
Bring Your Own What?

By Dan Hadaway | Tuesday, March 12, 2013 - 2 Comments

A five step process to control Portable Device Risk!

Right off the bat, let me acknowledge that yes, I’m using the term “portable device” instead of “mobile device.” I have reasons. But hey, I still referenced the BYOD buzzword in my title . . . did it catch your attention? That’s because when we see that buzzword, it makes us feel like partying!

Unfortunately, the risk exposure created by portable devices is no party. Some of us have already let the cat out of the bag. That fact, coupled with the intrusive nature of the necessary controls, requires an expenditure of what little political capital ISOs have left. Let’s face it: the compliance burden saddling our management teams has intensified in the last two years, and they simply want to use their mobile phones to ease that burden. That we information security people add more “yes, but’s” to the picture can be irritating.

Still, the risk is there. We can’t escape the two differences between portable devices and all the other systems we’ve been protecting: 1) they are portable, and 2) they connect to many different wireless networks. They can be lost, and man-in-the-middle attacks are more likely. Thus, if we’re going to issue bank-owned devices to our management team, and especially if we’re going to let them “Bring Your Own Device” (BYOD), we need to control that risk.

Let’s start by summarizing the top half-dozen vulnerabilities that lead to that risk, and their corresponding controls:

  • Lost or Stolen Devices: The best way to control this is by requiring screen lock on the device and implementing an ability to remotely wipe the device. Both are easy to do, even if you can’t afford to invest in “Mobile Device Management” applications (MDM). If you use Microsoft Exchange, you can use Exchange ActiveSync (EAS) to require screen lock and implement remote wipe. However, don’t do this without adequate awareness training. It will only work if your team members know to report the lost device, and they’ll want to know in advance that they could lose their pictures, apps, and music!
  • Vulnerable Apps: People fall in love with their smart phones because they can choose from hundreds of thousands of apps and quickly and easily install them on their phones from anywhere at any time. And it would be political suicide to prevent smart phone users from installing those apps. But these apps can have the same vulnerabilities (and more) as the application vulnerabilities we have been fighting in the non-portable world. The best control for this is application whitelisting, where somebody with experience chooses which apps can and cannot be installed on the device. This control, however, doesn’t come free with Exchange ActiveSync (EAS), and thus many smaller banks are relying upon awareness training until Mobile Device Management (MDM) reaches the late majority (and thus lower cost) phase of adoption. Meanwhile, as always, one important control is to keep portable operating systems and apps updated. Unlike our internal network, where we have our vaunted patch management systems, here we have to rely upon awareness training to remind our employees to install those updates. MDM applications will do that for us, if we can afford the investment at this time.
  • Fraudulent Apps: Especially in the non-Apple world (but don’t buy into the myth that Apple is free of malware risk), the bad guys are reverse engineering good apps (like Angry Birds) and using that to insert Trojans that can do things like forward text messages (and thus compromise many new two-factor authentication systems), monitor use of sensitive systems (and thus learn how to log into mobile banking sites), and even take pictures of you and your work area (and thus . . . . ??). The controls? Again, application whitelisting is the most graceful, but since EAS does not offer this, awareness training will have to suffice for those awaiting the lower price of MDM.
  • Malware: The same issues exist that have always existed, and we are even starting to see malware in the Apple marketplace, though I agree that Apple does a better job of controlling their apps. But Zeus has given birth to Zitmo (Zeus in the Mobile), and the attacks are directed squarely at American banks. Just like vulnerable and fraudulent apps, the attacks are orchestrated and meant to steal credentials and authorization numbers. The controls are anti-malware software on non-Apple devices, and awareness training to make sure everybody knows what the malware will look and act like and knows to use that anti-malware.
  • Smishing: If you think phishing has a high likelihood, smishing (like phishing, but using SMS, or text messaging, as the medium) is even more likely. I’ve already had a client experience a smishing attack, and it wasn’t pretty. The bad guys texted a message to everybody in the area that appeared to come from the bank. The text message said, “your account has been locked. To unlock it call (901) xxx-yyyy.” When you called that number, an automated attendant asked for online banking usernames and passwords. Unlike phishing, where law enforcement has developed a decent level of cooperation to assist in bringing the phish site down, smishing requires us to work with the good old phone company. Beware the 901 area code! Awareness training is the most important control.
  • Man-in-the-Middle Attacks: Traffic sniffing has always been a vulnerability, but since our portable devices can connect to the wild wild west using Bluetooth, Cellular, 3G and 4G, WiFi, and other wireless capabilities, the likelihood of this attack vector on portable devices is much higher. This is especially true because in almost every case, the network is configured by novices. The control: teach your team how to configure their home wireless access point to NOT broadcast the SSID, to use WPA2 encryption, and to leverage MAC Filtering.
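As an added example (not part of the original post) of the Exchange ActiveSync route mentioned under Lost or Stolen Devices, the following Exchange Management Shell commands use the Exchange 2010 ActiveSync cmdlets to require screen lock, build the device inventory an audit starts from, and wipe a reported-lost device; the policy name, distribution group, e-mail address and device identity are placeholders.

```powershell
# Added example, not from the original post. Exchange 2010 Management Shell.
# Placeholders: policy name, group name, address and device identity.

# 1. Policy: require a non-trivial screen-lock PIN, auto-lock after five
#    minutes idle, wipe after ten failed unlocks, require storage encryption,
#    and refuse devices that cannot apply these settings.
New-ActiveSyncMailboxPolicy -Name "PortableDevice-Baseline" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to every issued/authorized user. Here the users are
#    members of a placeholder distribution group; adjust to your own list.
Get-DistributionGroupMember -Identity "PortableDeviceUsers" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "PortableDevice-Baseline"

# 3. Audit inventory: every mailbox with a device partnership, with the
#    device model, OS, last successful sync and the ID used for wiping.
Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceFriendlyName, DeviceType, DeviceOS, LastSuccessSync, DeviceID |
    Export-Csv -Path .\activesync-device-inventory.csv -NoTypeInformation

# 4. Lost or stolen device reported: queue the remote wipe for that one
#    device identity (from the inventory above) and notify the user.
Clear-ActiveSyncDevice -Identity "<device identity from step 3>" `
    -NotificationEmailAddresses "user@example.com" -Confirm:$false
```

On Exchange 2013 and later the same settings live in New-MobileDeviceMailboxPolicy and Clear-MobileDevice; the application whitelisting control the post notes EAS lacks is still not available here.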

Notice that awareness training was listed as a control in all six of the above vulnerabilities. It is the most important control, especially in the quickly evolving mobile technologies. Usually, you can fish for your users, or you can teach them to fish. In this case, I’d suggest you have no choice.

Having run through the top six vulnerabilities GENERICALLY, I am now ready to go over my five point plan for mitigating portable device risk.

  1. Conduct a risk assessment. There’s a reason I capitalized “generically” in the last sentence above. My top six vulnerabilities do not necessarily mean they are your top six vulnerabilities. You need to roll up your sleeves and focus on a drill-down risk assessment this time. The process, especially if multi-disciplinary, will lower the political capital costs, and will allow you to prioritize controls. Of course, a good risk assessment always starts with a solid asset inventory, and in the case of Portable Devices, we believe you should include both issued (bank-owned) and authorized (employee owned . . . . BYOD) devices. It’s why we use Portable Device instead of Mobile Device in our template titles . . . . we want to make clear we’re talking about all devices that can leave the bank and connect wirelessly, not just smart phones and iPads. Our risk assessment templates list as many as 29 vulnerabilities for smart phones, and we break the assets into wireless access points, tablet PCs, smart phones, and laptops.
  2. Develop the non-technical policies. This is where you really need to leverage the FFIEC’s requirement that risk measurement be a multi-disciplinary approach. It’s already going to be hard enough to ask your management team members, when the cat is already out of the bag, to restrict the applications or amount of email they store on their phones. If you involve them in the risk assessment, they will already know why when you show them what. The policy should achieve the following objectives:
    1. Define what you mean by portable device, including both issued and authorized devices.
    2. Define who gets to have issued devices and who gets to have authorized devices. Some of our clients are doing this in their employee handbook and then referring out to the IT Governance Program for those lucky ones getting issued or authorized privileges.
    3. Define the non-technical controls which are required in order to maintain the privilege of having an issued or authorized device.
    4. Establish an agreement between the bank and the employee which codifies the employee’s contractual obligation to enforce the non-technical controls, and which gives the bank the right and responsibility to audit portable devices (whether issued or authorized).
  3. Develop the technical configuration standards. Our templates scale from Exchange ActiveSync to more robust Mobile Device Management tools. Beyond guidelines for the configuration of your MDM approach, your configuration standards should also establish who does the auditing, how the auditing is done, the importance of the auditing, and how often the auditing is done.
  4. Conduct an Awareness Training meeting for all employees issued and/or authorized. The training should have three components: The risks, the controls, and the agreement.
  5. Audit the devices. You should audit every issued device annually, and randomly audit at least 25% of authorized devices. Our mobile devices security kit includes an audit checklist for wireless access points, smart phones, tablet PCs, and laptops.

Like anything else, portable device security requires layers of security and not silver-bullet controls. But the above five-step process should put you in a position where you are adequately managing portable device risk.

So in five simple steps . . . . okay, they’re not really simple . . . . but in five steps you can substantially mitigate the risk exposure of BYOD and other portable devices. If you need starting points, you might consider checking out our Mobile Devices Security Kit or, better yet, come to our workshop on March 27th!

2 Responses to “Bring Your Own What?”

Comment from Karen
Time 03/14/2013 at 2:22 pm

Excellent food for thought. No, the steps are not simple. But we must be all about Risk Management. #5 might be just a ‘lil’ touchy. 🙂

Comment from Dan Hadaway
Time 03/14/2013 at 5:05 pm

Hi Karen,

You are right about #5 (ability to audit BYOD devices) being touchy, especially if we’ve already let the cat out of the bag! But for those who don’t already have authorization to BYOD, if it’s presented as an “as long as we get to . . . . ” I’m hoping it will not require you to expend as much political capital.

Meanwhile, Mobile Device Management (MDM) applications truly do audit the BYOD device and, since it is not owned by the bank, you should at least establish in policy that you have the right to audit the device (because that’s technically what MDM is doing).

Thanks for this comment!

Dan
