Mobile devices boon or curse

Similar documents
Securing Today s Mobile Workforce

Protecting Health Information

10 FOCUS AREAS FOR BREACH PREVENTION

Mobile Devices prioritize User Experience

Teradata and Protegrity High-Value Protection for High-Value Data

Mobile Security using IBM Endpoint Manager Mobile Device Management

PCI Compliance Updates

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

Cyber security tips and self-assessment for business

The Maximum Security Marriage: Mobile File Management is Necessary and Complementary to Mobile Device Management

How to Build a Culture of Security

Google Identity Services for work

PLATFORM CONVERGENCE JOURNEY

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

Exposing The Misuse of The Foundation of Online Security

BYOD Success Kit. Table of Contents. Current state of BYOD in enterprise Checklist for BYOD Success Helpful Pilot Tips

Integrated Access Management Solutions. Access Televentures

A practical guide to IT security

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

MOBILE SECURITY OVERVIEW. Tim LeMaster

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Anatomy of an Enterprise Mobile Security Incident

Lookout's cybersecurity predictions

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

White Paper Securing and protecting enterprise data on mobile devices

Securing Enterprise or User Brought mobile devices

CLICK TO EDIT MASTER TITLE STYLE Fraud Overview and Mitigation Strategies

Make security part of your client systems refresh

Six steps to control the uncontrollable

Trinity Multi Academy Trust

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Information UH Today"

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Deliver Strong Mobile App Security and the Ultimate User Experience

Implementing Your BYOD Mobility Strategy An IT Checklist and Guide

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Effective Strategies for Managing Cybersecurity Risks

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Salesforce1 Mobile Security White Paper. Revised: April 2014

Go mobile. Stay in control.

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Changing face of endpoint security

Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition

Securing Wireless Mobile Devices. Lamaris Davis. East Carolina University 11/15/2013

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

Think Like an Attacker

In(sta)Security: Managing the BYOD Risk. Davi Ottenheimer flyingpenguin

Unlocking Office 365 without a password. How to Secure Access to Your Business Information in the Cloud without needing to remember another password.

CSci530 Final Exam. Fall 2011

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

Mobile Field Worker Security Advocate Series: Customer Conversation Guide. Research by IDC, 2015

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Quick Start Guide. PC, Mac, Android & ios

SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Securing the SMB Cloud Generation

Compliance in 5 Steps

Protect Yourself Against VPN-Based Attacks: Five Do s and Don ts

ANDROID PRIVACY & SECURITY GUIDE ANDROID DEVICE SETTINGS

Make Cloud the Most Secure Environment for Business. Seth Hammerman, Systems Engineer Mvision Cloud (formerly Skyhigh Networks)

2 User Guide. Contents

HikCentral V1.3 for Windows Hardening Guide

UNLOCKED DOORS RESEARCH SHOWS PRINTERS ARE BEING LEFT VULNERABLE TO CYBER ATTACKS

Mobility, Security Concerns, and Avoidance

Review Kaspersky Internet Security - multi-device 2015 online software downloader ]

Using the Secure MyApps Environment

Using the Secure MyApps Environment

How Cyber-Criminals Steal and Profit from your Data

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Session 5311 Critical Testing Programs for Security Operations

What is Eavedropping?

The Common Controls Framework BY ADOBE

The Data Breach: How to Stay Defensible Before, During & After the Incident

To Audit Your IAM Program

SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

ANATOMY OF AN ATTACK!

Remote Desktop Security for the SMB

Vendor: CompTIA. Exam Code: Exam Name: CompTIA A+ Certification Exam (902) Version: Demo

HIPAA Security and Research VALERIE GOLDEN, HIPAA SECURITY OFFICER

A. The portal will function as an identity provider and issue an authentication assertion

Understanding IT Audit and Risk Management

Name of Policy: Computer Use Policy

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH

External Supplier Control Obligations. Cyber Security

Verizon Software Defined Perimeter (SDP).

Auditing Bring Your Own Devices (BYOD) Risks. Shannon Buckley

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

Operational Network Security

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Transcription:

Mobile devices boon or curse Oliver Ng - Director of Training Kishor Sonawane - India Lead Security Compass Consulting & Training

Consumerization According to Apple s chief operating officer, 65 percent of Fortune 100 firms are already deploying the ipad or piloting projects, and many analyst firms are predicting an explosion of tablet devices in the enterprise in 2011. http://www.mcafee.com/us/resources/reports/rp-cylab-mobile-security.pdf

Consumerization Blurring the line between work and personal As a company, you have choices: Provide employees with consumer-level devices Allow access to corporate assets from their personal devices But what are the implications?

What are the risks? Emails (personal or work) Archive Ability to send as employee Credentials to and locations of corporate assets Sensitive documents, contracts, agreements Contact lists Important for phishing, competitive risks

Lost Data Lost Media, 3 Stolen Media, 3 Stolen Computer, 5 Lost Drive, 2 Stolen Drive, 2 Stolen Tape, 1 Lost Computer, 1 Disposal Drive, 1 Lost Tape, 1 Stolen Laptop, 12 2010 incidents by breach type Source: datalossdb.org n:scenario for miwf

The situation

technolust CXO s sees the latest Android device launched, and he s a busy one. Loves the device and connects it for business and pleasure for: gmail.com company.com Secure document storage app

What are mobile threats? Lost or stolen phone Weakly programmed applications Malware Man in the middle attacks

Cases we ve seen 1. Case of the lost phone Default Email Client 2. Case of the broken app Encrypted document app 3. Case of the broken safe Custom email app for corporate

Case of the lost phone

Lost or stolen phone CXO loses phone 2 days later after setting it all up More likely to lose phone than a computer How do we normally mitigate against lost computers? Strong passwords Encryption (TrueCrypt, PGPDisk)

Strong Local Passwords Passwords can be circumvented with rooting or jailbreaking A phone can be compromised and returned (cloned)

Video Lockscreen bypass

File System Encryption Available on Blackberry Available as of ios 4, kind of API is for apps, not full disk encryption Available in Android 3.1+ 3.1 is for tablets only, not phones!

Case of the lost phone Android Email Client CXO didn t set lock screen, Uh oh. Easy access to data on phone At mercy of app security, this is still important! Android Gmail client does not require added authentication Gmail, GoogleApps mail could be compromised

Case of the lost phone Android Email Client Attacker finds out CXOs personal info and website credentials, easily searchable in the Android mail interface Defense: At minimum have keyguards, but still, not 100% solution

Case of the bad app How well is that app made? Can you trust it?

Mobile app development weaknesses Developers still have to learn secure code Why do we seem to forget web app security basics? Trust issues We trust apps too much because we trust our mobile

Case of the bad app Secure Doc App CXO needs to store documents. Buys a vendor app to securely download docs. App automatically expires document after a couple hours Vendor tells CXO that app only lets you read documents for predetermined time

Case of the dumb app Secure Doc App We gain file system access, look at expired document s last modified date Reset clock back to that date access granted to secure document! Defense: Can you trust vendor applications? Test.

Case of the broken safe Storage of information by apps, is it secure?

Case of the broken safe Custom email app Enterprise mail client requires the user to enter their credentials to check e-mail Must be kept somewhere, how? Look for shared preferences XML (rooted phone) # adb shell # cd data/com.<productname>/shared_prefs

Case of the broken safe Custom email app We found the credentials stored in the XML file, unencrypted Defense: Don t trust apps to protect your most sensitive credentials

Mobile Malware

Malware Android market, not checked This is a problem iphone app store, checked But nobody knows how

Malware Emerging threat but not clear yet 76% = increase in malware Q2 vs Q1 2011 (Mcafee) We see the most on Android Pirated apps / alternative markets Some has crept into the official Android Market, but quickly stamped out

Typical Android Malware Legitimate application is repacked to contain malware Attempts to root the device with exploit Sends phone data to command and control can grab data, send messages, make calls

Defense! Install from legitimate sources & trusted developers Spot the cues such as evil permissions Mobile antivirus such as Lookout Security Solutions like Mobile Active Defense (MAD) can help you to limit apps

Man in the Middle

Man in the Middle MITM happens in mobile! Funnel traffic through corporate VPN Now you have VPN credentials stored on phone MAD automatically routes traffic through their own VPN They may do some deep packet inspection on your traffic Is this a good thing?

Final thoughts

Final thoughts Assess risks as required for your business At minimum have key lock on the device Promote device policies and mobile management policy Don t forget, we learned all these issues before in web apps!

Final thoughts Have your security team review vendor apps As with desktop software, ask questions before purchasing for corporate deployment

iphone and Android ExploitMe Mobile Labs are here Will be out soon! http://labs.securitycompass.com

Questions? Oliver Ng - Director of Training Kishor Sonawane - India Lead Security Compass: http://www.securitycompass.com Contact us: training@securitycompass.com Follow: @securitycompass

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback