AITP Cloud Conference
October 29, 2015
Bring Your Own Device (BYOD) Security
Presenter: Thomas (Tom) Gresham, IT Security Supervisor, Unified Port of San Diego
Presentation Contents
• Overview of BYOD
• Associated Risks
• Physical Security & Mitigation
• Malicious Code & Mitigation
• Insider Threat & Mitigation
• Ancillary Concerns
• Q&A
BYOD SECURITY
BYOD Overview
History of mobile device use in the workplace
1990s - In the 1990s, businesses and government agencies first used mobile devices such as pagers and flip phones to improve voice communication and basic text messaging while employees were away from the desk.
Image courtesy of Motorola
BYOD Overview
According to a 2014 study conducted by the Pew Research Center, “58% of American adults now own a smartphone of some kind, up from 35% in the spring of 2011.”
Image Courtesy of Pew Research Center
BYOD Overview
Mobile Device Benefits
• Communication – Mobile devices, particularly smartphones, allow for the real-time communication of data outside of the traditional office setting. Response time for information requests is near real-time through email and text services as employees travel or work from home.
• Remote Management – Smartphone applications have been developed to reach back to organization databases, providing interfaces similar to those traditionally found on desktop computers. These apps allow users not only to generate reports within agency databases but also to manipulate systems controlling functions such as financial transactions, manage IT systems, and even tie into physical access controls such as gates, doors and HVAC systems.
BYOD Overview
Mobile Device Costs
1. Equipment Costs – According to the Wall Street Journal, the average cost of an iPhone as of February 2015 was $687.
2. Ongoing Costs – Monthly plans often reach upwards of $100/month depending on the data plan.
3. In-House Assets – A traditional mobile device management (MDM) infrastructure, licensing and training may be needed.
BYOD Overview
Blackberry Enterprise Infrastructure
Image Courtesy of Research In Motion (RIM) Inc.
Managing an in-house infrastructure, such as a Blackberry Enterprise Server (BES) farm, requires hardware, licensing and staff training.
BYOD Overview
The adoption of BYOD
As a cost-saving measure, companies began to leverage employee-owned smartphones to access their corporate networks. In 2009, Intel began officially allowing non-IT-issued devices to access secure company email, calendar and documents. This practice is known as Bring Your Own Device (BYOD).
BYOD Benefits:
1. Organization savings on equipment and ongoing voice/data plans
2. Empowers employees with choice in the hardware platform
3. Employees do not need to carry two mobile devices at work
Associated Risks
Many organizations are adopting the Bring Your Own Device (BYOD) approach as a cost-savings measure. However, the risks introduced by such programs are serious and can be costly if the programs are not implemented correctly. Mobile devices increase an organization’s attack surface. While many security risks exist, three areas stand out as critical to any mobile device program, including BYOD:
• Physical Security
• Malicious Code
• Insider Threat
Risk – Physical Security
Loss & Theft
By nature, mobile devices are of a smaller form factor than laptops, thus they are more prone to loss or theft.
Image courtesy of Consumer Reports
According to a 2014 study by Consumer Reports, “More than 3.1 million smartphones were stolen just in America during 2013.” The report also revealed that 34% of individuals did not even have a simple 4-digit passcode protecting their information.
Risk – Physical Security
Unauthorized Disclosure – Beyond the financial loss of the hardware itself, the loss of a mobile device may compromise the sensitive information contained within it. The employee’s organization is now exposed to potential liability, as sensitive information may be disclosed in an unauthorized manner.
The National Institute of Standards and Technology (NIST) highlights the risk of the physical environment in Special Publication 800-124: “It is assumed that mobile devices will be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization’s remote resources.”
Risk Mitigation – Physical Security
• Security Awareness Training – Proper training on the handling of mobile devices is essential for all personnel who intend to use either organizational assets or personal assets in a BYOD setting.
• Technical Controls can reduce risk through mandatory settings via an MDM architecture:
  • PIN Codes
  • Device Encryption (physical, file or virtual)
  • Remote Data Wiping
  • Geofencing
  • Data & Application Backups
Risk – Mobile Device Malware
Malware, originally thought to target only desktop computers, has evolved rapidly in response to the growing popularity of mobile technology. According to a study
Image courtesy of 3SC World
• Threat Actors: Identifying the motivation for creating malware for smart devices is paramount to a better understanding of its behavior and can be used to develop targeted detection strategies. Such goals include identity theft, fraud, spamming, espionage, data theft and sabotage.
• Attack Vector: Malware creators can use a variety of techniques to distribute malicious applications and infect devices, from self-propagation mechanisms based on vulnerabilities and misconfigurations to simply tricking the user into installing it by means of social engineering techniques.
• Privilege Elevation: Once the malicious code is installed on the device, it often needs to acquire enough privileges to carry out its goals. This is automatic in many cases, as the user might already have granted them to the app, whereas in other cases technical vulnerabilities and/or misconfigurations are exploited.
Risk – Mobile Device Malware
The anti-virus company Sophos indicated that in 2014 an estimated 2000 Android malware samples were discovered daily.
Image courtesy of Sophos Inc.
Risk – Mobile Device Malware
G Data Software AG released a study that indicates a large spike in malware samples targeting Android devices. Between 2012 and 2013, the number of distinct malware samples nearly tripled.
Image courtesy of G Data Software AG
According to Kaspersky Lab, the most frequently detected threats on Android devices can be broken down into three main groups: SMS Trojans, adware, and exploits to gain root access.
Image courtesy of Kaspersky Lab
Risk – Mobile Device Malware
Mobile Device Malware – Often, these attacks target stored credentials and use them to facilitate access to more sensitive data, as users are increasingly embedding authentication credentials, such as banking site logins and passwords, into their devices.
• WireLurker – In 2014, Palo Alto Networks discovered the malware. WireLurker monitors any iOS device connected via USB to an infected OS X computer. WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers’ command and control server.
Image courtesy of Apple France
• Masque Attack – In July 2014, FireEye mobile security researchers discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store. The attacker can steal a user’s banking credentials by replacing an authentic banking app with malware that has an identical name. The malware can even access the original app’s local data, which wasn’t removed when the original app was replaced.
Image courtesy of TechFerb
Risk – Mobile Device Malware
Recent News – According to Macworld, in September of 2015, Apple pulled several iOS apps from the App Store after security researchers discovered malware in some of the store’s top apps.
It’s unclear just how many apps were infected with malicious code. Palo Alto Networks, the security firm that discovered the breach, estimates 39 apps were affected. Most of the apps are hugely popular in China, like messaging app WeChat, Uber rival Didi Kuaidi, train ticket app Railway 12306, business card scanner CamCard, and stock trading service Tonghuashun. A Chinese security company is pinning the number of infected apps at 300+.
“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan told the New York Times.
Consequences of Malware – An infected app might prompt a user to re-enter a user ID and password in a phishing attempt. It might ask for iCloud details. The malware is capable of accessing a user’s clipboard, which has dire ramifications for people who use password managers.
Risk Mitigation – Mobile Device Malware
Security Policy & Training – Training users on security awareness can assist in the prevention of malware infections. Policy can reinforce user behavior through punitive actions.
Technical Controls
• Sandboxing can also be used to isolate the damage of malware installed on the user-controlled portion of a BYOD device.
• Network Access Control (NAC) allows a BYOD device to be assessed prior to connection.
• Data Loss Prevention (DLP) can be implemented through Virtual Private Network (VPN) technology.
• Further protection may be added through MDM, such as the hardening of a device with security configuration settings that leverage application blacklists or disable the capability for users to install software altogether.
  • A whitelist is a list of discrete entities, such as hosts, email addresses, network port numbers, runtime processes, or applications, that are authorized to be present or active on a system according to a well-defined baseline.
  • A blacklist is a list of discrete entities that have been previously determined to be associated with malicious activity.
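Added example, not part of the presentation: a small Python posture check that applies the MDM and NAC controls listed on this slide and on the Physical Security mitigation slide (passcode, encryption, jailbreak status) together with the whitelist/blacklist definitions, evaluating constructed device records before they are granted network access. The app identifiers, policy sets and remediation names are hypothetical.

```python
"""Constructed BYOD device-posture check (added example, not the presentation's code)."""
from dataclasses import dataclass, field

# Hypothetical baselines; a real MDM/NAC product would supply these.
ORG_APP_WHITELIST = {"com.example.mail", "com.example.calendar"}   # organization side
PRIVATE_APP_BLACKLIST = {"com.example.spyapp"}                     # private side, constructed id


@dataclass
class Device:
    """Posture attributes an MDM agent would report for one enrolled device."""
    device_id: str
    passcode_set: bool
    encrypted: bool
    jailbroken: bool
    org_apps: set = field(default_factory=set)      # apps in the managed container
    private_apps: set = field(default_factory=set)  # apps in the personal space


def assess(device):
    """NAC-style decision: return (allow, findings) before the device connects."""
    findings = []
    if not device.passcode_set:
        findings.append("no passcode")
    if not device.encrypted:
        findings.append("storage not encrypted")
    if device.jailbroken:
        findings.append("jailbroken: iOS sandbox disabled")
    # Whitelist: anything on the organization side not on the baseline is unapproved.
    unapproved = device.org_apps - ORG_APP_WHITELIST
    if unapproved:
        findings.append("unapproved org-side apps: " + ", ".join(sorted(unapproved)))
    # Blacklist: known-bad apps on the private side are flagged even if unmanaged.
    flagged = device.private_apps & PRIVATE_APP_BLACKLIST
    if flagged:
        findings.append("blacklisted private-side apps: " + ", ".join(sorted(flagged)))
    return (not findings, findings)


def remediation(device):
    """Map the assessment to the deck's controls: wipe org data on jailbreak, else quarantine."""
    allow, _ = assess(device)
    if allow:
        return "allow"
    if device.jailbroken:
        return "remote-wipe-org-data"
    return "quarantine"
```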
Risk – Insider Threat
Mobile devices can also facilitate threats from employees and insiders.
Data Exfiltration
Image courtesy of GovInfo Security
• Removable Memory – Exfiltration of sensitive data can be accomplished through smartphone misuse by copying large amounts of sensitive information to the device’s secure digital (SD) memory card, or by using the device to transmit data to external accounts.
• Tethering – Synchronizing mobile devices to desktops can also be used to exfiltrate data if other countermeasures are absent, such as the disabling of USB ports on organizational desktop computers.
These activities can be carried out surreptitiously, circumventing monitoring technologies such as data loss prevention (DLP) or classification marking detection, as these controls are most often deployed only at network perimeters.
Risk – Insider Threat
Jailbreaking – The intentional modification of the iOS operating system, usually via specialized software on a connected PC/Mac, letting an iPhone or iPad run “uncontrolled” apps and features.
Risks associated with Jailbreaking
Image courtesy of imore.com
• Jailbreaking disables the “sandboxing” feature of iOS, a key part of the operating system’s security architecture. Apps then have access to perform elevated functions on iOS and on other apps.
• Jailbreaking allows the installation of unapproved apps, i.e. those that have not been reviewed for publishing on the App Store.
• According to Apple, jailbreaking is a violation of the warranty agreement.
Risk – Insider Threat
Data Interception / Eavesdropping
• A determined and capable malicious insider can leverage off-the-shelf applications to compromise a mobile device to silently monitor conversations, intercept text messages and email, physically track a device and even take photos via the camera while remaining undetected.
• With a BYOD program, this particular threat poses a greater risk, as the personal computing space of a mobile device may be less protected. An insider can easily install such an application on a phone if the phone is physically accessible.
Spy Applications – typical capabilities:
• Spy on Calls
• Read SMS Messages
• Access Address Book
• Listen to Live Calls
• Read MMS Messages
• Access Calendar
• Record Calls
• Send Fake SMS Messages
• Access Notes
• Call Logs
• Record Facetime Video
• Read Emails
• Listen to Phone Surroundings
• Spy on App Passwords
• View and Track GPS
• Record Phone Surroundings
• Take Pictures
• Hide from App List
Risk Mitigation – Insider Threat
1. MDM – MDM mitigates against insider threats by enforcing configurations via device policies. Such policies can disable high-risk functions such as downloading of restricted applications or removing required passcode screens, and can wipe jailbroken phones, etc.
2. USB Lockdown – Disabling or limiting USB connections to desktop computers can prevent the exfiltration of data through synchronizing activities.
3. Continuous Auditing – Automatic reporting through MDM or Security Information and Event Management (SIEM) systems can provide oversight on otherwise surreptitious activities.
WARNING – Unless an MDM can manage the personal operating space of a BYOD device, interception or other harmful software may be installed.
Ancillary Concerns
Legal Liability – Employers will assume legal, security, reputational, and other business-related risks when their employees use a device for both personal and work-related purposes.
If the employer becomes involved in litigation or an investigation, certain employees may be required to turn over a personal device if it contains relevant data. If this happens, to what extent are the personal contents of the device available for others to see?
Image courtesy of the State of California
Employers must consider business interests when creating a BYOD policy. These can overlap with legal obligations, or they may be completely separate.
Privacy Concerns – What if an employee uses a mobile health app to monitor a medical condition? How private are personal email accounts, messages, photos, calendars, etc.?
Employers must clearly articulate expectations of privacy in any BYOD policy and agreement that is understood and accepted by the participating employee.
Final Recommendations
1. Build a well-defined BYOD Policy
  • Define the governing regulations for the protection of data, e.g. HIPAA, CJI, PCI DSS.
  • What security measures are needed (passcode protection, jailbroken/rooted devices, anti-malware apps, encryption, device restrictions, iCloud backup)? What apps are forbidden? IP scanning, data sharing, spy apps?
  • Is there an Acceptable Usage Policy for employee devices with corporate data? What data is collected from employees’ devices? What personal data is never collected?
2. Choose an MDM platform wisely
  • Monitor the private-side “health” of BYOD devices.
  • Implement app whitelisting on the organization side and blacklisting on the private side.
  • Ensure sandboxing of organization data limits interaction with private data.
3. Implement insider threat countermeasures
  • Lock down USB synchronization.
  • Review audit logs and reports, and implement a multi-tier app approval workflow.
Questions?
Thank You