Weak Spots: Enterprise Mobility Management
Dr. Johannes Hoffmann
Personal details

Dr. Johannes Hoffmann
TÜV Informationstechnik GmbH (TÜV NORD GROUP), IT Security, Business Security & Privacy
Main focus: Mobile Security, Application Security, Network Security, Industrial Security, SE Security

02.12.2015
Agenda

1. Why Mobile Security
2. Challenges
3. Case Study
4. How to securely integrate mobile devices?
5. How to verify correct integration?
1. Why Mobile Security
Mobile Security Overview
Mobile Security?

- Mobile Security is mostly about smartphones, tablets, and their integration into existing environments
- Key factors are:
  - Devices are always at our side, ready to be used: always on, always connected
  - Functionality is easy to extend with apps
Sample Mobile Use Cases
2. Challenges
Challenges

- Mobile devices are constant companions
  - You can lose them
  - They get stolen
- Prime target for attackers
  - Vast amount of data, private and corporate
  - Attackers can easily get monetary revenue (premium SMS etc.)
- Corporate vs. private: BYOD, COPE, COBO?
  - Who wants their private data to be corporate-controlled?
  - Who believes corporate data is safe on private devices?
  - Who wants to carry two smartphones?
More challenges

- All problems from classic IT also apply
  - How to administrate and manage?
  - How to integrate into the network?
- Users usually have no or little knowledge of internals & security
  - It should just work
  - No reading, just tapping
- Smartphones, tablets and mobile security in general are a complex topic
3. Case Study
Case Study: The Client

- A global player checks its infrastructure
  - 10k employees, worldwide sites
  - 200+ smartphones on the tested site
  - iOS and Android, used throughout all staff hierarchies
- MDM with integrated MAM and sane policies
  - Detected jailbreak results in remote wipe
  - Activated device encryption
  - Devices are (automatically) locked with a secure PIN
- MDM externally hosted and administrated (SaaS)
- So far so good!
Case Study: First Security Problem

- Although multiple security measures were in place, some devices had an unlocked bootloader
  - We could boot our own kernel and RAM disk
  - We had full access to the phone
  - We could eavesdrop on the PIN or brute-force it
- Impact:
  - Full access to encrypted data (credentials, Wi-Fi PSK, ...)
  - We could also disable MDM and other security features
  - Use the device on behalf of the original user
  - Access corporate data and even services
  - Gather data for subsequent attacks (infrastructure accessed via corporate Wi-Fi)
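The procurement-side lesson of this slide is that bootloader lock state has to be checked before (and while) a device is enrolled. The following is an added example, not part of the talk and not the client's or any MDM vendor's code: it parses the output of `adb shell getprop` for the standard Android boot-state properties (`ro.boot.flash.locked`, `ro.boot.vbmeta.device_state`, `ro.boot.verifiedbootstate`, `ro.debuggable`) and flags devices whose boot chain cannot be trusted. Which of these properties a given device reports depends on the OEM and Android version, so a missing verified-boot state is treated as a finding rather than as a pass; the `getprop` dumps below are constructed sample input.

```python
import re
from dataclasses import dataclass, field

# One line of `adb shell getprop` output looks like "[ro.boot.flash.locked]: [1]".
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict:
    """Parse `getprop` output into a {property: value} dict; ignores non-matching lines."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


@dataclass
class BootCheck:
    serial: str
    compliant: bool
    findings: list = field(default_factory=list)


def check_boot_state(serial: str, props: dict) -> BootCheck:
    """Decide whether a device's boot chain can be trusted by an EMM enrollment policy."""
    findings = []
    # "0" means the bootloader was unlocked via fastboot: anyone with physical
    # access can boot their own kernel and ramdisk (the attack in the case study).
    if props.get("ro.boot.flash.locked") == "0":
        findings.append("bootloader unlocked (ro.boot.flash.locked=0)")
    # Android Verified Boot (vbmeta) reports the same state on newer devices.
    if props.get("ro.boot.vbmeta.device_state") == "unlocked":
        findings.append("vbmeta device_state=unlocked")
    # Verified boot colour: only "green" means the whole chain is verified and
    # unmodified; "orange" = unlocked, "yellow" = custom signing key, "red" = failed.
    vbs = props.get("ro.boot.verifiedbootstate")
    if vbs is None:
        findings.append("verified boot state not reported (cannot attest boot chain)")
    elif vbs != "green":
        findings.append(f"verified boot state is '{vbs}', expected 'green'")
    # Debuggable (userdebug/eng) builds expose root via adb: same risk class.
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (ro.debuggable=1)")
    return BootCheck(serial, compliant=not findings, findings=findings)


def run_report(devices: dict) -> dict:
    """Map {serial: getprop text} to {serial: BootCheck}."""
    return {serial: check_boot_state(serial, parse_getprop(text))
            for serial, text in devices.items()}


# Constructed sample getprop dumps for three hypothetical devices.
SAMPLE_DEVICES = {
    "A1": "[ro.boot.flash.locked]: [1]\n[ro.boot.verifiedbootstate]: [green]\n"
          "[ro.boot.vbmeta.device_state]: [locked]\n[ro.debuggable]: [0]\n",
    "B2": "[ro.boot.flash.locked]: [0]\n[ro.boot.verifiedbootstate]: [orange]\n"
          "[ro.boot.vbmeta.device_state]: [unlocked]\n[ro.debuggable]: [0]\n",
    "C3": "[ro.boot.flash.locked]: [1]\n[ro.build.version.release]: [5.1]\n",
}

if __name__ == "__main__":
    for serial, result in run_report(SAMPLE_DEVICES).items():
        status = "OK" if result.compliant else "NON-COMPLIANT"
        print(f"{serial}: {status}", *result.findings, sep="\n  ")
```

In practice the same property check belongs in the MDM's compliance policy (most products expose the verified-boot or "rooted/unlocked" state as a policy condition); the stand-alone script is useful during procurement, when a candidate model can be inspected over USB before a single unit is bought.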
Case Study: Second Security Problem

- Although mutual certificate-based authentication between the mail proxy and the mobile device is required, Active Directory passwords could be eavesdropped
  - Security policy allows self-signed certificates; user must accept them
  - Man-in-the-middle attack doable with minor effort
  - Attacker cannot communicate with the mail proxy (no certificate)
  - But the mobile device sends credentials via HTTP POST after accepting the attacker's certificate
  - Reuse AD credentials elsewhere, e.g. VPN or webmail
Case Study: Summary

- Mobile devices are computers: they are complex
- You have to find and close all vulnerabilities; an attacker only has to find one
- In this case, one problem already occurred in the procurement process
- Not only are smartphones themselves complex devices, their integration into an existing network is complex as well
- Users, many administrators and CISOs often do not recognize this complexity
4. How to securely integrate mobile devices?
Other Thoughts: even more challenges

- Cloud providers
  - What data is sent there? Is it encrypted?
  - Who actually reads the EULA?
  - What happens if the provider suddenly stops its service?
- Messaging services and social media
  - Which data is sent where? Corporate secrets? EULA?
- Device features
  - "Hello Siri?" Try to gather information while the device is locked!
  - Speech-to-text: where does it end up? (EULA!)
- Manufacturer ID and mobile device: who owns what?
Enterprise Mobility Management (overview diagram)

- Mobile Devices: Mobile OS and OS Functions, Secure Elements, Apps, Interfaces
- IT Infrastructure: Security Architecture, Business Applications, Mobile Devices
- Internet Services: Security Architecture, Web Application, Web Services, Apps
- Mobile Solution: Individual Solutions, Hardware and Software Components, Apps and Services
Mobile Strategy: Consider every aspect

- What should employees be able to do? Which business use cases should be covered?
- BYOD, COPE, COBO
- MDM, MAM, MCM (containerization)
- Choose devices and operating systems (if not BYOD)
- Integrate into the existing network with security in mind
- Develop emergency plans, e.g. for lost devices
- Brief staff on usage and security implications
- Next to technical guidelines, develop organizational ones
Mobile Strategy: Find a fair balance between usability and security

- Employees should be able to use the devices
  - Nobody likes to enter a long passphrase every 2 minutes
  - Nobody wants to be monitored (at least when you ask them)
- Not every asset should be accessible on a mobile device
  - If something should be kept top secret, treat it so!
  - Some use cases are not suited for mobile devices
- Find a fair balance between security and comfort
Where do Problems Occur?
5. How to verify correct integration?
Verify Secure Mobile Device Integration

- Set everything up, but do not roll it out yet
- Test the prototyped EMM integration
  - Verify use cases are working
  - Verify role and group policies
  - Verify software setup and security measures
  - Verify emergency scenarios are working as planned
  - Verify staff know what they are doing
- Test the prototype again, this time externally
  - It's usually a fatal mistake to trust a system which you could not break but also built yourself!
- Fix everything (maybe test again), then roll it out
TÜViT accompanies your Organization on the Way to a Secure Mobile Business World

- TÜViT offers testing and advisory services for all mobile security and EMM scenarios
  - Health Check (without seal of approval)
  - Assessment (with seal of approval)
- Test procedures based on international standards and best practices (OWASP, WASC, CESG, BSI)
- Technical and organizational test procedures
- Continuous monitoring and retesting (managed services)
Penetration Tests: Classification and Criteria

Information basis: Black-Box, Gray-Box, White-Box
Aggressiveness: Passively scanning, Cautious, Considering, Aggressive
Coverage: Thorough, Bounded, Focused
Approach: Covert, Obvious
Access: Network, Physical, Social Engineering
Source: Remote, Local
OWASP Mobile Top 10 Risks

1. Weak Server Side Controls
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorization and Authentication
6. Broken Cryptography
7. Client Side Injections
8. Security Decisions via Untrusted Inputs
9. Improper Session Handling
10. Lack of Binary Protections
Thank you very much for your attention!
Contact

Dr. Johannes Hoffmann
Security Consultant, IT Security
+49 201 8999-562
j.hoffmann@tuvit.de
www.tuvit.de