download slides - SecureWorld
August 30, 2012
10 AM PST
SecureWorld
Web Conference BYOD
Moderator
Rebecca Herold
CEO, Rebecca Herold & Associates
Web Conference Agenda
Dan Lohrmann, Chief Security Officer, State of Michigan
Roy Wattanasin, Information Security Officer, MITM
David C. Keating, Partner, Alston + Bird LLP
An Overview of BYOD
Michigan’s Perspective
Dan Lohrmann, Michigan Chief Security Officer
August 30, 2012
A Closer Look . . . BYOD
The Good -
- Cost Effective
- Convenient
- Increased Productivity

A Closer Look . . . BYOD
The Bad -
- Hard to Secure
- Easy to Lose
- Hacker Target

A Closer Look . . . BYOD
The Ugly -
The Dreaded “B” Word – BREACH
The Survey Says . . .
• 40% of Smartphone Users Concerned About Security
• 82% Have No Security Installed
• 25% Don’t Know How to Install Security
Source: NPD Group
Trending
The Mobile Worker - Threat
• 35% of Breaches are due to loss or theft of mobile devices
– Most expensive type of breach, average of $258 per record
– Investigation difficult and costly
– Mobile devices an easy target
Source: Ponemon Institute 2011
Bring Your Own Device (or Not)
Benefits
• Convenient, one device to carry.
• Cost-effective.
• Increased productivity.
Risks
• Data storage liability.
• Easily lost or stolen.
• Support costs.
• Availability expectations, i.e. overtime?
• Possible loss of personal data.
• Possible loss of business data.
Bring Your Own Device
Intel predicts that by 2016:
• 80% of workforce will be using their own personal devices for work (BYOD)
According to the March 2012 SANS Analyst Program “BYOD Mobility Survey”:
• Only 24% of respondents had BYOD policies.
• 52% relied on user education to manage risk.
• Business needs to be able to rapidly update mobile policies to keep up with technology changes.
• Top five items desired in a mobile solution are:
– Centralized functionality
– Logging, monitoring and reporting
– Ease of deployment
– Malware protection
– Configuration controls
Source: SANS Institute
BYOD Success . . .
• 71,825 Employees
• 50,538 Devices
• 100% BYOD
• Requirements:
– Encryption
– 10 Minute Timeout/Lock
– 4-Digit PIN to Unlock
– Remote Wipe
BYOD Chaos . . .
How to Balance the Scales
• Develop, and enforce, strong use policies.
• Require strong password controls.
• Clearly define user responsibilities.
• Explain user risks up-front.
• Establish remote-wipe capability.
• Classify your data, and know where it is.
• Track your assets.
• Implement Mobile Device Management (MDM).
What Can You Do?
• Endpoint Encryption
• Authentication Policies
• Awareness/Education
• AV/Malware Protection
• Access Controls
• Remote Wiping
• Forbid sensitive data on personal devices
Education is KEY
• End User Awareness
– Acceptable Use
– Security Controls
– Clear Policies
• Business Awareness
– Who Has Access
– What’s Connected to the Network
– Where is Data Located
Final Thoughts . . .
• Mobile computing is here to stay.
• Today’s security threats are NOT tomorrow’s security threats – business and IT must adapt.
• Education is KEY – business and user!
• Be aware of your data portfolio.
• Engage your security team to enable SECURE mobile computing.
Questions?
Dan Lohrmann, Michigan Chief Security Officer
lohrmannD@michigan.gov
Phone: 517-241-4090
www.michigan.gov/cybersecurity
The Mobile Threat Landscape
Roy Wattanasin, Information Security Officer, MITM
August 30, 2012
Interesting Statistics
• By the end of 2012, the number of mobile connected devices will exceed the number of people on earth.
• By 2016, there will be 1.4 mobile devices per capita.
• Mobile network connection speeds will increase 9-fold by 2016.
2011 Vs. 2012
Apple IOS Vs. Android
Apple IOS Malware
• Few, but growing
• First known malware
– July 2012
– Find and Call Trojan (Spam and Spy)
(Trendmicro)
Android Malware
• Over 2,000 known Android trojans and growing
• First known malware
– August 2010
– Trojan-SMS.AndroidOS.FakePlayer.a (Trojan-SMS)
(Trendmicro)
Threats
T1 – Applications       | T2 – Web Based     | T3 – Network      | T4 – Physical
Malware                 | Phishing scams     | Network exploits  | Lost/stolen devices
Spyware                 | Drive by downloads | Wifi Sniffing     | Sensitive information
Privacy                 | Browser exploits   | Bluetooth / Cell  | Confidential information
Vulnerable applications |                    | Other services    |
Key Points
• Find out what you want to protect
• Develop policies and regularly update
• Encourage secure development
• Blacklist/whitelist applications
• Encrypt data (if possible)
• Data redaction
• Patching
• Awareness/training
• Vulnerability management
• Penetration testing
• Flexibility and improvements
Future of Mobile Malware
• Targeted attacks
• ZitMo and SpitMo (Zeus and SpyEye in the Mobile)
• Data theft from mobile devices
• Subject geo-location tracking and services
• Malicious users exploiting vulnerabilities
Questions?
Roy Wattanasin
Information Security Officer
MITM
WWW.ALSTON.COM
Data Security Regulation and the New Mobile Frontier
August 30, 2012
David C. Keating
Co-Leader, Privacy and Security Practice
Alston & Bird LLP
(404) 881-7355 (Atlanta)
(202) 239-3921 (Washington, DC)
(678) 463-2617 (Cell)
david.keating@alston.com
Exponential Growth of Mobile Devices in Corporate Environments
• Consumerization of IT
• 89% have mobile devices connecting to corporate networks (Checkpoint Survey Jan. 2012)
• 65% enable employee-owned devices
Security Challenges
• Culture and Corporate Policy
• 71% report increase in security incidents due to mobile devices in past two years (Checkpoint Survey Jan. 2012)
– Lost and stolen devices
– Malware
– Device misuse
• 56% report sensitive data stored on mobile devices (Ponemon Institute Study Jan. 2012)
• 38% report network access credentials (Checkpoint Survey)
• Even basic security controls may not be in place
Gordon M. Snow
Assistant Director, Cyber Division
Federal Bureau of Investigation
April 12, 2011
“[T]he number and sophistication of cyber attacks has increased dramatically over the past five years and is expected to continue to grow. The threat has reached the point that given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system that is accessible directly from the Internet.”
Regulatory Landscape: Existing Regulation
• Federal Trade Commission Act - the “Unfairness Prong”
• State Data Security Laws and Regulations
• State Data Breach Notification Laws
• State Sensitive Data Disposal Laws

Regulatory Landscape: Existing Regulation
• Duty to Protect Corporate Trade Secrets
• Duty to Protect Corporate Networks
• HIPAA and the HITECH Act
• Gramm-Leach-Bliley Act
• Non-U.S. Data Protection Laws

Regulatory Landscape: Emerging Standards
• FTC Enforcement Actions
• SEC Cyber Risk Disclosure Guidance
• State Attorneys General
• Standard of Care
– NIST SP 800-53, NIST SP 800-124
– Cloud Security Alliance Working Group
Implementing Effective Corporate Policy
• Extend Controls to Mobile Devices
• Manage the Authorization of Mobile Devices
– Diversity of Devices, Platforms and Development Paths
• Awareness Gap
– People Love Toys
Corporate Policy: Pitfalls
• Effective Consent to:
– Monitor Device Usage – ECPA, Wiretapping Laws
– Inspect Device Contents – ECPA, Stored Communications Act, Trespass
– Delete Content on Devices – ECPA, Stored Communications Act, Trespass, Conversion, Negligence
• Third Party Providers; the Cloud
• Return of Devices for Repair or Exchange
Open Discussion
Dan Lohrmann, Chief Security Officer, State of Michigan
Roy Wattanasin, Information Security Officer, MITM
David C. Keating, Partner, Alston + Bird LLP
Closing Remarks
Rebecca Herold, The Privacy Professor, on BYOD
Join us again November 29, 2012
Clean up on Aisle 9
Visit SecureWorldPost.com for the latest security news and blogs from industry leaders.
Thank you for joining today’s web conference.