Copyright - 2008 Movidan, Inc. All rights reserved. 1

“Don’t think, however, that we have lost our taste for risk. We remain prepared to lose $6 billion in a single event, if we have been paid appropriately for assuming that risk. We are not willing, though, to take on even very small exposures at prices that don’t reflect our evaluation of loss probabilities…Our behavior here parallels that which we employ in financial markets: Be fearful when others are greedy, and be greedy when others are fearful.”

Warren Buffett, 2006 Shareholder Letter

Risk Management in a Mobile World

Presented by Bruce Christofferson

Agenda

Introduction
Definitions
Security Program Parts
Risk Management Framework
Smartphone Risk Evaluation Criteria
Smartphone Controls to Implement Now
Wrap Up

Introduction

Security Program developer for several wireless telecom providers

Developed the Risk Management program for Cingular

Founded the Mobile Technology Security Center at AT&T

Now consulting at another Seattle area wireless telecom provider

Definitions

Feature vs. Smartphones
Feature phone – simple PIM and browser, limited capability
Smartphone – full-featured PIM, browser, and other applications

Mobile Worker
Regularly works out of office or on the road

Company-Owned vs. Personally-Owned Smartphones
Defined by who owns the smartphone at the end of the day

Survey Questions

A smartphone with company data – either personally or company owned?

Support mobile workers with smartphones?

Only allow company-owned smartphones to hold sensitive data?

Have clear policies and requirements governing the use of those smartphones?

Know what to do if your smartphone is lost or stolen?

In the News

Good News…

“By 2010, smartphones will be primary tool of mobile workforce…” Ray Kurzweil, 2007 RSA conference

“Size and Growth of Smartphone Market Will Exceed Laptop Market for Next Five Years”

Smartphone OS-based phones will grow at more than a 30% compound annual growth rate for the next five years globally…

Instat.com, 11/13/2007

Not so good news…

“Mobile malware very active in first quarter of 2008” Kaspersky, SC Magazine, 5/12/08

“McAfee warns of mobile-malware threat” ZD Net Asia, 2/13/08

Consider the Smartphone

Device size - a vulnerability

Pointsec Mobile Technologies, Taxi Study 2005 (6 month period): 85,619 mobile phones, 21,460 PDAs

Pointsec Mobile Technologies, London Taxi Study 2006 (6 months): 54,874 mobile phones, 4,718 handheld PDAs

British Crime Survey, 2006: 800,000 people were the victim of mobile phone theft; 90 percent of these phones are generally barred from active use within 48 hours

“Don’t think, however, that we have lost our taste for risk. We remain prepared to lose $6 billion in a single event, if we have been paid appropriately for assuming that risk. We are not willing, though, to take on even very small exposures at prices that don’t reflect our evaluation of loss probabilities…Our behavior here parallels that which we employ in financial markets: Be fearful when others are greedy, and be greedy when others are fearful.”

Warren Buffett, 2006 Shareholder Letter

A Security Program’s Parts (diagram; box labels as on the slide)

Business Needs and Requirements
Risk Management
Policy and Standards
Security Architecture
Processes
Defense
Reporting
Metrics (Risk, Domain, Enterprise)
Data
Applications
Endpoints
Hosts
Network
SDLC
Identity Management
Vulnerability Management
Threat Management
Security Assurance
Security Services
Connector labels on the diagram: “determine engagement of”, “whose efforts lead to”

Risk Management Framework (flowchart)

Risk Assessment Request (Intake)
Risk Assessment Performed
Risk Identified? (No: Notifications; End)
Risk Mitigation Plan (RMP) Developed (iterative)
Risk and RMP Review by Management
RMP & Risk Accepted? (Yes: Mitigation Tracking; No: Appeal Accepted?)
Appeal Accepted? (No: Terminate Project)
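The flowchart above, as an added example in Python that is not part of the deck: a state machine whose allowed-transition table makes it impossible to reach Mitigation Tracking without passing management review, and keeps an audit trail of every stage a case entered. The stage names follow the slide; the Decisions record and the assumption that an accepted appeal proceeds to Mitigation Tracking (the slide shows the Yes edge of "Appeal Accepted?" but not its target) are this example's own.

```python
"""Added example, not from the deck: the Risk Management Framework flowchart
as a state machine with an explicit allowed-transition table."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set


class Stage(Enum):
    # Stage names follow the flowchart boxes on the slide.
    INTAKE = "Risk Assessment Request (Intake)"
    ASSESSMENT = "Risk Assessment Performed"
    RMP_DEVELOPMENT = "Risk Mitigation Plan (RMP) Developed (iterative)"
    MANAGEMENT_REVIEW = "Risk and RMP Review by Management"
    APPEAL = "Appeal"
    MITIGATION_TRACKING = "Mitigation Tracking"
    NOTIFICATIONS_END = "Notifications; End"
    TERMINATE_PROJECT = "Terminate Project"


# Only these edges exist. Terminal stages have no outgoing edges, so a case can
# neither skip management review nor be reopened after a verdict.
ALLOWED: Dict[Stage, Set[Stage]] = {
    Stage.INTAKE: {Stage.ASSESSMENT},
    Stage.ASSESSMENT: {Stage.NOTIFICATIONS_END, Stage.RMP_DEVELOPMENT},
    Stage.RMP_DEVELOPMENT: {Stage.RMP_DEVELOPMENT, Stage.MANAGEMENT_REVIEW},
    Stage.MANAGEMENT_REVIEW: {Stage.MITIGATION_TRACKING, Stage.APPEAL},
    # Assumption: an accepted appeal proceeds to Mitigation Tracking; the slide
    # shows the "Yes" edge of "Appeal Accepted?" but not where it leads.
    Stage.APPEAL: {Stage.MITIGATION_TRACKING, Stage.TERMINATE_PROJECT},
}


def is_allowed(frm: Stage, to: Stage) -> bool:
    return to in ALLOWED.get(frm, set())


@dataclass
class Decisions:
    """Answers to the flowchart's three decision diamonds (constructed input)."""
    risk_identified: bool
    rmp_and_risk_accepted: bool
    appeal_accepted: bool = False


class RiskCase:
    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.stage = Stage.INTAKE
        self.trail: List[Stage] = [Stage.INTAKE]  # audit trail of every stage entered

    def advance(self, nxt: Stage) -> "RiskCase":
        if not is_allowed(self.stage, nxt):
            raise ValueError(
                f"{self.case_id}: {self.stage.value!r} -> {nxt.value!r} is not a framework transition"
            )
        self.stage = nxt
        self.trail.append(nxt)
        return self


def run_framework(case_id: str, d: Decisions, rmp_iterations: int = 1) -> RiskCase:
    """Drive one case through the flowchart using the recorded decisions."""
    case = RiskCase(case_id).advance(Stage.ASSESSMENT)
    if not d.risk_identified:
        return case.advance(Stage.NOTIFICATIONS_END)
    for _ in range(max(1, rmp_iterations)):  # the RMP step is iterative on the slide
        case.advance(Stage.RMP_DEVELOPMENT)
    case.advance(Stage.MANAGEMENT_REVIEW)
    if d.rmp_and_risk_accepted:
        return case.advance(Stage.MITIGATION_TRACKING)
    case.advance(Stage.APPEAL)
    if d.appeal_accepted:
        return case.advance(Stage.MITIGATION_TRACKING)
    return case.advance(Stage.TERMINATE_PROJECT)


if __name__ == "__main__":
    for name, dec in [("no-risk", Decisions(False, False)),
                      ("accepted", Decisions(True, True)),
                      ("appealed", Decisions(True, False, True)),
                      ("rejected", Decisions(True, False, False))]:
        c = run_framework(name, dec, rmp_iterations=2)
        print(name, "->", c.stage.value, "|", " > ".join(s.value for s in c.trail))
```

Because the transition table is the only way to move a case, any tooling built on it (a ticketing integration, a register export) inherits the same guarantee: a case that shows Mitigation Tracking in its trail necessarily shows a management review before it.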

Definitions

Risk Management
Risk
Vulnerability
Exploit
Threat
Likelihood
Impact
Security Control

Smartphone Risk Evaluation

OS/platform security
Bypassing security features
Remote “lock-down”
Security Management
Malware attacks
Apps certified, signed, and/or verified
Policy setting granularity
Easily wiped or killed
OS extensibility
Peripheral protection
Device security implementation
Over-The-Air (OTA) or hardwired management

Risk Calculations

Risk Management Framework (the flowchart from the earlier Risk Management Framework slide, repeated)

Risk/Reward Equation

Basic Smartphone Security Controls

Strong passwords
Device lock after period of inactivity
Device wipe after X number of invalid login attempts
Data store encryption that supports eDiscovery regulations
Assess, control, and audit the download of third-party applications
Implement and enforce written smartphone security policies
Develop a lost/stolen device process
Create awareness program to help users understand their responsibilities in protecting sensitive company information
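An added example (Python, not from the deck) that turns the technical controls above into a posture check over constructed device records: the POLICY thresholds, the DevicePosture fields and the sample fleet are assumptions of this example, not any MDM product's schema. The ownership gate reflects the survey question earlier in the deck about allowing only company-owned smartphones to hold sensitive data, while the control set itself is applied to every device.

```python
"""Added example, not from the deck: check device posture records against the
basic smartphone controls. Thresholds, field names and sample devices are this
example's own assumptions, not any MDM product's schema."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Assumed policy thresholds (constructed for the example).
POLICY: Dict[str, Any] = {
    "min_password_length": 8,                 # "strong passwords"
    "require_alphanumeric": True,
    "max_inactivity_lock_seconds": 300,       # "device lock after period of inactivity"
    "max_failed_attempts_before_wipe": 10,    # "device wipe after X invalid login attempts"
    "require_storage_encryption": True,       # "data store encryption"
    "require_app_install_control": True,      # third-party application downloads controlled
}


@dataclass
class DevicePosture:
    device_id: str
    owner_type: str                              # "company" or "personal"
    password_min_length: Optional[int]           # None: no password policy enforced on the device
    password_alphanumeric: bool
    inactivity_lock_seconds: Optional[int]       # None: auto-lock disabled
    failed_attempts_before_wipe: Optional[int]   # None or 0: wipe disabled
    storage_encrypted: bool
    app_install_controlled: bool


def evaluate(p: DevicePosture, policy: Dict[str, Any] = POLICY) -> List[str]:
    """Return one finding per control the device fails; an empty list means compliant."""
    findings: List[str] = []
    if p.password_min_length is None or p.password_min_length < policy["min_password_length"]:
        findings.append("password: minimum length below policy or not enforced")
    if policy["require_alphanumeric"] and not p.password_alphanumeric:
        findings.append("password: alphanumeric complexity not required")
    if p.inactivity_lock_seconds is None or p.inactivity_lock_seconds > policy["max_inactivity_lock_seconds"]:
        findings.append("lock: inactivity timeout disabled or longer than policy")
    if not p.failed_attempts_before_wipe or p.failed_attempts_before_wipe > policy["max_failed_attempts_before_wipe"]:
        findings.append("wipe: disabled or failed-attempt threshold above policy")
    if policy["require_storage_encryption"] and not p.storage_encrypted:
        findings.append("encryption: data store not encrypted")
    if policy["require_app_install_control"] and not p.app_install_controlled:
        findings.append("apps: third-party application installs not controlled")
    return findings


def cleared_for_sensitive_data(p: DevicePosture, policy: Dict[str, Any] = POLICY,
                               company_owned_only: bool = True) -> bool:
    """Same control set for every device; ownership is an extra gate when policy
    restricts sensitive data to company-owned smartphones."""
    if company_owned_only and p.owner_type != "company":
        return False
    return not evaluate(p, policy)


# Constructed sample fleet: one compliant corporate device, one weak corporate
# device, one personally owned device whose controls meet policy.
FLEET = [
    DevicePosture("corp-001", "company", 8, True, 120, 10, True, True),
    DevicePosture("corp-002", "company", 4, False, None, None, True, False),
    DevicePosture("byod-003", "personal", 8, True, 300, 10, True, True),
]


def fleet_report(fleet=FLEET, policy: Dict[str, Any] = POLICY) -> Dict[str, List[str]]:
    return {d.device_id: evaluate(d, policy) for d in fleet}


def devices_cleared(fleet=FLEET, policy: Dict[str, Any] = POLICY,
                    company_owned_only: bool = True) -> List[str]:
    return [d.device_id for d in fleet if cleared_for_sensitive_data(d, policy, company_owned_only)]


if __name__ == "__main__":
    for dev, findings in fleet_report().items():
        print(dev, "COMPLIANT" if not findings else "; ".join(findings))
    print("cleared (company-owned only):", devices_cleared())
    print("cleared (any ownership):", devices_cleared(company_owned_only=False))
```

The check treats a missing setting (None) the same as a failing one, so a device whose MDM profile never applied shows up as non-compliant rather than silently passing; that is the failure mode most worth catching when the lost/stolen device process assumes the wipe threshold is in place.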

Other Security Control Considerations

Anti-Malware Software
Everyone should play by the same rules
A Mobile VPN and your perimeter
Regulatory and contractual requirements
Location based services (LBS)
Personally owned vs. company owned phones

Wrap Up

Bruce Christofferson, CISSP, CISA, [email protected]

425-239-9184