Topics. Ensuring Security on Mobile Devices


Transcription:

Ensuring Security on Mobile Devices
It is possible, right?

Topics
- About viaforensics
- Why mobile security matters
- Types of security breaches and fraud
- Anticipated evolution of attacks
- Common mistakes that developers make
- How to anticipate and prevent security flaws
- Conclusion

About viaforensics
- I'm not Andrew Hoog
- Mobile security and forensics researchers
- Key tech leaders: Hoog, Cannon, Zdziarski
- Books, trainings, research papers, news, congressional staff briefing
- Key products and services: appsecure, liveforensics, AFLogical, viaextract, and Santoku

Why Mobile Device Security Matters
- Necessity of security: a given
- Importance and growth of mobile
- Fed study: 20% used mobile banking in 2011; up to 30% will use mobile banking by 2013
- Source: http://www.federalreserve.gov/econresdata/mobile-device-report-201203.pdf

Why Mobile Device Security Matters
- Problems in mobile security to date
  - Rapid growth with little security
  - Trojan/malicious apps, phishing/smishing
  - Perception: many consumers unsure
- Potential for much greater harm
  - Worm or one-click exploit, widespread infection
  - Rapidly increasing adoption + platforms in flux
  - Potential for pervasive, undetected theft of data

Near-field Data Heist: Contactless Credit Cards

Contactless Credit Cards Problem
- Stories from Channel 4, BBC Watchdog
- Card info used to make purchases from Amazon UK
- Not a new problem, but mobiles facilitate the exploit
- Illustrates how ease of use can introduce security risk

Google Wallet Problems
- Google Wallet leverages NFC on some devices
- Connects to credit and prepaid cards
- Leverages the secure element on the device
- Significant growing pains so far:
  - viaforensics found excess private data stored
  - Zvelo cracked the user PIN
  - Thesmartphonechamp found a prepaid card problem

Mobiles as a Target of Attack
- Mobile is different
  - NAND memory
  - New mobile OSs, frequent updates
  - Traverse more networks, install more apps
- Mobile devices are a target
  - Rich target handling banking, email, GPS, PII, PHI
  - Both personal and corporate data
  - Highly connected and can store large datasets
  - Security standards and tools still emerging

Anatomy of a Mobile Attack

Categories of cyber attacks

Espionage
- Goal: Compromise classified materials
- Approach: Highly sophisticated and targeted
- Impact: Severe, threat to security
- Prevention: Complex, expensive

Corporate Theft
- Goal: Steal trade secrets, IP and more
- Approach: Sophisticated, company and individual targeted
- Impact: High, financial or R&D loss
- Prevention: Strong security & policies

Consumer/Identity Theft
- Goal: Financial theft, identity theft
- Approach: Trivial to sophisticated, broad or company targeted
- Impact: Small and wide
- Prevention: Secure mobile development, education

Types of breaches
- Lost or stolen device
- Phishing/Smishing
- Clickjacking
- Trojan or malicious apps
- Man-in-the-middle
- Man-in-the-mobile
- Worm

Security Breach Accounting
- 2012 DBIR, Verizon with USSS and foreign LE
- Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf

Evolution of Attacks
- Platforms have been compromised repeatedly
- The quantity and value of information stored and transacted on mobiles is rapidly increasing
- Attacks follow the money
- Experts anticipate growth in both broad and targeted attacks on mobile

Reality Check
- It's about the DATA
- Most data is handled by apps
- Ergo, it's about the APPS
- App security is mobile security
- Don't we trust device passcodes and encryption? No.

Device Security?
- viaforensics Mobile Security Risk Report
- First line of defense: complex passcodes, keychain data protection, remote wipe
- But secure sensitive data at the app level, and assume a hostile environment
- Do not rely solely on platform security

Apps: Common Problems
- Authentication: authentication bypass, lack of multi-factor, session state vulnerability
- Insecure data on device: caching, logging, stored without encryption, improper encryption, iOS keychain
- Network issues: improper SSL or storage encryption, MITM vulnerability, SSLstrip
- Service/server vulnerability: brute force susceptible, server resource exposure, lack of server-side validation
- Code vulnerabilities: reverse engineering, debugging

Widespread iOS Infection Demo
- Demonstrates risk to apps on the iOS platform
- Discovered by Jonathan Zdziarski
- Not a way to infect a device, but a way to steal important data from many apps
- iOS Foundation classes hijacked
- Most apps' sensitive data vulnerable
- One attack could steal credentials and more
- Potential for pervasive data theft across apps

Secure Mobile App Development
- Yes, there is such a thing
- Takes more time, skill and money than the alternative
- Focus on security before, during and after development
- Education is key
- Testing is key

Recommendations
- Integrate security from the design phase
- Maintain traditional security controls
- Attack your apps: test like a black hat
- Test after updates (platform, app)
- Use the latest mobile techniques and tools

Anticipate and Prevent
- Anticipate attacks
  - Expect your app to be reverse engineered
  - Expect your back-end services to be attacked
  - Expect your users to be targeted & devices compromised
- Prevent damage
  - Prevent your data from being exposed
  - Prevent your app from being compromised
  - Prevent attackers from gaining elevated access

Education Resources
- Secure mobile development resources are increasing
- Industry technical training: viaforensics/CompTIA certification
- OWASP resources
- Mobile security books: Zdziarski, Hoog, others

Secure Mobile Dev: 42+ Best Practices
- FREE report: https://viaforensics.com/42bp
- Avoid insecure data caching
- Avoid simple logic
- Be aware of the keyboard cache
- Properly validate SSL/TLS
- iOS-specific issues
- Android-specific issues
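The "improper SSL / MITM / SSLstrip" problem above and the "properly validate SSL/TLS" best practice here come down to a few client-side settings. The following added example (not from the talk or from viaforensics) audits a client TLS setup and shows the weak configuration beside the hardened one; the URL and the finding codes are constructed for illustration.

```python
import ssl
from urllib.parse import urlparse


def audit_tls_client(url: str, ctx: ssl.SSLContext) -> list:
    """Return finding codes for a client-side TLS setup; empty means no issue found."""
    findings = []
    # SSLstrip-style downgrade: if the app ever starts over plain HTTP, an on-path
    # attacker can keep it on HTTP. The app must only ever use https:// endpoints.
    if urlparse(url).scheme.lower() != "https":
        findings.append("plaintext-scheme")
    # Disabling verification accepts any certificate, so any MITM succeeds.
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no-cert-verify")
    # A valid certificate for some other name must not be accepted either.
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    # Legacy protocol versions weaken the channel even when the cert is checked.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls")
    return findings


def weak_context() -> ssl.SSLContext:
    """The 'make the cert error go away' pattern: everything accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default trust store, hostname check on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed endpoint, only used to show scheme handling.
    print(audit_tls_client("http://api.example.invalid/login", weak_context()))
    print(audit_tls_client("https://api.example.invalid/login", hardened_context()))
```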

Testing Resources
- Internal
  - Train existing security engineers
  - Santoku Linux Project
- External
  - Specialized mobile app security assessment: viaforensics appsecure
  - Find mobile expertise
  - Expert, red team mobile assessment

Back to that Fed Study
"Consumers' perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption. If consumers' perception of security issues changes, whether due to actual or perceived improvements, adoption rates may significantly increase."

Conclusion
- There is great benefit in mobile for enterprises and consumers, but
  - Mobile attacks are likely to increase
  - Mobile security has been bumpy
  - Consumer trust of mobile security is not strong
- Secure mobile development is key
  - Education and testing
  - Anticipate and prevent
  - Raise the standard and assure consumers