AITP Cloud Conference, October 29, 2015
Bring Your Own Device (BYOD) Security
Presenter: Thomas (Tom) Gresham, IT Security Supervisor, Unified Port of San Diego

Presentation Contents
• Overview of BYOD
• Associated Risks
• Physical Security & Mitigation
• Malicious Code & Mitigation
• Insider Threat & Mitigation
• Ancillary Concerns
• Q&A

BYOD SECURITY

BYOD Overview – History of mobile device use in the workplace

1990s – In the 1990s, businesses and government agencies first used mobile devices such as pagers and flip phones to improve voice communication and basic text messaging while employees were away from the desk.
[Image courtesy of Motorola]

BYOD Overview

According to a 2014 study conducted by the Pew Research Center, “58% of American adults now own a smartphone of some kind, up from 35% in the spring of 2011.”
[Image courtesy of Pew Research Center]

BYOD Overview – Mobile Device Benefits

• Communication – Mobile devices, particularly smartphones, allow for the real-time communication of data outside of the traditional office setting. Response time for information requests is near real-time through email and text services as employees travel or work from home.
• Remote Management – Smartphone applications have been developed to reach back to organization databases, providing interfaces similar to those traditionally found on desktop computers. These apps allow users not only to generate reports from agency databases but also to manipulate systems controlling functions such as financial transactions, manage IT systems, and even tie into physical access controls such as gates, doors and HVAC systems.

BYOD Overview – Mobile Device Costs

1. Equipment Costs – According to the Wall Street Journal, the average cost of an iPhone as of February 2015 was $687.
2. Ongoing Costs – Monthly plans often reach upwards of $100/month depending on the data plan.
3. In-House Assets – A traditional mobile device management (MDM) infrastructure, licensing and training may be needed.

BYOD Overview – Blackberry Enterprise Infrastructure
[Image courtesy of Research In Motion (RIM) Inc.]

Managing an in-house infrastructure, such as a Blackberry Enterprise Server (BES) farm, requires hardware, licensing and staff training.

BYOD Overview – The adoption of BYOD

As a cost saving measure, companies began to leverage employee-owned smartphones to access their corporate network. In 2009, Intel began officially allowing non-IT-issued devices to access secure company email, calendar and documents. This practice is known as Bring Your Own Device (BYOD).

BYOD Benefits:
1. Organization savings on equipment and ongoing voice/data plans
2. Empowers employees with choice in the hardware platform
3. Employees do not need to carry two mobile devices at work

Associated Risks

Many organizations are adopting the Bring Your Own Device (BYOD) approach as a cost-savings measure; however, the risks introduced by such programs are serious and can be costly if programs are not implemented correctly. Mobile devices increase an organization’s attack surface. While many security risks exist, three areas stand out as critical to any mobile device program, including BYOD:
• Physical Security
• Malicious Code
• Insider Threat

Risk – Physical Security: Loss & Theft

By nature, mobile devices are of a smaller form factor than laptops, thus they are more prone to loss or theft.
[Image courtesy of Consumer Reports]

According to a 2014 study by Consumer Reports, “More than 3.1 million smartphones were stolen just in America during 2013.” The report also revealed that 34% of individuals did not even have a simple 4-digit passcode protecting their information.
Risk – Physical Security: Unauthorized Disclosure

While the loss of a mobile device incurs a financial loss, sensitive information contained within may be compromised. The employee’s organization is now exposed to potential liability, as sensitive information may be disclosed in an unauthorized manner.

The National Institute of Standards and Technology (NIST) highlights the risk of the physical environment within Special Publication 800-124: “It is assumed that mobile devices will be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization’s remote resources.”

Risk Mitigation – Physical Security

• Security Awareness Training – Proper training on the handling of mobile devices is essential for all personnel who intend to use either organizational assets or personal assets in a BYOD setting.
• Technical Controls can reduce risk through mandatory settings via an MDM architecture:
  • PIN Codes
  • Device Encryption (physical, file or virtual)
  • Remote Data Wiping
  • Geofencing
  • Data & Application Backups

Risk – Mobile Device Malware

Malware, originally thought to target only desktop computers, has evolved rapidly in response to the growing popularity of mobile technology. According to a study:
[Image courtesy of 3SC World]

• Threat Actors: Identifying the motivation for creating malware for smart devices is paramount to a better understanding of its behavior and can be used to develop targeted detection strategies. Such goals include identity theft, fraud, spamming, espionage, data theft and sabotage.
• Attack Vector: Malware creators can use a variety of techniques to distribute malicious applications and infect devices, from self-propagation mechanisms based on vulnerabilities and misconfigurations to simply tricking the user into installing it by means of social engineering techniques.
• Privilege Elevation: Once the malicious code is installed on the device, it often needs to acquire enough privileges to carry out its goals. This is automatic in many cases, as the user might already have granted them to the app, whereas in other cases technical vulnerabilities and/or misconfigurations are exploited.

Risk – Mobile Device Malware

The anti-virus company Sophos indicated that in 2014 an estimated 2000 Android malware samples were discovered daily.
[Image courtesy of Sophos Inc.]

G Data Software AG released a study that indicates a large spike in malware samples targeting Android devices. Between 2012 and 2013, the number of distinct malware samples nearly tripled.
[Image courtesy of G Data Software AG]

According to Kaspersky Lab, the most frequently detected threats on Android devices can be broken down into three main groups: SMS Trojans, adware, and exploits to gain root access.
[Image courtesy of Kaspersky Lab]

Risk – Mobile Device Malware

Mobile Device Malware – Often, these attacks target stored credentials and use them to facilitate access to more sensitive data, as users are increasingly embedding authentication credentials into their devices, such as banking site login and password information.

• WireLurker – In 2014, Palo Alto Networks discovered the malware. WireLurker monitors any iOS device connected via USB to an infected OS X computer. WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers’ command-and-control server.
[Image courtesy of Apple France]
• Masque Attack – In July 2014, FireEye mobile security researchers discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store.
The attacker can steal a user's banking credentials by replacing an authentic banking app with malware that has an identical name. The malware can even access the original app's local data, which wasn't removed when the original app was replaced.
[Image courtesy of TechFerb]

Risk – Mobile Device Malware: Recent News

According to Macworld, in September of 2015 Apple pulled several iOS apps from the App Store after security researchers discovered malware in some of the store’s top apps. It’s unclear just how many apps were infected with malicious code. Palo Alto Networks, the security firm that discovered the breach, estimates 39 apps were affected. Most of the apps are hugely popular in China, like messaging app WeChat, Uber rival Didi Kuaidi, train ticket app Railway 12306, business card scanner CamCard, and stock trading service Tonghuashun. A Chinese security company is pinning the number of infected apps at 300+.

“To protect our customers, we’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan told the New York Times.

Consequences of Malware – An infected app might prompt a user to re-enter a user ID and password in a phishing attempt. It might ask for iCloud details. The malware is capable of accessing a user’s clipboard, which has dire ramifications for people who use password managers.

Risk Mitigation – Mobile Device Malware

Security Policy & Training – Training users on security awareness can assist in the prevention of malware infections. Policy can reinforce user behavior through punitive actions.

Technical Controls
• Sandboxing can also be used to isolate the damage of malware installed on the user-controlled portion of a BYOD device.
• Network Access Control (NAC) allows a BYOD device to be assessed prior to connection.
• Data Loss Prevention (DLP) can be implemented through Virtual Private Network (VPN) technology.
• Further protection may be added through MDM, such as the hardening of a device with security configuration settings that leverage application blacklists or disable the capability for users to install software altogether.
• A whitelist is a list of discrete entities, such as hosts, email addresses, network port numbers, runtime processes, or applications, that are authorized to be present or active on a system according to a well-defined baseline.
• A blacklist is a list of discrete entities that have been previously determined to be associated with malicious activity.

Risk – Insider Threat

Mobile devices can also facilitate threats from employees and insiders.

Data Exfiltration
[Image courtesy of GovInfo Security]
• Removable Memory – Exfiltration of sensitive data can be accomplished through smartphone misuse by copying large amounts of sensitive information to the device’s secure digital (SD) memory card, or by using the device to transmit data to external accounts.
• Tethering – Synchronizing mobile devices to desktops can also be used to exfiltrate data if other countermeasures are absent, such as the disabling of USB ports on organizational desktop computers.

These activities can be carried out surreptitiously by circumventing monitoring technologies such as data loss prevention (DLP) or classification marking detection, as these controls are most often deployed only at network perimeters.

Risk – Insider Threat: Jailbreaking

Jailbreaking – The intentional modification of the iOS operating system, usually via specialized software on a connected PC/Mac, letting an iPhone or iPad run “uncontrolled” apps and features.

Risks associated with Jailbreaking
[Image courtesy of imore.com]
• Jailbreaking disables the "sandboxing" feature of iOS, a key part of the operating system's security architecture.
  Apps now have access to perform elevated functions on iOS and on other apps.
• Jailbreaking allows the installation of unapproved apps, i.e. those that have not been reviewed for publishing on the App Store.
• According to Apple, jailbreaking is a violation of the warranty agreement.

Risk – Insider Threat: Data Interception / Eavesdropping

• A determined and capable malicious insider can leverage off-the-shelf applications to compromise a mobile device to silently monitor conversations, intercept text messages and email, physically track a device and even take photos via the camera while remaining undetected.
• With a BYOD program, this particular threat poses a greater risk, as the personal computing space of a mobile device may be less protected. An insider can easily install such an application on a phone if the phone is physically accessible.

Spy Applications – capabilities advertised by off-the-shelf spy apps:
• Spy on Calls
• Read SMS Messages
• Access Address Book
• Listen to Live Calls
• Read MMS Messages
• Access Calendar
• Record Calls
• Send Fake SMS Messages
• Access Notes
• Call Logs
• Record Facetime Video
• Read Emails
• Listen to Phone Surroundings
• Spy on App Passwords
• View and Track GPS
• Record Phone Surroundings
• Take Pictures
• Hide from App List

Risk Mitigation – Insider Threat

1. MDM – MDM mitigates against insider threats by performing configurations via device policies. Such hardware policies can disable high-risk functions such as downloading of restricted applications, removing required passcode screens, wiping jailbroken phones, etc.
2. USB Lockdown – Disabling or limiting USB connections to desktop computers can prevent the exfiltration of data through synchronizing activities.
3. Continuous Auditing – Automatic reporting through MDM or Security Information and Event Management (SIEM) systems can provide oversight on otherwise surreptitious activities.

WARNING – Unless an MDM can manage the personal operating space of a BYOD device, interception or other harmful software may be installed.
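The MDM device policies and continuous auditing described in this mitigation section, together with the organization-side whitelist and private-side blacklist from the malware mitigations, can be exercised as a single posture check. The code below is an added example, not from the presentation or any MDM product; the device records, app names, policy thresholds and action names are constructed for illustration.

```python
# Added example (not from the presentation): an MDM-style posture check that
# applies the BYOD controls from the talk to constructed device records.
# Device records, app names and the action names are all constructed.
from dataclasses import dataclass, field

ORG_APP_WHITELIST = {"corp-mail", "corp-vpn", "corp-docs"}  # org side: allow list
PRIVATE_APP_BLACKLIST = {"spyphone", "ip-scanner"}          # private side: deny list

@dataclass
class Device:
    device_id: str
    passcode_set: bool
    encrypted: bool
    jailbroken: bool
    org_apps: set = field(default_factory=set)      # apps in the managed partition
    private_apps: set = field(default_factory=set)  # apps in the personal space

def evaluate(device: Device) -> dict:
    """Return the policy findings for one device and the resulting action."""
    findings = []
    if device.jailbroken:
        findings.append("jailbroken: iOS sandboxing disabled")
    if not device.passcode_set:
        findings.append("no passcode on device")
    if not device.encrypted:
        findings.append("device storage not encrypted")
    unapproved = device.org_apps - ORG_APP_WHITELIST
    if unapproved:
        findings.append("unapproved org-side apps: " + ", ".join(sorted(unapproved)))
    forbidden = device.private_apps & PRIVATE_APP_BLACKLIST
    if forbidden:
        findings.append("blacklisted private-side apps: " + ", ".join(sorted(forbidden)))
    # Jailbroken: wipe the managed partition; any other failure: quarantine (NAC) until fixed.
    if device.jailbroken:
        action = "wipe-org-data"
    elif findings:
        action = "quarantine"
    else:
        action = "allow"
    return {"device_id": device.device_id, "findings": findings, "action": action}

DEVICES = [  # constructed inventory, as an MDM would report it to a SIEM
    Device("ios-001", True, True, False, {"corp-mail", "corp-vpn"}, {"maps"}),
    Device("and-002", False, True, False, {"corp-mail", "dropbox-clone"}, {"ip-scanner"}),
    Device("ios-003", True, True, True, {"corp-mail"}, set()),
]

def audit(devices=DEVICES) -> list:  # one continuous-auditing pass over the inventory
    return [evaluate(d) for d in devices]
```

Feeding the returned findings into a SIEM gives the "continuous auditing" oversight the slide calls for; the action field is what an MDM would enforce.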
Ancillary Concerns

Legal Liability – Employers will assume legal, security, reputational, and other business-related risks when their employees use a device for both personal and work-related purposes. If the employer becomes involved in litigation or an investigation, certain employees may be required to turn over a personal device if it contains relevant data. If this happens, to what extent are the personal contents of the device available for others to see?
[Image courtesy of the State of California]

Employers must consider business interests when creating a BYOD policy. These can overlap with legal obligations, or they may be completely separate.

Privacy Concerns – What if an employee uses a mobile health app to monitor a medical condition? How private are personal email accounts, messages, photos, calendars, etc.? Employers must clearly articulate expectations of privacy in any BYOD policy and agreement that is understood and accepted by the participating employee.

Final Recommendations

1. Build a well-defined BYOD Policy
• Define the governing regulations for the protection of data, e.g. HIPAA, CJI, PCI DSS.
• What security measures are needed (passcode protection, jailbroken/rooted devices, anti-malware apps, encryption, device restrictions, iCloud backup)? What apps are forbidden? IP scanning, data sharing, spy apps?
• Is there an Acceptable Usage Policy for employee devices with corporate data? What data is collected from employees’ devices? What personal data is never collected?
2. Choose an MDM platform wisely
• Monitor the private-side “health” of BYOD devices.
• Implement app whitelisting on the organization side and blacklisting on the private side.
• Ensure sandboxing of organization data limits interaction with private data.
3. Implement insider threat countermeasures
• Lock down USB synchronization.
• Review audit logs and reports, and implement a multi-tier app approval workflow.

Questions? Thank You