KEMBAR78
Re-Thinking BYOD Policy.pptx
tmbainjr131, profile picture
Uploaded bytmbainjr131
425 views

Re-Thinking BYOD Policy.pptx

The document discusses the challenges and strategies for developing a mobile security policy amidst the growing trend of Bring Your Own Device (BYOD) in the workplace. It highlights the importance of balancing security needs with employee autonomy and productivity, emphasizing risk assessment, compliance, and the need for comprehensive training. Additionally, it outlines best practices for application security, vulnerability management, and policy enforcement to mitigate security risks associated with personal devices used for work.

Downloaded 15 times
Forget About BYOD: Develop a Realistic Mobile Security Policy m  Bain   ector,  Product  Marke4ng   curity  Innova4on  
ector,  Product  Marke0ng,                                   curity  Innova0on   merly  with  Q1  Labs  (an  IBM  Company)   d  Applica0on  Security,  Inc.   0ve  blogger,  presenter   ,  Communica0ons,  RIC;  MS,  Interna0onal   a0ons/Public  Affairs,  UMASS   Thomas  Ba
YOD  Dilemma:     ts/Trends    vs  IT  Sec  Need   hy  it’s  a  security  risk   ifferences  Between  App  &  IT  Sec   olicy   remental  policy  construc0on   al-­‐world  policy  improvement   ecommenda0ons   eps  you  should  consider  
plication Security Experts +  Years  vulnerability  research     curity  Tes0ng  Methodology  adopted  by  SAP,                 croso,  Symantec   thors  of  8+  books   ducts and Services andards  -­‐  Best  Prac0ces   uca0on  -­‐  CBT  &  Instructor-­‐Led   sessment  -­‐  Soware  and  SDLC   ducing Application Security Risk 0cal  Vulnerability  Discovery   cure  SDLC  Rollout  
BYOD: Security Challenges are Emerging
ile  devices  help  employees  increase   uc0vity  –  staying  connected  is  not   y  op0onal  anymore!   ge  has  experienced  a  massive  up0ck:    of  today’s  workforce  is  using  a   rtphone  specifically  for  business  use.   struggling  to  keep  up  with  device   agement.   ility  by  its  nature  opens  up  a  larger   ck  surface  with  more  points  of  entry.   cult  to  measure  business  need   ugh  IT  Security  lens.   eloping  a  policy  isn’t  as  easy  as  it   ht  seem.  
s  lose  autonomy  with   rity  policies  that  aren’t  well-­‐ ned.   ormance  +  capabili0es  oen   mp  security  =  IT  headache.     s  expect  an  always-­‐on,   re  connec0on  and   0onality   e  to  market  pressures  hurt   rity:  But  good  architecture   backend  systems  can  help.   Frameworks  like  PhoneGap   get  to  market  quickly:  But  can  
%  use  the  same  smartphone  for   rk  and  for  personal  usage.   %  of  employed  adults  use  at   st  one  personally  owned   ctronic  device  for  business   rris  Interac0ve  survey,   ruary  2012)   %  of  employees  surveyed  use   bile  devices  to  run  line-­‐of-­‐ iness  applica0ons  (Ibid)   %  of  companies  allow  BYOD   ge  in  some  manner  (Aberdeen   up,  February  2011)  
%  of  companies  have  experienced   ata  breach  due  to  inadequate   ice  security  (Ponemon  survey,   2)   %  don’t  have  a  password  on  their   bile  phone.   %  stated  their  companies  couldn’t   cute  a  remote  wipe  if  lost  or   en.   %  said  mobile  security  has  not   n  addressed  with  them  by  IT.  
Device Security consistent  security  policies   ptop  encryp0on  bypass  mode   nmanageable  devices   ared  media  leakage   inimal  device  management   eadable  data  on  disposed-­‐of   evices   ter-­‐applica0on  data  leakage  
On Pace for Increased Incidents
Why is BYOD a Security Problem evice  turn-­‐over:  What  happens  to  the  old  device?     ew  devices:  Default  or  customized  setngs?   ow  can  you  know  everything  about  every  device?   ware  updates  –  user  vs  IT.   pp  Stores:  Approved  apps?     pplica0ons:   What  data  is  on  your  device?   What  enterprise  applica0ons  can  you  connect  to?   Which  apps  are  connected  to  other  apps?  EX:  Your  blog  app  is connected  to  your  CMS,  which  feeds  to  Twiger,  etc.    
bile Traditional nerabilities Vulnerabilities
BYOD: AppSec vs InfoSec Polic
Information Security Application Security Based Receptionist, IT Manager, • Architect, Developer, Tester etc • Application Roles and Privileges w to Rollout and Rollout of web application firewall and secure ement configuration of servers, development best practices databases, anti-virus, • Application Authentication checks communications, • Secure Design components certificates, etc. • Attack surface reduction • Code hardening • Data Encryption • Input validation ertise IT networking, database • How applications interact with environment ded to and computer/OS • How applications function and fail with respe ement configuration skills security • Software development skills w/ security over
Policy Statement Comparison etwork  Security  Control   Enable  SSL  on  the  web  server.   Don’t  transmit  sensi0ve  data  via  IM  chats.  (Actually  a  policy   statement  in  PCI-­‐DSS)   atabase  Security  Control   Configure  DB  server  so  sensi0ve  data  stores  are  encrypted.   hysical  Control   Shred  documents  that  contain  sensi0ve  data.   pplica<on  Security  Control   Encrypt  sensi0ve  data  during  transmission.   Web  facing  applica0ons  must  be  resilient  to  SQL  injec0on   agacks.  
SQL Injection Policy ✔  MINIMUM   uild  web  applica0ons  that  defend  against  SQL  injec0on  agacks.   ✔✔  BETTER   uild  web  applica0ons  that  defend  against  SQL  injec0on  agacks  by  sani4zing  all  use put.     ✔✔✔  GOOD   uild  web  applica0ons  that  defend  against  SQL  injec0on  agacks  by  sani0zing  all  use put  using  this  approved  sani4za4on  rou4ne.   ✔✔✔✔  EXCELLENT   …..plus   •  Soware  Developers  do  X   •  Soware  Testers  do  Y    
Protect Sensitive Data  MINIMUM   otect  sensi0ve  data.     ✔  BETTER   otect  sensi0ve  data  by  using  this  approved  encryp4on.   ✔✔  GOOD   otect  sensi0ve  data  by  using  this  approved  encryp0on  in  databases  that  store  and   ring  transmission  of  sensi4ve  data.   ✔✔✔ EXCELLENT   plus   •  Architects  define  algorithms.   •  Developers  never  write  their  own  crypto.   •  Test/QA  verifies  XYZ.  
Cross-Site Forgery MINIMUM   ate  applica0ons  that  are  resilient  to  Cross-­‐Site  Request  Forgery.     BETTER   ate  soware  applica0ons  that  are  resilient  to  CSRF  agacks  by  using  the  OWASP  Top RF  Cheat  Sheet.”     ✔✔  GOOD   ate  soware  applica0ons  that  are  resilient  to  CSRF  agacks  by  using  the  OWASP  Top CSRF  Cheat  Sheet”  and  implement  a  language-­‐appropriate  framework.     ✔✔✔ EXCELLENT   us   Use  challenge-­‐response.   QA  check  reference  headers.  
App Pen Testing icy:   Conduct  annual  tests  of  internet  facing  applica0ons.”   w  to  improve  it   pecify  the  type  of  test,  e.g.,  web  vulnerability   can,  source  code  review,  paper  audit,  etc.   ow  deep  should  it  go  /  What  should  be  tested?   Ø OWASP  Top  10  vulnerabili0es   efine  the  key  assets  you  are  trying  to  protect.   pecify  which  agacks  should  be  conducted.   Ø Threat  modeling  in  advance  can  guide  you  here.  
cy   Ensure  applica0ons  processing  data  properly  authen0cate   sers  through  central  authen0ca0on  systems  where   ossible.”     f  addi0onal  func0onality  is  needed,  coordinate   evelopment  with  Informa0on  Technology  Services.”     w  to  improve  it   ere  is  our  approved  authen0ca0on  library  <URL>.   emove  ambiguity.    “coordinate  with  ITS”   •  Rather,  obtain  wrigen  excep0on  for  using  any   authen0ca0on  mechanism  not  explicitly  approved  by   InfoSec  Office    
cy   QL  Injec0on  vulnerabili0es  must  be  prevented.”   e  OWASP   QL_Injec0on_Preven0on_Cheat_Sheet    for   commenda0ons.    to  improve  it   e  Parameterized  SQL  statements  and  stored   ocedures.   e  white-­‐lis0ng  to  constrain  user  input.   e  company-­‐approved  sanita0on  library,     und  here  <URL>.  
olicy   “Ensure  applica0ons  validate  input  properly  and  restric0vely,   allowing  only  those  types  of  input  that  are  known  to  be  correc …”examples  include,  but  are  not  limited  to,  cross-­‐site  scrip0ng buffer  overflow  errors,  and  injec0on  flaws.”     “…see  hgp://www.owasp.org  for  more.”     ow  to  improve  it   Use  this  input  sanita0on  rou0ne  <URL>.   Validate  Input  from  all  sources  For  Type,  Length,   Format,  and  Range.   Iden0fy  all  source  of  input  and  verify  validators     have  been  used  to  check  input.  
III. BYOD: Policy Development to Fit Your Business
onsider  risk  scenarios.   dapt  from  proven  or  trustworthy   models.   Measure  percep0on.   nderstand  roles,  privileges  and   what’s  in  place  today.   et  granular  with  your  ques0ons  &   onsidera0ons.   gure  out  a  strategy  for  tes0ng  your   pplica0ons.     olicy  enforcement.   aise  awareness/required  training.  
 an  inventory  of  your  high-­‐risk   ica0ons/mobile  applica0ons.   ermine  business  cri0cality.     t’s  your  agack  probability?    do  you  define  the  agack  surface?   sider  overall  business  impact.   re  does  compliance  factor  in?   t  are  the  security  threats?  
Trustworthy Sources
tudes  of  general  popula0on   ward  security  (suppor0ve,   agonis0c,  indifferent?)   tudes  of  general  popula0on   ward  management  (suppor0ve,   agonis0c,  indifferent?)     tudes  of  management  toward   urity?   at’s  the  percep0on  of  the  current   OD  policy?   e  there  been  related  security   dents?    
h  departments/groups/individuals    been  most  ac0ve  in  developing   ies?     here  been  any  previous   bora0on  between  policies  and   ors?   you  iden0fy  a  poten0al  champion(s)   pport  the  new  policy?     s  of  agreement  in  commonly   emented  controls  re:  policies?   ort  documents,  materials  and   ed  policies  should  be  cited  in  mobile   ce  policy.   w  who  has  access  to  what  and  how  
w  will  mobile  devices  be  used?   vices  assigned  to  one  person  or  shared?     hich  mobile  applica0ons  would  be  used?   hat  informa0on  is  accessible  through  mobile  devices?     hat  informa0on  will  be  stored  on  the  mobile  devices?     w  will  data  be  shared  to/from  and  between  mobile  devices?     ho’s  ul0mately  responsible  for  mobile  devices?     l  personal  ac0vi0es  on  company  devices  be  permiged?     hat  levels  of  support  are  expected?    
 sensi0ve  is  your  data?   t  kind  of  data  is  it?  PII,  customer   ,  credit  card  data,  proprietary,  IP,   subject  to  regulatory  mandates?   ch  ones?   duct  a  threat  model:   termine  threats   en0fy  poten0al  agacks   nderstand  the  frequency  &  severity   th  which  they  are  executed.  
Application Criteria hreat Sensitive Compliance Custo Lifespan ating Data Stringency Faci ier 1 Restricted Long High Ye ier 2 Private Mid Medium Ye ier 3 Public Short N/A No
Depth, Breadth, Frequency reat Static Dynamic Manual Pen Thre ting Analysis Analysis Test Mode Complete/ Complete/ Complete/ Compl Frequency Frequency Frequency Freque Required/Major Required/Major Required/Per Require er 1 code changes code changes Milestone Relea Suggested/ Required/ Required/Per Suggeste er 2 Monthly Quarterly Release Relea Optional/ Required/ Optional/As Option er 3 Quarterly Annually Needed Need
scribes  contextual,  technical  guidelines  on  how  security  should egrated  within  the  SDLC   y  phase,  role,  technology,  applica0on  type   everages  internal  secure  development  champion(s)  for  input   ps  to  compliance  mandates   nsiders  cri0cality  of  applica0on  and  data   equirements,  ac0vi0es  and  level  of  detail  needed  will  differ   s  clear  excep0on  policy   What  if  minimum  standards  can’t  be  met?  What  is  considered   cceptable?  Who  approves?   ludes  internally  built  and  third  party  applica0ons   flects  current  maturity  and  secure  development  skills   he  more  skilled,  the  less  explicit  you  need  to  be  with  policies  
u  need  management  buy-­‐in!   oad  strategy  vs  Targeted  strategy  roll-­‐out   n-­‐boarding:     Require  all  device  info  as  part  of  hiring  process  (especially   applica0ons)   Require  policy  training  up  front   quire  training  for  various  departments:   General  popula0on  receives  awareness  training   Technical  employees  receive  in-­‐depth  training   onitor  for  effec0veness  –  EX:  Deliver  training  or  reminder   hen  employee  is  out  of  compliance.    
Thank You!! tbain@securityinnova4on.com   TwiWer:  @tmbainjr1    

More Related Content

PDF
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
bySounil Yu
 
PDF
Streamlining AppSec Policy Definition.pptx
bytmbainjr131
 
PPTX
Allianz Global CISO october-2015-draft
byEoin Keary
 
PDF
2015 Cyber Security
byAllen Zhang
 
PPTX
Web security – everything we know is wrong cloud version
byEoin Keary
 
PPTX
The Teams Behind DevSecOps
byUleska
 
PPTX
Web security – application security roads to software security nirvana iisf...
byEoin Keary
 
PDF
Building secure mobile apps
byMartin Vigo
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
bySounil Yu
 
Streamlining AppSec Policy Definition.pptx
bytmbainjr131
 
Allianz Global CISO october-2015-draft
byEoin Keary
 
2015 Cyber Security
byAllen Zhang
 
Web security – everything we know is wrong cloud version
byEoin Keary
 
The Teams Behind DevSecOps
byUleska
 
Web security – application security roads to software security nirvana iisf...
byEoin Keary
 
Building secure mobile apps
byMartin Vigo
 

What's hot

PPTX
New Paradigms for the Next Era of Security
bySounil Yu
 
PPTX
Cyber Defense Matrix: Reloaded
bySounil Yu
 
PPTX
Three trends in cybersecurity
byAlexander Deucalion
 
DOCX
Dhishant -Latest Resume
byDhishant Abrol
 
PDF
Slide Griffin - Practical Attacks and Mitigations
byEnergySec
 
PDF
Enhancing Authentication to Secure the Open Enterprise
bySymantec
 
PDF
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
byEnergySec
 
PPTX
Cybersecurity Hands-On Training
byTonex
 
PDF
What’s the State of Your Endpoint Security?
byIBM Security
 
PPTX
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
bySounil Yu
 
PPTX
Ten Security Product Categories You've Probably Never Heard Of
byAdrian Sanabria
 
PPTX
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
byEnergySec
 
PPTX
Cyber Security Needs and Challenges
byHappiest Minds Technologies
 
PPTX
Jim Wojno: Incident Response - No Pain, No Gain!
bycentralohioissa
 
PPTX
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
byCODE BLUE
 
PDF
Attack Toolkits and Malicious Websites
bySymantec
 
PDF
Two-factor authentication- A sample writing _Zaman
byAsad Zaman
 
PDF
Stopping zero day threats
byZscaler
 
PPTX
Cyber Security protection by MultiPoint Ltd.
byRicardo Resnik
 
PPTX
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
bySounil Yu
 
New Paradigms for the Next Era of Security
bySounil Yu
 
Cyber Defense Matrix: Reloaded
bySounil Yu
 
Three trends in cybersecurity
byAlexander Deucalion
 
Dhishant -Latest Resume
byDhishant Abrol
 
Slide Griffin - Practical Attacks and Mitigations
byEnergySec
 
Enhancing Authentication to Secure the Open Enterprise
bySymantec
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
byEnergySec
 
Cybersecurity Hands-On Training
byTonex
 
What’s the State of Your Endpoint Security?
byIBM Security
 
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
bySounil Yu
 
Ten Security Product Categories You've Probably Never Heard Of
byAdrian Sanabria
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
byEnergySec
 
Cyber Security Needs and Challenges
byHappiest Minds Technologies
 
Jim Wojno: Incident Response - No Pain, No Gain!
bycentralohioissa
 
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
byCODE BLUE
 
Attack Toolkits and Malicious Websites
bySymantec
 
Two-factor authentication- A sample writing _Zaman
byAsad Zaman
 
Stopping zero day threats
byZscaler
 
Cyber Security protection by MultiPoint Ltd.
byRicardo Resnik
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
bySounil Yu
 

Similar to Re-Thinking BYOD Policy.pptx

PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
PDF
The Darkside of Mobile Applications
byWirehead Technology
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
PDF
BYOD: Device Control in the Wild, Wild, West
byJay McLaughlin
 
PPTX
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
PPT
Sql securitytesting
byThilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Essentials of Web Application Security: what it is, why it matters and how to...
byCenzic
 
PPT
Security Testing for Mobile and Web Apps
byDrKaramHatim
 
PPT
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
byAlan Kan
 
PPTX
Outside the Office: Mobile Security
byMcKonly & Asbury, LLP
 
PDF
Appsec Introduction
byMohamed Ridha CHEBBI, CISSP
 
PPTX
Application Security TRENDS – Lessons Learnt- Firosh Ummer
byOWASP-Qatar Chapter
 
PDF
Designing your applications with a security twist 2007
byBlue Slate Solutions
 
PDF
Module 6.pdf
bySitamarhi Institute of Technology
 
PDF
Module 6.Security in Evolving Technology
bySitamarhi Institute of Technology
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
PDF
The Thing That Should Not Be
bymorisson
 
PDF
Unit 08: Security for Web Applications
byDSBW 2011/2002 - Carles Farré - Barcelona Tech
 
PPTX
00. introduction to app sec v3
byEoin Keary
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
The Darkside of Mobile Applications
byWirehead Technology
 
The Future of Software Security Assurance
byRafal Los
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
BYOD: Device Control in the Wild, Wild, West
byJay McLaughlin
 
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
Sql securitytesting
byThilak Pathirage -Senior IT Gov and Risk Consultant
 
Essentials of Web Application Security: what it is, why it matters and how to...
byCenzic
 
Security Testing for Mobile and Web Apps
byDrKaramHatim
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
byAlan Kan
 
Outside the Office: Mobile Security
byMcKonly & Asbury, LLP
 
Appsec Introduction
byMohamed Ridha CHEBBI, CISSP
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
byOWASP-Qatar Chapter
 
Designing your applications with a security twist 2007
byBlue Slate Solutions
 
Module 6.pdf
bySitamarhi Institute of Technology
 
Module 6.Security in Evolving Technology
bySitamarhi Institute of Technology
 
OWASP Top Ten in Practice
bySecurity Innovation
 
The Thing That Should Not Be
bymorisson
 
Unit 08: Security for Web Applications
byDSBW 2011/2002 - Carles Farré - Barcelona Tech
 
00. introduction to app sec v3
byEoin Keary
 

Recently uploaded

PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
PPTX
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
PDF
2025 October Patch Tuesday
byIvanti
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
PPTX
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
PDF
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
PDF
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PPTX
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
PDF
Data Structure - 12 Graph
byAndiNurkholis1
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
2025 October Patch Tuesday
byIvanti
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
Data Structure - 12 Graph
byAndiNurkholis1
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 

Re-Thinking BYOD Policy.pptx

  • 1.
    Forget About BYOD: Develop a Realistic Mobile Security Policy m  Bain   ector,  Product  Marke4ng   curity  Innova4on  
  • 2.
    ector,  Product  Marke0ng,                                   curity  Innova0on   merly  with  Q1  Labs  (an  IBM  Company)   d  Applica0on  Security,  Inc.   0ve  blogger,  presenter   ,  Communica0ons,  RIC;  MS,  Interna0onal   a0ons/Public  Affairs,  UMASS   Thomas  Ba
  • 3.
    YOD  Dilemma:     ts/Trends    vs  IT  Sec  Need   hy  it’s  a  security  risk   ifferences  Between  App  &  IT  Sec   olicy   remental  policy  construc0on   al-­‐world  policy  improvement   ecommenda0ons   eps  you  should  consider  
  • 4.
    plication Security Experts +  Years  vulnerability  research     curity  Tes0ng  Methodology  adopted  by  SAP,                 croso,  Symantec   thors  of  8+  books   ducts and Services andards  -­‐  Best  Prac0ces   uca0on  -­‐  CBT  &  Instructor-­‐Led   sessment  -­‐  Soware  and  SDLC   ducing Application Security Risk 0cal  Vulnerability  Discovery   cure  SDLC  Rollout  
  • 5.
  • 6.
    ile  devices  help  employees  increase   uc0vity  –  staying  connected  is  not   y  op0onal  anymore!   ge  has  experienced  a  massive  up0ck:    of  today’s  workforce  is  using  a   rtphone  specifically  for  business  use.   struggling  to  keep  up  with  device   agement.   ility  by  its  nature  opens  up  a  larger   ck  surface  with  more  points  of  entry.   cult  to  measure  business  need   ugh  IT  Security  lens.   eloping  a  policy  isn’t  as  easy  as  it   ht  seem.  
  • 7.
    s  lose  autonomy  with   rity  policies  that  aren’t  well-­‐ ned.   ormance  +  capabili0es  oen   mp  security  =  IT  headache.     s  expect  an  always-­‐on,   re  connec0on  and   0onality   e  to  market  pressures  hurt   rity:  But  good  architecture   backend  systems  can  help.   Frameworks  like  PhoneGap   get  to  market  quickly:  But  can  
  • 8.
    %  use  the  same  smartphone  for   rk  and  for  personal  usage.   %  of  employed  adults  use  at   st  one  personally  owned   ctronic  device  for  business   rris  Interac0ve  survey,   ruary  2012)   %  of  employees  surveyed  use   bile  devices  to  run  line-­‐of-­‐ iness  applica0ons  (Ibid)   %  of  companies  allow  BYOD   ge  in  some  manner  (Aberdeen   up,  February  2011)  
  • 9.
    %  of  companies  have  experienced   ata  breach  due  to  inadequate   ice  security  (Ponemon  survey,   2)   %  don’t  have  a  password  on  their   bile  phone.   %  stated  their  companies  couldn’t   cute  a  remote  wipe  if  lost  or   en.   %  said  mobile  security  has  not   n  addressed  with  them  by  IT.  
  • 10.
    Device Security consistent  security  policies   ptop  encryp0on  bypass  mode   nmanageable  devices   ared  media  leakage   inimal  device  management   eadable  data  on  disposed-­‐of   evices   ter-­‐applica0on  data  leakage  
  • 12.
    On Pace forIncreased Incidents
  • 13.
    Why is BYODa Security Problem evice  turn-­‐over:  What  happens  to  the  old  device?     ew  devices:  Default  or  customized  setngs?   ow  can  you  know  everything  about  every  device?   ware  updates  –  user  vs  IT.   pp  Stores:  Approved  apps?     pplica0ons:   What  data  is  on  your  device?   What  enterprise  applica0ons  can  you  connect  to?   Which  apps  are  connected  to  other  apps?  EX:  Your  blog  app  is connected  to  your  CMS,  which  feeds  to  Twiger,  etc.    
  • 14.
    bile Traditional nerabilities Vulnerabilities
  • 16.
    BYOD: AppSec vsInfoSec Polic
  • 17.
    Information Security Application Security Based Receptionist, IT Manager, • Architect, Developer, Tester etc • Application Roles and Privileges w to Rollout and Rollout of web application firewall and secure ement configuration of servers, development best practices databases, anti-virus, • Application Authentication checks communications, • Secure Design components certificates, etc. • Attack surface reduction • Code hardening • Data Encryption • Input validation ertise IT networking, database • How applications interact with environment ded to and computer/OS • How applications function and fail with respe ement configuration skills security • Software development skills w/ security over
  • 18.
    Policy Statement Comparison etwork  Security  Control   Enable  SSL  on  the  web  server.   Don’t  transmit  sensi0ve  data  via  IM  chats.  (Actually  a  policy   statement  in  PCI-­‐DSS)   atabase  Security  Control   Configure  DB  server  so  sensi0ve  data  stores  are  encrypted.   hysical  Control   Shred  documents  that  contain  sensi0ve  data.   pplica<on  Security  Control   Encrypt  sensi0ve  data  during  transmission.   Web  facing  applica0ons  must  be  resilient  to  SQL  injec0on   agacks.  
  • 19.
    SQL Injection Policy ✔  MINIMUM   uild  web  applica0ons  that  defend  against  SQL  injec0on  agacks.   ✔✔  BETTER   uild  web  applica0ons  that  defend  against  SQL  injec0on  agacks  by  sani4zing  all  use put.     ✔✔✔  GOOD   uild  web  applica0ons  that  defend  against  SQL  injec0on  agacks  by  sani0zing  all  use put  using  this  approved  sani4za4on  rou4ne.   ✔✔✔✔  EXCELLENT   …..plus   •  Soware  Developers  do  X   •  Soware  Testers  do  Y    
  • 20.
    Protect Sensitive Data  MINIMUM   otect  sensi0ve  data.     ✔  BETTER   otect  sensi0ve  data  by  using  this  approved  encryp4on.   ✔✔  GOOD   otect  sensi0ve  data  by  using  this  approved  encryp0on  in  databases  that  store  and   ring  transmission  of  sensi4ve  data.   ✔✔✔ EXCELLENT   plus   •  Architects  define  algorithms.   •  Developers  never  write  their  own  crypto.   •  Test/QA  verifies  XYZ.  
  • 21.
    Cross-Site Forgery MINIMUM   ate  applica0ons  that  are  resilient  to  Cross-­‐Site  Request  Forgery.     BETTER   ate  soware  applica0ons  that  are  resilient  to  CSRF  agacks  by  using  the  OWASP  Top RF  Cheat  Sheet.”     ✔✔  GOOD   ate  soware  applica0ons  that  are  resilient  to  CSRF  agacks  by  using  the  OWASP  Top CSRF  Cheat  Sheet”  and  implement  a  language-­‐appropriate  framework.     ✔✔✔ EXCELLENT   us   Use  challenge-­‐response.   QA  check  reference  headers.  
  • 22.
    App Pen Testing icy:   Conduct  annual  tests  of  internet  facing  applica0ons.”   w  to  improve  it   pecify  the  type  of  test,  e.g.,  web  vulnerability   can,  source  code  review,  paper  audit,  etc.   ow  deep  should  it  go  /  What  should  be  tested?   Ø OWASP  Top  10  vulnerabili0es   efine  the  key  assets  you  are  trying  to  protect.   pecify  which  agacks  should  be  conducted.   Ø Threat  modeling  in  advance  can  guide  you  here.  
  • 23.
    cy   Ensure  applica0ons  processing  data  properly  authen0cate   sers  through  central  authen0ca0on  systems  where   ossible.”     f  addi0onal  func0onality  is  needed,  coordinate   evelopment  with  Informa0on  Technology  Services.”     w  to  improve  it   ere  is  our  approved  authen0ca0on  library  <URL>.   emove  ambiguity.    “coordinate  with  ITS”   •  Rather,  obtain  wrigen  excep0on  for  using  any   authen0ca0on  mechanism  not  explicitly  approved  by   InfoSec  Office    
  • 24.
    cy   QL  Injec0on  vulnerabili0es  must  be  prevented.”   e  OWASP   QL_Injec0on_Preven0on_Cheat_Sheet    for   commenda0ons.    to  improve  it   e  Parameterized  SQL  statements  and  stored   ocedures.   e  white-­‐lis0ng  to  constrain  user  input.   e  company-­‐approved  sanita0on  library,     und  here  <URL>.  
  • 25.
    olicy   “Ensure  applica0ons  validate  input  properly  and  restric0vely,   allowing  only  those  types  of  input  that  are  known  to  be  correc …”examples  include,  but  are  not  limited  to,  cross-­‐site  scrip0ng buffer  overflow  errors,  and  injec0on  flaws.”     “…see  hgp://www.owasp.org  for  more.”     ow  to  improve  it   Use  this  input  sanita0on  rou0ne  <URL>.   Validate  Input  from  all  sources  For  Type,  Length,   Format,  and  Range.   Iden0fy  all  source  of  input  and  verify  validators     have  been  used  to  check  input.  
  • 26.
    III. BYOD: PolicyDevelopment to Fit Your Business
  • 27.
    onsider  risk  scenarios.   dapt  from  proven  or  trustworthy   models.   Measure  percep0on.   nderstand  roles,  privileges  and   what’s  in  place  today.   et  granular  with  your  ques0ons  &   onsidera0ons.   gure  out  a  strategy  for  tes0ng  your   pplica0ons.     olicy  enforcement.   aise  awareness/required  training.  
  • 28.
     an  inventory  of  your  high-­‐risk   ica0ons/mobile  applica0ons.   ermine  business  cri0cality.     t’s  your  agack  probability?    do  you  define  the  agack  surface?   sider  overall  business  impact.   re  does  compliance  factor  in?   t  are  the  security  threats?  
  • 29.
  • 30.
    tudes  of  general  popula0on   ward  security  (suppor0ve,   agonis0c,  indifferent?)   tudes  of  general  popula0on   ward  management  (suppor0ve,   agonis0c,  indifferent?)     tudes  of  management  toward   urity?   at’s  the  percep0on  of  the  current   OD  policy?   e  there  been  related  security   dents?    
  • 31.
    h  departments/groups/individuals    been  most  ac0ve  in  developing   ies?     here  been  any  previous   bora0on  between  policies  and   ors?   you  iden0fy  a  poten0al  champion(s)   pport  the  new  policy?     s  of  agreement  in  commonly   emented  controls  re:  policies?   ort  documents,  materials  and   ed  policies  should  be  cited  in  mobile   ce  policy.   w  who  has  access  to  what  and  how  
  • 32.
    w  will  mobile  devices  be  used?   vices  assigned  to  one  person  or  shared?     hich  mobile  applica0ons  would  be  used?   hat  informa0on  is  accessible  through  mobile  devices?     hat  informa0on  will  be  stored  on  the  mobile  devices?     w  will  data  be  shared  to/from  and  between  mobile  devices?     ho’s  ul0mately  responsible  for  mobile  devices?     l  personal  ac0vi0es  on  company  devices  be  permiged?     hat  levels  of  support  are  expected?    
  • 33.
     sensi0ve  is  your  data?   t  kind  of  data  is  it?  PII,  customer   ,  credit  card  data,  proprietary,  IP,   subject  to  regulatory  mandates?   ch  ones?   duct  a  threat  model:   termine  threats   en0fy  poten0al  agacks   nderstand  the  frequency  &  severity   th  which  they  are  executed.  
  • 34.
    Application Criteria hreat Sensitive Compliance Custo Lifespan ating Data Stringency Faci ier 1 Restricted Long High Ye ier 2 Private Mid Medium Ye ier 3 Public Short N/A No
  • 35.
    Depth, Breadth, Frequency reat Static Dynamic Manual Pen Thre ting Analysis Analysis Test Mode Complete/ Complete/ Complete/ Compl Frequency Frequency Frequency Freque Required/Major Required/Major Required/Per Require er 1 code changes code changes Milestone Relea Suggested/ Required/ Required/Per Suggeste er 2 Monthly Quarterly Release Relea Optional/ Required/ Optional/As Option er 3 Quarterly Annually Needed Need
  • 36.
    scribes  contextual,  technical  guidelines  on  how  security  should egrated  within  the  SDLC   y  phase,  role,  technology,  applica0on  type   everages  internal  secure  development  champion(s)  for  input   ps  to  compliance  mandates   nsiders  cri0cality  of  applica0on  and  data   equirements,  ac0vi0es  and  level  of  detail  needed  will  differ   s  clear  excep0on  policy   What  if  minimum  standards  can’t  be  met?  What  is  considered   cceptable?  Who  approves?   ludes  internally  built  and  third  party  applica0ons   flects  current  maturity  and  secure  development  skills   he  more  skilled,  the  less  explicit  you  need  to  be  with  policies  
  • 37.
    u  need  management  buy-­‐in!   oad  strategy  vs  Targeted  strategy  roll-­‐out   n-­‐boarding:     Require  all  device  info  as  part  of  hiring  process  (especially   applica0ons)   Require  policy  training  up  front   quire  training  for  various  departments:   General  popula0on  receives  awareness  training   Technical  employees  receive  in-­‐depth  training   onitor  for  effec0veness  –  EX:  Deliver  training  or  reminder   hen  employee  is  out  of  compliance.    
  • 38.
    Thank You!! tbain@securityinnova4on.com   TwiWer:  @tmbainjr1