Auditing Mobile Devices / BYOD

advertisement

ONE DEVICE TO RULE THEM ALL!

1993

2013

1

AUDITING

MOBILE DEVICES / BYOD

N S A A I T C O N F E R E N C E

O C T O B E R 2 , 2 0 1 4

2

AGENDA

Mobile Devices / Smart Devices

Implementation Models

Risks & Threats

Audit Program

Q&A

Resources

3

WHAT ARE MOBILE DEVICES TODAY?

Primary features:

Wireless network interface for internet access.

Local built-in (non-removable) data storage.

Operating system that is not a full-fledged desktop/laptop operating system.

Apps available through multiple methods.

Built-in features for synchronizing local data.

Optional features:

Wireless personal area network interfaces (e.g., Bluetooth).

Cellular network interfaces.

GPS (Global Positioning System)

Digital camera.

Microphone.

Storage

SP 800-124

4

WHAT ARE MOBILE/SMART DEVICES?

5

MICHIGAN’S ENVIRONMENT

6

BENEFITS OF MOBILE DEVICES

Increased workforce productivity.

Improved customer service.

Improved turnaround times for problem resolution.

Increased business process efficiency.

Employee retention.

In 2014 the average number of connected devices per knowledge worker will reach an average of 3.3 devices

- Cisco

7

IMPLEMENTATION MODELS

Traditional

Bring Your Own Device (BYOD)

Corporately Owned,

Personally Enabled (COPE)

8

BYOD

TRENDING WITH USERS

9

BYOD

TRENDING WITH EMPLOYERS

BYOD in the Enterprise-A Holistic Approach, ISACA JOURNAL, Volume 1, 2013

10

BYOD

ISACA IMPLEMENTATION CONSIDERATIONS

The key word for BYOD implementation is

LIMIT

:

LIMIT

number of supported device models to the most secure ones.

LIMIT

number of users which are allowed to BYOD.

LIMIT

number of applications and data available for BYOD.

11

MOBILE THREATS/RISKS

Lack of User

Knowledge

Malicious

Apps

Data

Leakage

12

LACK OF USER KNOWLEDGE

SECURING THE DEVICE

9 in 10 Americans use their smartphones for work.

40% don’t password protect their smartphones.

51% of Americans connect to unsecured wireless networks on their smartphone.

48% don’t disable Bluetooth discoverable mode.

CISCO 2013 Study

13

LACK OF USER KNOWLEDGE

THREAT ANALYSIS

14

MALICIOUS APPS

WHAT’S TRENDING?

GAO September 2012 Report found that:

Mobile malware grew by 155% in 2011.

3 out of 10 Android owners are likely to encounter a threat on their device each year as of 2011.

And it just keeps growing!!!

15

MALICIOUS APPS

WHAT CAN THEY DO?

Once your device has been infected, attackers can:

• send location, send contact info, send and read SMS messages, place phone calls, silently download files, open the browser and more ...

16

MALICIOUS APPS

WHAT ARE THEY DOING?

SYMANTEC – Internet Security Threat Report 2014

17

MALICIOUS APPS

WHEN GOOD APPS GO BAD

1) A legitimate developer creates an application.

3) A malicious developer repackages the application with a malware.

5) A user downloads the application containing the malware.

2 The developer uploads the application to a website.

4) The malicious developer uploads the application to a third-party app store where users can download it for free.

6) The malicious developer can control the phone remotely and access the user's sensitive information including address book, e-mails, text messages, location, files, and also place calls.

“Better Implementation of Controls for Mobile Devices Should Be Encouraged” – [GAO-12-757] page 19

18

MALICIOUS APPS

CAN YOU TRUST YOUR APP STORE?

Aug 28, 2014

Microsoft Removes 1,500 Fake Apps From

Windows Store

19

MALICIOUS APPS

Android APPS

WEBROOT - Mobile Threat Report 2014

20

MALICIOUS APPS

iOS (Apple) APPS

WEBROOT - Mobile Threat Report 2014

21

MICHIGAN’S ENVIRONMENT

22

MICHIGAN’S ENVIRONMENT

23

DATA LEAKAGE

ITS ALL ABOUT THE DATA

The fundamental issue underlying protecting information on mobile devices is data leakage.

“If users didn’t copy sensitive information to their phones, laptops, thumb drives, and other devices, controlling for breaches would be much simpler.”

24

REGULATORY COMPLIANCE

Health Insurance Portability and Accountability Act

(HIPAA)

Payment Card Industry – Data Security Standards

(PCI-DSS)

Freedom of Information Act (FOIA)

Privacy Laws

25

MOBILE SECURITY SOLUTIONS

Mobile Device Management Systems (MDM)

Enterprise Sandbox

Mobile Antivirus

Secure Browser

Data Loss Prevention (DLP)

26

MDM SYSTEMS

MONITOR AND CONTROL

Example of MaaS360 Dashboard

27

MDM SYSTEMS

UNDERSTAND YOUR ENVIRONMENT

Example of MaaS360 Reports

28

MICHIGAN’S ENVIRONMENT

29

MOBILE DEVICE SECURITY AUDIT

WOULD YOU LIKE TO TAKE A SURVEY?

Validate MDM Data

Device make/model

Operating system version

Understand the Environment

How devices are used

Who owns the devices

What data is accessed and stored on devices

Sent to all Mobile Device users (~10,000 in total)

50% started, 43% finished

30

MOBILE DEVICE SECURITY AUDIT

TELL ME HOW YOU REALLY FEEL

31

MOBILE DEVICE SECURITY AUDIT

Audit Objectives:

To assess the effectiveness of DTMB's efforts to establish a governance structure and provide guidance regarding mobile device security.

To assess the effectiveness of DTMB’s efforts to design, implement, and enforce the secure configuration of mobile devices.

To assess the effectiveness of DTMB's efforts to ensure that only authorized devices access the State's information technology resources.

32

AUDIT PROGRAMS

ISACA

Mobile Computing Security

Audit/Assurance Program (2010)

BYOD Audit /Assurance Program (2012)

SANS

Mobile Device Security Checklist

CIS

• iOS & Android Benchmarks

33

AUDIT PROGRAMS

ISACA

Mobile Security:

Policies

Risk Management

Device Management

Training

Access Controls

Stored Data

Malware Avoidance

Secure Transmission

BYOD:

Policies

Risk Management

Device Management

Training

Device Layer Security

Legal

Tech. & User Support

Governance

34

POLICIES

Audit Objective: Policies have been defined and implemented to assure protection of enterprise assets.

Policy Definition Control:

Policies have been defined to support a controlled implementation of mobile devices.

35

RISK MANAGEMENT

Audit Objective: Management processes assure that risks associated with mobile computing are thoroughly evaluated and that mobile security risk is minimized.

Risk Assessments Control: Risk assessments are performed prior to implementation of new mobile security devices, and a continuous risk monitoring program evaluates changes in or new risks associated with mobile computing devices.

Risk Assessment Governance Control: The executive sponsor is actively involved in the risk management of mobile devices.

36

DEVICE MANAGEMENT

Audit Objective 1: Mobile devices are managed and secured according to the risk of enterprise data loss.

Tracking Control: Mobile devices containing sensitive enterprise data are managed and administered centrally.

--------------------------------

Audit Objective 2: Mobile devices are managed and secured according to the risk of enterprise data loss.

Provisioning/De-provisioning Control: Mobile devices containing sensitive enterprise data are set up for each user according to their job description and managed as their job function changes or they are terminated.

37

TRAINING

Audit Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.

Mobile Computing Awareness Training Control: Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor.

----------------

Audit Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.

Mobile Computing Awareness Governance Control: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.

38

ACCESS CONTROLS

Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.

Access Control: Access control rules are established for each mobile device type, and the control characteristics address the risk of data loss.

39

STORED DATA

Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.

Encryption Control: Encryption technology protects enterprise data on mobile devices and is administered centrally to prevent the loss of information due to bypassing encryption procedures or loss of data due to misplaced encryption keys.

40

STORED DATA

Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.

Data Transfer Control: Data transfer policies are established that define the types of data that may be transferred to mobile devices and the access controls required to protected sensitive data.

-----------------

Audit Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.

Data Retention Control: Data retention polices are defined for mobile devices and are monitored and aligned with enterprise data retention policies, and data retention is executed according to policy.

41

MALWARE AVOIDANCE

Audit Objective: Mobile computing will not be disrupted by malware nor will mobile devices introduce malware into the enterprise.

Malware Technology

Control: Malware prevention software has been implemented according to device risk.

42

SECURE TRANSMISSION

Audit Objective: Sensitive enterprise data are protected from unauthorized access during transmission.

Secure Connections Control: Virtual private network

(VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.

43

BYOD AUDIT PROGRAM

WHY OH WHY DIDN’T I TAKE THE BLUE PILL?

Legal

Audit Objective: BYOD procedures comply with legal requirements and minimize the organization’s exposure to legal actions.

Tech. & User Support

Audit Objective: A help desk or similar support function has been established to process technical and user issues.

Governance

Audit Objective: BYOD is subject to oversight and monitoring by management.

44

POTENTIAL AUDIT ISSUES IDENTIFIED

Governance Structure

Roles & Responsibilities

Policies & Procedures

Device Configuration

Encryption

Password requirements

Patch Management

MDM Enrollment

Inventory

Decentralized

45

Q

uestions

C. Robert Kern II, C.I.S.A.

Principal IT Audit Supervisor

State of Michigan

Office of the Auditor General

201 N Washington Sq

Suite 600

Lansing, MI 48913

(517) 334-8050 ext. 1247 rkern@audgen.michigan.gov

46

RESOURCES

BankInfoSecurity, BYOD: Get Ahead of the Risk, Intel

CISO: Policy, Accountability Created Positive Results,

January 2012

Center for Internet Security (CIS) Apple iOS 6 Benchmark v1.0.0

Center for Internet Security (CIS) Apple iOS 7 Benchmark v.1.0.0

Center for Internet Security (CIS) Google Android 2.3

Benchmark v.1.1.0

47

RESOURCES

Center for Internet Security (CIS) Google Android 4

Benchmark v.1.0.0

Digital Services Advisory Group and Federal Chief

Information Officers Council, Bring Your Own Device, A

Toolkit to Support Federal Agencies Implementing Bring

Your Own Device (BYOD) Programs, August 2012

Gartner, Gartner Says Consumerization Will Drive At Least

Four Mobile Management Styles, November 2011

Gartner, Magic Quadrant for Mobile Device

Management, May 2012

48

RESOURCES

ISACA BYOD audit/assurance program

ISACA eSymposium BYOD Opportunities and Risks –

Securing Mobile Devices and Remote Access

Technology in your Enterprise

ISACA Mobile Computing Security Audit/Assurance

Program (Oct 2010)

ISACA Securing mobile devices using COBIT® 5 for information security

49

RESOURCES

ISACA Securing Mobile Devices White Paper

Marble Security

National Institute of Standards and Technology, Special

Publication 800-124 Revision 1 (Draft), Guidelines for

Managing and Securing Mobile Devices in the

Enterprise, July 2012

National Institute of Standards and Technology, Special

Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011

50

RESOURCES

NIST Special Publication 800-124: Guidelines on Cell

Phone and PDA Security

SANS

Mobile

Device Security Checklist

51

Download