [GAO-12-757] page 19
MALICIOUS APPS
CAN YOU TRUST YOUR APP STORE?
Aug 28, 2014
Microsoft Removes 1,500 Fake Apps From Windows Store
MALICIOUS APPS
Android APPS
WEBROOT - Mobile Threat Report 2014
MALICIOUS APPS
iOS (Apple) APPS
WEBROOT - Mobile Threat Report 2014
MICHIGAN’S ENVIRONMENT
DATA LEAKAGE
IT’S ALL ABOUT THE DATA
The fundamental issue underlying protecting information on mobile devices is data leakage.
“If users didn’t copy sensitive information to their phones, laptops, thumb drives, and other devices, controlling for breaches would be much simpler.”
REGULATORY COMPLIANCE
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry – Data Security Standards (PCI-DSS)
• Freedom of Information Act (FOIA)
• Privacy Laws
MOBILE SECURITY SOLUTIONS
• Mobile Device Management Systems (MDM)
• Enterprise Sandbox
• Mobile Antivirus
• Secure Browser
• Data Loss Prevention (DLP)
MDM SYSTEMS
MONITOR AND CONTROL
Example of MaaS360 Dashboard
MDM SYSTEMS
UNDERSTAND YOUR ENVIRONMENT
Example of MaaS360 Reports
MICHIGAN’S ENVIRONMENT
MOBILE DEVICE SECURITY AUDIT
WOULD YOU LIKE TO TAKE A SURVEY?
• Validate MDM Data
  • Device make/model
  • Operating system version
• Understand the Environment
  • How devices are used
  • Who owns the devices
  • What data is accessed and stored on devices
• Sent to all Mobile Device users (~10,000 in total)
  • 50% started, 43% finished
MOBILE DEVICE SECURITY AUDIT
TELL ME HOW YOU REALLY FEEL
MOBILE DEVICE SECURITY AUDIT
Audit Objectives:
• To assess the effectiveness of DTMB's efforts to establish a governance structure and provide guidance regarding mobile device security.
• To assess the effectiveness of DTMB’s efforts to design, implement, and enforce the secure configuration of mobile devices.
• To assess the effectiveness of DTMB's efforts to ensure that only authorized devices access the State's information technology resources.
AUDIT PROGRAMS
• ISACA
  • Mobile Computing Security Audit/Assurance Program (2010)
  • BYOD Audit/Assurance Program (2012)
• SANS
  • Mobile Device Security Checklist
• CIS
  • iOS & Android Benchmarks
AUDIT PROGRAMS
ISACA
Mobile Security:
• Policies
• Risk Management
• Device Management
• Training
• Access Controls
• Stored Data
• Malware Avoidance
• Secure Transmission
BYOD:
• Policies
• Risk Management
• Device Management
• Training
• Device Layer Security
• Legal
• Tech. & User Support
• Governance
POLICIES
Audit Objective: Policies have been defined and implemented to assure protection of enterprise assets.
• Policy Definition Control: Policies have been defined to support a controlled implementation of mobile devices.
RISK MANAGEMENT
Audit Objective: Management processes assure that risks
associated with mobile computing are thoroughly
evaluated and that mobile security risk is minimized.
• Risk Assessments Control: Risk assessments are performed prior to implementation of new mobile security devices, and a continuous risk monitoring program evaluates changes in or new risks associated with mobile computing devices.
• Risk Assessment Governance Control: The executive sponsor is actively involved in the risk management of mobile devices.
DEVICE MANAGEMENT
Audit Objective: Mobile devices are managed and secured according to the risk of enterprise data loss.
• Tracking Control: Mobile devices containing sensitive enterprise data are managed and administered centrally.
• Provisioning/De-provisioning Control: Mobile devices containing sensitive enterprise data are set up for each user according to their job description and managed as their job function changes or they are terminated.
TRAINING
Audit Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.
• Mobile Computing Awareness Training Control: Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor.
• Mobile Computing Awareness Governance Control: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.
ACCESS CONTROLS
Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
• Access Control: Access control rules are established for each mobile device type, and the control characteristics address the risk of data loss.
STORED DATA
Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
• Encryption Control: Encryption technology protects enterprise data on mobile devices and is administered centrally to prevent the loss of information due to bypassing encryption procedures or loss of data due to misplaced encryption keys.
• Data Transfer Control: Data transfer policies are established that define the types of data that may be transferred to mobile devices and the access controls required to protect sensitive data.
• Data Retention Control: Data retention policies are defined for mobile devices and are monitored and aligned with enterprise data retention policies, and data retention is executed according to policy.
MALWARE AVOIDANCE
Audit Objective: Mobile computing will not be disrupted by malware nor will mobile devices introduce malware into the enterprise.
• Malware Technology Control: Malware prevention software has been implemented according to device risk.
SECURE TRANSMISSION
Audit Objective: Sensitive enterprise data are protected from unauthorized access during transmission.
• Secure Connections Control: Virtual private network (VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.
BYOD AUDIT PROGRAM
WHY OH WHY DIDN’T I TAKE THE BLUE PILL?
Legal
• Audit Objective: BYOD procedures comply with legal
requirements and minimize the organization’s exposure to
legal actions.
Tech. & User Support
• Audit Objective: A help desk or similar support function has
been established to process technical and user issues.
Governance
• Audit Objective: BYOD is subject to oversight and
monitoring by management.
POTENTIAL AUDIT ISSUES IDENTIFIED
• Governance Structure
• Roles & Responsibilities
• Policies & Procedures
• Device Configuration
  • Encryption
  • Password requirements
  • Patch Management
  • MDM Enrollment
• Inventory
  • Decentralized
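As an added example (not from the presentation or the State of Michigan audit), the reconciliation described on the survey slide, validating MDM data against user responses, carried out in Python over a constructed MDM export and survey extract; the findings map onto the issue categories above (encryption, password requirements, patch management, MDM enrollment, inventory). Column names, the patch baseline and the 30-day check-in threshold are assumptions, and the script assumes one MDM record per user.

```python
import csv
import io
from datetime import date

# Constructed sample data (not real State records). Column names are assumptions;
# a real MDM export (e.g. from MaaS360) and survey tool will use different fields.
MDM_EXPORT = """device_id,user,model,os_version,encrypted,passcode,last_checkin
D001,alice,iPhone 5s,7.1.2,yes,yes,2014-09-28
D002,bob,Galaxy S4,4.2.2,no,yes,2014-09-30
D003,carol,iPad Air,7.0.4,yes,no,2014-06-01
"""
SURVEY = """user,model,os_version
alice,iPhone 5s,7.1.2
bob,Galaxy S4,4.4.2
dave,Nexus 5,4.4.4
"""
# Hypothetical patch baseline per model family: minimum (major, minor) OS version.
MIN_OS = {"iPhone": (7, 1), "iPad": (7, 1), "Galaxy": (4, 4), "Nexus": (4, 4)}
STALE_DAYS = 30  # assumed threshold for "device no longer checking in"

def version(text):
    """'7.1.2' -> (7, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit(mdm_csv, survey_csv, as_of):
    """Return sorted (subject, issue) findings; assumes one MDM device per user."""
    findings = []
    mdm = {row["user"]: row for row in csv.DictReader(io.StringIO(mdm_csv))}
    for row in mdm.values():  # device configuration checks against MDM data
        dev = row["device_id"]
        if row["encrypted"] != "yes":
            findings.append((dev, "encryption"))
        if row["passcode"] != "yes":
            findings.append((dev, "password"))
        family = row["model"].split()[0]
        if version(row["os_version"])[:2] < MIN_OS.get(family, (0, 0)):
            findings.append((dev, "patch"))
        if (as_of - date.fromisoformat(row["last_checkin"])).days > STALE_DAYS:
            findings.append((dev, "inventory-stale"))
    for resp in csv.DictReader(io.StringIO(survey_csv)):  # validate MDM vs survey
        row = mdm.get(resp["user"])
        if row is None:  # user reports a device the MDM has never seen
            findings.append((resp["user"], "mdm-enrollment"))
        elif row["os_version"] != resp["os_version"]:  # MDM inventory is wrong
            findings.append((row["device_id"], "mdm-data-mismatch"))
    return sorted(findings)

def run_sample():
    """Run the audit over the constructed data as of the conference date."""
    return audit(MDM_EXPORT, SURVEY, date(2014, 10, 2))
```

Each finding names either a device_id from the MDM export or, for an unenrolled device, the survey respondent, so the list can be handed back to device owners or the MDM administrator for follow-up.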
Questions
C. Robert Kern II, C.I.S.A.
Principal IT Audit Supervisor
State of Michigan
Office of the Auditor General
201 N Washington Sq
Suite 600
Lansing, MI 48913
(517) 334-8050 ext. 1247
[email protected]
RESOURCES
• BankInfoSecurity, BYOD: Get Ahead of the Risk, Intel CISO: Policy, Accountability Created Positive Results, January 2012
• Center for Internet Security (CIS) Apple iOS 6 Benchmark v1.0.0
• Center for Internet Security (CIS) Apple iOS 7 Benchmark v1.0.0
• Center for Internet Security (CIS) Google Android 2.3 Benchmark v1.1.0
• Center for Internet Security (CIS) Google Android 4 Benchmark v1.0.0
• Digital Services Advisory Group and Federal Chief Information Officers Council, Bring Your Own Device, A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs, August 2012
• Gartner, Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles, November 2011
• Gartner, Magic Quadrant for Mobile Device Management, May 2012
• ISACA BYOD audit/assurance program
• ISACA eSymposium BYOD Opportunities and Risks – Securing Mobile Devices and Remote Access Technology in your Enterprise
• ISACA Mobile Computing Security Audit/Assurance Program (Oct 2010)
• ISACA Securing mobile devices using COBIT® 5 for information security
• ISACA Securing Mobile Devices White Paper
• Marble Security
• National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Draft), Guidelines for Managing and Securing Mobile Devices in the Enterprise, July 2012
• National Institute of Standards and Technology, Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011
• NIST Special Publication 800-124: Guidelines on Cell Phone and PDA Security
• SANS Mobile Device Security Checklist