With the transition from mobile phones to mobile devices (such as iPhone, iPad, or Android) comes greater productivity with greater vulnerability. This presentation will explore the transition from phones to mobile devices along with the best practices in securing such devices and common uses in banking environments not yet commonly deployed. With proper compensating controls, the tactical advantages and productivity savings far outweigh the risks of deploying mobile devices, so why not explore the options that best fit your environment?
2. SCOTT SHARP
Chief Technology Officer for
Sharp BancSystems, Inc.
VP, Director of Information
Security for First Baird
BancShares, Inc.
CISSP, LPT, CHFI, CEH, MCITP,
RHCSA, CCNA, etc…
Part Banker / Part Geek
3. OVERVIEW & INTENT
Overview
Mobile Use
Statistics
Scary Facts
Mitigation & Best Practices
Automated Tools
Intent
Not to Scare, unless it helps motivate
Inform
4. MOBILE DEVICES ON THE RISE
Smart Phones are rapidly replacing regular mobile phones; Gartner reported an 85% year-over-year increase
Smart Phones and other mobile devices are smaller, lighter, and easier to take everywhere, with similar capabilities to PCs
PCs have long been the target of security audits while mobile is being overlooked
5. IMPORTANCE OF MOBILE
How Important are mobile devices to your organization?
Where do you fit in?
What about BYOD?
Bring Your Own Device
6. MOBILE DEVICE TYPES
Smart Phones
Apple
Android (Google)
Blackberry (RIM)
Microsoft
Other
Tablets
Apple
Android
Other
Source: comScore (February 2012)
7. COMMON USES
In Financial Institutions:
Phones for Officers
Board Room Automation
Web Delivery or USB
Email - ALL
Meeting Notes
Remote Workers
Customer Service Terminal
Customer Support
Point Of Sale
For Consumer:
Mobile Banking
Web Based, read your logs
App Based
Text
Contacts
Home, Mom, Hubby
Health
Social
Fun
8. CHALLENGES TO MOBILE
Security
Upgrades
Policy
Enforcement
Consistency
Training
User
Tech
9. WHY DOES SECURITY MATTER?
Would you conduct online banking and shopping on a PC without antivirus software installed?
Are you willing to remove antivirus, firewall, encryption and VPN software from your workstation?
In the transition from Phones to Smart Phones, why weren’t we paying attention?
10. VULNERABILITY POINTS (1 OF 2)
Unencrypted Information
On Phone
Removable Memory Card
Responsible for data once received
Consumer Applications
Share more than needed
Unproductive behavior
Mobile Malware
Looks Fun, but designed to steal
Less on Apple, more on other
Weak Passwords or none at all
SMS Fuzzing
Discover device
Bluetooth/Wireless Interfaces
11. VULNERABILITY POINTS (2 OF 2)
GPS Location Services
Where are you now?
Camera, Video, Microphones
Theft from BYOD (Bring Your Own Device)
Internal Storage (USB or Cloud)
Equivalent to Thumb Drive, sometimes without plugging in!
Carrier Service Technicians
They have the key to the data!
Manufacturer Data Storage
Blackberry or others (banned in France)
Call Recording - SIP
Older Devices
Patched, Not Patched, Supported?
12. HACK DEMONSTRATION
Most Common Bluetooth Hack Tools:
Super Bluetooth Hack 1.08
Blue Scanner
Blue Sniff
BlueBugger
BTBrowser
BTCrawler
BlueSnarfing
13. TYPICAL DATA ON DEVICES
Loan Portfolios or Board Packages
Web Delivery or USB
Email
Different from PC, b/c of location
Contacts
Corporate Account Take Over (CATO)
Guidance – Reasonable Assumption
Certificates / Keys for VPN
Personal Data
Wait for later information
Blackmail
14. BREACH LAWS
http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
Where the Customer is Located!
For Texas:
"breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
15. POST BREACH CLEAN-UP
Legal Representation
Investigation – Forensics
Regulatory
Reputational
Newspaper or Channel 5
Social Media / Internet
Identity Theft Solutions
Lawsuits
16. NOW FOR THE NOT SO SCARY PART
Mitigating the Risk
Business Case w Risk Assessment
Policy
Agreements
Device Selection
Device Management
Configuration
Applications
Automated Solutions
Audit & Update Risk Assessment
17. MITIGATING – BUILD A CASE
Build a Business Case to Permit and/or Use Mobile Devices
Cost of Device
Cost of Compliance
Identify Users
Implementation Staff
Training?
Get Approval?
19. MITIGATING – DEVICE SELECTION
Apple
iPhone
Encrypted by Default
Encryption uncracked, keys are easy to obtain:
http://www.eweek.com/c/a/Security/iPhone-4-Encryption-Remains-Uncracked-But-Password-Keys-Easy-to-Obtain-686228/
Better App Controls in iTunes
Likes to add Cloud Sync
Remote Wipe Capable
iPad
Same as iPhone
Bigger target for theft
20. MITIGATING – DEVICE SELECTION
Android – Phone & Tablet
Currently the Most Popular
Offers more Control & Faster Innovation
Not Encrypted by default
No Remote Wipe by default – look for highly regarded "Mobile Defense" app
Location Services from some Vendors
Inconsistent Implementation of features
Vendor’s Choice
Open Source, but Supported
21. MITIGATING – DEVICE SELECTION
Others
Blackberry
Losing Market Share FAST!
Banned for Government use in some countries
Stores data in transit for 7 days
Expensive to Control
Blackberry Enterprise Server
Other Solutions to fill Gaps
Microsoft
Newer / Less Market Share
Stigma from previous versions
22. DEVICE RECOMMENDATIONS
Stick with Apple and/or Android
The more devices, the higher cost of ownership
Use Third Party Software/Services to fill Compliance Gaps
At the Least:
Remote Wipe
Password Protection (more than 4 number PIN)
Encryption (all storage & transmission)
Update device every 2 years
Support, but more importantly, Vulnerability Management
23. MITIGATING – DEVICE MANAGEMENT
Common Configuration Controls for Devices:
Encryption (ENABLE, all Storage)
Remote wipe (ENABLE)
Enforce password on device (ENABLE)
Minimum password length (8 or biometric)
Minimum number of complex characters in password
Require both numbers and letters (ENABLE)
Inactivity time in minutes (1 to 5 minutes)
Allow or prohibit simple password
Password expiration (90 Days)
Password history (5)
Policy refresh interval (Daily)
Optional:
Maximum failed password attempts before local wipe (10-15)
Require manual syncing while roaming
Allow camera
Allow web browsing
24. MITIGATING – DEVICE MANAGEMENT
Less Common Configuration Controls for Devices:
Block access from unapproved devices
Block access from non-compliant devices
Device Check-In Interval
Ensure Device not Lost
Automatically Wipe
Prevent Wireless & Bluetooth
Designated Staff Administer Bluetooth Devices only
Recover Phone
App Management:
Whitelist Approved Apps
Prevent Removal of Antivirus, Firewall, etc.
Block Non-Approved Apps
Manage App Access to Functions
Disable Access to GPS for Social Apps
Enable/Disable GPS
Monitor Employee
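As an added example that is not part of the presentation, the two device-management slides above turned into a compliance check: the "common" controls (encryption, remote wipe, 8-character or biometric password, 90-day expiration, history of 5, wipe after 10-15 failures, 1-5 minute lock) become rules, and the "less common" controls block unapproved and non-compliant devices. The device report keys and the approved-device ids are constructed assumptions, not any MDM product's API.

```python
# Added example (not from the presentation): evaluate one device's reported
# settings against the baseline on the configuration-control slides and
# decide whether it may connect. The report keys are a constructed format,
# not any MDM vendor's API.
APPROVED_DEVICES = {"officer-phone-01", "board-ipad-03"}   # constructed ids

def evaluate(d: dict) -> list:
    """Return the failing 'common' controls for one device report."""
    f = []
    for flag in ("encryption_enabled", "remote_wipe_enabled", "password_required"):
        if d.get(flag) is not True:
            f.append(f"{flag} must be ENABLE")
    if d.get("allow_simple_password", True):
        f.append("simple password must be prohibited")
    if not d.get("require_alphanumeric"):
        f.append("password must contain both numbers and letters")
    # Minimum length 8, unless the device uses a biometric unlock instead.
    if not d.get("biometric") and d.get("min_password_length", 0) < 8:
        f.append("minimum password length below 8")
    if d.get("password_expiration_days", 10**9) > 90:
        f.append("password expiration longer than 90 days")
    if d.get("password_history", 0) < 5:
        f.append("password history shorter than 5")
    if not 10 <= d.get("max_failed_attempts", 0) <= 15:
        f.append("local wipe after failed attempts not within 10-15")
    if not 1 <= d.get("inactivity_lock_minutes", 0) <= 5:
        f.append("inactivity lock not within 1-5 minutes")
    return f

def access_decision(d: dict) -> str:
    """'Less common' controls: block unapproved, then non-compliant, devices."""
    if d.get("device_id") not in APPROVED_DEVICES:
        return "BLOCK unapproved device"
    if evaluate(d):
        return "BLOCK non-compliant device"
    return "ALLOW"

# Constructed sample reports: one compliant officer phone, one board iPad
# that still has a 4-digit PIN and no remote wipe.
COMPLIANT = dict(device_id="officer-phone-01", encryption_enabled=True,
                 remote_wipe_enabled=True, password_required=True,
                 allow_simple_password=False, require_alphanumeric=True,
                 min_password_length=8, password_expiration_days=90,
                 password_history=5, max_failed_attempts=10,
                 inactivity_lock_minutes=5)
PIN_ONLY = dict(COMPLIANT, device_id="board-ipad-03", remote_wipe_enabled=False,
                allow_simple_password=True, require_alphanumeric=False,
                min_password_length=4)
```

Running `access_decision` over each device report at the check-in interval gives the "block non-compliant devices" decision, and the list from `evaluate` is what the audit slide later asks you to report.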
25. MITIGATING
Select the Controls that work best to protect your institution
Test Features & Controls
Monitor Usage & Compliance
Enforce Policy
Not much different than a PC, is it?
26. MITIGATING – TOOLS & AUDITS
Automated Solutions:
Symantec Mobile Management: http://www.symantec.com/mobile-management
MaaS360 Mobile Device and App Management: http://www.maas360.com
Zenprise MobileManager: http://www.zenprise.com/products/zenprise-mobilemanager
Good for Enterprise (GFE): http://www.good.com/products/good-for-enterprise.php
Risk Assessment:
Consider New Controls
Before and After Audit
Audit:
In Scope Statement
27. CONCLUSION
Form an adoption Plan
Identify Users & Support
Agreements to Ensure Understanding
Identify Devices
Pick 1 or 2 devices to support at most
Identify Features
Control Device Features
Identify Apps
Require Security Apps for Antivirus, Firewall, Encryption, Remote Wipe, Tracking
Whitelist good, Blacklist everything else
Use Tools to Control and Monitor – Ensure Compliance
DOD Wipe prior to service or return
Test, Monitor, Audit
28. OUT OF SCOPE ADDITION
Note relating to Customers
Update Online Banking & Website Disclosures / Policies
PC/Computer = PC/Computer or Mobile Device
Additions to Website
Notification of Lost/Stolen Phone or other Device
Suspend Online Banking and Bill Pay Accounts
Change Password and/or Username
Invest in Mobile formatted Website
Quick links to ATM/Branch locations
Links to Online Banking Login
Even if Online Banking is not Mobile Enabled
Disclose mobile devices that work
29. ENDING REMARKS
Mobile is here to stay, will only increase
Secure through tools; security through prohibition is only temporary
32. REFERENCES
Rashid, Fahmida Y. (2011). iPhone 4 Encryption Remains Uncracked, but Password Keys Easy to Obtain. Retrieved from http://www.eweek.com/c/a/Security/iPhone-4-Encryption-Remains-Uncracked-But-Password-Keys-Easy-to-Obtain-686228/
Parmar, Vivek (2010). 7 Most Popular Bluetooth Hacking Software To Hack Mobile Phones. Retrieved from http://techpp.com/2010/06/30/7-most-popular-bluetooth-hacking-software-to-hack-your-mobile-phone/
Notes on the implementation of encryption in Android 3.0. Retrieved from http://source.android.com/tech/encryption/android_crypto_implementation.htm
Pinola, Melanie. Install or Enable Remote Wipe on Your Smartphone Now. Retrieved from http://mobileoffice.about.com/od/mobilesecurity/qt/smartphone-remote-wipe.htm
Bradley, Tony. Lock Down Your Android Devices. Retrieved from http://www.pcworld.com/businesscenter/article/209597/lock_down_your_android_devices.html
Choudhry, Shahab (2012). iPad in Banking – 7 Important Considerations. Retrieved from http://www.propelics.com/ipad-in-banking-7-important-considerations/
Brownlow, Mark (2012). Smartphone statistics and market share. Retrieved from http://www.email-marketing-reports.com/wireless-mobile/smartphone-statistics.htm
Oltsik, Jon (2010). Juniper Networks Bets on Mobile Device Security—and Beyond. Retrieved from http://www.enterprisestrategygroup.com/2010/08/juniper-networks-bets-on-mobile-device-security%E2%80%94and-beyond/
Shein, Omar (2012). Blackberry, Are we hacked? Security Kaizen Magazine, Vol 2, Issue 5, 5-6.
Editor's Notes
Welcome. Thank you for attending.
When talking to auditors: Question – Mobile Devices. How many answer No, knowing personal phones? Answer Yes, but only address company devices.
No one should be in bottom 14% b/c of BYOD
Stick with the most common
Share Experience: Officer Phones with Exchange (no USB or Cloud), Issued by Techs & Returned to Techs. Board Meetings on iPad, Techs Load to Newsstand. Enforce Policy.
Email - explain, not a worry before, but once received, our responsibility. Contacts - guidance suggests breach; reasonable to assume majority are customers; goldmine for CATO thieves.