This presentation was given at the Western Independent Banker's 2012 Technology Conference in San Diego, CA.

1. BYOD:
Device Control in the
Wild, Wild, West
September 25th, 2012

2. About the Speaker
• Chief Security Officer, Q2ebanking
• Former CIO for multi-billion financial institution
• 13 years industry exp. in Information Technology & Security
• CISSP® (Certified Information Systems Security Professional)
• Published & quoted in American Banker, ABA Banking
Journal, BankInfoSecurity.com, CIO Magazine,
ComputerWorld, Credit Union Times
• Speaker/evangelist - InfoSec World, Innotech, ComputerWorld
SNW, BAI PaymentsConnect, regional banking conferences

3. Agenda
• Changing mobile landscape
• Drivers behind BYOD(evice)
• Considering threat agents
• Implementing a BYOD program
• policies, technologies, privacy
• Summary & QA

4. Mobile Tidal Wave
• 300,000 apps developed in 3 years
• 1.2 billion mobile web users
• 8 trillion SMS messages sent last year
• 35 billion value of apps downloaded
• 86.1 billion mobile payments made in 2011
• 1.1 billion mobile banking customers (2015)

5. BYOD:
Bring Your Own Device
formally advocates use of personal or non-company
issued equipment to accessing corporate resources
& data
obligates IT to ensure jobs can be performed with an
accept- able level of security

6. Business Benefits
• Cut operating costs by eliminating support
- Operating system support
- Application support
- Access support
• Reduce device hardware costs & procurement
• Remove productivity barriers (flexible work styles)
• Extend applications to offsite/traveling employees
• Increase employee satisfaction through programs
• On-demand, whenever, wherever, multiple channels

8. BYOR(isk)
• Understand the risks
being introduced
• Industry is coming to
terms with security
concerns that exist
around unsecured mobile
devices/smartphones
• Conduct a risk
assessment to identify
address the different
threat agents

9. Protect What?
From whom? or what?
and How?

10. BYOD presents a NEW
problem...
...well, not really

11. The “Human” Problem
• Increased use of social media, coupled with the ubiquity of
ecommerce, has fueled growth in socially engineered schemes
waged for financial gain
• According to the Anti-Phishing Working Group, there are
presently about 30,000 to 35,000 unique phishing campaigns
every month, each targeting hundreds of thousands to millions
of email users
• Anytime a user is asked to make a voluntary decision, phishing
schemes will work, because humans are easy to manipulate
➡ this a social problem, not a technical problem.

12. Do you really believe
that you control your
endpoints?

13. Device Control
• How many of you have local admin rights on
your computer?
• How many of you are able to take your
computer and browse the Internet freely
away from the network?
• How many of you disallow PST files - do
prevent users from taking data?
• How many of you are doing mobile device
management?

14. How do you manage a device
that you don’t control?

15. Get out in Front
Reactive approaches result in ad hoc programs
Are you prepared to answer
this question from your CEO:
“what security did we have on
the device when he lost it?”

16. Understand your Data
What are you protecting?
• How sensitive is your data?
• How is your sensitive data used?
• What compliance and/or regulations
exist?

17. Focus Group:
Computer Security

18. Jailbreaking Devices
• Why? for functionality or to
get paid apps for free
• “Jailbreaking” or “rooting
destroys the security model
• Jailbreaking techniques leave
the device with a standard
root password that may grant
admin-level access to an
app...(and attacker or
malware)
• Convenience at the sake of
security

19. Mobile Malware

20. Mobile Malware
• Researchers identify
first instance of mobile
malware in 2004
• More than 80 infected ex. Gozi
apps have been
removed from Google
Play since 2011
• Android malware has
infected more than
250,000 users

21. QR Codes
• QR codes surfacing
containing malicious links
• First case confirmed by
Kaspersky Labs last year -
mobile malware used to http://siliconangle.com/blog/
send premium SMS
2011/10/21/infected-qr-malware-
surfaces-on-smartphones-apps/
messages

22. Which one is evil?

24. Not the Device
• Over focused on the • Data in motion
endpoint and device (network)
• ...it’s the data stupid! • Data presentation
(application)
• Data at rest
(data stores/shares)

25. Establish Policies
• Will a formal agreement between the institution and the
BYOD user (EULA) specify allowed activities and the
consequences for breaking the agreement?
• Create policies before procuring devices
• Do your BYOD policies address?
• the use of consumer apps
• services such as cloud storage
> Box.net, Dropbox, SpiderOak, Evernote, SkyDrive, iCloud
• Communicate the privacy policy to employees and make
it clear what data you can & cannot collect from their
mobile devices

26. MDM Solutions
• What are you trying to protect
• Address four key areas:
1) standardization of service, not device
• consistent set of security controls across different
platforms while providing the same level of service
2) common delivery methods
3) intelligent access controls - role, group, etc.
4) data containment
• encryption
• partitioning
• sandboxing

27. Questions to Consider
• Which devices will be supported?
• What is the risk profile of the employee/group using the devices?
• Does the institution have the ability to require and install
applications to the device(s), such as remote wipe and/or virus/
malware software?
• Can the institution require a “business only secure partition” on
the mobile device?
• Mandatory or will the organization bend for certain users?
• What happens if the device is compromised? Will your
institution be able to perform any forensics?
• When should we say no?

28. Balancing User Privacy
• Is ‘sandboxing’ or ‘partitioning’ sufficient
to maintain separate personas?
• Is there a reasonable expectation of
privacy?
✓should the organization be able to
read messages?
✓should the organization be able to
perform a full wipe of the device?
• State specific privacy laws (ex CA/MA)
may prevent corporations from even
viewing non-corporate data

29. Policy + Technology
• Policies alone not sufficient - Technology ensures enforcement
• Many solutions, but requirements should include:
✓simple self-enrollment --> complexity increases non-
compliance
✓over-the-air updating
✓ability to selectively wipe data on the device
• corporate apps, email, and documents must be protected
by IT if the employee decides to leave the organization
✓management of the OS patch/update process
✓reporting & alerting --> devices that are non-compliant

30. COMPLIANCE

31. Legal Issues
• Big question surrounds legal issues -- agreements
between employees and employer -- and placing a
company-owned agent on an employee’s handset
• It’s the start of whole new relationship between
mobile device users, in dual roles as individual
consumer and employee, and the company for
which they work.
• Unresolved questions?
• e-discovery, Culpability, Liability
• ex: combined mailboxes

32. Summary
• Understand the mobile landscape of your device
population
• Policies and procedures should reflect the allowable usage
and the breadth and depth of security and control settings
• Consider how BYOD policies can be tested and validated
to ensure that security and controls have been
successfully implemented
• Threat landscape is continuously changing
• Risk assessments should be performed regularly to identify
threats and vulnerabilities

33. Thank You
if “?” >=
then
response_variable = ‘answer‘
else
response_variable = ‘thankyou’
end if;