This document discusses mobile security best practices for organizations. It covers the risks of mobile device use including data breaches from lost or stolen devices or malware. It provides tips for securing smartphones like using passwords and downloading apps only from official stores. Technologies for securing mobile users like VPNs and mobile device management are presented. The importance of employee security training and having proper policies for BYOD are emphasized.
5. Introductions
Tyler Wenger
• Helpdesk Technician
• Marketing Consultant
• Microsoft Technology Associate (MTA)
David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA
• 16+ years of experience
6. Today’s Objective
• To better understand mobile technologies, the threats that exist within a mobile / remote environment, how to avoid and thwart those threats, and to understand your role within mobile security.
7. Why Is This Important?
• Usage
• Time
• Accessibility
• Money
• Constantly Changing
• Data! Data! Data!
8. Takes Two To Be Secure
• Proper security measures need to be put in place by the IT department to keep mobile users secure.
• Proper employee security training needs to be in place.
9. Agenda
• An overview of the smartphone / tablet industry
• An understanding of what mobile technologies are being used by small to medium size organizations
• An understanding of the increased risk of mobile technology
• An understanding of mitigation strategies for risks associated with mobile technologies. What is your mobility strategy?
• Living in a mobile world: practical steps and real questions
11. Smartphone Statistics
• Research estimates more than six billion smartphone users by 2020
• Over 50% of smartphone users grab their smartphone immediately after waking up
• 84% of mobile users utilize the same smartphone for business and personal use
• Mobile email opens have grown by 180% in the last three years
• Mobile will likely account for 50% of all digital ad spend in 2016 (worth $100B)
Data from https://www.impactbnd.com/blog/mobile-marketing-statistics-for-2016 and https://www.sophos.com/en-us/security-news-trends/security-trends/malware-goes-mobile.aspx
12. Smartphones
• All-In-One Devices
• Super Computers
• Limitless Mobility
• Size
• Physical security
• Unique Operating Systems (OS)
• Apple (iOS)
• Android
• Windows
• Mobile Fragmentation
• Susceptible to attacks
• App-based, web-based, or SMS/text message-based
13. Apple vs. Android
• Android
• Global popularity and open approach
• Open source vs proprietary
• Lack of control of its potential integrations
• Apple
• Control the entire ecosystem
• Software, hardware, firmware
• App Transport Security (ATS)
• Secures user data sent via Apps
• “The majority of enterprises still feel it is easier for them to secure their enterprise data on the iOS platform.” - Mobile Analyst Dionisio Zumerle
14. 7 Tips for Smartphone Security
1. Use a PIN or Password
2. Download Apps only from trusted stores
• Apple App Store
• Google Play Store
3. Keep your Operating System and Apps Updated
4. Log Out of sites / apps after completing transactions
5. Turn off Wi-Fi and Bluetooth when not in use
6. Backup your data
7. Avoid giving out personal information
15. Secure Technology Options for Mobile Users
• Citrix
• VPN – Company to User
• Cloud based – Connection to the Cloud Server
• MDM – Mobile Device Management Solutions
16. What Are The Risks?
• Data breach caused by:
• Unsecure connections
• Lost or stolen mobile devices
• Unauthorized users
• Compromised devices connecting to the network
• Malware incident
17. Three Most Common Mobile Security Breaches
1. Device loss / Theft
• Theft of all pertinent data
• Expensive international calls
• In app purchases
2. Malware
• Spam email contacts
• Infect other devices
• Harvest Passwords (secure password products?)
3. Unsecured Networks
• Rogue Wi-Fi Networks
• Tricks people into joining the wrong network at airports, stations, or coffee shops
• More common in Asia than in US / Europe
18. Real Life Examples
• Mobile phishing and ransomware
• Using an infected mobile device to infiltrate nearby devices
• Cross-platform banking attacks
• Cryptocurrency mining attacks
19. Mobility Driving Business and IT Change
• Forcing organizations to have a BYOD policy and plan; provide employee device choice
• Anytime, anywhere, any device access is now standard
• Heightened importance of social business interactions
• Need to factor in considerations across the business, not just IT: HR, Legal, Security, Finance, Telco Plans.
20. Mobile Security and Management
• Protection of privacy and confidential information
• Policies for client-owned smartphones and tablets
• Visibility, security & management of mobile platform requirements
21. Mobile Strategy Helps You Make The Right Choice
1. Understand current state and strategic direction.
2. Understand user profiles and their security requirements
3. Analyze gaps
4. Define recommendations and solution outline
5. Build road map
22. Key Areas You Need to Address
• Devices: Which device types and form factors should be supported, and do I have a need for special types of devices?
• Governance: What are the policies, guidelines and programs for mobile users and bring-your-own (BYOD) devices?
• Support: What is the best way to support my users?
• Mobile Applications: What mobile applications do I have today, and what is the best way to roll out additional applications in the future?
• IT Infrastructure: What tools do I need in place to allow me to effectively manage my mobile devices?
• Network: What type of network access will my users require? Cellular carrier? Corporate Wi-Fi?
• Security: What security policies should be in place to ensure the safety of my corporate assets?
23. Bring Your Own Device (BYOD) - Policy
• What are you trying to achieve?
• Define, document and publish your "Bring Your Own Device" (BYOD) Policy
• You need input from a number of departmental functions:
• IT
• HR
• Legal
• Security
• Finance
• Your network carrier(s)
• Entitlement
• Which employees are eligible for business devices (Corporate liable)?
• Which employees bring their own?
• What data, functions, applications will be accessed?
• Which devices will you support?
24. Mobile Device Management (MDM)
• Advanced mobile device management (MDM) functions are designed to enhance security and usability of mobile devices
• Software that secures, monitors, manages and supports mobile devices
• Over-the-air distribution of applications, data and configuration settings
• Supports company-owned and employee-owned devices
25. Dual Factor Authentication
• Requires multiple factors for authentication
• Uses a combination of the following…
• Something you know (username, password, PIN, etc.)
• Something you have (smartphone, token device, key fob, etc.)
• Something you are (fingerprint, retinal scan, voice recognition, etc.)
• Requires an extra step, but “an ounce of prevention is worth a pound of cure.”
27. Security Awareness
• Employees are the largest risk to the organization.
• Employees can circumvent the best security policies.
• What is your organization doing to train your employees?
30. How Do I Know If My Device Is Infected?
• Decreased performance
• Slow operation and function
• Poor battery life
• Device gets exceptionally hot for no reason
• Device turns on by itself
• Applications open / close on their own
• Downloaded items/apps without your permission
• Phone log shows calls you didn’t make
• Emails sent to unknown addresses
31. My Device Is Lost / Stolen! Now What?
• Ensure that you cannot find it
• Notify your organization’s IT Department
• Wipe the phone remotely via iCloud or other remote solutions
• Contact Law Enforcement
32. Simple Steps to Mobile Security
• Physical security – Know where your device is at!
• Use strong username and password controls
• Alphanumeric codes may be the best option
• Keep Operating System and Apps up-to-date
• Equip your device with Anti-malware software
• Turn Wi-Fi off when in public settings
• Do Not automatically join networks
• Wireless Hotspot for Laptops
• Encrypt your device
• Think when opening emails (social engineering)
• Set device to wipe contents after specified number of failed login attempts
33. Questions?
Tyler Wenger
• Helpdesk Technician
• Marketing Consultant
• Microsoft Technology Associate (MTA)
• TWenger@macpas.com
David Hammarberg
• Principal of Forensic Accounting
• Certified Fraud Examiner (CFE)
• Director of Information Technology
• CPA, MCSE, CISSP, CISA
• DHammarberg@macpas.com
35. Questions?
• Documents:
• https://www.nist.gov/cyberframework
• NIST Cybersecurity Framework website
• http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf
• Maturity model
• https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
• SANS Top 20 Critical Security Controls
Editor's Notes
This is what we hope each of you gets out of this webinar. This is the mission and the goal.
As we go throughout this webinar I will be giving more of a personal approach to mobile security while Dave will be looking through the lens of an organization and how organizational management approaches mobile security.
Users are spending more time, using more devices, doing more things, accessing more data and spending more money on mobile devices than ever before and that trend looks like it will continue for the foreseeable future. Marketers are pouring money into mobile advertising, developers are spending lots of money on app development, and that’s why Apple and Google consistently are the two most valuable companies in the world. If there is money involved, you can bet that hackers, phishers, and cyber attackers will be playing in that space as well.
People are becoming mobile and if you, your organization, or your vendors are not ready you could experience some serious problems.
This industry is constantly changing, adapting, moving forward. We must be prepared for what is going on now as well as what is going to come in the next 5-10 years. For the sake of this presentation, we are going to focus on what is going on now.
The most important reason is to secure data. Hackers are trying to get your data (SSN, EIN, address, phone number, credit card number, bank account information, usernames, passwords, etc.)
Devices always change.
People are always bringing new devices into the network.
20 years ago computers as phones would have been unthinkable; 10 years ago a computer as a watch would have been hard to believe. But where will we go next? I know Under Armour and some other athletic fashion wear companies are investing in wearable technology. I wouldn’t be surprised if in 3-7 years you put on a t-shirt and can view apps, heart rate and other biometric information right from your sleeve. Mobile technology is constantly evolving.
I just want to go over a few interesting statistics that I found and briefly discuss why I think each of these is important and how it applies to today’s webinar.
6 billion users – mass quantity = plenty of opportunities for hackers and attackers to do what they want to do
50% when waking up – around us 24/7. Using them, typing on them, calling on them, streaming music on them; they never leave our side.
84% – important for organizations as more and more users are meshing personal and business devices. I would think that’s also similar to laptops for personal and business use.
Mobile email opens – if I’m an attacker I am salivating at this statistic: more chances for social engineering and to phish end users into clicking on bad links, which is why social engineering awareness is extremely important.
$100B – important because again there is a lot of money in this realm and attackers are trying to make money
All-in-one devices – used as a phone, to send text messages, to take pictures, stream and play music, to browse the internet, as a GPS, to control temp / lighting in your house, to edit videos, check email, scan documents, see where your friends and family are at that exact moment, save and access info in secure cloud storage, access bank account information / deposit a check, and now with NFC can be used as a payment solution (Apple Pay); the list goes on and on. This makes the security of these devices extremely important.
Limitless mobility – use them at work, in your car, in your bed, on the toilet, at a concert, etc. there is no limit to where you can use these devices. Makes physical security challenging.
OS - Mobile device fragmentation is a phenomenon that occurs when some mobile users are running older versions of an operating system, while other users are running newer versions.
Studies have found that a much larger percentage of mobile malware targets Android over iOS, the software that runs Apple’s devices. That’s primarily due to Android’s huge global popularity and its open approach. Much easier to try and “hack” via an app or Android software than on iOS.
App Transport Security, or ATS, is a feature that Apple debuted in iOS 9. When ATS is enabled, it forces an app to connect to web services over an HTTPS connection rather than HTTP, which keeps user data secure while in transit by encrypting it.
The “S” in HTTPS helpfully stands for secure and you’ll often see it appear in your browser when logging into your banking or email accounts. But mobile apps often aren’t as transparent with users about the security of their web connections, and it can be hard to tell whether an app is connecting via HTTP or HTTPS.
Enter ATS, which is enabled by default for iOS 9. However, developers can still switch ATS off and allow their apps to send data over an HTTP connection — until the end of this year, that is. (For technical crowd: ATS requires TLS v 1.2, with exceptions for already encrypted bulk data, like media streaming.)
Apple originally set the deadline for apps to comply with ATS (HTTPS) for January 1, 2017; that date has been extended and, last I heard, they had not set a new compliance date.
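As an added example (not from the webinar, and not Apple's code): the ATS exceptions described above live in the app's Info.plist, so an auditor can check whether a build relaxed the defaults before it ships. The script parses three constructed Info.plist samples with Python's standard-library plistlib; the bundle identifiers and the legacy.example.com host are made up.

```python
import plistlib

# Constructed sample 1: ATS switched off for the whole app.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

# Constructed sample 2: ATS left on, but one legacy host (and its
# subdomains) is exempted from HTTPS and may negotiate TLS 1.0.
LEGACY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.legacyapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed sample 3: no NSAppTransportSecurity key at all, so the iOS 9
# defaults (HTTPS only, TLS 1.2, forward secrecy) apply to every connection.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.hardenedapp</string>
</dict></plist>"""


def audit_ats(info_plist: bytes) -> list:
    """Return one finding string per relaxation of the ATS defaults.

    An empty list means the app keeps the iOS 9 defaults: HTTPS only,
    TLS 1.2 or newer and forward-secrecy cipher suites for every host.
    """
    info = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: ATS off app-wide, plain HTTP allowed to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent: ATS off inside web views")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (and subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: unencrypted HTTP permitted")
        min_tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{scope}: minimum TLS lowered to {min_tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy not required")
    return findings


if __name__ == "__main__":
    for name, plist in (("weak", WEAK_PLIST), ("legacy", LEGACY_PLIST), ("hardened", HARDENED_PLIST)):
        print(f"{name}: {audit_ats(plist) or ['ATS defaults intact']}")
```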
Apple securely controls which apps are available on its App Store, strictly reviewing all apps to avoid allowing malware through
After all, it only takes one piece of perfectly formed iOS malware to do as much damage as thousands of copycat Android threats. And both platforms are equally at risk from social engineering, where hackers use more personal methods to target your logins and data.
A multitude of threats to Android could be greatly eliminated if all users upgraded their mobile phones to the latest version of the OS. The inconsistency of Android devices across old versions plays into the hands of malware creators, so it’s crucial to keep your own devices up to date.
Apple does not have the same problem, as each release of iOS quickly reaches its users, due to the fact that iOS updates are big events that prompt mass upgrades. This means that consequential security scares are rare enough to be big news when they occur. While there are drawbacks to Apple’s tight grip over everything that occurs on its OS, there’s no doubt it makes for a more secure environment for casual users.
Overall, Apple has more of an overarching defense against threats. Android is more of the Wild West, but with the right safeguards and good decision making (installing trusted apps, having an app that runs security analysis for threats, etc.) Android can be secure as well.
2. Use a pin, password or pattern to lock your phone
Setting this up is easy. For most Android™ devices, go to your Location & Security Settings for instructions. iOS users can find these functions in the General options of their settings.
3. Download apps only from trusted stores
If you’re browsing for a new game or something more productive, use places such as Google Play™. Make sure you check ratings and reviews if they are available, and read the app’s privacy policy to see exactly what phone features it will have access to if you download.
4. Back up your data
This is more about protecting and restoring your information should disaster strike. With Backup Assistant Plus and Verizon Cloud, you can save your contacts, music, pictures, videos and documents to the cloud.
5. Keep your operating system and apps updated
There are typically periodic updates to both of these that not only add new features, but also offer tightened security.
6. Log out of sites after you make a payment
If you bank or shop from your smartphone, log out of those sites once your transactions are complete. Other tips include not storing your usernames and passwords on your phone and avoiding transactions while you are on public Wi-Fi.
7. Turn off Wi-Fi and Bluetooth® when not in use
You think of them as ways to connect to something, but thieves can use them to connect to your device and access files.
8. Avoid giving out personal information
That text message that looks to be from your bank may not be. If you get requests via email or text for account information from any business, contact the business directly to confirm the request. The same advice goes for tapping links in unsolicited emails or texts.
Question: Safe to connect to public Wi-Fi? Starbucks, Panera, airport, stores, etc.?
Just like the PC scams, the bad guys are using social engineering through mobile apps and SMS text messages, taking advantage of human behavior and trust to make people click on links and so gain access to data or infiltrate businesses. The malware then ends up on the user’s PC.
“If they can make you believe a message is from a trusted source, chances are you will click,” says Stu Sjouwerman, cofounder of security training company KnowBe4 LLC in Clearwater, Fla. “This trick has been used with email, instant messaging, social networks, and [now] they are even spoofing SMS text messages.” Even email messages, when opened on a mobile device, can infect laptops and enterprise systems. Sjouwerman advises mobile users to check for red flags. “If you click on an email message from a mobile app without checking for anything suspicious, you might download malware and infect your PC, so think before you click!”
When working inside a company to identify vulnerabilities, pentester and mobile security expert Georgia Weidman recently asked herself from a hacker’s perspective, “wouldn’t it be nice if we could just walk into the network with a compromised phone and have direct network access” by way of a client side attack or social engineering. She concluded that in many cases you can.
“An infected mobile device allows you to breach an organization's perimeter and directly attack the devices on the network instead of having to break in some other way, you've already got direct network access,” Weidman says.
Consider a simple scenario. An Android device has been infected with the Smartphone-Pentest-Framework, or SPF Agent. The unsuspecting user thinks it’s an official news app, for instance, and thinks nothing of it, but it is also communicating with an SPF console that’s giving thieves access to mobile device data. That device is sharing Wi-Fi with the laptop sitting nearby, and the thief is also able to breach the laptop, which contains company information or access to corporate systems.
“If I have control of their mobile devices, I can go the traditional route like stealing their contacts or sending text messages to a premium number, but also if the device is connected to a Wi-Fi network I can attack additional systems on that network from the infected phone,” she explains. “Whether I’m connected to my home Wi-Fi, work Wi-Fi or Starbucks Wi-Fi, if there are any devices with vulnerabilities on that network, I can potentially exploit them directly from the infected mobile device.”
Gangs are also using malware on PCs to infiltrate mobile phones in hybrid attacks on users’ banking accounts, according to John Shier, security advisor at Sophos. A piece of malware dropped on the user’s laptop can detect when the user is surfing his banking website. Dubbed a “man in the browser” attack – the spying is all done in browser memory “so they can intercept your banking credentials before they get encrypted and sent across the wire,” he explains. Adding to the scam, thieves put up a warning message, such as “for increased security, download this app,” and they ask for the user’s phone number and email address to send an SMS to their phone or to download a link. “You click on the SMS and download the app, and they basically own your desktop and your phone,” he says.
Wondering why your mobile device is losing battery power too quickly or why it feels overheated? You might have cryptocurrency mining malware on your device. The malware infiltrates mobile devices in search of digital currencies, like Bitcoin, Litecoin and Dogecoin.
Found mostly in Android devices, the apps were injected in many cases with the CPU mining code from a legitimate Android cryptocurrency mining app. The miner is started as a background service once it detects that the affected device is connected to the internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous digital currency mining pool.
“The reality is that the capabilities on the phone aren’t as great as they are in a big server or mainframe attacks,” says Kohavi. “But it’s a trial and error for these organized criminals to be able to put their foot into an area and then leverage that and see what they can get out of it.”
Now transition into organizational perspective of mobile technology and how a mobile strategy can help your organization
You are saying you should have an actual document?
Dave highlight some possible security awareness solutions
Difficult to truly determine but here are a few possible factors that may inform you that you have malware or some sort of virus on your device. Applies to laptops, smartphones, tablets, etc.
Find My iPhone and other apps / tracking tokens can help track your device. Make sure it isn’t trapped under the sofa
Can use remote tools to wipe your phone remotely
Should be handled with law enforcement as if it was your purse or wallet (if stolen)
Alphanumeric – combines letters and numbers so it is more secure. Don’t make it easy, like “Tylerwenger1”.
A few ideas: mix letters of something meaningful with numbers that you will remember
Physical security – everything below won’t matter if you don’t know where your device is located or who has access to it
Password managers (LastPass, Keeper, Dashlane, 1Password, TrueKey, etc.)
Antimalware software – especially important for Android users
Wi-Fi – in iOS, Settings > Wi-Fi > the bottom option, “Ask to Join Networks”
You can swipe up from the bottom of the screen at any time and tap the Wi-Fi icon to turn it off.
Wireless hotspot to tether your computer and phone (coffee shop)… it will use data, so be smart, but it is more secure than joining the public Wi-Fi.
Encrypt: encryption software for laptops; iTunes can encrypt a backup.
Wipe after failed login attempts: can be managed by MDM or organizational management solutions
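As an added example (not from the webinar, and not any MDM vendor's code): the slide's last items (alphanumeric passcode, auto-lock, wipe after a set number of failed attempts) correspond to keys in Apple's com.apple.mobiledevice.passcodepolicy payload, which an MDM pushes to the device inside a configuration profile. The payload identifiers are placeholders, and the 6-character and 5-minute thresholds in check_policy() are this example's own choices, not figures from the webinar.

```python
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passcodepolicy"


def passcode_payload(*, alphanumeric, min_length, max_failed_attempts=None, max_inactivity_min=None):
    """Return the passcode-policy payload dict an MDM would push to an iOS device.

    max_failed_attempts: the device wipes itself after this many wrong passcodes
    (omit to leave wiping off).  max_inactivity_min: minutes before auto-lock.
    """
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                     # a passcode is mandatory
        "requireAlphanumeric": alphanumeric,  # letters and numbers, as the slide advises
        "allowSimple": not alphanumeric,      # False rejects 1111, 1234 and similar
        "minLength": min_length,
    }
    if max_failed_attempts is not None:
        payload["maxFailedAttempts"] = max_failed_attempts
    if max_inactivity_min is not None:
        payload["maxInactivity"] = max_inactivity_min
    return payload


def build_profile(payloads):
    """Wrap payloads in a top-level configuration profile, serialised as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.baseline",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Mobile security baseline",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def check_policy(payload):
    """List the slide's recommendations that a passcode payload fails to enforce."""
    if payload.get("PayloadType") != PASSCODE_PAYLOAD_TYPE:
        return ["not a passcode-policy payload"]
    gaps = []
    if not payload.get("forcePIN"):
        gaps.append("passcode not required")
    if not payload.get("requireAlphanumeric"):
        gaps.append("numeric-only passcode allowed")
    if payload.get("minLength", 0) < 6:          # threshold chosen for this example
        gaps.append("passcode shorter than 6 characters allowed")
    if "maxFailedAttempts" not in payload:
        gaps.append("no wipe after failed login attempts")
    if payload.get("maxInactivity", 99) > 5:     # threshold chosen for this example
        gaps.append("auto-lock later than 5 minutes or not set")
    return gaps


def check_profile(profile_xml: bytes):
    """Parse a serialised profile and collect gaps from every passcode payload in it."""
    profile = plistlib.loads(profile_xml)
    gaps = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            gaps.extend(check_policy(payload))
    return gaps


if __name__ == "__main__":
    weak = passcode_payload(alphanumeric=False, min_length=4)
    strong = passcode_payload(alphanumeric=True, min_length=8, max_failed_attempts=10, max_inactivity_min=5)
    print("weak:", check_policy(weak))
    print("strong:", check_profile(build_profile([strong])) or "meets all slide items")
```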
Can I actually get Malware or a virus on my iPhone?
A: Virtually impossible for malware or a virus to penetrate iOS, due to Apple’s proprietary nature and the security of their system. It is possible something could get onto your iPhone, but a web browser would be the only real way; apps are protected by ATS and by Apple’s unwillingness to allow open source development.