Mobile Devices and Wireless Tracy Jackson Liz Nenni Matt Hinson Chris Eiben
What is a Mobile Device/Wireless? Mobile Device: a device that is easy to use, enables remote access to business networks and the internet, and enables quick transfer of data. Mobile Device: a device that is easy to use, enables remote access to business networks and the internet, and enables quick transfer of data. Wireless Communication: the transfer of information over a distance without the use of electrical conductors or wires Wireless Communication: the transfer of information over a distance without the use of electrical conductors or wires
What are some examples of Mobile Devices? Laptops Laptops Cell Phones Cell Phones PDAs PDAs Flash Drives Flash Drives Bluetooth Bluetooth Mouse/Keyboard Mouse/Keyboard Mp3 Players Mp3 Players Garage Door Opener Garage Door Opener GPS GPS Cordless phone Cordless phone Cameras Cameras Graphing Calculator Graphing Calculator Nintendo Wii (game controllers) Nintendo Wii (game controllers)
How does Wireless Work? Wireless networks Wireless networks use electromagnetic radiation as their means of transmitting data through space. An access point (AP) device is physically connected to the LAN (typically a router) The AP has an antenna and sends and receives data packets through space A wireless device then connects to the WLAN using its transmitter to connect to the AP, and then to the LAN.
Survey
Growing Popularity Used for day to day activities Used for day to day activities Affordable Affordable Necessary to keep up with competitors using the same technology Necessary to keep up with competitors using the same technology Convenient Size Convenient Size
What are the Advantages? Enhanced productivity Enhanced productivity Portability: Stay connected even away from home or office, resulting in a more flexible work life Portability: Stay connected even away from home or office, resulting in a more flexible work life
Risk: Physical theft/loss of device Laptop theft accounted for 50% of reported security attacks. CSI, The 12th Annual Computer Crime and Security Survey, 2007 Laptop theft accounted for 50% of reported security attacks. CSI, The 12th Annual Computer Crime and Security Survey, 2007 Lost or stolen laptops and mobile devices are the most frequent cause of a data breach, accounting for 49% of data breaches in Ponemon Institute, U.S. Costs of a Data Breach, November 2007 Lost or stolen laptops and mobile devices are the most frequent cause of a data breach, accounting for 49% of data breaches in Ponemon Institute, U.S. Costs of a Data Breach, November 2007
Mitigation Cable Locks Cable Locks Never leave hardware unattended Never leave hardware unattended Make hardware as inconspicuous as possible Make hardware as inconspicuous as possible Invest in tracking/recovery software Invest in tracking/recovery software
Risk: Data loss/leakage 7 out of 10 government mobile devices are unencrypted. Government Accountability Office (GAO), IT Security: Federal Agency efforts to encrypt sensitive information are under way, but work remains, June out of 10 government mobile devices are unencrypted. Government Accountability Office (GAO), IT Security: Federal Agency efforts to encrypt sensitive information are under way, but work remains, June 2008 The cost of recovering from a single data breach now averages $6.3M - thats up 31 percent since 2006 and nearly 90 percent since Ponemon Institute, U.S. Costs of a Data Breach, November 2007 The cost of recovering from a single data breach now averages $6.3M - thats up 31 percent since 2006 and nearly 90 percent since Ponemon Institute, U.S. Costs of a Data Breach, November 2007
Wireless networks Infrastructure Mode Infrastructure Mode Ad-hoc mode Ad-hoc mode
Specific Threats to Wireless Networks Unauthorized use of service Unauthorized use of service Jamming Jamming Constant Jamming Constant Jamming Deceptive Jamming Deceptive Jamming
Mitigation Encryption Encryption Authentication Authentication
Common Sense Solutions Understand what is really at risk Understand what is really at risk Take controls seriously Take controls seriously Dont be too trusting of people Dont be too trusting of people Use technology for help Use technology for help TEST! TEST!
IS Auditing Guideline – Mobile Computing Planning Planning Obtain information regarding: intended use (business transactions or personal productivity), technology used, risk analysis, and policies used to manage computing Obtain information regarding: intended use (business transactions or personal productivity), technology used, risk analysis, and policies used to manage computing Conduct interviews and document analysis Conduct interviews and document analysis If a 3rd party is used to outsource IS or business function, review the agreement If a 3rd party is used to outsource IS or business function, review the agreement Relate risks to the criticality of the information stored on the mobile devices Relate risks to the criticality of the information stored on the mobile devices
Risk Analysis Auditor should consider the following when performing the risk analysis: Auditor should consider the following when performing the risk analysis: Privacy – examine protocols and procedures that protect sensitive information on mobile devices (such as physical access controls) Privacy – examine protocols and procedures that protect sensitive information on mobile devices (such as physical access controls) Authentication – certificate indicated verification by a certification authority Authentication – certificate indicated verification by a certification authority 2 Factor Authentication – verifies that the device and the end user are authorized 2 Factor Authentication – verifies that the device and the end user are authorized Data Integrity – detect changes in content or message during storage or transmission Data Integrity – detect changes in content or message during storage or transmission Non Repudiation – user cannot deny processing a transaction Non Repudiation – user cannot deny processing a transaction Confidentiality and Encryption – using algorithms to transform data Confidentiality and Encryption – using algorithms to transform data Unauthorized Use Unauthorized Use
Work Plan & Performance Work Plan Work Plan Auditor documents how risks threaten business, security, and IS objectives, and the controls put in place to address the risks Auditor documents how risks threaten business, security, and IS objectives, and the controls put in place to address the risks Identify weaknesses Identify weaknesses Performance of Audit Performance of Audit If control weaknesses exist, additional procedures may be necessary If control weaknesses exist, additional procedures may be necessary Consider discussing the audit with stakeholders prior to issuing report Consider discussing the audit with stakeholders prior to issuing report
Auditing Wireless Networks Access control, transmission control, viruses, and monitoring access points are important risks to consider Access control, transmission control, viruses, and monitoring access points are important risks to consider Firewall generally secures information but WLAN creates new challenges because it easier to access. Therefore control is more important. Firewall generally secures information but WLAN creates new challenges because it easier to access. Therefore control is more important. (Ex) If an employee were to bring in an unauthorized router in to work, unauthorized users could potentially access the network from outside the building (Ex) If an employee were to bring in an unauthorized router in to work, unauthorized users could potentially access the network from outside the building Access Point (AP) – security of APs is crucial for wireless network auditing, consider unauthorized access, unauthorized APs, improperly configured APs, and Ad Hoc networks Access Point (AP) – security of APs is crucial for wireless network auditing, consider unauthorized access, unauthorized APs, improperly configured APs, and Ad Hoc networks An Auditor might walk around the building looking for markings left on the ground by hackers indicating a spot in range of a wireless network An Auditor might walk around the building looking for markings left on the ground by hackers indicating a spot in range of a wireless network Wireless auditor – an automated system that detects anomalies Wireless auditor – an automated system that detects anomalies
Sources Business Risks and Mobile Devices.pdf Business Risks and Mobile Devices.pdf Business Risks and Mobile Devices.pdf Business Risks and Mobile Devices.pdf Case-Study-IT-Asset-Security-Tool-Helps-Healthcare- Provider-Track-97-of Case-Study-IT-Asset-Security-Tool-Helps-Healthcare- Provider-Track-97-of Case-Study-IT-Asset-Security-Tool-Helps-Healthcare- Provider-Track-97-of Case-Study-IT-Asset-Security-Tool-Helps-Healthcare- Provider-Track-97-of Laptops.pdf Laptops.pdf Laptops.pdf IS Audit Guideline Mobile Computing.pdf IS Audit Guideline Mobile Computing.pdf IS Audit Guideline Mobile Computing.pdf IS Audit Guideline Mobile Computing.pdf Risk and Control in Wi-Fi.pdf Risk and Control in Wi-Fi.pdf Risk and Control in Wi-Fi.pdf Risk and Control in Wi-Fi.pdf Securing Laptops.pdf Securing Laptops.pdf Securing Laptops.pdf Securing Laptops.pdf Tips for Protecting Laptops.pdf Tips for Protecting Laptops.pdf Tips for Protecting Laptops.pdf Tips for Protecting Laptops.pdf What Every IT Auditor Should Know About Wireless.pdf What Every IT Auditor Should Know About Wireless.pdf What Every IT Auditor Should Know About Wireless.pdf What Every IT Auditor Should Know About Wireless.pdf