Mobile security blunders and what you can do about them
Ben Rothke, CISSP CISA
BT Global Services
Senior Security Consultant
About me…

• Ben Rothke (too many certifications)
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every Employee Should Know




BT Americas Inc.               2
Show me the methodology…

• How do you currently handle?
  – smartphones
  – iPads
  – wireless devices




BT Professional Services      3
Serious security

• In your organization, how does management spell security?
• Have they deployed adequate:
  – staff
  – budget
  – processes
  – oversight




Why does this matter?

• Wi-Fi is everywhere
• today’s mobile device is really a desktop
• mobile devices are walking data breaches
• mobile convenience/benefits are obvious
• attackers focusing on mobile devices
• weak mobile security
• mobility is a business necessity
• the perimeter is porous
• compliance pressures
• consumerized technologies are here to stay
• past approaches aren’t working
• social media will be ubiquitous
• misconfigurations
Real-world problems

• loss and theft
• malware infections
• intercepted network traffic
• intellectual property losses
• no adequate data backups
• users not being held responsible for security
• slew of new applications creating risks…




Scary numbers

• 2010 InformationWeek Mobile Device Management and Security Survey
  – 87% say smartphones will become more predominant in their business
  – Security is the biggest reason (73%) for deploying mobile device management (MDM)
  – Why organizations haven’t deployed MDM:
    • Not enough IT staff to support it – 61%
    • Too few mobile devices – 34%
    • Too expensive – 32%
    • Don’t see the need – 26%




Recent issues I’ve come across




Why do we have these problems?

• mobile devices are new/complex
• unauthorized usage difficult to prevent
• improper implementation of controls
• unstructured files all around
• failed security policies
• people not thinking about their choices




Lots of devices out there to consider

• If it’s got network connectivity and storage, secure it:
  – smartphones
  – dumbphones
  – tablets
  – netbooks
  – laptops
  – mobile storage
  – wireless networks




Security audit

• what’s being stored where
• passwords
• encryption
• malware protection
• data backups
• VPN, RDP, GoToMyPC, etc.
• Wi-Fi weaknesses




Mobile security best practices

• Management and security
  – Build management and security into the entire mobile security product life cycle
  – Ensure management tools for mobile devices are interoperable with other management infrastructure
• Policy
  – Extend enterprise security policies to mobile and wireless
  – Use technologies that provide comparable controls:
    • wireless- and mobile-optimized versions of network access control, IDS/IPS, VPN, firewall, data encryption, IDM, DLP, etc.




Mobile security best practices

• Security as a requirement
  – Ensure security is a required purchasing consideration for all mobile and wireless technology and services
  – Require security provisions as a component of all RFPs




BlackBerry security best practices

• Any BlackBerry containing corporate data should be managed under BlackBerry Enterprise Server (BES) or a comparable platform
  – Unmanaged devices can be set by users to be vulnerable to login, sync and data access attacks
  – Managed BlackBerrys can be guaranteed to comply with strict policies
• Ensure you have a uniform set of security capabilities across all models that can be managed and audited to a guaranteed level of compliance
  – Good news: all BlackBerry models have a common security architecture, so this is relatively easy

iPad/iPhone best practices

• Do they exist?
  – Applications cannot be considered fully secure until they use the Apple Data Protection APIs
    • today, only a few applications support them
  – Of the built-in Apple applications, only Mail currently supports the Data Protection API to protect message data/attachments
  – Require employee-owned devices to be secured and managed by the enterprise
  – Deny access to jailbroken or modified devices
  – Restrict sensitive data exported to these devices
  – Use complex passcodes
  – Automatically wipe data after multiple failed login attempts

Since no one listens to best practices

• At a bare minimum:
  – All mobile devices should have policies enabled that require passwords
  – Give high priority to encryption on devices where sensitive data will be stored
  – Use over-the-air kill features where supported
  – Integrate mobile devices into vulnerability and configuration management processes
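As an added example that is not part of the deck, the bare-minimum checklist above and the iPad/iPhone rules (enterprise management, deny jailbroken devices, complex passcodes, wipe after failed attempts) can be run as an automated check over an MDM inventory export. The Device record layout, field names and thresholds are constructed for this illustration, not any vendor's schema.

```python
"""Check mobile device inventory records against the deck's bare-minimum policy.

Added example: the record layout and field names are constructed here; real
MDM exports (BES, ActiveSync reports, MobileIron, etc.) use their own schemas.
"""
from dataclasses import dataclass
from typing import Dict, List

# Thresholds are assumptions chosen for the example, not values from the deck.
MIN_PASSCODE_LENGTH = 6      # "use complex passcodes"
MAX_FAILED_ATTEMPTS = 10     # "wipe data after multiple failed login attempts"


@dataclass
class Device:
    device_id: str
    platform: str                # e.g. "ios", "blackberry"
    managed: bool                # enrolled under BES / MDM
    passcode_required: bool      # a passcode policy is enforced
    passcode_min_length: int
    passcode_alphanumeric: bool
    wipe_after_failed: int       # 0 = never auto-wipe on failed attempts
    storage_encrypted: bool
    remote_wipe_supported: bool  # "over-the-air kill" available on this model
    remote_wipe_enabled: bool
    jailbroken: bool
    holds_sensitive_data: bool


def evaluate(dev: Device) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings: List[str] = []
    if not dev.managed:
        findings.append("unmanaged: enrol under BES/MDM before it holds corporate data")
    if dev.jailbroken:
        findings.append("jailbroken or modified device: deny access")
    if not dev.passcode_required:
        findings.append("no passcode policy enforced")
    else:
        if dev.passcode_min_length < MIN_PASSCODE_LENGTH or not dev.passcode_alphanumeric:
            findings.append("passcode policy too weak: require a complex passcode")
        if dev.wipe_after_failed == 0 or dev.wipe_after_failed > MAX_FAILED_ATTEMPTS:
            findings.append("no wipe after repeated failed passcode attempts")
    if dev.holds_sensitive_data and not dev.storage_encrypted:
        findings.append("sensitive data on a device without storage encryption")
    if dev.remote_wipe_supported and not dev.remote_wipe_enabled:
        findings.append("over-the-air kill supported but not enabled")
    return findings


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant device id to its findings, for the audit report."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        findings = evaluate(dev)
        if findings:
            report[dev.device_id] = findings
    return report


# Constructed sample inventory: one compliant BlackBerry and two problem iPhones.
SAMPLE_INVENTORY = [
    Device("bb-001", "blackberry", True, True, 8, True, 10, True, True, True, False, True),
    Device("ip-002", "ios", True, True, 4, False, 0, True, True, False, False, True),
    Device("ip-003", "ios", False, False, 0, False, 0, False, True, False, True, True),
]

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_INVENTORY).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```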




Tools that can help

• Native security
• ActiveSync
• Lookout
• BlackBerry BES
• Mobile Active Defense
• MobileIron
• Trust Digital
• Good Technology
  – Enterprise
  – Government
• 42Gears




Future trends

• little knowledge needed
• more internal breaches
• more elaborate hacks
• more directed hacks
• physical attacks (stolen devices)
• broadened attack surfaces
• mobile business apps
• Wikileaks
• directed spear phishing

Copyright (c) 2007, Principle Logic, LLC - All Rights Reserved
Keys to information security success

1. Getting the right people
2. Focusing on core issues
3. Proper testing
4. Effective metrics
5. Policies and processes
6. Right technologies
7. Incident response
8. Architecture



Contact info…

• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services

• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke



