download slides - SecureWorld

August 30, 2012
10 AM PST
SecureWorld
Web Conference BYOD
1

Moderator
Rebecca Herold
CEO Rebecca Herold & Associates
2

Web Conference
Agenda
Dan Lohrmann
Chief Security Officer
State of Michigan
Roy Wattanasin
Information Security Officer
MITM
David C. Keating
Partner
Alston + Bird LLP
3

An Overview of BYOD
Michigan’s Perspective
Dan Lohrmann,
Michigan Chief Security Officer
August 30, 2012

A Closer Look . . . BYOD
The Good -
- Cost Effective
- Convenient
- Increased
Productivity
5

A Closer Look . . . BYOD
The Bad -
- Hard to
Secure
- Easy to Lose
- Hacker Target
6

A Closer Look . . . BYOD
The Ugly -
The Dreaded “B”
Word –
BREACH
7

The Survey Says . . .
• 40% of
Smartphone
Users Concerned
About Security
• 82% Have No
Security Installed
• 25% Don’t Know
How to Install
Source: NPD Group
Security
8

9
Trending

The Mobile Worker - Threat
• 35% of Breaches are
due to loss or theft
of mobile devices
– Most expensive
type of breach,
average of $258 per
record
– Investigation
difficult and costly
– Mobile devices an
easy target Source: Ponemon Institute 2011
10

Bring Your Own Device
(or Not)
Benefits
• Convenient, one
device to carry.
• Cost-effective.
• Increased productivity.
Risks
• Data storage liability.
• Easily lost or stolen.
• Support costs.
• Availability expectations, i.e.
overtime?
• Possible loss of personal
data.
• Possible loss of business
data.
Benefit
Risk
11

Bring Your Own Device
Intel predicts
Cloud Computing
that by 2016:
• 80% of workforce
will be using their
own personal
devices for work
(BYOD)
Cyber Security
Smartphones
12

• Only 24% of respondents had BYOD policies.
• 52% Relied on user education to manage risk.
SANS Analyst Program
According to March 2012
“BYOD Mobility Survey”
• Business needs to be able to rapidly update mobile policies to keep
up with technology changes.
• Top five items desired in a mobile solution are:
• Centralized functionality
• Logging, monitoring and reporting
• Ease of deployment
• Malware protection
• Configuration controls
Source: SANS Institute
13

BYOD Success . . .
• 71,825 Employees
• 50,538 Devices
• 100% BYOD
• Requirements:
– Encryption
– 10 Minute Timeout/Lock
– 4-Digit PIN to Unlock
– Remote Wipe
14

15
BYOD Chaos . . .

16
BYOD Chaos . . .

17
BYOD Chaos . . .

18
BYOD Chaos . . .

19
BYOD Chaos . . .

How to Balance the
Scales
• Develop, and enforce, strong use policies.
• Require strong password controls.
• Clearly define user responsibilities.
• Explain user risks up-front.
• Establish remote-wipe capability.
• Classify your data, and know where it is.
• Track your assets.
Benefit
• Implement Mobile Device Management (MDM).
Risk
20

What Can You Do?
• Endpoint Encryption
• Authentication Policies
• Awareness/Education
• AV/Malware Protection
• Access Controls
• Remote Wiping
• Forbid sensitive data on personal
devices
21

Education is KEY
• End User Awareness
– Acceptable Use
– Security Controls
– Clear Policies
• Business Awareness
– Who Has Access
– What’s Connected to the
Network
– Where is Data Located
22

Final Thoughts . . .
• Mobile computing is here to stay.
• Today’s security threats are NOT
tomorrow’s security threats –
business and IT must adapt.
• Education is KEY – business and
user!
• Be aware of your data portfolio.
• Engage your security team to
enable SECURE mobile computing.
23

Questions?
Dan Lohrmann, Michigan Chief Security Officer
lohrmannD@michigan.gov
Phone: 517-241-4090
www.michigan.gov/cybersecurity
24

The Mobile Threat Landscape
Roy Wattanasin, Information Security Officer, MITM
August 30, 2012

Interesting Statistics
• By the end of 2012, the number of mobile connected
devices will exceed the number of people on earth.
• By 2016, there will be 1.4 mobile devices per capita
• Mobile network connection speeds will increase 9-fold by
2016

2011 Vs. 2012

Apple IOS Vs. Android

Apple IOS Malware
• Few but, growing
• First known
malware
• July 2012
• Find and Call Trojan
(Spam and Spy)

Android Malware
• Over 2000+ Android known
trojans and growing
• First known malware
• August 2010
• Trojan-
SMS.AndroidOS.FakePlayer.a
(Trojan-SMS)
(Trendmicro)
(Trendmicro)

Threats
T1 – Applications T2 – Web Based T3 - Network T4 - Physical
Malware Phishing scams Network exploits Lost/stolen devices
Spyware Drive by downloads Wifi Sniffing Sensitive
information
Privacy Browser exploits Bluetooth / Cell Confidential
information
Vulnerable
applications
Other services

Key Points
• Find out what you want to protect
• Develop policies and regularly
update
• Encourage secure development
• Blacklist/whitelist applications
• Encrypt data (if possible)
• Data redaction
• Patching
• Awareness/training
• Vulnerability management
• Penetration testing
• Flexibility and improvements

Future of Mobile
Malware
• Targeted attacks
• ZitMo and SpitMo (Zeus and SpyEye in the Mobile)
• Data theft from mobile devices
• Subject geo-location tracking and services
• Malicious users exploiting vulnerabilities

Questions?
Roy Wattanasin
Information Security Officer
MITM
35

WWW.ALSTON.COM
Data Security Regulation and the New
Mobile Frontier
August 30, 2012
David C. Keating
Co-Leader, Privacy and Security Practice
Alston & Bird LLP
(404) 881-7355 (Atlanta)
(202) 239-3921 (Washington, DC)
(678) 463-2617 (Cell)
david.keating@alston.com

Exponential Growth of Mobile
Devices in Corporate Environments
• Consumerization of IT
• 89% have mobile devices connecting to
corporate networks (Checkpoint Survey Jan.
2012)
• 65% enable employee-owned devices
37

Security Challenges
• Culture and Corporate Policy
• 71% report increase in security incidents due to mobile
devices in past two years (Checkpoint Survey Jan.
2012)
– Lost and stolen devices
– Malware
– Device misuse
• 56% report sensitive data stored on mobile devices
(Ponemon Institute Study Jan. 2012)
• 38% report network access credentials (Checkpoint
Survey)
• Even basic security controls may not be in place
38

Gordon M. Snow
Assistant Director, Cyber Division
Federal Bureau of Investigation
April 12, 2011
“[T]he number and sophistication of cyber attacks
has increased dramatically over the past five years
and is expected to continue to grow.
The threat has reached the point that given
enough time, motivation, and funding, a
determined adversary will likely be able to
penetrate any system that is accessible directly
from the Internet.”

Regulatory Landscape:
Existing Regulation
• Federal Trade Commission Act - the
“Unfairness Prong”
• State Data Security Laws and Regulations
• State Data Breach Notification Laws
• State Sensitive Data Disposal Laws
42

Regulatory Landscape:
Existing Regulation
• Duty to Protect Corporate Trade Secrets
• Duty to Protect Corporate Networks
• HIPAA and the HITECH Act
• Gramm-Leach-Bliley Act
• Non-U.S. Data Protection Laws
43

Regulatory Landscape:
Emerging Standards
• FTC Enforcement Actions
• SEC Cyber Risk Disclosure Guidance
• State Attorneys General
• Standard of Care
– NIST SP 800-53, NIST SP 800-124
– Cloud Security Alliance Working Group
44

Implementing
Effective
Corporate Policy
• Extend Controls to Mobile Devices
• Manage the Authorization of Mobile Devices
– Diversity of Devices, Platforms and Development
Paths
• Awareness Gap
– People Love Toys
45

Corporate Policy:
Pitfalls
• Effective Consent to:
– Monitor Device Usage – ECPA, Wiretapping Laws
– Inspect Device Contents – ECPA, Stored
Communications Act, Trespass
– Delete Content on Devices – ECPA, Stored
Communications Act, Trespass, Conversion,
Negligence
• Third Party Providers; the Cloud
• Return of Devices for Repair or Exchange
46

WWW.ALSTON.COM
Data Security Regulation and the New
Mobile Frontier
August 30, 2012
David C. Keating
Co-Leader, Privacy and Security Practice
Alston & Bird LLP
(404) 881-7355 (Atlanta)
(202) 239-3921 (Washington, DC)
(678) 463-2617 (Cell)
david.keating@alston.com

Open Discussion
Dan Lohrmann
Chief Security Officer
State of Michigan
Roy Wattanasin
Information Security Officer
MITM
David C. Keating
Partner
Alston + Bird LLP
48

Closing Remarks
Rebecca Herold
The Privacy Professor
on
BYOD
49

Join us again November 29, 2012
Clean up on Aisle 9
Visit SecureWorldPost.com
for the latest security news and blogs
from industry leaders.
Thank you for joining today’s
web conference.
50