Mobile Device Security. Dr. Charles J. Antonelli, Information Technology Security Services, School of Information, The University of Michigan, 2008
Roadmap • Introduction: Securing private data • Threats to data • Securing data • Demonstration
Demo participation • Laptop • Windows with Admin authority • Native boot, or • Via VMware Server or Player • No network connectivity required • Flash drive • Lexar Jump Drive Secure II • MAIS logo optional
Demo prerequisites • Required • Basic Windows user skills • Nice to have • Windows Power User or better • System administration experience
Meet the instructor • Research in distributed systems, file systems, and security • At U-M Center for Information Technology Integration since 1989 • Faculty in SI & EECS • Teaching • ITS 101 Theory and Practice of Campus Computer Security • SI 630 Security in the Digital World, SI 572 Database Applications Programming • EECS 280 C++ Programming, 482 Operating Systems, 489 Computer Networks; ENGR 101 Programming and Algorithms; SI 654 Database Applications Programming • DCE Internals, SHARE UNIX filesystem tours, … • Research • Advanced packet vault • SeRIF secure remote invocation framework
Meet the class • Name • Unit • How many GB do you have on mobile devices? • How many of those GB are sensitive data?
Motivation • Protecting the confidentiality, integrity, and availability of the University information assets is not only good business … it is required by federal and state laws and by contractual requirements
Information Security Regulations • Family Educational Rights and Privacy Act (FERPA) • Gramm-Leach-Bliley Act (GLBA) • Health Insurance Portability and Accountability Act (HIPAA) • Payment Card Industry Data Security Standard (PCI-DSS) • State Notification Laws • Sarbanes-Oxley Act (SOX) • Federal Information Security Management Act (FISMA)
Private Personal Information • What is PPI? • Information that can be used to individually identify, contact, or locate a person, or may enable disclosure of this information • Aggregation may expose PPI – name and home address; SSN and bank account number; unique name and date of birth • Requirements relating to PPI • Non-public (“sensitive”) information that can be linked to an individual must be appropriately protected and handled on a “need to know” basis • Unauthorized disclosure of non-public PPI may harm an individual or the University • Regulatory requirement • Data Classification Guidelines https://www.itss.umich.edu/umonly/dataClass.php
PPI Examples (GLBA) • Social Security Number • Credit Card Number • Account Numbers • Account Balances • Any Financial Transactions • Tax Return Information • Driver’s License Number • Date/Location of Birth
PPI Examples (FERPA) • Grades / Transcripts • Class lists or enrollment information • Student Financial Services information • Athletics or department recruiting information • Credit Card Numbers • Bank Account Numbers • Wire Transfer information • Payment History • Financial Aid • Grant information / Loans • Student Tuition Bills • Ethnicity • Advising records • Disciplinary records
PPI Examples (HIPAA) • Patient Names • Street Address, City, Country, Zip Code • Dates related to individuals • Phone Numbers • Social Security Number • Account Numbers • Patient admission date • Patient discharge date • Medical record number • Patient number: Facility assigned • Unique patient number: ORS assigned • Procedure dates • Carrier codes (Insurance/HMO Name) • Patient zip‐code • Health care professional ID • Health care facility ID • Fax number • Health plan beneficiary numbers • Email addresses • Internet Protocol Address Numbers (IP addresses) • Web Universal Resource Locators (URLs) • Device identifiers and serial numbers • Certificate/License numbers • Vehicle identification numbers and serial numbers • Full face photographic images and any comparable images • Biometric identifiers such as finger and voice prints • Any other unique identifying number, characteristic, or code.
Threats • Fundamental threats • Loss of data • Compromise of data • Basic vulnerabilities • To the data • To the device where the data reside • To the data in transit
Threats to data • Type of data • Patient • Administrative • Research • Image • Threats • Corruption • Compromise • Online (malware) • Lost encryption key • ITAR/outlawed encryption
Threats to mobile devices • Devices • Laptops/tablets • Flash drives • PDAs • Cell phones • Digital cameras • Threats • Loss • Coercion • Confiscation • Theft
More motivation http://www.privacyrights.org/ar/ChronDataBreaches.htm
Countermeasures • Protect data at rest • Encryption • Protect data in transit • Encryption • Protect the mobile device • Physical security http://safecomputing.umich.edu/MDS/
Protecting data at rest • Data in permanent storage • Disk, tape, flash, optical • Standards-based solution: • Strong symmetric encryption • Accept no substitutes • Issue: key management • Key distribution • Key escrow
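Secret-Key (Symmetric Encryption) • [Figure: the sender, Alice, encrypts plaintext P with the shared key k (Ek) to produce ciphertext C; the receiver, Bob, decrypts C with the same key k (Dk) to recover P]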
Protecting data at rest • Free & built-in encryption: • Windows • BitLocker • Encrypting File System (EFS) • Mac OS X • Encrypted disk image (Disk Utility) • FileVault • Linux • TrueCrypt (some assembly required)
Protecting data at rest • Some suggested third-party products: • Pointsec for PC and Pointsec for Pocket PC: Encryption software for PCs and Pocket PC devices. File, folder and full disk encryption. • SecureDoc and SecureDoc PDA: Encryption software for PCs and Pocket PC devices. File, folder and full disk encryption. • DESlock+: File and folder encryption for PCs. • NMS for PC: File, folder and disk encryption for PCs. • PKWARE SecureZIP: File and folder encryption for PCs and Unix/Linux. • SafeBoot: File, folder and disk encryption for PCs. • PGP Desktop: File and folder encryption (and, optionally, disk encryption on PCs) for PCs, Macs, and Unix/Linux. • GNU Privacy Guard (http://www.gnupg.org/) http://www.stanford.edu/group/security/securecomputing/mobile_devices.html
Protecting data in transit • Free & built-in encryption • VPN • Cisco VPN client (ITCom) • Mac OS X VPN client • SSH & SCP • SSH Secure Shell (U-M Blue Disk) • Data encryption • See “protecting data at rest”
Protect the mobile device • Secure the device • Lock it up, lock it down, out of sight • Secure the data on the device • Password protect a laptop • Remote wiping of data • DataDefense (Iron Mountain) • Data encryption • See “protecting data at rest” • Be aware of travel-related restrictions • Exporting crypto (ITAR) • Inspection & confiscation
Securing data on Flash Drives • Encrypted container on the flash drive • Software on flash drive encrypts and decrypts data in the container on the fly • User-supplied password • Demonstration: Lexar Jump Drive Secure II http://www.safecomputing.umich.edu/tools/download/securityshorts_encrypt_thumbdrive.pdf
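The password-protected container on this slide, combined with the key escrow issue raised under "Protecting data at rest", as an added example that is not part of the original slides and does not describe how the Lexar software works internally. It assumes OpenSSL 1.1.1 or later; the file names (container.enc, slot.user, slot.escrow), the iteration count and the passphrases are hypothetical.

```shell
#!/bin/sh
# Added example (not the Lexar software): a password-protected container whose
# data key is also escrowed, built with the openssl CLI. Sample values are constructed.
set -eu
umask 077        # containers and temporary key files readable by the owner only
ITER=200000      # PBKDF2 iteration count (assumed value; tune for the device)

# AES-256-CBC with a PBKDF2-derived key and a fresh random salt per file.
# CBC gives confidentiality only; a wrong secret normally shows up as a padding error.
# $1 is an openssl pass source (env:VAR or file:PATH), so secrets stay off the command line.
seal()   { openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -pass "$1" -in "$2" -out "$3"; }
unseal() { openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -pass "$1" -in "$2" -out "$3" 2>/dev/null; }

# create_container DIR PLAINTEXT  (needs exported USER_PW and ESCROW_PW)
create_container() {
  cc_key=$(mktemp)
  mkdir -p "$1"
  openssl rand -hex 32 > "$cc_key"                  # random data key for the bulk data
  seal "file:$cc_key" "$2" "$1/container.enc"
  seal env:USER_PW   "$cc_key" "$1/slot.user"       # copy of the key for the owner
  seal env:ESCROW_PW "$cc_key" "$1/slot.escrow"     # copy of the key for the escrow holder
  rm -f "$cc_key"
}

# open_container DIR SLOT OUT  (needs exported PW; SLOT is "user" or "escrow")
open_container() {
  oc_key=$(mktemp); oc_rc=0
  { unseal env:PW "$1/slot.$2" "$oc_key" &&
    unseal "file:$oc_key" "$1/container.enc" "$3"; } || oc_rc=1
  rm -f "$oc_key"
  return "$oc_rc"
}

# Demo on constructed data: the owner opens the container, then the escrow holder
# recovers it as if the owner's password had been lost.
demo() {
  d=$(mktemp -d)
  printf 'constructed sample record\n' > "$d/plain.txt"
  USER_PW='owner passphrase (sample)'; ESCROW_PW='escrow passphrase (sample)'
  export USER_PW ESCROW_PW
  create_container "$d/c" "$d/plain.txt"
  PW=$USER_PW;   export PW; open_container "$d/c" user   "$d/by_user"
  PW=$ESCROW_PW; open_container "$d/c" escrow "$d/by_escrow"
  cmp -s "$d/plain.txt" "$d/by_user" && cmp -s "$d/plain.txt" "$d/by_escrow"
}
demo && echo "owner and escrow copies both decrypt the container"
```

The unwrapped data key briefly exists as a temporary file, so point TMPDIR at a RAM-backed filesystem rather than at the flash drive or the laptop disk.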