Feb 11 2013

BYOD security measures for mobility

Category: Mobile Security | DISC @ 9:22 pm

BYOD Usage (Photo credit: IntelFreePress)

BYOD security controls for mobility

These days smartphones certainly add risk when employees bring their own devices to the office. Like it or not, Bring Your Own Device (BYOD) is a growing trend at all scales and levels. An important thing to understand is that today's users like, and prefer, to use their own devices and applications at work.

As we know, some organizations have pretty strict policies around Bring Your Own Device. BYOD should be addressed in a structured manner, taking information security policies and procedures into account, and an IT governance framework should be used to align it with business goals. In this regard, an organization may have to amend some of its own policies to allow BYOD rather than forcing users to circumvent the existing ones. Security professionals must reassess their current BYOD policies to find a new balance that works for users while still matching the organization's business objectives and security needs.

Organizations of all sizes are dealing with mobility before they have had adequate time to manage its risks: how do we secure the systems and data accessed broadly from employees' mobile devices?

  • State of Security – Which mobile platforms will organizations support in 2013, and how do they rate their state of mobile security? Perform a thorough risk assessment with mobility in scope.
  • Policy – What formal policies do organizations have in place for concerns such as inventory, mobile device/application management and data/device encryption? Update your policies and procedures to cover mobility.
  • Controls – What security controls are in place to manage and secure identity and access management, content and the use of third-party applications? Implement mobility controls based on the risk assessment.
  • Metrics – How do organizations measure the tangible business results of mobile initiatives, including cost savings and improved productivity? Metrics measure the improvement and effectiveness of controls, and are the best way to show auditors and the business that you are maintaining and improving mobility controls over time.


Considerations for BYOD Policies, Controls and Metrics

• Address the allowed and supported mobile platforms for the user community
• Address stolen and misplaced devices to avoid data loss
• Address remote access to corporate resources, which should be secured using TLS or SSL
• Also address exceptions in remote access where an application does not support TLS or SSL
• Address the use of implicit authorization instead of traditional explicit authorization
• Implicit authorization uses the SIM-based Extensible Authentication Protocol method (EAP-SIM)
• Implicit authorization is less risky than explicit authorization in BYOD
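A compliance check of the kind the policy, controls and metrics points above call for, written here as an added example (not code from the original post): it applies the TLS requirement, the documented-exception rule and the allowed-platform list to a constructed inventory of remote-access endpoints and yields a compliance percentage as the metric. The example hosts, the 1.2 minimum TLS version and the exception fields are assumptions made for this example.

```python
from datetime import date
from urllib.parse import urlparse

# Policy parameters (assumed for this example; tune to your own BYOD policy).
ALLOWED_PLATFORMS = {"ios", "android"}
MIN_TLS = (1, 2)

# Constructed inventory of remote-access endpoints; the hosts are not real.
INVENTORY = [
    {"name": "mail", "url": "https://mail.example.test", "tls": "1.2", "platforms": ["ios", "android"]},
    {"name": "legacy-crm", "url": "http://crm.example.test", "tls": None, "platforms": ["android"],
     "exception": {"expires": "2013-06-30", "control": "VPN required"}},
    {"name": "wiki", "url": "https://wiki.example.test", "tls": "1.0", "platforms": ["ios", "blackberry"]},
    {"name": "fileshare", "url": "http://files.example.test", "tls": None, "platforms": ["ios"]},
]

def parse_tls(version):
    """'1.2' -> (1, 2); None (no TLS at all) stays None."""
    return tuple(int(x) for x in version.split(".")) if version else None

def check_endpoint(ep, today):
    """Return the list of policy findings for one endpoint (empty list = compliant)."""
    findings = []
    unsupported = {p.lower() for p in ep["platforms"]} - ALLOWED_PLATFORMS
    if unsupported:
        findings.append(f"unsupported platform(s): {sorted(unsupported)}")
    tls = parse_tls(ep.get("tls"))
    if urlparse(ep["url"]).scheme == "https" and tls is not None and tls >= MIN_TLS:
        return findings
    # Transport is not TLS, or below the minimum: acceptable only under a documented exception.
    exc = ep.get("exception")
    if exc is None:
        findings.append("transport below policy and no documented exception")
    elif date.fromisoformat(exc["expires"]) < today:
        findings.append(f"exception expired on {exc['expires']}")
    elif not exc.get("control"):
        findings.append("exception lacks a compensating control")
    return findings

def evaluate(inventory, today_iso):
    """Run the checks as of the given date; return (findings by name, compliant fraction)."""
    today = date.fromisoformat(today_iso)
    report = {ep["name"]: check_endpoint(ep, today) for ep in inventory}
    compliant = sum(1 for f in report.values() if not f)
    return report, compliant / len(inventory)

if __name__ == "__main__":
    report, ratio = evaluate(INVENTORY, "2013-02-11")
    for name, findings in report.items():
        print(name, "OK" if not findings else "; ".join(findings))
    print(f"compliance metric: {ratio:.0%}")
```

Re-running the same check on a later date turns a once-valid exception into a finding, which is the kind of drift the metric is meant to surface to auditors.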

Tags: BYOD, Extensible Authentication Protocol, Information Security, Remote access, Smartphone, Transport Layer Security


Nov 01 2012

10 reasons to ponder before using your smartphone for banking

Category: Smart Phone | DISC @ 11:55 am

Mobile Payment Security

01) There is no clear legislation that sets out your right to a refund if your bank account is fraudulently emptied because of an insecure mobile banking app. The burden of proof seems to fall on the user to protect their handset, operating system, software, mobile operator infrastructure and everything else in the "chain" of the transaction.

02) Of course you want to be able to use WiFi hotspots, but this means that in most cases you are operating on an insecure wireless network. It is easy for "bad guys" to sniff the air with a free utility and read your details.

03) Most users have not even set up a basic passcode on their smartphone. Therefore, if someone gets access to the device, they potentially have access to the bank account as well.

04) Most app stores do not test the security of apps. It is very easy for the "bad guys" to put malware in an app that steals information from your device or from other apps on it (e.g. a banking app). This can also happen when an app updates.

05) Most smartphone users have not installed security software on their device, so they have less protection than a laptop or PC with security software installed.

06) The average smartphone user does not regularly perform OS (operating system) updates, and many of these updates are critical security patches.

07) Due to performance issues, many of the lower-cost handset manufacturers disable security features in order to improve the performance of the device.

08) Malware targeting the Android platform alone has gone up over 400% in the last year.

09) The technology that keeps apps separate on a device does not isolate them in private sandboxes. This means that one app can read the details stored by another app without much difficulty.

10) If you check the T&Cs (terms and conditions) of your local banking app, you may find that it asks for permission to know your phone's location (GeoIP).

Tags: Android, Geolocation, Malware, Operating system, Personal computer, Security, Smartphone, Wi-Fi