CORPORATE SECURITY IN THE
ERA OF SMART DEVICES
FELIX KAKK ESIAPE – MAY 2014
OUTLINE
What is a Smart Device?
Smart device Penetration in Ghana
What are Ghanaians doing on smart devices?
Risk to the Corporate
Controls
Conclusion
WHAT IS A SMART DEVICE?
ISACA Presentation – May 2014
What is a Smart Device?
An electronic device generally connected to other devices or
networks via different protocols such as Bluetooth, NFC, Wi-Fi,
3G, etc. that can operate to some extent interactively and
autonomously (Collins Dictionary)
A device programmed so as to be capable of some
independent action (Oxford Dictionary)
E.g. phones, tablets, TVs, etc.
SMART DEVICE PENETRATION
IN GHANA
Smart device Penetration in Ghana
An International Telecoms Union report ranked Ghana as the
first in Africa with more people using or connected to mobile
broadband.
An estimated 16m mobile phones are used in this country with
25m citizens, with many owning more than one SIM card.
A Telecoms Analyst attributed Ghana’s outstanding
international rating in mobile broad-band penetration to the
increasing use of smart-phones in the country.
WHAT ARE GHANAIANS DOING
ON SMART DEVICES?
What are Ghanaians doing on smart
devices?
Social Media
Downloading Apps for varied purposes
Browsing
Accessing Corporate emails
File movement (as USB sticks)
Mobile Banking / Mobile Money
RISK TO THE CORPORATE
Risk to the Corporate
Social Media/Apps/File movement/Browsing
A typical corporate network has a Firewall, Spam filters,
IDS/IPS, Proxy Servers to secure the network
A user using a smart phone has access to the internet via a
telco whose internet usage policy is not the same as the
corporate
Plugging the phone into the USB port of a corporate PC
exposes the corporate if the phone has been compromised
Risk to the Corporate
Accessing Corporate emails
Risk of data leakage resulting from device theft or
loss
Unintentional disclosure of data due to phone
functionality
Risk to the Corporate
Mobile Banking / Mobile Money
Bearer channel
Interaction with the Bank
Bearer channel
SMS Banking
Bearer channel
IVR, USSD
Data carried within the communication layer is not itself
encrypted.
Bearer channel
J2ME, WAP, S@T
WAP allows for GPRS session to be opened
Session encrypted by GSM communication layer and
then banking website
Similar threat as internet banking
J2ME, WAP, S@T
J2ME uses same channel as WAP
Have additional security on the app on the handset
hence data entered in app can be encrypted
consumer needs to establish that the application is
being downloaded from the correct source
S@T is the most secure
Bank loads its own encryption keys onto the SIM card
with the bank’s own developed application
J2ME, WAP, S@T
consumer’s data can be stored on the SIM Card and the
consumer can be authenticated on the handset prior to
having to carry any data across the mobile network
The data is also encrypted prior to leaving the handset
and only decrypted using the bank's encryption keys
within the bank
Interaction with the Bank
SOAP (Simple Object Access Protocol) Or REST
(Representational State Transfer)?
WS-Security - While SOAP supports SSL (just like REST), it also
supports WS-Security, which adds some enterprise security
features.
WS-AtomicTransaction - If you need ACID transactions over a
service, you're going to need SOAP. While REST supports
transactions, it isn't as comprehensive and isn't ACID compliant.
WS-ReliableMessaging - SOAP has successful/retry logic built
in and provides end-to-end reliability even through SOAP
intermediaries.
CONTROLS
Controls
When charging your phone in a corporate environment,
switch it off.
Security awareness training
Use S@T as the bearer channel for your mobile banking
as much as possible
Use SOAP with WS-Security implemented for integrations
with telcos that involve sensitive transactions
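Added example (not part of the original presentation): one WS-Security feature a bank-side SOAP endpoint can enforce on a telco integration is the UsernameToken PasswordDigest, which is Base64(SHA-1(nonce + created + password)). The sketch below builds such a token and verifies it with freshness and replay checks; the dictionary layout, the 5-minute window and the names make_token and TokenVerifier are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)          # assumed freshness window
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"           # UTC timestamp format used in Created

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def make_token(username: str, password: str, now: datetime) -> dict:
    """Client (telco gateway) side: fresh random nonce per message."""
    nonce = os.urandom(16)
    created = now.strftime(TS_FMT)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode(),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}

class TokenVerifier:
    """Server (bank) side: rejects stale, forged and replayed tokens."""
    def __init__(self, secrets: dict):
        self.secrets = secrets          # username -> shared password
        self.seen = set()               # (username, nonce) already accepted

    def verify(self, tok: dict, now: datetime) -> str:
        password = self.secrets.get(tok["Username"])
        if password is None:
            return "unknown-user"
        created = datetime.strptime(tok["Created"], TS_FMT)
        created = created.replace(tzinfo=timezone.utc)
        if abs(now - created) > MAX_AGE:
            return "stale"
        nonce = base64.b64decode(tok["Nonce"])
        expected = password_digest(nonce, tok["Created"], password)
        # constant-time comparison of the recomputed and presented digest
        if not hmac.compare_digest(expected, tok["PasswordDigest"]):
            return "bad-digest"
        key = (tok["Username"], nonce)
        if key in self.seen:
            return "replay"
        self.seen.add(key)
        return "ok"
```

The digest authenticates the sender only; the message body still needs SSL or WS-Security signing and encryption to be protected in transit.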
CONCLUSION
Conclusion
Smartphones are an incredible tool for a whole range
of people and their use will proliferate. However,
smartphone security is lagging ten years behind the
growth curve, especially as they are so easily lost or
stolen.
Smartphones carry with them the risks of any computer
on a network and at the same time cross the divide
between voice and data, which brings security risks of
its own. For an organization to remain secure, smart
phones need to come within the sphere of the security
policy, their use needs to be regulated and active steps
should be taken to employ them securely.
THANK YOU