MOBILE DEVICES IN TODAY'S BANKING ENVIRONMENT
Scott Sharp

Upload: scott-sharp

Post on 11-Jan-2015

Category: Technology

DESCRIPTION

With the transition from mobile phones to mobile devices (such as iPhone, iPad, or Android) comes greater productivity along with greater vulnerability. This presentation explores the transition from phones to mobile devices, the best practices for securing such devices, and common uses in banking environments that are not yet widely deployed. With proper compensating controls, the tactical advantages and productivity savings far outweigh the risks of deploying mobile devices, so why not explore the options that best fit your environment?

TRANSCRIPT

1. MOBILE DEVICES IN TODAY'S BANKING ENVIRONMENT
Scott Sharp

2. SCOTT SHARP
- Chief Technology Officer for Sharp BancSystems, Inc.
- VP, Director of Information Security for First Baird BancShares, Inc.
- CISSP, LPT, CHFI, CEH, MCITP, RHCSA, CCNA, etc.
- Part Banker / Part Geek

3. OVERVIEW & INTENT
Overview: Mobile use statistics; Scary facts; Mitigation & best practices; Automated tools
Intent: Not to scare, unless it helps motivate; Inform

4. MOBILE DEVICES ON THE RISE
- Smart phones are rapidly replacing regular mobile phones; Gartner reported an 85% year-over-year increase
- Smart phones and other mobile devices are smaller, lighter, and easier to take everywhere, with capabilities similar to PCs
- PCs have long been the target of security audits while mobile is being overlooked

5. IMPORTANCE OF MOBILE
- How important are mobile devices to your organization?
- Where do you fit in?
- What about BYOD (Bring Your Own Device)?

6. MOBILE DEVICE TYPES
Smart phones: Apple; Android (Google); Blackberry (RIM); Microsoft; Other
Tablets: Apple; Android; Other
Source: comScore (February 2012)

7. COMMON USES
In financial institutions: Phones for officers; Board room automation (web delivery or USB); Email (ALL); Meeting notes; Remote workers; Contacts; Customer service terminal; Customer support; Point of sale
For consumers: Mobile banking (web based, read your logs; app based); Text; Home, Mom, Hubby; Health; Social; Fun

8. CHALLENGES TO MOBILE
Security; Upgrades; Policy enforcement; Consistency; Training (user and tech)

9. WHY DOES SECURITY MATTER?
- Would you conduct online banking and shopping on a PC without antivirus software installed?
- Are you willing to remove the antivirus, firewall, encryption and VPN software from your workstation?
- In the transition from phones to smart phones, why weren't we paying attention?
10. VULNERABILITY POINTS (1 OF 2)
- Unencrypted information on the phone
- Removable memory card
- Responsible for data once received
- Consumer applications: share more than needed; unproductive behavior
- Mobile malware: looks fun, but designed to steal; less on Apple, more on others
- Weak passwords, or none at all
- SMS fuzzing
- Device discovery over Bluetooth/wireless interfaces

11. VULNERABILITY POINTS (2 OF 2)
- GPS location services: where are you now?
- Camera, video, microphones
- Theft from BYOD (Bring Your Own Device)
- Internal storage (USB or cloud): equivalent to a thumb drive, sometimes without plugging in!
- Carrier service technicians: they have the key to the data!
- Manufacturer data storage: Blackberry or others (banned in France)
- Call recording (SIP)
- Older devices: patched, not patched, supported?

12. HACK DEMONSTRATION
Most common Bluetooth hack tools: Super Bluetooth Hack 1.08; Blue Scanner; Blue Sniff; BlueBugger; BTBrowser; BTCrawler; BlueSnarfing

13. TYPICAL DATA ON DEVICES
- Loan portfolios or board packages (web delivery or USB)
- Email: different from a PC because of location
- Contacts: Corporate Account Take Over (CATO) guidance; reasonable assumption
- Certificates / keys for VPN
- Personal data: wait for later information; blackmail

14. BREACH LAWS
http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
Where the customer is located! For Texas: "breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.

15. POST BREACH CLEAN-UP
- Legal representation
- Investigation
- Forensics
- Regulatory
- Reputational: newspaper or Channel 5; social media / Internet
- Identity theft solutions
- Lawsuits
16. NOW FOR THE NOT SO SCARY PART
Mitigating the risk: Business case with risk assessment; Policy agreements; Device selection; Device management; Configuration; Applications; Automated solutions; Audit & update risk assessment

17. MITIGATING: BUILD A CASE
Build a business case to permit and/or use mobile devices: Cost of device; Cost of compliance; Identify users; Implementation; Staff training?; Get approval?

18. MITIGATING: POLICY & AGREEMENT
Policy: Device types; Control; Permission; Monitoring; Enforcement
Agreement: User acknowledgement; Understanding; Acceptance; Annually!

19. MITIGATING: DEVICE SELECTION (Apple)
iPhone:
- Encrypted by default
- Encryption uncracked, but the keys are easy to obtain: http://www.eweek.com/c/a/Security/iPhone-4-Encryption-Remains-Uncracked-But-Password-Keys-Easy-to-Obtain-686228/
- Better app controls in iTunes
- Likes to add cloud sync
- Remote wipe capable
iPad: Same as iPhone; bigger target for theft

20. MITIGATING: DEVICE SELECTION (Android)
Phone & tablet:
- Currently the most popular
- Offers more control & faster innovation
- Not encrypted by default
- No remote wipe by default; look for a highly regarded Mobile Defense app
- Location services from some vendors
- Inconsistent implementation of features (vendor's choice)
- Open source, but supported

21. MITIGATING: DEVICE SELECTION (Others)
Blackberry: Losing market share FAST!; Banned for government use in some countries; Stores data in transit for 7 days; Expensive to control (Blackberry Enterprise Server); Other solutions to fill gaps
Microsoft: Newer / less market share; Stigma from previous versions

22. DEVICE RECOMMENDATIONS
- Stick with Apple and/or Android; the more devices, the higher the cost of ownership
- Use third party software/services to fill compliance gaps
- At the least: Remote wipe; Password protection (more than a 4-number PIN); Encryption (all storage & transmission)
- Update the device every 2 years: support, but more importantly, vulnerability management
23. MITIGATING: DEVICE MANAGEMENT
Common configuration controls for devices:
- Encryption (ENABLE, all storage)
- Remote wipe (ENABLE)
- Enforce password on device
- Allow or prohibit simple password
- Minimum password length (8, or optional: biometric)
- Minimum number of complex characters in password
- Require both numbers and letters (ENABLE)
- Password expiration (90 days)
- Password history (5) (ENABLE)
- Maximum failed password attempts before local wipe (10-15)
- Inactivity time in minutes (1 to 5 minutes)
- Policy refresh interval (daily)
- Require manual syncing while roaming
- Allow camera
- Allow web browsing

24. MITIGATING: DEVICE MANAGEMENT
Less common configuration controls for devices:
- Block access from unapproved devices
- Block access from non-compliant devices
- Device check-in interval: ensure the device is not lost; automatically wipe
- Prevent wireless & Bluetooth: designated staff administer Bluetooth devices only
- App management: whitelist approved apps; block non-approved apps; prevent removal of antivirus, firewall, etc.
- Manage app access to functions: disable access to GPS for social apps
- Enable/disable GPS: monitor employee; recover phone

25. MITIGATING
Select the controls that work best to protect your institution; Test features & controls; Monitor usage & compliance; Enforce policy. Not much different than a PC, is it?

26. MITIGATING: TOOLS & AUDITS
Automated solutions:
- Symantec Mobile Management: http://www.symantec.com/mobile-management
- MaaS360 Mobile Device and App Management: http://www.maas360.com
- Zenprise MobileManager: http://www.zenprise.com/products/zenprise-mobilemanager
- Good for Enterprise (GFE): http://www.good.com/products/good-for-enterprise.php
Risk assessment: consider new controls before and after audit
Audit: in scope statement
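The configuration controls on slides 23 and 24 only protect the institution if each device actually reports them in the required state, so the check that belongs beside those slides is an evaluator that compares a device's reported settings against the baseline and produces a finding per failed control. The block below is an added example written for this page; it is not code from the presentation and not the API of any of the MDM products named on slide 26. The report field names, the BASELINE values and the APPROVED_APPS allowlist are assumptions for the example (real products export their own schemas), and the two sample device reports are constructed. Where the slide gives a range (10-15 failed attempts before wipe, 1-5 minute inactivity lock) the stricter end is used, and a reported 0 for an "at most" setting is treated as "never" (never lock, never wipe, never expire) and therefore as a failure, which a bare less-than-or-equal comparison would wave through.

```python
"""Evaluate a mobile device's reported settings against the configuration
controls listed on slides 23 and 24 of the deck.

Added example for this page, not the deck's own code.  The report keys are a
hypothetical MDM export; BASELINE thresholds are taken from slide 23.
"""
from dataclasses import dataclass

# Controls the device must report as switched on (slide 23).
REQUIRED_ON = ("encryption_enabled", "remote_wipe_enabled",
               "enforce_password", "require_alphanumeric")
# Controls the device must report as switched off.
REQUIRED_OFF = ("simple_password_allowed",)
# Settings where the reported value must be at least the baseline.
AT_LEAST = {"min_password_length": 8,      # slide: 8 (or biometric)
            "min_complex_chars": 1,        # slide gives no number; assumed 1
            "password_history": 5}         # slide: 5
# Settings where a larger value is weaker.  A reported 0 conventionally means
# "never" (never expire, never wipe, never lock, never refresh), so it is a
# failure rather than the strongest possible setting.
AT_MOST = {"password_expiry_days": 90,     # slide: 90 days
           "max_failed_attempts": 10,      # slide: 10-15, strict end used
           "inactivity_lock_minutes": 5,   # slide: 1-5 minutes
           "policy_refresh_hours": 24}     # slide: daily
# Hypothetical app allowlist (slide 24: whitelist approved apps).
APPROVED_APPS = {"com.example.bank.mobile", "com.example.mdm.agent",
                 "com.example.vpn"}


@dataclass(frozen=True)
class Finding:
    control: str
    expected: object
    actual: object


def evaluate(report: dict) -> list:
    """Return one Finding per failed control; an empty list means compliant.

    Missing keys are failures: a device that does not report a control
    cannot be assumed to have it enabled.
    """
    findings = []
    for key in REQUIRED_ON:
        if report.get(key) is not True:
            findings.append(Finding(key, True, report.get(key)))
    for key in REQUIRED_OFF:
        if report.get(key) is not False:
            findings.append(Finding(key, False, report.get(key)))
    for key, floor in AT_LEAST.items():
        value = report.get(key)
        if not isinstance(value, int) or value < floor:
            findings.append(Finding(key, f">= {floor}", value))
    for key, ceiling in AT_MOST.items():
        value = report.get(key)
        # 0 or negative means "never"; anything above the ceiling is too lax.
        if not isinstance(value, int) or value <= 0 or value > ceiling:
            findings.append(Finding(key, f"1..{ceiling}", value))
    unapproved = sorted(set(report.get("installed_apps", ())) - APPROVED_APPS)
    if unapproved:
        findings.append(Finding("installed_apps", "approved apps only", unapproved))
    return findings


def is_compliant(report: dict) -> bool:
    """True when the report fails no control (slide 24: block non-compliant)."""
    return not evaluate(report)


# Constructed sample report for a device configured exactly to the baseline.
COMPLIANT_DEVICE = {
    "encryption_enabled": True, "remote_wipe_enabled": True,
    "enforce_password": True, "require_alphanumeric": True,
    "simple_password_allowed": False,
    "min_password_length": 8, "min_complex_chars": 1, "password_history": 5,
    "password_expiry_days": 90, "max_failed_attempts": 10,
    "inactivity_lock_minutes": 5, "policy_refresh_hours": 24,
    "installed_apps": ["com.example.bank.mobile", "com.example.mdm.agent"],
}
# Constructed report for the same device with typical out-of-the-box
# weaknesses: no encryption, a 4-digit simple PIN, screen never locks,
# and a consumer app installed outside the allowlist.
WEAK_DEVICE = dict(COMPLIANT_DEVICE,
                   encryption_enabled=False,
                   simple_password_allowed=True,
                   min_password_length=4,
                   inactivity_lock_minutes=0,
                   installed_apps=["com.example.bank.mobile",
                                   "com.example.social.fun"])

if __name__ == "__main__":
    for name, device in (("compliant", COMPLIANT_DEVICE), ("weak", WEAK_DEVICE)):
        print(name, "->", "PASS" if is_compliant(device) else "FAIL")
        for f in evaluate(device):
            print(f"  {f.control}: expected {f.expected}, got {f.actual!r}")
```

Run over a fleet export, every report with a non-empty findings list is a candidate for the "block access from non-compliant devices" control on slide 24, and the findings themselves are the evidence an auditor will ask for under the in-scope statement on slide 26.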
27. CONCLUSION
- Form an adoption plan
- Identify users & support: agreements to ensure understanding
- Identify devices: pick 1 or 2 devices to support at most
- Identify features: control device features
- Identify apps: require security apps for antivirus, firewall, encryption, remote wipe, tracking; whitelist the good, blacklist everything else
- Use tools to control and monitor: ensure compliance; DoD wipe prior to service or return; test, monitor, audit

28. OUT OF SCOPE ADDITION
Note relating to customers:
- Update online banking & website disclosures / policies: PC/Computer = PC/Computer or Mobile Device
- Additions to website: notification of lost/stolen phone or other device; suspend online banking and bill pay accounts; change password and/or username
- Invest in a mobile formatted website: quick links to ATM/branch locations; links to online banking login, even if online banking is not mobile enabled; disclose which mobile devices work

29. ENDING REMARKS
- Mobile is here to stay, and will only increase
- Secure through tools; securing through prohibition is only temporary

30. QUESTIONS?

31. CONTACT ME
http://www.linkedin.com/in/[email protected]@[email protected] (972) 979-2680

32. REFERENCES
- Rashid, Fahmida Y. (2011). iPhone 4 Encryption Remains Uncracked, but Password Keys Easy to Obtain. Retrieved from http://www.eweek.com/c/a/Security/iPhone-4-Encryption-Remains-Uncracked-But-Password-Keys-Easy-to-Obtain-686228/
- Parmar, Vivek (2010). 7 Most Popular Bluetooth Hacking Software To Hack Mobile Phones. Retrieved from http://techpp.com/2010/06/30/7-most-popular-bluetooth-hacking-software-to-hack-your-mobile-phone/
- Notes on the implementation of encryption in Android 3.0. Retrieved from http://source.android.com/tech/encryption/android_crypto_implementation.htm
- Pinola, Melanie. Install or Enable Remote Wipe on Your Smartphone Now. Retrieved from http://mobileoffice.about.com/od/mobilesecurity/qt/smartphone-remote-wipe.htm
- Bradley, Tony. Lock Down Your Android Devices. Retrieved from http://www.pcworld.com/businesscenter/article/209597/lock_down_your_android_devices.html
- Choudhry, Shahab (2012). iPad in Banking: 7 Important Considerations. Retrieved from http://www.propelics.com/ipad-in-banking-7-important-considerations/
- Brownlow, Mark (2012). Smartphone statistics and market share. Retrieved from http://www.email-marketing-reports.com/wireless-mobile/smartphone-statistics.htm
- Oltsik, Jon (2010). Juniper Networks Bets on Mobile Device Security - and Beyond. Retrieved from http://www.enterprisestrategygroup.com/2010/08/juniper-networks-bets-on-mobile-device-security%E2%80%94and-beyond/
- Shein, Omar (2012). Blackberry, Are we hacked? Security Kaizen Magazine, Vol 2, Issue 5, 5-6.