NSAA IT CONFERENCE, OCTOBER 2, 2014
• Mobile Devices / Smart Devices
• Implementation Models
• Risks & Threats
• Audit Program
• Q&A
• Resources
Primary features:
• Wireless network interface for internet access.
• Local built-in (non-removable) data storage.
• Operating system that is not a full-fledged desktop/laptop operating system.
• Apps available through multiple methods.
• Built-in features for synchronizing local data.
Optional features:
• Wireless personal area network interfaces (e.g., Bluetooth).
• Cellular network interfaces.
• GPS (Global Positioning System).
• Digital camera.
• Microphone.
• Removable media storage.
Source: NIST SP 800-124
• Increased workforce productivity.
• Improved customer service.
• Improved turnaround times for problem resolution.
• Increased business process efficiency.
• Employee retention.
In 2014 the number of connected devices per knowledge worker will reach an average of 3.3. (Cisco)
TRENDING WITH USERS
TRENDING WITH EMPLOYERS
Source: "BYOD in the Enterprise: A Holistic Approach," ISACA Journal, Volume 1, 2013
ISACA IMPLEMENTATION CONSIDERATIONS
The key word for BYOD implementation is LIMIT:
• LIMIT number of supported device models to the most secure ones.
• LIMIT number of users which are allowed to BYOD.
• LIMIT number of applications and data available for BYOD.
RISKS & THREATS
• Lack of user knowledge
• Malicious apps
• Data leakage
SECURING THE DEVICE
• 9 in 10 Americans use their smartphones for work.
• 40% don’t password protect their smartphones.
• 51% of Americans connect to unsecured wireless networks on their smartphone.
• 48% don’t disable Bluetooth discoverable mode.
Source: Cisco 2013 study
THREAT ANALYSIS
WHAT’S TRENDING?
GAO September 2012 Report found that:
• Mobile malware grew by 155% in 2011.
• 3 out of 10 Android owners are likely to encounter a threat on their device each year as of 2011.
WHAT CAN THEY DO?
Once your device has been infected, attackers can:
• send location,
• send contact info,
• send and read SMS messages,
• place phone calls,
• silently download files,
• open the browser and more ...
WHAT ARE THEY DOING?
Source: Symantec Internet Security Threat Report 2014
WHEN GOOD APPS GO BAD
1) A legitimate developer creates an application.
2) The developer uploads the application to a website.
3) A malicious developer repackages the application with malware.
4) The malicious developer uploads the repackaged application to a third-party app store where users can download it for free.
5) A user downloads the application containing the malware.
6) The malicious developer can control the phone remotely and access the user's sensitive information, including address book, e-mails, text messages, location, and files, and can also place calls.
Source: "Better Implementation of Controls for Mobile Devices Should Be Encouraged" (GAO-12-757), page 19
CAN YOU TRUST YOUR APP STORE?
Aug 28, 2014: "Microsoft Removes 1,500 Fake Apps From Windows Store"
Android APPS
Source: Webroot Mobile Threat Report 2014
iOS (Apple) APPS
Source: Webroot Mobile Threat Report 2014
IT'S ALL ABOUT THE DATA
The fundamental issue underlying protecting information on mobile devices is data leakage.
“If users didn’t copy sensitive information to their phones, laptops, thumb drives, and other devices, controlling for breaches would be much simpler.”
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Freedom of Information Act (FOIA)
• Privacy laws
• Mobile Device Management Systems (MDM)
• Enterprise Sandbox
• Mobile Antivirus
• Secure Browser
• Data Loss Prevention (DLP)
MONITOR AND CONTROL
Example of MaaS360 Dashboard
UNDERSTAND YOUR ENVIRONMENT
Example of MaaS360 Reports
WOULD YOU LIKE TO TAKE A SURVEY?
• Validate MDM data
  • Device make/model
  • Operating system version
• Understand the environment
  • How devices are used
  • Who owns the devices
  • What data is accessed and stored on devices
• Sent to all mobile device users (~10,000 in total)
  • 50% started, 43% finished
TELL ME HOW YOU REALLY FEEL
Audit Objectives:
• To assess the effectiveness of DTMB's (the Michigan Department of Technology, Management and Budget's) efforts to establish a governance structure and provide guidance regarding mobile device security.
• To assess the effectiveness of DTMB's efforts to design, implement, and enforce the secure configuration of mobile devices.
• To assess the effectiveness of DTMB's efforts to ensure that only authorized devices access the State's information technology resources.
• ISACA
  • Mobile Computing Security Audit/Assurance Program (2010)
  • BYOD Audit/Assurance Program (2012)
• SANS
  • Mobile Device Security Checklist
• CIS
  • iOS & Android Benchmarks
ISACA
Mobile Security program areas:
• Policies
• Risk Management
• Device Management
• Training
• Access Controls
• Stored Data
• Malware Avoidance
• Secure Transmission
BYOD program areas:
• Policies
• Risk Management
• Device Management
• Training
• Device Layer Security
• Legal
• Tech. & User Support
• Governance
Audit Objective: Policies have been defined and implemented to assure protection of enterprise assets.
• Policy Definition Control: Policies have been defined to support a controlled implementation of mobile devices.
Audit Objective: Management processes assure that risks associated with mobile computing are thoroughly evaluated and that mobile security risk is minimized.
• Risk Assessments Control: Risk assessments are performed prior to implementation of new mobile computing devices, and a continuous risk monitoring program evaluates changes in, or new risks associated with, mobile computing devices.
• Risk Assessment Governance Control: The executive sponsor is actively involved in the risk management of mobile devices.
Audit Objective: Mobile devices are managed and secured according to the risk of enterprise data loss.
• Tracking Control: Mobile devices containing sensitive enterprise data are managed and administered centrally.
• Provisioning/De-provisioning Control: Mobile devices containing sensitive enterprise data are set up for each user according to their job description and managed as their job function changes or they are terminated.
Audit Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.
• Mobile Computing Awareness Training Control: Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor.
• Mobile Computing Awareness Governance Control: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.
Audit Objective: Access control is assigned to and managed for mobile devices according to their risk of enterprise data loss.
• Access Control: Access control rules are established for each mobile device type, and the control characteristics address the risk of data loss.
• Encryption Control: Encryption technology protects enterprise data on mobile devices and is administered centrally, to prevent loss of information through bypassed encryption procedures and loss of data through misplaced encryption keys.
Audit Objective: Access control is assigned to and managed for mobile devices according to their risk of enterprise data loss.
• Data Transfer Control: Data transfer policies are established that define the types of data that may be transferred to mobile devices and the access controls required to protect sensitive data.
• Data Retention Control: Data retention policies are defined for mobile devices, are monitored and aligned with enterprise data retention policies, and data retention is executed according to policy.
Audit Objective: Mobile computing will not be disrupted by malware, nor will mobile devices introduce malware into the enterprise.
• Malware Technology Control: Malware prevention software has been implemented according to device risk.
Audit Objective: Sensitive enterprise data are protected from unauthorized access during transmission.
• Secure Connections Control: Virtual private network (VPN), Internet Protocol Security (IPsec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.
WHY OH WHY DIDN’T I TAKE THE BLUE PILL?
Legal
• Audit Objective: BYOD procedures comply with legal requirements and minimize the organization’s exposure to legal actions.
Tech. & User Support
• Audit Objective: A help desk or similar support function has been established to process technical and user issues.
Governance
• Audit Objective: BYOD is subject to oversight and monitoring by management.
• Governance Structure
  • Roles & Responsibilities
  • Policies & Procedures
• Device Configuration
  • Encryption
  • Password requirements
  • Patch Management
  • MDM Enrollment
• Inventory
  • Decentralized
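The device-configuration and inventory items above are what the audit tests on each device: is it encrypted, does it enforce a passcode, is it patched, is it enrolled in MDM, and is every device that reaches State resources actually in the inventory. The following Python script is an added example, not from the presentation or from any MDM product, that runs those tests over a constructed MDM inventory export and cross-checks it against a constructed list of device IDs seen at a mail gateway. The column names, minimum OS versions, passcode length, check-in threshold, and both data sets are assumptions chosen to illustrate the tests.

```python
"""Audit tests for mobile device configuration and inventory (added example).

Runs over a constructed MDM export (CSV) and a constructed set of device IDs
seen authenticating to a mail gateway. Column names and thresholds are
assumptions, not taken from any MDM product or from the presentation.
"""
import csv
import io

# Hypothetical policy thresholds (assumption).
MIN_OS = {"iOS": (7, 1, 2), "Android": (4, 4, 4)}
MIN_PASSCODE_LEN = 6
MAX_CHECKIN_DAYS = 30

# Constructed sample MDM export; real exports vary by product.
MDM_EXPORT = """\
device_id,user,platform,os_version,encrypted,passcode_len,enrolled,last_checkin_days
D001,alice,iOS,7.1.2,yes,6,yes,2
D002,bob,Android,4.1.2,no,4,yes,40
D003,carol,iOS,8.0,yes,0,yes,1
D004,dave,Android,4.4.4,yes,6,no,9
"""

# Constructed list of device IDs seen at the mail gateway. This is the
# independent second source used to test "only authorized devices".
GATEWAY_SEEN = {"D001", "D002", "D003", "D999"}


def parse_version(s):
    """'7.1.2' -> (7, 1, 2); '8.0' is padded to (8, 0, 0) so tuples compare."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


def check_device(row):
    """Return the list of control failures for one MDM record."""
    findings = []
    platform = row["platform"]
    if platform not in MIN_OS:
        findings.append("platform: %s not in supported list" % platform)
    elif parse_version(row["os_version"]) < MIN_OS[platform]:
        wanted = ".".join(str(n) for n in MIN_OS[platform])
        findings.append("patch: OS %s below minimum %s" % (row["os_version"], wanted))
    if row["encrypted"].strip().lower() != "yes":
        findings.append("encryption: device storage not encrypted")
    if int(row["passcode_len"]) < MIN_PASSCODE_LEN:
        findings.append("passcode: length %s below %d" % (row["passcode_len"], MIN_PASSCODE_LEN))
    if row["enrolled"].strip().lower() != "yes":
        findings.append("mdm: not enrolled")
    if int(row["last_checkin_days"]) > MAX_CHECKIN_DAYS:
        findings.append("mdm: stale, no check-in for %s days" % row["last_checkin_days"])
    return findings


def audit(export_text, gateway_seen):
    """Return ({device_id: [findings]}, [device IDs seen at the gateway but
    absent from the MDM inventory])."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    results = {r["device_id"]: check_device(r) for r in rows}
    unauthorized = sorted(gateway_seen - set(results))
    return results, unauthorized


if __name__ == "__main__":
    results, unauthorized = audit(MDM_EXPORT, GATEWAY_SEEN)
    for dev, findings in results.items():
        print(dev, "OK" if not findings else "; ".join(findings))
    print("at gateway but not in inventory:", unauthorized)
```

The inventory cross-check is the part auditors most often skip: MDM only reports the devices it knows about, so "all enrolled devices are compliant" says nothing about the unenrolled phone that still syncs mail. A second source (gateway, VPN, or ActiveSync logs) is needed to find it.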
C. Robert Kern II, CISA
Principal IT Audit Supervisor
State of Michigan, Office of the Auditor General
201 N Washington Sq, Suite 600, Lansing, MI 48913
(517) 334-8050 ext. 1247, rkern@audgen.michigan.gov
RESOURCES
• BankInfoSecurity, "BYOD: Get Ahead of the Risk, Intel CISO: Policy, Accountability Created Positive Results," January 2012
• Center for Internet Security (CIS), Apple iOS 6 Benchmark v1.0.0
• Center for Internet Security (CIS), Apple iOS 7 Benchmark v1.0.0
• Center for Internet Security (CIS), Google Android 2.3 Benchmark v1.1.0
• Center for Internet Security (CIS), Google Android 4 Benchmark v1.0.0
• Digital Services Advisory Group and Federal Chief Information Officers Council, "Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs," August 2012
• Gartner, "Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles," November 2011
• Gartner, "Magic Quadrant for Mobile Device Management," May 2012
• ISACA, BYOD Audit/Assurance Program
• ISACA eSymposium, "BYOD Opportunities and Risks: Securing Mobile Devices and Remote Access Technology in Your Enterprise"
• ISACA, Mobile Computing Security Audit/Assurance Program (October 2010)
• ISACA, "Securing Mobile Devices Using COBIT 5 for Information Security"
• ISACA, "Securing Mobile Devices" white paper
• Marble Security
• National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Draft), "Guidelines for Managing and Securing Mobile Devices in the Enterprise," July 2012
• National Institute of Standards and Technology, Special Publication 800-144, "Guidelines on Security and Privacy in Public Cloud Computing," December 2011
• NIST Special Publication 800-124, "Guidelines on Cell Phone and PDA Security"
• SANS, Mobile Device Security Checklist