Security Architecture for Mobile Computing and Internet of Things (IoT)
Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation
Date Created: 10/28/2015. Date last updated: 11/17/2015
Agenda
Objective: Provide an overview of Security Architecture for Mobile Computing and IoT.
Scope:
• Motivation
• Scope of Mobile Computing and Internet of Things (IoT)
• Growth trends
• Factors that Influence Mobile Security Solution
• Mobile Security Reference Architecture
• Mobile Infrastructure Components
• The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI)
• Potential Vulnerabilities for Mobile applications and mitigation strategies
• Security Controls
• Mobile Security Tools & Technologies
• Q&A
Audience Poll
What is your primary role at your company?
• Technologist, CTO
• Finance, CFO
• Audit, CFO
• Security & Compliance, CISO, CCO
• IT Operation, CIO
• Business Services, Executive
• Consultant, Entrepreneur
• Government, Nonprofit Org
What is your level of experience with Mobile Development? With DevOps? With Cloud environment? With Big Data environment?
• Evaluating
• 1-3 years
• 3-5 years
• 5+ years
Motivation
“Companies rarely fail because of poor financial controls, but they fail frequently due to their inability to understand and address disruptive technologies, market fluctuations, changing customer expectations, and competitive pressures.”
2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
Scope of Mobile Computing and Internet of Things (IoT)
Mobile Computing Definition:
• Human–computer interaction by which a computer is expected to be transported during normal use.
• Technology that allows collection / transmission of data, voice and video via a computer or any other wireless enabled device without having to be connected to a fixed physical link.
• Scope: Hardware / Devices, Software, Communication
Internet of Things (IoT) Definition:
• Network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.
• It allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit.
• Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.
• Scope: Hardware / Devices, Software, Communication
Mobile Computing & IoT Trends (timeline)
• 2000: RFID tags: Supply-Chain & Logistics. ex: smart routing, inventory management, and prevention of supply-chain leakage
• 2010: Surveillance, security, healthcare, transport, tolls, food safety, document management. ex: cameras, sensors, tags, wearables, smart-phones, smart-cards, smart-houses.
• 2020: Locating people, vehicles, and everyday objects. ex: geo-location sensors, GPS, smart-houses, consumable sensors.
• 2030+: Teleoperation & telepresence: ability to monitor and control distant objects. Miniaturization, power efficient electronics, and available spectrum. Software agents and advanced sensor fusion. ex: cognitive & humanized computing, remote controlled drones.
Scope of Mobile Computing and Internet of Things (IoT)
Figure (evolution diagram), recovered labels:
• Currently evolving (Pervasive Computing / Ubiquitous Computing): Mobile Computing Networks, Smartphones, Cloud, Internet of Things
• Emerging future (Cognitive Computing / Humanized Computing): Smartphone technology everywhere, Self-learning Cloud, Internet of Everything, Humanized technology everywhere
• Example devices: Vehicle Tracking Device, Surveillance Cameras, Smart House Automation, Temperature/Occupancy/Flow/Light/Humidity/Smoke/Fire Sensors, Geolocation Sensors
The vision of cognitive / humanized computing
Current Medical Computing:
• Electronic Medical Records
• Latest research findings
• Best practice recommendations on treatments
• Personal genomics data
• Multiple observations from the patient
• Observations from personal environment & history
Cognitive Computing:
• Understand medical records content
• Understand research publications
• Able to discern new patterns
• Able to suggest experiments
• Explain hypothesis to humans
• Able to modify theories, and learn
• Human-like machine intelligence
• Software that emulates more of the brain
• Computer transitioning from “Dumb machines” to “Trusted Partners”
• Computers that have common sense
• Systems that understand natural language
• Enabling “hybrid intelligence”: humans and computers working better together
Internet of Things (IoT): industry sectors, types of applications and types of devices
• IT. Applications: CRM, ERP, SCM, HR, Finance. Devices: Servers, Storage, Network, PCs, Desktops, Laptops, Smartphones, Switches, Routers, PBXs, Embedded Systems.
• Manufacturing. Applications: Planning, Scheduling, Distribution, Discrete / Process Engineering. Devices: Compressors, Conveyors, Pumps, Pipelines, Motors, Turbines, Fabrication Assembly, Packaging.
• Retail & Hospitality. Applications: Inventory Management, Order Management, Incident Management, Service Management. Devices: Receiving, Store, RFID Tags, Point-of-Sales, Cash Register, Workforce Management, Vending Machines.
• Logistics / Transportation. Applications: Planning, Scheduling, Loading, Unloading, Bill of Lading, Delivery Tracking. Devices: Vehicles, Storage, Put Away, Tracking, Maintenance, RFID Tags.
• Healthcare & Lifesciences. Applications: Patient Care, Testing, Health Monitoring, Imaging. Devices: Wearables, MRIs, PDAs, Telemedicine, Surgical equipment, Monitors, Implants, Bio-sensors.
• Energy. Applications: Supply & Demand Management, Drilling, Purification, Storage, Transport. Devices: Turbines, Windmills, UPS, Batteries, Generators, Compressors, Cells, Meters, Drills.
• Home Care. Applications: Education, Convenience, Entertainment, Safety. Devices: Digital Cameras, Appliances, Gaming, Audio / Video Systems, Vehicles, Smart homes, Alarms, Refrigerators, Sprinklers.
• Construction. Applications: Commercial / Residential Buildings Management. Devices: HVAC, Transport, Fire and Safety, Lights / Power / Water Control, Access Control.
• Public Sector. Applications: Safety, Security, Emergency Response, Surveillance, Environmental, Weather. Devices: Tanks, Trucks, Cars, Vans, Fighter Planes, Ambulances, Fire Trucks, Satellites, Spaceships, Ships, Beacons, Weather Sensors.
IoT Growth Predictions
Source: Hewlett Packard Enterprise Community 2015 report http://community.hpe.com; I-Scoop IoT report http://www.i-scoop.eu/internet-of-things/
• Automotive: $202B
• Healthcare: $69B
• Consumer electronics: $445B
• Utilities: $36B
• Manufacturing: $99B
IoT Security Vulnerabilities Research Findings
Source: Hewlett Packard Enterprise IoT Research Findings URL: http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
Computer World: http://www.computerworld.com/article/2476543/cybercrime-hacking/researchers-find-about-25-security-vulnerabilities-per-internet-of-things-device.html
• 90% of devices collected at least one piece of personal information via the device, the cloud or its mobile application.
• 80% of devices, their cloud & mobile application components failed to require passwords of sufficient complexity and length.
• Researchers find about 25 security vulnerabilities per IoT device.
• Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials.
• 70% of devices, their cloud and mobile application enable an attacker to identify valid user accounts through account enumeration.
• 70% of devices used unencrypted network services.
Securing Mobile Enterprise
Chief Information Officer (CIO) / Chief Information Security Officer (CISO):
• Mitigate security risks across the enterprise, i.e. people, process, devices, applications, content and transactions
• Monitor & manage enterprise security across all endpoints
Device Security: Manage the mobile devices, BYOD, BYOA, secure email and document sharing. Enroll, provision, configure, retire, lock/wipe lost devices. Fingerprint devices, i.e. unique device IDs. Enforce security compliance: passcode, encryption, jailbreak / root detection.
Content Security: Secure file and document sharing across mobile devices and employees. Restrict copy, paste & share. Validate integrations with other sources. Secure access to enterprise data: data separation, leakage, encryption, scan, automation.
Application Security: Instrument applications with security protection by design. Identify vulnerabilities in new and existing applications, and in the integration among the applications. Secure development & application management platforms, ex: IDE, scanning, app wrapping, SDK container, whitelist / blacklist applications.
Transaction Security: Secure mobile transactions between employees, customers, partners, and suppliers. Access: Mobile Access Management, Identity Federation & API Connectivity. Transactions: Mobile Fraud Management, Browser Security / URL Filtering, IP Velocity.
Security Intelligence: Collect, correlate, and visualize mobile security data, ex: events, incidents, log data, and detect anomalies. Manage vulnerability and proactive threat avoidance. Mobile Security Information and Event Management (SIEM), log analysis, and data mining.
Stakeholders: IT Operations, Line-of-Business, App Developers, Security Specialists
Factors that Influence Mobile Security Solution
Criteria and considerations:
1. Type of Users: Employees, Customers, Partners, Suppliers.
2. Types of Devices: Form factors: Smartphones (low end), handheld PDAs, Ultra-Mobile PCs, Tablet PCs. OS: Android/Google Devices, BlackBerry, iOS/Apple Device, Palm, WebOS. Browsers: WAP-based, Feature Phones, Smartphones, iPhones.
3. Mobile Devices Features: User owned varied device types or BYOD or Company defined device, ex: device register, locate, lock or wipe capabilities.
4. Services used by mobile app: Central or distributed compute; Service-enabled or legacy access.
5. Types of access: Intranet/extranet or internet; Is a VPN required?
6. Number of users: Small (10-100), medium (1000s) or large (many thousands); Known or unknown number; Is it necessary to protect against surges of workload/requests? Is it necessary to protect against denial of service attacks?
7. Authentication: User authentication, Device authentication, Application authentication.
8. Authorization: User authorization; Does the user need to be authorized to access the Mobile Enterprise Application Platform (MEAP)? Limit access when the mobile user connects from an unsecure network; Limit access based on mobile user location; What authorization token will be used, e.g. OAuth, SAML?
9. Audit: Should access to a specific application be audited? What information needs to be audited, e.g. mobile user id, device location, resource accessed, device id?
10. Confidentiality: What is the nature of the data? Does the data in transit need to be encrypted? What hardware offload capabilities are currently used for SSL/TLS? Is the data stored on the device? Does data on the device need to be encrypted?
11. Integrity: Does the integrity of the data in transit need to be protected?
12. Existing security infrastructure: Will the existing security infrastructure be reused for securing mobile access? What components and products are used in the existing security infrastructure, e.g. Security gateway, User registry, Identity management and mapping, Network security, Digital certificates, Security intelligence solution?
13. Security standards: What company standards need to be respected, e.g. limits on encryption algorithms or authentication protocols, FIPS-140? What industry & government standards need to be respected, e.g. PCI-DSS, HIPAA, FIPS 140, FedRAMP, FISMA?
Mobile Security Reference Architecture (MSRA)
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
Figure (MSRA overview), recovered labels:
• Mobile Device: Camera, Microphone, GPS, Bluetooth/NFC, Tethering, 802.11a/b/g/n, Cellular, USB; Virtual OS (optional); Managed Apps, Untrusted Apps, White Listed Apps, MDM Plugin; Encrypted Storage, Unencrypted Storage
• Access networks: Cellular Networks, Wireless Ethernet Networks
• Gateway & Security Stack; Virtual Private Network (VPN)
• Enterprise Mobile Services: Identity & Access Management (IAM), Mobile Device Manager (MDM), Mobile Application Manager (MAM), Mobile Application Store(s) (MAS), Mobile Application Gateway (MAG), Intrusion Detection System (IDS), Data Loss Prevention (DLP)
• Enterprise Core Services: Voice/Unified Capabilities, Web Applications, E-mail, Databases, Virtual Desktop/Apps, SIEM / Log Correlation, …
• External Facing Mobile Services: Mobile Application Store(s), Mobile Application Gateways
• External Application Store(s)
• Legend: Network Traffic, Log Data
Mobile Infrastructure Components
• Virtual Private Networks (VPNs)
• Intrusion Detection System (IDS)
• Data Loss Prevention (DLP)
• Identity and Access Management (IAM)
• Mobile Device Management (MDM)
• Mobile Application Management (MAM)
• Mobile Application Store (MAS)
• Mobile Application Gateway (MAG)
• Gateway and Security Stack (GSS)
Mobile Virtual Private Networks (mVPNs)
Figure: mobile device reaching the Enterprise Network through the Gateway & Security Stack.
A mobile virtual private network (mobile VPN or mVPN) provides mobile devices with access to network resources and software applications on their home network when they connect via other wireless or wired networks.
Functions: Persistence, Roaming, Application compatibility, Security, Acceleration, Strong authentication
Management Functions: Management console, Policy management, Quality of service, Network Access Control, Mobility Analytics, Monitoring & Notification
Intrusion Detection System (IDS)
IDS activities: Prevention, Intrusion Monitoring, Intrusion Detection, Response, Simulation, Analysis, Notification
IDS Components (figure), grouped by phase:
• Information Collection: IoT Components (sensor nodes, smart physical objects); Protected System; System Information; Audit Trails & Network Monitoring; Event Generator producing a set of events (syslogs, system stats, network packets); Information Collection Policy
• Detection: Sensor & Analyzer (pattern matching algorithms); Detection Policy; Database (IDS Configuration); Database (IDS Knowledge DB)
• Response: Attack Response Module; Response Policy; Monitoring & Notification Actions
Data Loss Prevention (DLP)
Figure (DLP program elements): Data Governance, Regulatory Requirements, Data Classifications, Policies, Tools / Technologies, Discovery / Monitoring / Notification, Education / Training, Intelligence / Analytics.
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
Methods for DLP: text analysis, metatagging, monitoring, blocking via a gateway server or a native mobile app, or baking content management into applications.
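As an added example (not from the deck or any DLP product) of the text-analysis and gateway-blocking methods just listed, the Python block below inspects an outbound message for card numbers and SSN-shaped values, classifies it, and returns the action a gateway would take; the policy table, the regular expressions and the sample messages are constructed for the example.

```python
"""Outbound content inspection as a DLP gateway performs it.

Added illustration, not from the deck or any product. Text analysis finds
PCI-style card numbers (confirmed with the Luhn check so that arbitrary digit
runs such as phone numbers do not trigger) and US SSN-shaped values, classifies
the message, and looks up the action a gateway would take. The policy table,
patterns and sample messages are constructed for the example.
"""
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical policy table: classification -> gateway action.
POLICY: Dict[str, str] = {"PCI": "block", "PII": "quarantine", "PUBLIC": "allow"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers in text, separators removed."""
    pans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def classify(text: str) -> str:
    """Highest-sensitivity label that applies; PCI outranks PII."""
    if find_pans(text):
        return "PCI"
    if SSN_RE.search(text):
        return "PII"
    return "PUBLIC"


def mask(text: str) -> str:
    """Redact matches for the audit log, keeping a card's last four digits."""
    def redact_pan(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()            # not a card number: leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return SSN_RE.sub("***-**-****", CARD_RE.sub(redact_pan, text))


def inspect(message: str) -> Dict[str, str]:
    """Gateway decision for one outbound message."""
    label = classify(message)
    return {"classification": label, "action": POLICY[label], "masked": mask(message)}


# Constructed sample traffic; the card number is the well-known 4111... test value.
SAMPLE_MESSAGES = [
    "Invoice attached, call me at 240 506 2305",
    "Customer SSN 123-45-6789 for the claim",
    "Card 4111-1111-1111-1111 exp 12/19 please charge",
]


def inspect_batch(messages: List[str] = SAMPLE_MESSAGES) -> List[str]:
    """Actions for a batch of messages, in order."""
    return [inspect(m)["action"] for m in messages]
```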
20
Identity and Access Management (IAM)
Figure (IAM overview).
Source: http://blog.cmlgroup.com/identity-access-management-iam/
Source: https://it.ubc.ca/what-identity-and-access-management
Mobile Device Management (MDM)
Mobile Device Management Challenges for CIOs (source: Gartner):
• Decentralized Global Services
• No One Solution or Provider
• Performance Management / Support
• More Employee Choice
• No Dominant Platform
• Increasing Smartphone Adoption
• More Worker Mobility
• Changing Business Styles
• Corporate Data Risk
• Business Continuity Planning
Mobile Application Management (MAM)
• Enterprise Application Store
• Application Distribution / Delivery
• Application Policies
• Application Whitelists / Blacklists
• Application Security
• Application updates & patch management
• User authentication & authorization
• Version checking
• Push services
• Reporting, Monitoring & Tracking
• Wrapping, Secure Container, SDK
• Licensing
• Billing
• Internal App Storage
• Bulk purchase
Mobile Device Management (MDM)
• Over-the-air updates
• Remote Configuration and Provisioning
• Device Security
• Backup & Restore
• Network Usage and Support
• Remote Login, Lock and Wipe
• Device Provisioning & De-provisioning (Retire)
• Software Installation
• Certificate Authority & On-device encryption
• PIN enforcement
• Support mVPN
• Restrict Wireless
• Enable / Disable Camera
• Stop Email Forwarding
• Prevent Automated Cloud Backup
Mobile Application Store (MAS) Key Features
Source: VisionMobile research URL: http://www.visionmobile.com/blog/2008/11/the-mobile-application-store-phenomenon/
24
Mobile Application Gateway (MAG)
A Mobile Application Gateway (MAG) is a piece of software that provides application-specific network security for mobile application infrastructures. The purpose of a MAG is to act as a network proxy, accepting connections on behalf of the application’s network infrastructure, filtering the traffic, and relaying the traffic to mobile application servers. This proxy relationship allows the MAG to apply application layer filters to network traffic, providing focused security designed to protect the mobile application service.
Following are the mobile security functions associated with MAGs:
• Personnel and Facilities Management
• Monitoring and Auditing
Gateway and Security Stack (GSS)
The unique dual-connected nature (cellular and wireless Ethernet) of mobile devices makes them ideal platforms for circumventing traditional network security boundary protections. To prevent damage to the enterprise from a compromised mobile device, access to the enterprise must be restricted through one or more known network routes (i.e., Gateways) and inspected by standard network defenses such as stateful packet inspection, intrusion detection, and application and protocol filters. These standard defenses are collectively known as a “filter stack” because they serve to filter unwanted network traffic and are usually configured in a “stack” with traffic traversing each filter in sequence. The GSS typically functions at the session and below layers of the OSI network model.
Following are the mobile security functions associated with the Gateway and Security Stack:
• Content Filtering
• Packet Filtering
• Traffic Inspection
Mobile Security Functions
• Personnel and Facilities Management: Training; Physical Controls
• Identity and Access Management: Identity and Access Management Mechanisms; Authorization; Network Access Control
• Application and Data Security: Digital Asset Protection; Diagnostic Data Management (DDM)
• Device Management: Host Security; Configuration; Software Validation and Patch Management
• Secure Communications
• Continuous Monitoring and Auditing: Traffic Inspection; Packet Filtering; Content Filtering; Logging
• Security Intelligence / Reporting
• Incident Response
The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI)
Source: The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, ExceptionHandling, Logger, IntrusionDetector, SecurityConfiguration
Figure (ESAPI architecture), recovered labels: Custom Enterprise Web Applications call the Enterprise Security API (ESAPI), which wraps Existing Enterprise Security Services / Libraries. Tiers shown: Browser, Web Server, App Server, DB Server, behind the Gateway & Security Stack.
OWASP Overview of Security Controls:
1. Authenticate the users
2. Authorize the users
3. Data Validation: prevent “Parameter manipulation”
4. Session Management
5. Audit Logs
6. Protect the reserved data
7. Secure Config Management
8. Error Handling
OWASP Top 10
Source: The Open Web Application Security Project (OWASP) 2013 Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10
Columns: OWASP Top Ten 2013 | How does it work | OWASP ESAPI control
A1 - Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
ESAPI: Encoder
A2 - Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
ESAPI: Authenticator, User, HTTPUtilities
A3 - Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
ESAPI: Validator, Encoder
A4 - Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
ESAPI: AccessReferenceMap
A5 - Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
ESAPI: SecurityConfiguration
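The A4 mitigation above maps to ESAPI's AccessReferenceMap. The following Python block is an added illustration of that indirect-reference pattern, not ESAPI's own (Java) code: the invoice table, user names and function names are constructed for the example, and a deliberately direct lookup is shown beside the hardened one.

```python
"""Indirect object references (the pattern behind ESAPI's AccessReferenceMap).

Added illustration, not ESAPI code: a per-session map from random, opaque
tokens to the internal identifiers the server actually uses. The client only
ever sees tokens, so it cannot enumerate or guess other users' records, and a
token that was never issued in this session simply does not resolve.
"""
import secrets
from typing import Dict, Optional


class AccessReferenceMap:
    """Per-session bidirectional map: direct (internal) id <-> indirect token."""

    def __init__(self, token_bytes: int = 16) -> None:
        self._direct_to_indirect: Dict[str, str] = {}
        self._indirect_to_direct: Dict[str, str] = {}
        self._token_bytes = token_bytes

    def add_direct_reference(self, direct: str) -> str:
        """Register an internal id and return the opaque token the client may use."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        token = secrets.token_urlsafe(self._token_bytes)
        # Collision is astronomically unlikely, but keep the map consistent anyway.
        while token in self._indirect_to_direct:
            token = secrets.token_urlsafe(self._token_bytes)
        self._direct_to_indirect[direct] = token
        self._indirect_to_direct[token] = direct
        return token

    def get_direct_reference(self, indirect: str) -> Optional[str]:
        """Resolve a client-supplied token; None if it was never issued here."""
        return self._indirect_to_direct.get(indirect)


# Constructed sample data standing in for a database table (hypothetical).
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.00},
    "inv-1002": {"owner": "alice", "amount": 35.50},
    "inv-2001": {"owner": "bob", "amount": 980.00},
}


def build_session_map(user: str) -> AccessReferenceMap:
    """What the server does at login: map only the caller's own records."""
    arm = AccessReferenceMap()
    for invoice_id, row in INVOICES.items():
        if row["owner"] == user:
            arm.add_direct_reference(invoice_id)
    return arm


def vulnerable_fetch(invoice_id: str) -> Optional[dict]:
    """'Before' version: trusts the client-supplied database key outright (A4)."""
    return INVOICES.get(invoice_id)


def fetch_invoice(session_map: AccessReferenceMap, user: str, token: str) -> Optional[dict]:
    """Hardened version: resolve the token, then still enforce ownership."""
    invoice_id = session_map.get_direct_reference(token)
    if invoice_id is None:
        return None  # unknown or foreign token: treat as not found (and log it as a probe)
    row = INVOICES[invoice_id]
    # Defence in depth: the map is already scoped to this user, but check anyway.
    if row["owner"] != user:
        return None
    return row


def demo() -> bool:
    """True when own records resolve and raw keys or foreign tokens do not."""
    alice_map = build_session_map("alice")
    token = alice_map.add_direct_reference("inv-1001")
    own = fetch_invoice(alice_map, "alice", token)
    via_raw_key = fetch_invoice(alice_map, "alice", "inv-2001")
    bob_token = build_session_map("bob").add_direct_reference("inv-2001")
    via_bob_token = fetch_invoice(alice_map, "alice", bob_token)
    return own is not None and via_raw_key is None and via_bob_token is None
```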
OWASP Top 10 (continued)
A6 - Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
ESAPI: Encryptor, EncryptedProperties
A7 - Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
ESAPI: AccessController, AccessReferenceMap
A8 - Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
ESAPI: User (csrftoken)
A9 - Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
ESAPI: IntrusionDetector
A10 - Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
ESAPI: Validator
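A8 is mapped above to the csrftoken on ESAPI's User, and the tools slide later in this deck lists OWASP CSRFGuard for the same synchronizer token pattern. The Python block below is an added illustration of that pattern, not ESAPI or CSRFGuard code; the in-memory session store, the csrf_token form field and the X-CSRF-Token header name are assumptions made for the example.

```python
"""Synchronizer token pattern for CSRF (OWASP A8).

Added illustration, not ESAPI or CSRFGuard code. Assumptions: a server-side
session store keyed by session id (stand-in for the real one), and
state-changing requests carry the token in a form field or header named
"csrf_token" / "X-CSRF-Token" (hypothetical names).
"""
import hmac
import secrets
from typing import Dict, Optional

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_FIELD = "csrf_token"
TOKEN_HEADER = "X-CSRF-Token"


class SessionStore:
    """Minimal in-memory session store (stand-in for the real one)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        # One unpredictable token per session, generated server side.
        self._sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return None if s is None else s["csrf"]

    def rotate_csrf(self, sid: str) -> None:
        """Issue a fresh token, e.g. after login, so an older token stops working."""
        self._sessions[sid]["csrf"] = secrets.token_urlsafe(32)


def render_form(store: SessionStore, sid: str) -> str:
    """Embed the session's token in a hidden field (what a template would do)."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{store.csrf_token(sid)}">'


def verify_request(store: SessionStore, method: str, cookies: Dict[str, str],
                   form: Dict[str, str], headers: Dict[str, str]) -> bool:
    """Return True if the request may proceed.

    Safe methods pass (they must not change state). For the rest, the token
    sent with the request must match the one bound to the session named by
    the cookie: a forged cross-site request carries the cookie automatically
    but cannot read or guess the token.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    sid = cookies.get("session")
    expected = store.csrf_token(sid) if sid else None
    if expected is None:
        return False
    # Accept the token from either the form body or a request header.
    supplied = form.get(TOKEN_FIELD) or headers.get(TOKEN_HEADER)
    if not supplied:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo() -> Dict[str, bool]:
    """Outcomes for a legitimate request and several forged variants."""
    store = SessionStore()
    sid = store.create()
    token = store.csrf_token(sid)
    cookie = {"session": sid}
    return {
        "legit_post": verify_request(store, "POST", cookie, {TOKEN_FIELD: token}, {}),
        "header_variant": verify_request(store, "POST", cookie, {}, {TOKEN_HEADER: token}),
        "safe_get": verify_request(store, "GET", cookie, {}, {}),
        "forged_no_token": verify_request(store, "POST", cookie, {}, {}),
        "forged_guessed": verify_request(store, "POST", cookie, {TOKEN_FIELD: "x" * 43}, {}),
    }
```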
Mobile Threat Model
Figure (STRIDE threat tree), recovered labels:
• Spoofing, Repudiation, Denial of Service (DoS): Improper Session Handling, Social Engineering, Weak Authentication, Weak Authorization, Malicious Application, Untrusted NFC Tag or Peer, Malicious QR Code, Missing Device, Malware, Client Side Injection, Toll Fraud, Crashing Apps, Excessive API Usage, DDoS, Push Notification Flooding
• Tampering: Modifying Local Data, Insecure WiFi network, Carrier Network Breach
• Information Disclosure: Malware, Backward Breach, Reverse Engineering Apps, Lost Device
• Elevation of Privilege: Sandbox Escape, Weak Authorization, Compromised Device, Compromised Credentials, Make Unauthorized Purchases, Push Apps Remotely, Flawed Authentication, Rooted / Jailbroken devices, Rootkits
Source: OWASP Top 10 Mobile Risks, Jack Mannino. URL: http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
Possible vulnerabilities of mobile web applications
• Information Disclosure
• SSL Weakness
• Configuration management weakness
• Old, backup and unreferenced files
• Access to Admin interfaces
• HTTP methods enabled, XST permitted, HTTP Verb
• Credentials transport over an encrypted channel
• User enumeration
• Guessable user account
• Bypassing authentication schema
• Vulnerable remember password, weak password reset
• Logout function
• Browser cache weakness
• Bypassing Session Management Schema, Weak Session Token
• Cookies not secure
• Session Fixation
• Exposed sensitive session variables
• Cross-Site Request Forgery (CSRF)
• Path Traversal
• Bypassing authorization schema
• Privilege Escalation
• Bypassable business logic
• Reflected Cross-Site Scripting (XSS), Stored XSS, Document Object Model (DOM) XSS
• Cross Site Flashing
• SQL, LDAP, ORM, XML, SSI, Code Injection
• OS Commanding
• Buffer Overflows
• Locking Customer Accounts
• WSDL Weakness
Source: Mobile Top 10 2014 OWASP URL: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
URL: http://www.net-security.org/secworld.php?id=14556
Mitigating Common Mobile Devices Threats
• Software-based threats and mitigations: Malware threats; Exploitation of vulnerable mobile OS; Exploitation of Vulnerable Mobile Application
• Web-based threats and mitigations: Mobile Code; Drive-by Downloads; Exploitation of Vulnerable Browser
• Network-based threats and mitigations: Voice/Data Collection Over the Air; Voice/Data Collection Over the Network; Manipulation of Data in Transit; Data Exposure Through RF Emission; Connection to Untrusted Service; Jamming; Flooding; GPS/Geolocation
• Physical threats and mitigations: Loss of Device; Physical Tamper; Device-Specific Features; Supply Chain; Mobile Peripherals
• Mobile device threats to the enterprise and mitigations: Access to enterprise resources
• User-based threats and mitigations: Social engineering; Classified information spill; Incident involving mobile device features; Theft/misuse of Services; Tracking
• Service provider-based threats and mitigations: Location tracking; Usage behavior tracking via applications; Routing/forwarding; Data ownership and retention
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
Policy Issues When Adopting Mobile Devices
Mobile Device:
• Accreditation
• Acquisition
• Provisioning
• Configuration, Monitoring, and Control
• Service Management
• Security Management
• Expense Management
• Customer Care
• Retirement and Reuse
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
Security Information Event Management (SIEM) Tools
• AccelOps
• AlienVault Unified Security Management (USM)
• BlackStratus Log Storm, SIEM Storm, Compliance Storm
• EMC RSA
• EventTracker
• Hewlett Packard Enterprise ArcSight & Fortify
• IBM QRadar Platform
• Intel Security McAfee Enterprise Security Manager, Event Receiver (ERC) & Enterprise Log Manager
• LogRhythm
• Micro Focus (NetIQ)
• Securonix
• SolarWinds Log & Event Manager (LEM)
• Splunk
• Trustwave
Growth areas for Mobile Security:
• Event Management, Monitoring & Notification
• Log Analysis & Data mining
OWASP Security Guidelines, Tools and Technologies
Lifecycle phases: Before Development | Define & Design | Development | Deploy & Maintenance
Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing
AppSec Education: Flawed Applications, Learning Environments, LiveCD, SiteGenerators
• WebGoat: a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons.
Security Architecture: ESAPI (Enterprise Security API)
• CSRFGuard: a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
• AntiSamy: a library for HTML and Cascading Style Sheets (CSS) encoding.
• AppSensor: defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.
Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters
• Orizon: a source code static analysis tool like FindBugs, PMD or their commercial counterparts such as Fortify SCA or IBM Rational Ounce 6 (formerly known as Ounce 6 by Ounce Labs).
• O2: defines how to perform, document and distribute web application security reviews. O2 is designed to automate application security knowledge and workflows and to allow non-security experts to access and consume security knowledge.
• LAPSE+: a security scanner for detecting vulnerabilities of untrusted data injection in Java EE applications.
Manual Security Verification Tools: Penetration Testing Tools, Code Review Tools
AppSec Management: Reporting Tools
• WebScarab: web security tool & framework for analyzing applications that communicate using HTTP and HTTPS.
• SWF Intruder: the first tool specifically developed for analyzing and testing the security of Flash applications at runtime.
• SQL Ninja: a Perl tool that helps a penetration tester gain a shell on a system running Microsoft SQL Server by exploiting a web application vulnerable to SQL injection.
• SQL Map: automated audit tool
• DirBuster: directory & file names tool
Security Testing Tools and Technologies
Dynamic Scanners: Acunetix, Arachni, Burp Suite, HP WebInspect, IBM Security AppScan Standard, IBM Security AppScan Enterprise, Mavituna Security Netsparker, NTO Spider, OWASP Zed Attack Proxy, Tenable Nessus, Skipfish, w3af
Static Scanners: FindBugs, IBM Security AppScan Source, HPE Fortify SCA, Microsoft CAT.NET, Brakeman
SaaS Testing Platforms: WhiteHat, Veracode, QualysGuard WAS
IDS/IPS and WAF: DenyAll, F5, Imperva, Mod_Security, Snort
Defect Trackers: Atlassian JIRA, Microsoft Team Foundation Server, Mozilla Bugzilla
Known Vulnerable Component Scanner: Dependency Check
Conclusion
• The explosion of Mobile Devices, Internet of Things (IoT) and interconnection among them will continue due to value-add efficiencies and economics.
• Cloud is a key enabler to support Mobile & IoT growth.
• Cloud is all about secured services architecture, design, development, deployment, and management.
• Security Architecture, Risk Management & Audit practices are at the center of Mobile, IoT, Agile, DevOps, and Cloud Management transformation.
Definitions of Key Terms & Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• CSS: Cascading Style Sheets
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• LTPA: Lightweight Third Party Authentication is a single-sign on (SSO) credential format intended for use in distributed, multiple application server environments.
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• PCI DSS: Payment Card Industry Data Security Standard
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• WAP: Wireless Application Protocol
• XSS: Cross-Site Scripting
References & Credits
Reference URLs:
• The Open Web Application Security Project (OWASP)
• CIO.gov: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• Cloud Security Challenges: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
• FedRAMP: https://www.fedramp.gov/
• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
• Mobile Security Reference Architecture (MSRA): https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
• IBM mobile security architecture: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/f7f18938e631eb6986257da2007729a8/$FILE/Mobile%20Security%20Guide%20and%20Security%20Reference%20Architecture.pdf
• OWASP Application Security Architecture Cheat Sheet: https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet
Contact: [email protected]@gmail.com | 240.506.2305 | linkedin.com/in/sukumarnayak/
Backup
• Internet of Things (figure)
• The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI): 14 Modules (figure). Source: The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page