WIXLIB

MOBILE TECHNOLOGY PANEL WEBINARfrom an organizational standpoint fromsecurity, then identifying those sets ofpolicies and applying to those sets of devicesthat you plan on supporting or allowing usersto bring in.HARKINS: Dan, how can an organizationleverage BYOD successes across other keycompliance areas?leverage this opportunity to eliminate staticpasswords and expand dynamic credentialsacross the enterprise and the entire Internet,everyone will benefit. It will provide anefficient way to collaborate and exchangeideas and information but provide thesecurity we all want and need.HARKINS: I totally agree. Ahmed, anycomments from you on that?DATOO: One of the biggest things is achange in mindset. Often times we see, forexample, companies approach BYOD verysimilarly to how they approached corporateowned laptops and one of the commonmistakes I see for example is pass codes.People want individuals to have pass codeson the devices and they want them to be thesame as the laptop: eight characters, a capitalletter and a special character. And all it takesis one executive to be in the car, because let’sface it, people end up checking e-mail orSMS in the car and have to enter in that passcode once before that pass code gets changed.The idea comes back to identifying up-front,from a policy standpoint and from a securitystandpoint, what’s the minimum requirementFORD: The organizations are just nowstarting to think about BYOD. They’re reallyalready behind the curve. You’ve got to getahead of this, and that means you have tostart thinking about not just BYOD todayfrom a policy perspective, but what arethe next trends that are out there? Get outthere and communicate with your peersand different roundtable sessions. ISSA hasa mobile group. If you’re involved in U.S.federal government, it has mobile groups.Find out what mistakes they have made soyou don’t make them again. What have theyfound that has been very successful andthen start small. Don’t start big when you’retrying to leverage what other organizationshave done because every organization hastheir own unique challenges with how theyhandle data and how the data owners areresponsible for them. Again, I really goback to an enterprise architecture processbecause that’s going to help start identifyingwhere the data reference model is so you canunderstand how that data’s moving around tothe different technologies. You’ll know whatenterprise applications you’re using and thenhow to move those enterprise applications tothat mobile environment.HARKINS: I think that makes a ton of sense.One of the things that we’ve seen with BYOsuccesses is the power of the small wins inthis space. I think you can leverage thosesuccesses as well from a security team tomove the security team to be more than justbeing perceived as the “no” organization,and essentially kind of run to the riskieritems in order to shape the path of the riskand manage the risk in order to capture thebenefit. Then again, look at that from othercompliance areas and say, “These things thatInformation Security Media Group 20125

MOBILE TECHNOLOGY PANEL WEBINAR“You’re never done [with your policy] because thetechnologies are changing, the usages continue to changeand the legal and regulatory landscape change.”MALCOLM HARKINS, INTELhave been ‘off limits’ in the past, can we lookat risk differently and in a way that allows usto be more progressive toward some itemsbut still manage the risk because we’ve seenthe ability to do that with the BYO model?”FORD: When you know where the data is,you know what types of security measuresyou have to put in place. When it comesto risk, it’s about getting the risk to anacceptable level for the data owners to feelcomfortable as to how their data’s being usedand shared amongst the organization or evenbetween different organizations.DATOO: I would love to share an example ofa BYOD success as it relates to compliance.We have a customer that’s in the aerospaceindustry and they have engineers thatmanually print out the blueprints of anairplane when they go to inspect the airplane.They’re regulated by FAA requirementsto at the end of the inspection physicallydestroy the blueprints because should theseblueprints get in the wrong hands, it couldbe a huge national security concern. They’rerequired to destroy these documents. Itturns out that this organization was fined 17 million last year because of not actuallycarrying this out. You get an engineer whogets pulled from inspecting one planeto another and forgets to destroy thesedocuments, and these documents are thick.So they started looking at mobile as a wayof, “How do we use mobile to change thedelivery model?”One of the ideas is they actually handedeach of the engineers an iPad and then thoseenterprises got a capability to securely deliver6files to these devices. What they did is theydelivered these blueprints electronically tothe users. The users are ecstatic because it’sjust a pain to go and shred these documents,and then they were able to put policy controlson the documents delivered to automaticallyremove the documents after a certain timeperiod. There’s an example of a BYOD successthat’s able to address a specific compliancerelated requirement that not only ends upsaving the organization money, but actuallymakes the end users happier because you’remaking their job easier.HARKINS: That’s a great thing to build offof. A question came in for me around howone calculates return on investment of aBYOD initiative. I think the example youjust gave is a perfect way to look at that usecase. Again, there’s paper savings, there’s timesavings. It’s more eco-friendly because you’renot having the paper. You’re not having thedestruction of the paper cost. I’m an oldfinance guy and so for me, traditionallycalculating that return on investment, cash isking. Follow the cash when you’re calculatingyour ROI first.It’s certainly not free to do this so there’sincremental cost for providing and essentiallyregistering and authorizing those deviceson your network, getting legitimized andconnected in. But if you’ve already startedlooking at it and go, “I’m not having to payfor the device, the user is. I’m not havingto pay for the service, the user is,” you canfollow the money and do that basic cashanalysis.Ahmed, with the example you gave, there’sInformation Security Media Group 2012some savings with printers, paper and thattype of stuff. The other thing that we’ve donein terms of calculation of our return oninvestment at Intel is we’ve looked at trying tomeasure qualitatively the extra effort or workthat we might get from employees and we’vedone that by looking at mail sent or otherthings like that, and surveying the users.What we’ve found with the BYOD usersis we’re seeing about an extra 57 minutesfrom our users of extra work per week thatindividuals were doing because they couldwork real-time to check a message, check acalendar, do something that made them moreproductive. The productivity benefit we’veseen is just about 60 minutes a week.Dan, what are the most compellingchallenges for regulated industries andgovernments with regard to BYOD?FORD: I think it’s really a combinationof technical, regulatory and policy. I’ll gotechnical first. It goes back down to datamanagement and really the risks to thecompromise of confidentiality, integrity andavailability to that data. It’s about trust. Wehave to be able to trust when we’re bringingup any of these mobile devices that assecurity professionals we know that nothingon that device has been compromised.We’ve seen just recently at RSA last weekthese devices no longer need to be rootedor jailbroken to have an attack and/orcompromise to confidentiality and integrity.Zero days don’t have to exist, this notion ofthe half-day exploit where a vulnerabilityexists out in the wild, a patch is availablebut it’s never been distributed either due tothe relationship between the manufacturer

MOBILE TECHNOLOGY PANEL WEBINARand Abuse Act. The legal aspect needs to getmodified out there in order to improve uponwhat the new minimally acceptable standardfor devices is, especially when it comes togovernment data. As part of the regulations,how are we going to continuously monitorthe risk profiles that organizations have saidis acceptable to them, because tomorrow itchanges? I think that goes again right backto the policy. You’re supposed to be having apolicy, following a policy, updating a policyand then also that rolls back down to thetechnical challenges when new laws havebeen established, policies get updated and thetechnical implementation needs to occur.HARKINS: Ahmed, anything from yourperspective around those challenges forregulated industries and governments?and the carrier or the user just hasn’t beenprompted to have to download it, or theyignore it.What we see in the trend is that a bad actorwill purchase a list of vulnerabilities for anoperating system. For this example, we’ll justtake Android 2.2 because there have beenupdates. We know 2.3 - all the way I thinkto 2.3.9 - but there are particular system filesthat can be easily modified by a browserexploit on there and then you can turn thatdevice back into essentially a zombie in a waywhere you’re going to use the microphoneand the camera. You’ll be able to see and hearall the conversations going back and forth,the text messages and the e-mails, all becausethe user didn’t update or the manufacturerdidn’t push out the update yet.Then, not just from the technical side, we alsogot the regulatory compliance. Things arechanging very fast. Today, the main thing thatpeople always go back to when they’re tryingto prosecute individuals for things like I justdescribed goes back to the Computer FraudDATOO: From a regulated industry andgovernment standpoint, there’s a wholehost of issues. I think it comes down to datasecurity. Often times folks in government,healthcare and financial services have awhole host of highly sensitive informationthat could come in the form of e-mails asattachments. We start talking to folks that areusing iPads in lieu of laptops and the numberone end-user requirement we hear about is,“How do I get documents to the device?”They will subscribe to fraud-based serviceslike a dropbox or a box.net and now all of asudden you have sensitive information that’sout on the cloud, and when an employeeleaves you can wipe the device clean, butyou’ve got information that exists outside.So I think there are some challenges.Interestingly enough, it’s not just about data;it’s also around applications.An example I like to give is in the financialservices space. In financial services, froma regulatory standpoint, they’re requiredto have an audit log of all SMS messages aswell as all e-mail, because you don’t wantsome people sending insider informationand providing insider trading information.There are these sets of questions that arestarting to emerge around BYOD whereif a person ends up using Facebook onInformation Security Media Group 20127

MOBILE TECHNOLOGY PANEL WEBINAR“What I see is an opportunity to focus on securing the user byleveraging the mobile device for security, what’s called bringyour-own-token.”BENJAMIN WYRICK, VASCOtheir application, Facebook has an e-mailcomponent and its got a message componentso what are the regulatory concerns andcompliance requirements for folks in thefinancial services industry around Facebook?It’s a personally owned device. They shouldbe allowed to use whatever application theywant, but there are these regulatory concerns.There’s some complexity that’s starting toemerge as it relates to BYOD and regulatedindustries. Typically what we’ve seen is someorganizations embrace BYOD. But also,organizations that are starting to move tocorporate-owned devices where they’re justbuying devices on behalf of the employee,they can start dictating sets of controls on thedevice.HARKINS: I think you’re right, and evenwhat Ahmed had said with regard to thefinancial industry, I had a dialog with apeer about two weeks ago, and with theirBYO initiative they have had to disable SMStexting on their phones because the wayin which the implementation worked withthat device, they couldn’t retain it. In thatindustry, with the audit logging and some ofthe retaining of communications, they hadto disable that on the phone, which againpresents a lot of unique challenges.FORD: Ahmed brings up a good point,utilizing third-party applications likedropbox. I don’t think a lot of peopleknow the ramifications of that from a legalperspective. When you hand over data to athird party, that data is no longer subject tothe Fourth Amendment here in the UnitedStates. That data can go and be accessed aspart of an investigation without the needof a warrant, when you willingly hand thatdata over to a third party. That’s one of theother challenges that I’m seeing going acrossdifferent legal circles out there in D.C. Ithink it’s important for people to understandthat aspect as well, and kind of going backto it’s all about trusting. Ahmed brought upapplications. Are they trusted applications?How do we keep in a BYOD environmentseparate from what’s business vs. personal? Ithink that’s a great way that Fixmo is able tocome in and help that out as well.WYRICK: As we talk to our clients andwe listen to the market, we need to find away to get employees to accept their newsecurity responsibilities by enabling themand providing them the ability to protectthemselves across all their online identities.This is an area that has really been openfor a long time, an area for improvement.It’s been divided far too long and BYODis an opportunity to unify personal andprivate lives at least as far as the Internetand application usage is concerned.Extending this unity toward security andto authentication and allowing them tocontrol and secure any and all of their onlineaccounts with strong authentication is goodfor them and I think it’s good for the entireInternet ecosystem.8Benjamin, given those complexities, how dowe get employees to accept their new securityresponsibilities, because obviously they’regoing to have to play a part in this too?HARKINS: I think that makes sense. One ofthe things that we’ve talked about internallyInformation Security Media Group 2012when we started our journey was we’ve allheard the consumerization of the enterprisebut as we start looking at the policies, as westart looking at the expectation of employees,as we start looking at the technology we’regoing to be using to secure them, we’re inessence enterprising the consumer. As wedo that, we actually can up the level of theirbroader security, both at work and at homeand at play, and change the behaviors andget them to think about things differently.One of the things that we’ve seen out of thatand I’ve had discussions with some peerson this is when somebody owns the device,lost and stolen rates tend to be less. I thinkthat accountability for the device and theusage of it - if you adopted it right and setthe right expectations and essentially trustthe employees to act appropriately - we’veseen the employees accept that kind of newsecurity responsibility.FORD: One of the things that’s interestingabout this question is they say there are newsecurity responsibilities. I don’t really thinkthey’re new. I think that they are the exactsame responsibilities they’ve always neededto have when it comes to handling theirenterprise data. What’s funny about this isthat just last year the Wall Street Journal hadan article stating that smart phone users werethree times more likely to be susceptible tophishing attacks then they would have beenif it came from their traditional computingenvironment. We’ve been trained for the last10-15 years about spam, [not opening] upe-mails if you don’t know who it was from,and we’ve gotten a lot better, a lot moremature, in that enterprise security to where

MOBILE TECHNOLOGY PANEL WEBINARe-mail or any types of web surfing that they’redoing from the enterprise perspective, peoplehave gotten a comfort zone.I don’t think it’s necessarily new security. Ithink they need to be re-educated that thesedevices are the same but they are less mature.Therefore you have to be extra vigilant whenyou’re going to be utilizing these devices forwork and personal. There’s that fine line that Ithink just needs to be a re-education to theseusers.things: the maturity of the product type andit’s predictability on how the risk posture’sgoing to be after applying counter-measures.That’s kind of difficult with where we are inthe mobile-computing world today. I kindof equate the maturity level back to the PCmarket in the late 90s, early 2000s. We hadantivirus. We had this little firewall calledBlackICE. One of my favorite organizationsout there called Cult of the Dead Cow - youmay not be familiar with them - they madethis little program called Back Orifice andproductive, right? The example I gave aboutdropbox and box.net, I don’t think it’s a userthinking, “I want to have access to all thesecorporate documents so if I were to leave,I can take it to the competitors.” I think theuser just wants to be more productive. I thinkwhen users start downloading some of theseapps that may be malicious in nature, theydownload it out of ignorance. They don’tknow that it’s necessarily malicious and theydon’t know the ramifications or implications,and so I think one of the key things whenyou start developing a BYOD strategy is thenotion of trust but verify. Trust your endusers to do the right things, but have somemechanisms in place to make sure that ifthere’s a vulnerability that’s identified on theAndroid marketplace - as there has been you have a mechanism to identify which ofthe 50,000 devices out there actually havethis application running. One of the biggestchallenges that’s emerging - at least from athreat perspective - is the ignorant user.“One of the biggest things is a change inmindset.”AHMED DATOO, ZENPRISEHARKINS: I think that’s a perfect lead-in tothe next question we just got, which is, how isthe mobile threat landscape evolving?WYRICK: I can address that from theauthentication and security side. Of coursewe spend a lot of time focusing on the newthreats and how those are evolving and whatwe see from mobile is that it really follows thePC in terms of threats, but at a quicker pace.The PC gave everyone - security companiesand the hackers - a bit of an experience tolearn from. We’re seeing reports on man-inthe-mobile here recently, or really malwarebeing placed on these phones to interceptmessages; things like SMS, for example,used to deliver one-time passwords orpasswords in general. I think it’s importantthat as companies look at bring-your-owndevice and using this for other things likesecurity, we look to secure and harden theseapplications like most banks and otherfinancial institutions are already doing.FORD: A lot of my colleagues have heardme say this many times before. From myperspective security is really about twothis allowed these bad actors to install remoteaccess tools on devices where they could geta shell and be able to really do whatever theywanted with these machines, and these thingswere on Windows 95, 98, 2000, even NT andXP. That’s something that we’re seeing now, asBenjamin just mentioned, about them gettingtext messages and they go and click on thatlink and all of a

enterprise now has obligations if that's being used for corporate purposes to be able to get access physically to the device and logically in some circumstances. Benjamin, how does BYOD change the traditional way organizations provide security? WYRICK: I think BYOD creates an opportunity for simplifying the enterprise authentication architecture.