Mobile Devices
• Mobile phones
• Smartphones
• Tablet devices (iPad, Galaxy Tab, etc.)
• Laptops, Notebooks, Netbooks
Smartphones
• Ability to install and run advanced applications
• Productivity tool for enterprise users
• Susceptible to malware and other attacks
• Keyboard or touchscreen interface
• Large screens, plenty of memory, powerful processors
• Application marketplaces: App Store / iTunes (Apple), Ovi Store (Nokia), Android Market (Google)
Laptops & Netbooks
• Primarily used in enterprise environments
• OS: Microsoft Windows, Linux and Mac OS X
• Wide variety of resources and knowledge available for deploying these devices in the enterprise
Smartphone Operating Systems
• Apple iOS:
• Based on Mac OS X
• Runs on iPhone, iPad, iPod touch and Apple TV
• Massive adoption forces enterprises to adopt new mobile device strategies
• More than 500K apps in the App Store
• Tight control of hardware and software (closed platform, curated store, app sandboxing)
• Very few malware reports so far; the risk concentrates on jailbroken devices, which bypass those controls
• No antivirus apps (the sandbox prevents one app from scanning the others)
Smartphone Operating Systems
• RIM BlackBerry OS
• Research In Motion
• De facto standard for the enterprise (BlackBerry Enterprise Server, BES), covering:
Authentication
Security of data in transit
Security of the device itself
• Current releases: BlackBerry 7 (handsets) and BlackBerry Tablet OS (PlayBook)
Smartphone Operating Systems
• Google Android
• Open source OS with many contributors
• Based on the Linux kernel
• Thousands of apps
• Found on handsets from many vendors (Motorola, Samsung, Dell, HTC and more)
• Little policing of the Android Market
• Growing amount of malware found
• Comprehensive on-device security needed
Smartphone Operating Systems
• Microsoft Windows Mobile & Windows Phone
• Windows Mobile:
Up to version 6.5
Targeted at the enterprise
Many built-in security features
• Windows Phone 7:
A different platform from 6.5, not an upgrade of it
Primarily for consumer use
Missing enterprise features such as VPN and on-device encryption
Smartphone Operating Systems
• Nokia Symbian
• Prior licensees: Sony Ericsson, Samsung and others
• On the market for many years
• Wide range of security solutions available
• Several malware families also exist
• Nokia has announced its transition from Symbian to Windows Phone 7
Smartphone Operating Systems
• Other OS:
• HP Palm webOS: Palm Pre 2
• MeeGo: announced 2010, Linux-based, Nokia and Intel
• Samsung bada: Samsung Wave smartphone
Smartphones
• Software Applications
Enterprise apps (CRM, SAP, etc.)
Tools and utilities (calculator, weather, compass, etc.)
Games
Contacts & Calendars
Smartphones
• On Device Features
Powerful processor
Memory
Storage (Internal & External)
Camera (Still & Video)
Touchscreen
Bluetooth
Why NOW? Consider RISKs
• The power and capability of the devices
• Users have started using their own devices at work
• Enterprises have started using them instead of laptops
• More malware has started to appear
• Connections to public Wi-Fi
• Bluetooth connections
• Jailbroken devices (iPhone), which disable the platform's protections
• Open source OS (Android) with an open marketplace
Policies
• Policy for physical device protection
• Policy for device backup and restore
• Policy for device provisioning
• Application Policy
Policy for Backup & Restore
• User owned:
Back up to the desktop or to the cloud (MobileMe)
Back up SD cards separately
Test the restore procedure, not just the backup
• Corporate owned:
Automated backups on a regular schedule
SD cards are not allowed
Inform the helpdesk if the device is lost or stolen
The backup agent on the device must not be disabled
Policy for device provisioning
• Upgrade, downgrade and install software
• Upgrade profile settings:
Password, VPN, encryption, email
• Decommission the mobile device on:
Loss, theft, policy violation
Application Policy
White-list of approved applications
Profile settings for approved applications
User notification of application policy violations
Enterprise Management of Mobile Devices
• Mobile Device Management (MDM)
• Over The Air (OTA)
• Exchange ActiveSync (EAS)
• BlackBerry Enterprise Server (BES)
Enterprise Management of Mobile Devices
• Commands from the MDM can be sent to all end devices in one of two ways:
• SMS: available wherever the device has cellular service
Downside: only for devices with a cellular (3G/4G) subscription, not Wi-Fi-only tablets
• Push notification: Internet-based communication channel
Sender gets feedback on whether the end device received the notification
Downside: requires Internet access
Enterprise Management of Mobile Devices
• Implement password policies:
Password required
Minimum length
Password complexity
Password aging
Password history
Idle timeout (auto-lock)
Maximum number of incorrect passwords before lock or local wipe
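The password policy items above are what an MDM agent actually checks on the device. The following is an added example, not code from the original slides or from any MDM product, showing each rule (required, minimum length, complexity, history, aging, idle timeout, failed-attempt limit) as working logic. The `PasscodePolicy` field names, the stored-history format and the sample passcodes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date


@dataclass
class PasscodePolicy:
    """Settings an MDM pushes to the device (field names are assumptions)."""
    required: bool = True
    min_length: int = 6
    min_classes: int = 2           # of: lowercase, uppercase, digit, symbol
    max_age_days: int = 90         # password aging
    history_depth: int = 5         # previous passcodes that may not be reused
    idle_timeout_sec: int = 300    # auto-lock after this much inactivity
    max_failed_attempts: int = 10  # local wipe when reached


def _kdf(passcode: str, salt: bytes) -> bytes:
    """History entries are stored as salted PBKDF2 digests, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def remember_passcode(history: list, passcode: str, policy: PasscodePolicy) -> None:
    """Append a (salt, digest) entry and keep only the last history_depth entries."""
    salt = os.urandom(16)
    history.append((salt, _kdf(passcode, salt)))
    del history[:-policy.history_depth]


def _char_classes(pw: str) -> int:
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def _is_simple(pw: str) -> bool:
    """Repeated (1111) or sequential (1234, abcd, 4321) passcodes."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def validate_new_passcode(pw: str, policy: PasscodePolicy, history: list) -> list:
    """Return the rules a proposed passcode violates; an empty list means accepted."""
    if not pw:
        return ["passcode required"] if policy.required else []
    violations = []
    if len(pw) < policy.min_length:
        violations.append(f"length < {policy.min_length}")
    if _char_classes(pw) < policy.min_classes:
        violations.append(f"fewer than {policy.min_classes} character classes")
    if _is_simple(pw):
        violations.append("repeated or sequential characters")
    if any(hmac.compare_digest(_kdf(pw, salt), digest) for salt, digest in history):
        violations.append(f"reused within last {policy.history_depth} passcodes")
    return violations


def passcode_expired(last_changed: date, today: date, policy: PasscodePolicy) -> bool:
    """Password aging: a change is forced once the passcode is older than max_age_days."""
    return (today - last_changed).days > policy.max_age_days


@dataclass
class LockState:
    """Per-device unlock bookkeeping for the idle timeout and failed-attempt limit."""
    failed_attempts: int = 0
    wiped: bool = False

    def should_lock(self, idle_seconds: int, policy: PasscodePolicy) -> bool:
        return idle_seconds >= policy.idle_timeout_sec

    def record_unlock(self, succeeded: bool, policy: PasscodePolicy) -> bool:
        """Record one unlock attempt; returns True once the device has been wiped."""
        if succeeded:
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= policy.max_failed_attempts:
                self.wiped = True
        return self.wiped


if __name__ == "__main__":
    policy = PasscodePolicy()
    history: list = []
    remember_passcode(history, "Blue7sky!", policy)  # constructed sample passcode
    print(validate_new_passcode("1234", policy, history))
    print(validate_new_passcode("Blue7sky!", policy, history))
    print(validate_new_passcode("Red9fox#", policy, history))
```

The history check compares salted digests with `hmac.compare_digest` so that old passcodes never sit on the device in clear text; the failed-attempt counter is what turns the "max number of incorrect passwords" setting into a local wipe rather than a mere lock.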
Enterprise Management of Mobile Devices
• Application management
Install required apps
Remove prohibited apps
Control downloading from app markets/stores
Create app whitelists or blacklists
Monitor violations of the app policy
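How an MDM turns the application-management list above into concrete agent commands, as an added example (not code from the original slides or any MDM product). The device inventory, the app identifiers and the policy sets are constructed for illustration; an inventory maps each installed app to where it came from so that "control downloading from stores" can be enforced separately from the whitelist and blacklist.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    """Application policy pushed by the MDM (field names are assumptions)."""
    required: frozenset = frozenset()    # enterprise apps that must be installed
    allowed: frozenset = frozenset()     # whitelist; empty means no whitelist in force
    prohibited: frozenset = frozenset()  # blacklist; always enforced
    allow_store_downloads: bool = False  # may the user install from public stores?


def evaluate_apps(inventory: dict, policy: AppPolicy):
    """Compare a device's app inventory with the policy.

    inventory maps app identifier -> install source ("enterprise" or "store").
    Returns (actions, violations): actions are ("install", app) / ("remove", app)
    commands for the MDM agent; violations are (app, reason) pairs to report.
    """
    actions, violations = [], []
    for app in sorted(policy.required - set(inventory)):
        actions.append(("install", app))
    for app, source in sorted(inventory.items()):
        if app in policy.prohibited:
            reason = "blacklisted"
        elif policy.allowed and app not in policy.allowed | policy.required:
            reason = "not on whitelist"
        elif source == "store" and not policy.allow_store_downloads and app not in policy.allowed:
            reason = "public store download not permitted"
        else:
            continue
        violations.append((app, reason))
        actions.append(("remove", app))
    return actions, violations


def violation_notice(device_id: str, violations: list) -> str:
    """Text the MDM agent shows the user (and logs for the helpdesk) on a violation."""
    if not violations:
        return ""
    lines = [f"Device {device_id}: {len(violations)} application policy violation(s)"]
    lines += [f"  - {app}: {reason}; the app will be removed" for app, reason in violations]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample policy and inventory (identifiers are illustrative only).
    policy = AppPolicy(
        required=frozenset({"com.corp.crm", "com.corp.vpn"}),
        allowed=frozenset({"com.corp.crm", "com.corp.vpn", "com.vendor.calc"}),
        prohibited=frozenset({"com.example.filesharing"}),
    )
    inventory = {
        "com.corp.crm": "enterprise",
        "com.vendor.calc": "store",
        "com.example.filesharing": "store",
        "com.games.foo": "store",
    }
    actions, violations = evaluate_apps(inventory, policy)
    print(actions)
    print(violation_notice("dev-1", violations))
```

Required apps are exempt from the whitelist test so that a policy author cannot accidentally order an enterprise app removed; the blacklist is checked first because a prohibited app must go even if someone later adds it to the whitelist.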
Enterprise Management of Mobile Devices
• Encrypt data
Enforce data encryption on the device
Install an encryption tool on devices with no built-in encryption
Encrypt the SD card where SD cards are allowed
Prevent SD card use where they are not permitted
Enterprise Management of Mobile Devices
• Restrict device functionality
Screen capture
Clipboard operations
Bluetooth access
Use of the device camera
Access to Gmail or Yahoo (personal webmail)
Enterprise Management of Mobile Devices
• Configure network settings
Remote access using IPSec VPN
Remote access using SSL VPN
Default Wi-Fi settings pushed by the MDM
Smartphone security components
• On-device Anti-X protection
• Backup and restore capabilities
• Loss or theft protection
• Firewall protection
• Bluetooth protection
On-device Anti-X protection
• Antispyware
• Antivirus
• Antiphishing
• Antispam
• Most needed on open platforms (Android) and on jailbroken devices
Backup and Restore capabilities
• User owned device:
Personal files, including videos and photos
Call log and contact information
Apps and app settings
SMS messages
Email and calendar information
Phone settings
• Corporate owned: backed up through the MDM solution
Loss or Theft protection
• Report the loss/theft of device
• Locate the device using GPS
• Remotely lock the device
• Remotely set off a loud alarm
• Remotely wipe the device
Firewall protection
• Prevent unauthorised inbound connections to the device
• Monitor and block on-device applications from communicating with the outside world
• Select a solution with low power consumption
Bluetooth protection
• Disable Bluetooth by default
• Use a Bluetooth firewall (e.g. Fruit Mobile)
• Tethering protection
Summary for Addressing Smartphone RISKs
Risks are addressed through these mitigations:
• Policy
• Up-to-date AV/OS/Apps
• Access Control
• Device Management
• Encryption
• Secure Transmission
• Awareness
Online Information Sources
• www.isaca.org
• www.sans.org
• www.darkreading.com
• www.f-secure.com
• www.infosec.co.uk
• www.icsa.net
• www.cert.org
Mobile Security Vendors
• www.air-watch.com
• www.good.com
• www.juniper.net/pulse
• www.mobileactivedefense.com
• www.mcafee.com
• www.mobileiron.com
• www.sybase.com
• www.symantec.com