Security Awareness Training: Mobile Devices
DESCRIPTION
In a bring-your-own-device (BYOD) workplace, mobile security depends largely on the user behind the device. Strong security policies, the right technology and employee education enable your organization to protect sensitive corporate data on mobile devices. Learn how to educate employees on the importance of mobile security best practices:
- Develop security awareness training for users
- Address employee privacy concerns and fears
- Highlight pitfalls of jailbreaking or rooting a device
- Teach users to create strong passwords and identify mobile threats
TRANSCRIPT
Security Awareness Training: Mobile Devices
November 20, 2014 10:00 AM PST/1:00 PM EDT
Sponsored by: MaaS360, an IBM Company
Join the conversation on Twitter - #SWwebcon
Web Conference Overview
In a bring-your-own-device (BYOD) workplace, mobile security depends largely on the user behind the device. Strong security policies, the right technology and employee education enable your organization to protect sensitive corporate data on mobile devices. During today's program, our experts will discuss how to educate employees on the importance of mobile security best practices.
Moderator
Barbara Endicott-Popovsky, Director, Center of Information Assurance and Cybersecurity at the University of Washington
Barbara Endicott-Popovsky, Ph.D., CRISC, is Director of the Center of Information Assurance and Cybersecurity at the University of Washington and the Academic Director for the Masters in Infrastructure Planning and Management in the Urban Planning Department of the School of Built Environments.
Web Conference Agenda – Featured Presenters
Sandy Bacik, Security Professional, CISSP, ISSMP, CISM, CGEIT, CHS-III
Margaret Leary, Professor of IT/Cybersecurity, Northern Virginia Community College and George Mason University
David Lingenfelter, Information Security Officer, MaaS360, an IBM Company
Featured Presenter
Sandy Bacik, Security Professional, CISSP, ISSMP, CISM, CGEIT, CHS-III
Sandy Bacik, author and former CSO, has over 16 years of direct information security experience in the areas of IT Audit, BCP/DR, Incident Response, Physical Security, Privacy, Regulatory Compliance, Policies/Procedures, Operations and Management. She also has an additional 15 years in Information Technology Operations.

Limiting Risk of Personal Mobility
Sandy Bacik, CISSP, ISSMP, CISM, CGEIT, Security Professional
Agenda
♦ What is personal mobility?
♦ What are the risks of personal mobility?
♦ How can you protect a personal mobile device?
♦ BYOD / BYOT in an enterprise environment
How Phone Communications Have Changed
(images: switchboard with old desk phone, portable phone, old cell phone, more modern cell phone, smartphone)
How Computing Has Changed
(images: mainframe and terminal, desktop computer, laptop, tablet, smartphone, PDA)
How Can a Personal Mobile Device Be Used?
♦ Pros:
– Can be used to save a life
– Can be used to access and store information
– Can be used to communicate via many options – voice, text, email, and video
♦ Cons:
– May be damaged, lost or stolen
– Can be used to access, store and communicate inappropriate material
– Can disrupt the home or work environment
– Camera functions can lead to child protection and data protection issues with regard to inappropriate capture, use or distribution of images
So, My Mobile Device is Not Secured By Default?
♦ Applications downloaded on mobile phones and tablets have the ability to broadcast:
– Your location
– Private conversations
– Pictures
– Banking information
– And other sensitive data, even when these mobile devices are not in use
♦ Growing potential for increasing risk related to data or personal security and privacy
Rooted?
♦ Rooting is a device hack that provides users with unrestricted access to the entire file system of the mobile device.
♦ Jailbreaking, another term for rooting, is a device hack that provides users with unrestricted access to the entire file system of their mobile devices.
♦ Rooted, or jailbroken, on a mobile device means it has been compromised by malware or a bad guy.
♦ The mobile device may be more vulnerable to malicious apps and stability issues.
How Safe is Your Personal App Store?
♦ Every vendor and provider has a different privacy policy and end user license agreement.
♦ Committed to protecting customers and their data, and also to providing greater transparency into the unique level of protection they offer customers.
♦ Recognize that customers want and need access to apps that do not infringe on their privacy or impact their security.
Some Mobility Security Applications to Consider
♦ Find my phone
♦ Data backup
♦ Encrypted texting, phone calls, and emails
♦ Whole device encryption
♦ Secure password storage
♦ Call blocking
♦ Identity protection
♦ Anti-virus
♦ Anti-malware
♦ Website filtering
♦ Firewall
BYOD / BYOT in an Enterprise
Personally Owned Device Risk to the Enterprise
♦ Uncontrolled endpoints
♦ Data leakage
♦ Malware
♦ Spam
♦ Lost device and data
♦ Communication interception
♦ Unsecured access
♦ Liability
What Do You Need to Implement Personal Mobility?
♦ Mobile Device Management (MDM) – Allows MYC to enforce corporate policies and validate security settings
♦ Secure Mobile Messaging – Allows MYC to store corporate email in an encrypted container on the device
♦ Mobile Application Platform – Allows MYC to provide a set of tools and applications to users
♦ Perimeter, network, and host protections, including monitoring
♦ USER TRAINING – COMMUNICATION
Published MYC Mobile Policies and Procedures
♦ Policy: MYC Owned Mobile Devices
♦ Procedure: Requesting a MYC Owned Mobile Device
♦ Procedure: Non-MYC-Owned Device Minimum Security Standard
♦ Form: MYC Stewardship Agreement (Non-MYC-owned Devices)
♦ Training course: training for a non-MYC-owned device
♦ Communicate, communicate, communicate
♦ Privacy of personal mobility
Tie Your Mobility Practices into Other Documents
♦ Code of Conduct
♦ Computer System Security
♦ Employee Conduct
♦ Protection of Confidential Information and Trade Secrets
♦ Electronic Information and Communication Policy
♦ Dissemination of Information
♦ Information Security
User Responsibilities Include, But Are Not Limited To
♦ You may connect to the BYOD wireless network but are prohibited from connecting to the CORPNET or GUESTNET wireless network.
♦ You may not connect the personal device to the MYC network via MYC VPN.
♦ You may not forward MYC sponsored or owned phone numbers to a personal device.
♦ You are responsible for the protection of the MYC information asset being accessed by adhering to all MYC policies and procedures.
♦ You are responsible for all expenses and communication plans on the personal device except as agreed to for MYC approved international travel.
♦ You will allow MYC IT to install mobile device security standards on the personal device, including encryption and password protection.
♦ You are prohibited from 'jailbreaking' or otherwise circumventing the built-in security of a personal device after MYC mobile device security standards have been installed.
♦ You agree that MYC will not be held liable should anything happen to the personal device.
♦ You will notify IT within 48 hours of loss of your personal device.
♦ You will protect all passwords which enable access to MYC assets. If you suspect a compromise, you will change the password immediately and advise the IT Help Desk.
Strategy Summary
♦ Manage and protect what matters to the enterprise
♦ Pay attention to service delivery to the business community
♦ Be clear on roles, responsibilities, and ownership
♦ Ensure users understand what can happen
♦ Train users – over-communicate
♦ Integrate into your environment documents or a program
Thank You!
Questions?
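The MDM bullet above ("enforce corporate policies and validate security settings"), the Non-MYC-Owned Device Minimum Security Standard and the user responsibilities (no jailbreaking, encryption and passcode installed, loss reported within 48 hours) are policy statements; what an MDM actually does with them is evaluate each device's reported posture against the standard and act on the result. The following is an added example of that evaluation, written for this page; it is not MYC's standard, the presenter's material or any MDM product's schema. The field names, the thresholds (minimum OS versions, a 72-hour check-in window, a six-character passcode) and the block_corp_access/warn actions are assumptions chosen for illustration, and the device inventory is constructed:

```python
"""Added example: evaluating BYOD device posture reports against a minimum
security standard, the kind of check an MDM performs when it validates
security settings and flags devices that are rooted/jailbroken or
otherwise out of policy.  The report fields, rule thresholds and device
records below are assumptions constructed for illustration; they are not
MYC's standard or any MDM product's schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimum security standard expressed as data so it can be reviewed and
# version-controlled like the policy document it implements (assumed values).
MIN_OS = {"ios": (8, 1), "android": (4, 4)}
MAX_HOURS_SINCE_CHECKIN = 72
MIN_PASSCODE_LENGTH = 6


@dataclass
class Finding:
    device_id: str
    rule: str
    action: str  # "block_corp_access" or "warn"


def parse_version(s: str) -> tuple:
    """'8.1.2' -> (8, 1, 2); tolerates vendor suffixes such as '4.4.2-eng'."""
    core = s.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def evaluate(device: dict, now: datetime) -> list:
    """Return every rule the device fails; an empty list means compliant."""
    findings = []
    dev = device["id"]

    # Rooting/jailbreaking defeats every other control, so it is a hard block.
    if device.get("rooted_or_jailbroken"):
        findings.append(Finding(dev, "rooted_or_jailbroken", "block_corp_access"))

    # Whole-device encryption and a passcode are what protect data on a lost device.
    if not device.get("encrypted"):
        findings.append(Finding(dev, "encryption_disabled", "block_corp_access"))
    if device.get("passcode_length", 0) < MIN_PASSCODE_LENGTH:
        findings.append(Finding(dev, "weak_or_missing_passcode", "block_corp_access"))

    # An OS below the minimum carries known, unpatched bugs: warn and chase.
    if parse_version(device["os_version"]) < MIN_OS[device["platform"]]:
        findings.append(Finding(dev, "os_below_minimum", "warn"))

    # A device that has stopped checking in may be lost, wiped or tampered with.
    last = datetime.fromisoformat(device["last_checkin"])
    if now - last > timedelta(hours=MAX_HOURS_SINCE_CHECKIN):
        findings.append(Finding(dev, "stale_checkin", "warn"))

    # A device the user reported lost must not keep corporate access.
    if device.get("reported_lost"):
        findings.append(Finding(dev, "reported_lost", "block_corp_access"))
    return findings


def evaluate_fleet(devices, now) -> dict:
    """Map device id -> required action: 'ok', 'warn' or 'block_corp_access'."""
    result = {}
    for d in devices:
        fs = evaluate(d, now)
        if any(f.action == "block_corp_access" for f in fs):
            result[d["id"]] = "block_corp_access"
        elif fs:
            result[d["id"]] = "warn"
        else:
            result[d["id"]] = "ok"
    return result


# Constructed sample inventory (not real devices or a real agent report).
NOW = datetime(2014, 11, 20, 18, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    {"id": "dev-001", "platform": "ios", "os_version": "8.1.1", "encrypted": True,
     "passcode_length": 6, "rooted_or_jailbroken": False,
     "last_checkin": "2014-11-20T12:00:00+00:00"},
    {"id": "dev-002", "platform": "android", "os_version": "4.4.2-eng", "encrypted": True,
     "passcode_length": 4, "rooted_or_jailbroken": True,
     "last_checkin": "2014-11-19T08:00:00+00:00"},
    {"id": "dev-003", "platform": "android", "os_version": "4.1.2", "encrypted": True,
     "passcode_length": 8, "rooted_or_jailbroken": False,
     "last_checkin": "2014-11-15T08:00:00+00:00"},
    {"id": "dev-004", "platform": "ios", "os_version": "8.0", "encrypted": True,
     "passcode_length": 8, "rooted_or_jailbroken": False, "reported_lost": True,
     "last_checkin": "2014-11-20T17:00:00+00:00"},
]

if __name__ == "__main__":
    for dev_id, action in evaluate_fleet(SAMPLE_DEVICES, NOW).items():
        print(dev_id, action, [f.rule for f in evaluate(
            next(d for d in SAMPLE_DEVICES if d["id"] == dev_id), NOW)])
```

A rooted or jailbroken device, missing encryption, a weak passcode and a device the user has reported lost each cut off corporate access outright, because each one defeats the other controls; an old OS or a stale check-in only warns, leaving room for the communication step the deck stresses. The posture values come from the agent on the device, so a compromised device can misreport them; that is one reason the deck pairs MDM with the signed user agreement and with network and host monitoring rather than trusting the device report alone.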
Featured Presenter
Margaret Leary, Professor of IT/Cybersecurity, Northern Virginia Community College and George Mason University
Dr. Margaret Leary, CISSP, CIPP/G, CRISC, is a Professor of IT/Cybersecurity at Northern Virginia Community College and George Mason University. She serves as the Director, Curriculum of the National CyberWatch Center and has been a member of the NCC Leadership Team for the past 8 years.

Mobile Device Security: Expanding Threats
Dr. Margaret Leary, CISSP, CIPP/G, CRISC
Expanding Mobile Threats
• Mobile threats are expanding globally
– Financially-motivated attacks
– Malware
– Cross-platform threats
• Many of these new threats leverage traditional PC-type malware
• While most (90%) are Android, iPhone attacks are on the rise
Malware Attacks
• Malware is a much greater threat than loss of phone – yet most BYOD policies are focused on loss or theft of phone
• Sophos Labs reports seeing more than 2,000 pieces of mobile malware every day*. In some countries, mobile devices are attacked more than PCs.
– Denial of Service Attacks – turning smartphones into bots on a botnet or placing them at risk of ransomware
– Attacks on Confidentiality – attacker remotely enabling microphone or camera
*http://www.sophos.com/en-us/threat-center/mobile-security-threat-report.aspx
What If?
• Your connected smartphone is used as a conduit to inject malware into your car?
• Your phone is connected to a health monitoring device, and that health information is disclosed, or worse, modified by an attacker?
• Your smartphone is connected to your smart home?
The Problem
• The same threats exist for mobile devices as those with PCs
• Increased connectivity
• Too trusting of a user
• Current market dynamics
Common Mobile Application Development Mistakes
• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Poor authentication and authorization mechanisms
• Insufficient testing
Common Mobile Application Development Solutions
• Encrypt!
• Security should use a "layered" approach
• Use SSL/TLS (HTTPS) to encrypt the session
• Don't store passwords in plain text
• Generate credentials securely
• Test, test, and test again!!!
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_Testing
Additional Countermeasures
• Train your users AND your app developers!
• Develop a Secure Mobile Application Development Policy for developers
• Keep patches updated
• Keep phones in lockers or bags
• Think twice about any app you download
Thank You!
Questions?
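To make the "insecure data storage", "don't store passwords in plain text", "generate credentials securely" and "insufficient transport layer protection" items above concrete, here is an added example, written for this page and not taken from the presentation or from the OWASP project it cites, that shows each insecure pattern beside its hardened form. The function names (insecure_store, secure_store, client_tls_context and the rest) and the scrypt cost parameters are assumptions for illustration; the sample username and password are constructed:

```python
"""Added example (not from the presentation or OWASP): insecure credential
storage and transport settings beside the hardened forms.  All names and
parameters are illustrative assumptions."""
import hashlib
import hmac
import json
import os
import secrets
import ssl


# ---- Insecure data storage: the password itself lands on disk -------------
def insecure_store(username: str, password: str) -> str:
    """Returns what an app that 'saves the login' writes to its data directory.
    A backup, a rooted device, or a path-traversal bug in the app exposes it."""
    return json.dumps({"user": username, "password": password})


# ---- Hardened: per-user salt + memory-hard hash + constant-time compare ----
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # assumed cost; tune per device


def secure_store(username: str, password: str) -> str:
    """Store only a random salt and the scrypt output, never the password.
    A stolen record yields the password only through a brute-force search
    whose cost the work factor controls."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return json.dumps({"user": username, "salt": salt.hex(), "hash": digest.hex()})


def verify(record: str, password: str) -> bool:
    """Recompute with the stored salt; compare_digest avoids a timing leak."""
    rec = json.loads(record)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(rec["salt"]),
                            **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


# ---- 'Generate credentials securely': tokens from the OS CSPRNG -----------
def new_session_token() -> str:
    """256 random bits; random.random(), a timestamp or a device id is guessable."""
    return secrets.token_urlsafe(32)


# ---- 'Insufficient transport layer protection' ------------------------------
def client_tls_context(verify_server: bool = True) -> ssl.SSLContext:
    """The default context verifies the certificate chain and the hostname and
    refuses pre-1.2 TLS.  Turning verification off (a development shortcut that
    ships to production) lets any on-path attacker present their own
    certificate and read the session."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_server:  # the mistake, kept here only so it can be tested for
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def transport_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check an app's test suite can run over its own TLS settings."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # Constructed sample credentials.
    rec = secure_store("alice", "correct horse battery staple")
    print(rec)
    print(verify(rec, "correct horse battery staple"), verify(rec, "wrong"))
    print(new_session_token())
    print(transport_is_acceptable(client_tls_context()),
          transport_is_acceptable(client_tls_context(verify_server=False)))
```

On a real handset the hardened record, or better a short-lived server-issued token, belongs in the platform keystore (iOS Keychain, Android KeyStore) rather than a plain file, and the transport check belongs in the app's automated tests, so that a "disable certificate verification for staging" change cannot reach production unnoticed.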
Featured Presenter
David Lingenfelter, Information Security Officer, MaaS360, an IBM Company
David has over 20 years of experience with risk management, information security, compliance, policy development and currently heads security and compliance at Fiberlink Communications.

Balancing Security and Opportunity in the Mobile Era: Tackling Mobile Security with a Layered Defense
David Lingenfelter @Simply_Security
New = Scary
Old = Comfortable
Change is inevitable
Mobile technologies are more empowering
(infographic; figures not recoverable from the page: share of employed adults who use at least one personally-owned mobile device for business; mobile workers who will use at least one business-focused app this year; yearly increase in revenue from people using mobile devices to purchase items)
But security threats are even greater
(infographic; figures not recoverable from the page: threats on your employees; threats on your customers; share of financial apps on Android that have been hacked; share of Top 100 Android apps that have been hacked; annual cost of crime)
IT's Role and Focus Has Changed
Many different use cases within a single company: Corporate Owned, BYOD, Shared Devices, Cart Devices, Kiosk Devices, Data Leakage, Apps Blacklisting, URL filtering, SharePoint/EFSS, Intranet Access
These Don't Help…
• Compliance
• Rules/Regulations
• Privacy
• Intellectual Property
• Legal
Embrace The New Normal
Mobile is becoming THE IT platform
Go beyond enabling these new devices:
– Mobile utilization of corporate network/resources
– Separation of corporate & personal apps/data
– App management & security (and app dev assist)
– Identity, context and more sophisticated policy
So what does it take to enable all of this…
…and the Right Technology
• Mobile Device Management
• Mobile App Management
• Mobile Content Management
• Mobile Enterprise Gateway
• File Edit, Sync, and Share
MaaS360 Layered Approach
• Secure the Device
• Secure the Content
• Secure the App
• Secure the Network
Separating Corporate and Personal Lives
Secure the Device
Dynamic security and compliance features continuously monitor devices and take action.
Secure the Container: Mail & Content
An office productivity app with email, calendar, contacts, & content
Secure the App
Enhancing private and public app security through (SDK or wrapping) code libraries and policies
Secure the Network
A fully-functional web browser to enable secure access to corporate intranet sites and enforce compliance of policies
When you do this, expect great things
Gaming and Entertainment
• Need – Reduce drink wait times
• Solution – Locked down tablet with enterprise app
• Outcome – Reduce drink times from 20 minutes to 4 minutes with a single managed tablet and app
• Ended up also using tablets to check in guests

Highly Regulated Industry
• Need – Secure email
• Solution – Implement secure email container
• Outcome – Meet regulatory requirements
• Now also delivers sensitive documents

Education
• Need – Help students with learning disabilities
• Solution – iPads with customized policies for each student
• Outcome – Unique learning environment to suit a large spectrum of student abilities
• Improved quality of life
Being Productive and Secure
MaaS360 Trusted Workplace™
• Continuously assess context & usage
• Real-time controls of entitlements
• Secure data at rest, in motion & in use
• Enterprise access controls
• Native controls or container
• BYOD privacy protections
MaaS360 Secure Productivity Suite: Secure Mail; File Sync, Edit & Share; App Security & Management; Enterprise Gateway

Why Customers Choose MaaS360
Easiest to deploy and scale Mobile Device, App, and Content Management & Security platform, for organizations that are:
• Embracing multi-OS environments (iOS, Android, Windows Phone)
• Allowing Bring-Your-Own-Device (BYOD) programs
• Developing and deploying mobile apps (public and private)
• Enabling corporate content on mobile devices securely (push and pull)
• AND MORE….
Wrap-up
• Unlocking productivity with apps and content
• Capabilities exist today to enable
• Take a layered approach for security
You can do it now: Empower Users, Build Trust. Do it with IBM MaaS360.
David Lingenfelter @simply_security
Thank You!
Questions?
Open Discussion
Sandy Bacik, Security Professional, CISSP, ISSMP, CISM, CGEIT, CHS-III
Margaret Leary, Professor of IT/Cybersecurity, Northern Virginia Community College and George Mason University
David Lingenfelter, Information Security Officer, MaaS360, an IBM Company

Closing Remarks
Barbara Endicott-Popovsky, Director, Center of Information Assurance and Cybersecurity at the University of Washington
Thoughts on Security Awareness Training: Mobile Devices

Thank you MaaS360 for making today's program possible!
SecureWorldExpo.com – Visit us for the latest security news and blogs from industry leaders.
Thank you for attending today's web conference. Join us on December 4 for "Target One Year Later: What Have We Learned?"
Questions? Idea for a topic? Contact Tom Bechtold – [email protected]