CONTEXT-AWARE SECURITY THROUGH RAIN RFID
ADVANCED ATTACKS AGAINST MOBILE/IOT DEVICES

+ HARDWARE
- Cold-Boot Attacks
- Chip-Extraction
- Side-Channel Attacks
- BIOS/UEFI Exploits
+ SOFTWARE
- App Vulnerability Scanning
- Reverse Engineering
- Privilege Escalation Attacks
- Advanced Persistent Threats
+ WIRELESS/NETWORKS
- Man-in-the-Middle Attacks
- Over-the-Air Fuzzing
- Signature Tracking & Analytics
- Protocol Analysis
CHALLENGES FACING CURRENT MOBILE SECURITY APPROACHES

+ MOST MOBILE PLATFORMS ARE DEVELOPED FOR COMMERCIAL USE AND ARE INCREASINGLY PROPRIETARY
- Companies like Apple and Samsung are developing more and more isolated hardware and software that requires organizations to stay within their ecosystem, so a single vulnerability can inflict system-wide weaknesses.
+ MANY HIGHLY SECURE PLATFORMS FALL BEHIND AND ARE DIFFICULT TO UPGRADE
- While some custom solutions offer high levels of security, they are difficult to update to new hardware and operating systems. Customized OS builds are difficult to maintain and require rebuilds when major changes are released.
+ MOST ORGANIZATIONS THINK TABLET = SMARTPHONE, INSTEAD OF TABLET = PC, FOR SECURITY
- Many organizations still lower their security posture for tablets due to misunderstanding hardware capabilities. Tablets are now capable of being high-performance machines with the same (or better) hardware than laptops.
+ MOST ORGANIZATIONS' SECURITY PROFESSIONALS THINK DEFENSIVELY, NOT OFFENSIVELY
- Many mobile security professionals focus on network- and app-level security threats, often failing to understand that the most advanced offensive attackers focus on hardware, firmware, and OS-level vulnerabilities to defeat higher-level defenses.
DUE TO VULNERABILITIES, STRICT IT POLICIES ARE NEEDED

EXAMPLE POLICIES FOR MOBILE/IOT SECURITY
+ Devices must be powered off when outside of organizationally controlled buildings
+ Devices can only connect to approved wireless networks
+ Devices must have network and data-at-rest encryption
+ Data must be capable of being wiped remotely
+ Bluetooth, NFC, and other wireless communication capabilities must be disabled
+ Cameras, microphones, and other hardware must be disabled
THE ROLE OF CONTEXT IN ORGANIZATIONAL POLICIES

+ Contextual elements such as location play a critical role in organizational security policies for IT assets
+ Two major constraints exist with enforcing policies on IT assets:
- Most rules/responses require manual user action
- Contextual triggers are only available when the device is powered on, post-boot, and the user is authenticated

(Diagram: ORGANIZATIONAL POLICIES, composed of PERSON/ACTOR/ASSET, CONTEXTUAL TRIGGER, and RULE/RESPONSE)
CONTEXT-AWARE SECURITY TRIGGERS

(Diagram: sources RFID, WI-FI, GPS, and BLUETOOTH feed the CONTEXTUAL TRIGGERS below, which produce a CORRELATED SECURITY RESPONSE BASED ON POLICY RULES)
+ LOCATION/PROXIMITY
+ DEVICE POWER STATE
+ PERIPHERAL CONNECTIONS
+ NETWORK ACCESS/AUTHENTICATION
+ USER PROXIMITY
+ USER CREDENTIALS
DISTRICT: DEFEND SOLVES TRADITIONAL MOBILE WEAKNESSES

(Diagram: device stack governed by a Location-Specific Policy, from the Impinj RFID Tag through App/Files, Operating System, Virtual Machine, and Hypervisor down to Intel vPro)

+ MOBILE DEVICE POLICY CONTROL
- Control access to VMs, HW features, networks, OS, applications, and data based on the client's location policies
+ MOBILE DEVICE PROTECTION
- Enforce disk encryption, disable power controls, alert IT when devices leave authorized areas, and wipe data
DISTRICT: DEFEND LOCATION-BASED SECURITY (EXAMPLE)

Districts in the example floor plan:
- District 0: Lobby & Exterior
- District 1: Hallway & Open Conference Rooms
- District 2: Typical User Work Spaces
- District 3: Sensitive Information Access Point

Flow in District 1 (Hallway & Open Conference Rooms): Start -> Test User -> Device Powered On -> WiFi/NIC Disabled -> Launch VM (Thick) -> Access to Basic Apps
DISTRICT: DEFEND LOCATION-BASED SECURITY (EXAMPLE)

Flow in District 2 (Typical User Work Spaces): Start -> Test User (device screenshot showing NGT Search, Alerts, Data Finder) -> WiFi/NIC Enabled -> Connect to Network -> Enable Full App Suite -> Access to Personal Files
DISTRICT: DEFEND LOCATION-BASED SECURITY (EXAMPLE)

Flow in District 3 (Sensitive Information Access Point): Start -> Test User (device screenshot showing NGT Search, Alerts, Data Finder) -> WiFi Disabled/NIC Enabled -> Enable Full App Suite -> Launch VM (Thin) -> Access Secure Files
DISTRICT: DEFEND LOCATION-BASED SECURITY (EXAMPLE)

Flow in District 0 (Lobby & Exterior): Device Powered Off -> Full Encryption -> Disable Power On
SECURE LOCATION DATA VIA RAIN RFID

+ Location-based security provides the ability to automatically enforce organizational policies based on a mobile device's physical location

WHY PASSIVE RFID?
- Does not actively transmit
- Does not penetrate well through walls
- Out-of-band and does not commingle with sensitive data
- Allows for policy updates and tracking even when the device is powered off

OVERCOMING MISCONCEPTIONS
+ Misconception: RFID is insecure for transferring sensitive data
- No sensitive data is being transmitted over RFID
- All data is management data and carries a signature/encryption
+ Misconception: RFID is susceptible to cloning or denial of service
- Passive RFID does not function well through walls
- A random number and nonce prevent replay
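As an added illustration (not code from the deck or from the District: Defend product), the sketch below ties the district flows on the preceding slides to the "management data has a signature, and a nonce prevents replay" claim: a doorway reader writes a signed record {district, nonce} to the tag, and on the device a policy agent verifies the signature, rejects a nonce it has already consumed, and maps the district to its policy actions. HMAC-SHA256 under a shared key, the record layout, the `sign_update`/`PolicyAgent` names and the key value are all assumptions for the example; the deck does not specify its signature or key scheme.

```python
import hashlib
import hmac
import secrets

# Policy actions per district, transcribed from the District: Defend example slides.
DISTRICT_POLICY = {
    0: ["device powered off", "full encryption", "disable power on"],
    1: ["WiFi/NIC disabled", "launch VM (thick)", "access to basic apps"],
    2: ["WiFi/NIC enabled", "connect to network", "enable full app suite",
        "access to personal files"],
    3: ["WiFi disabled/NIC enabled", "enable full app suite",
        "launch VM (thin)", "access secure files"],
}

# Hypothetical shared management key (constructed for this example; the deck
# does not describe its key scheme).
MGMT_KEY = b"constructed-demo-key-not-for-production"


def _mac(district: int, nonce: str, key: bytes) -> str:
    """HMAC-SHA256 over district and nonce, so neither can be altered unnoticed."""
    return hmac.new(key, f"{district}:{nonce}".encode(), hashlib.sha256).hexdigest()


def sign_update(district: int, key: bytes = MGMT_KEY) -> dict:
    """Reader side: the management record a doorway reader would write to the tag."""
    nonce = secrets.token_hex(8)  # fresh random nonce per write
    return {"district": district, "nonce": nonce, "mac": _mac(district, nonce, key)}


class PolicyAgent:
    """Device side: verify a management record, then look up the district policy."""

    def __init__(self, key: bytes = MGMT_KEY):
        self.key = key
        self.seen_nonces = set()  # nonces already consumed; a repeat is a replay

    def apply(self, record: dict):
        # Signature first: a forged or tampered record never reaches policy logic.
        expected = _mac(record["district"], record["nonce"], self.key)
        if not hmac.compare_digest(expected, record["mac"]):
            return "rejected: bad signature", []
        # Replay: the same valid record presented twice is refused the second time.
        if record["nonce"] in self.seen_nonces:
            return "rejected: replay", []
        self.seen_nonces.add(record["nonce"])
        policy = DISTRICT_POLICY.get(record["district"])
        if policy is None:
            return "rejected: unknown district", []
        return "applied", policy
```

Because the record lives on the passive tag, the reader can write it while the device is powered off and the agent evaluates it at the next boot, which is the "policy updates even when powered off" property the slide describes.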
SIGNIFICANCE TO RAIN COMMUNITY

AN ORGANIZATION'S MOST VALUABLE ASSET IS INFORMATION

DRIVE ORGANIZATIONAL ADOPTION
+ Many organizations will not spend money on RFID infrastructure for dumb assets
+ Connected devices have access to sensitive information and networks, hence a higher security budget

ESTABLISH NEW MARKETS
+ Global adoption of mobile devices has exceeded that of traditional desktops
+ Indoor office environments (low ceilings) are untapped, yet in need of reliable asset management solutions

EXPAND VENDOR ADOPTION
+ Booz Allen has worked to integrate RAIN RFID tags into two of the world's largest mobile hardware vendors
+ Promote informed devices that utilize data from RFID tags
NEAR- AND LONG-TERM FOCUS

NEAR-TERM PRIORITIES
+ Expand customer base beyond government into healthcare, oil & gas, and finance
+ Support partners in deploying RAIN RFID-embedded secure server technology (e.g., Intel AIR)
+ Deploy District: Detect asset analytics and management tool

LONG-TERM PRIORITIES
+ Work with partners on smartphone solutions
+ Continue working with laptop and tablet OEMs to embed RAIN RFID tags into additional product lines
BOOZ ALLEN'S DISTRICT: DETECT ANALYTICS & MGMT TOOL
OPPORTUNITIES IN RAIN RFID-RELATED TECHNOLOGY

+ Accurate real-time positioning under sub-10ft (3m) ceiling heights
+ Low-cost (<$1,000), small-footprint doorway reader capable of directional detection and independent writes for each direction
+ On-tag protections against advanced replay and cloning attacks
+ Embedded tags with I2C communications