![Page 1: Exactly the Same, but Different - ISSA Chattanoogachattanooga.issa.org/.../01/Mobile_Device_Security_sm.pdfExactly the Same, but Different Shayne Champion, CISSP, CISA, GSEC, ABCP](https://reader034.vdocuments.us/reader034/viewer/2022042307/5ed390ffa1895f794116ab19/html5/thumbnails/1.jpg)
Exactly the Same, but Different
Shayne Champion, CISSP, CISA, GSEC, ABCP
Program Manager, GO Cyber Security, TVA
v 1.0
Agenda
- Define Mobile Device Security
  - Similarities
  - Differences
- Things you Should be Doing
Mobile Device Security
“There is no question that mobile security will eventually equal – if not surpass – PC security as a threat to IT departments.”
Denise Culver, Heavy Reading Mobile Networks Insider
Mobile Device vs. Computers: SIMILARITIES
Definitions: Level Setting
Com·put·er [kuhm-pyoo-ter] : An electronic device designed to accept data, perform prescribed mathematical and logical operations at high speed, and display the results of these operations.
Mo·bile De·vice [moh-buhl dih-vahys] : A portable, wireless computing device that is small enough to be used while held in the hand; a hand-held.
Source: http://dictionary.reference.com/browse/computer
NEWS FLASH: Mobile Devices ARE Computers!!!
Sources: http://nordhaus.econ.yale.edu/prog_030402_all.pdf
http://www.anandtech.com/show/4215/apple-ipad-2-benchmarked-dualcore-cortex-a9-powervr-sgx-543mp2/2
http://www.slashgear.com/ipad-2-benchmarks-blast-competition-show-less-than-1ghz-processor-speed-13139678/
…and we can do something about that, can’t we?
Same Kind of Different…
Same kind of security controls you *should* use anyway:
- Encryption
- NAC
- DLP
- AV / Malware
- Inventory Management
- Controlled Admin Privileges
- Port & Service Management
Similarity: Order of Magnitude
Risk from an OSI perspective:
- Most risk shifting to applications
- Lower-level layers becoming relatively more ‘tame’
Source: http://www.sans.org/top-cyber-security-risks/trends.php
Define: Metadata
Metadata : Data that defines or describes another piece of data.
Metadata may reveal more about you, your organization, or your devices than you realize. Many devices, such as your computer, camera, or smart phone, automatically embed metadata in any digital files they create.
Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
Metadata
Some examples of metadata include:
- File creation date and time
- The address or geographic location where the file was created
- Your name, organization’s name, and computer’s name or IP address
- The names of any contributors to the document or their comments
- Type of camera you are using and its settings when the photo was taken
- Type of audio or video recording device you are using and its settings when a recording was taken
- Make, model, and service provider of your smart phone
Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
Metadata Solutions
Metadata Tools:
- Document Inspector: http://preview.tinyurl.com/3996c2a
- EXIF Metadata Explanation: http://preview.tinyurl.com/775mbxc
- Free Metadata Extraction Tool: http://meta-extractor.sourceforge.net or http://preview.tinyurl.com/aueb4
- Disabling Geo-location for Smartphone Cameras: http://preview.tinyurl.com/3v4xznm
Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
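As an added example (not from the slides or from the tools linked above), a dependency-free JPEG walker that locates the EXIF APP1 segment, which is where camera model, settings and GPS location live, and writes a copy without it; the sample JPEG bytes are constructed inline and are not a real photo.

```python
"""Locate and strip the EXIF (APP1) segment of a JPEG without any imaging library.

Added example (not from the presentation or the tools it links). The sample
JPEG below is constructed by hand; it is structurally valid but not a real image.
"""
import struct

SOI, EOI, SOS, APP0, APP1, DQT = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xDB
EXIF_HEADER = b"Exif\x00\x00"            # APP1 payload prefix that marks EXIF
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length


def iter_segments(data):
    """Yield (marker, start, end) for each segment from SOI up to and including SOS.
    start..end covers the whole segment, 0xFF marker byte included."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # padding byte before a marker
            pos += 1
            continue
        if marker in STANDALONE or marker == EOI:
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts itself
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:                   # entropy-coded data follows: stop
            return
        pos = end


def _is_exif(data, start):
    return data[start + 1] == APP1 and data[start + 4:start + 10] == EXIF_HEADER


def find_exif(data):
    """Return [(start, end)] of every EXIF APP1 segment in the file."""
    return [(s, e) for _, s, e in iter_segments(data) if _is_exif(data, s)]


def strip_exif(data):
    """Copy the JPEG, dropping EXIF segments only. XMP/IPTC blocks are left alone,
    so this is not a full metadata scrub; run find_exif on the result to verify."""
    out = bytearray(b"\xFF\xD8")
    for marker, s, e in iter_segments(data):
        if _is_exif(data, s):
            continue
        out += data[s:e]
        if marker == SOS:
            out += data[e:]                 # scan data through EOI, verbatim
            break
    return bytes(out)


def _segment(marker, payload):
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF APP0, an EXIF APP1 (TIFF header + filler), a DQT,
# a tiny SOS and EOI. Offsets: APP0 at 2..20, EXIF APP1 at 20..46.
SAMPLE_JPEG = (
    b"\xFF\xD8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_HEADER + b"MM\x00\x2A\x00\x00\x00\x08" + bytes(8))
    + _segment(DQT, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3F\x00")
    + b"\x12\x34\x56"
    + b"\xFF\xD9"
)

if __name__ == "__main__":
    print("EXIF segments:", find_exif(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print(f"{len(SAMPLE_JPEG)} -> {len(cleaned)} bytes, EXIF left:", find_exif(cleaned))
```

Point it at a real photo by reading the file as bytes; the segment offsets it reports are what a metadata extraction tool would show as the EXIF block.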
Unsecured WAP – Sidejack Math
- Sidejacking – A well-known Wi-Fi hotspot attack that takes advantage of websites that don’t use SSL/TLS encryption correctly by pirating the legitimate user’s cookies and using those in the attacker’s session (session hijacking)
- Firesheep – A Mozilla Firefox plug-in that automates session hijacking attacks over unsecured Wi-Fi networks. The packet sniffer analyzes traffic between a Wi-Fi router and a person’s laptop or smartphone and captures the session cookie ("point-and-click" sidejacking)
Sources: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012
http://searchnetworking.techtarget.com/answer/Be-aware-of-Wi-Fi-security-to-deal-with-Firesheep-at-public-hotspots
Mobile Device vs. Computers: DIFFERENCES
Risk Remediation
Mobile Device risks are the same as many of the risks we already face every day. For example…
Source: http://www.youtube.com/watch?v=I4_qg22Onak&feature=related
Difference 1: BYOD
How do you handle user-owned devices?
- Applications
- Data Ownership
- Encryption
NetworkWorld BYOD Survey:
- 65.3% necessary tools not in place
- 46.2% increased end user productivity
- 5.7% said it led to a breach, while 66.7% said no
- 47.2% increased end users' ability to work from home
SANS Survey:
Sources: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
http://www.networkworld.com/news/2012/041712-byod-258264.html?page=3
Difference 2: SMS
SMS: Short Messaging Service, or text messages
Common Vulnerabilities:
1) SMS of Death
2) Midnight Raid Business Card Attack
3) SMS Tokens
4) Smishing Attacks
Sources: http://www.infosecisland.com/blogview/12656-The-SMS-of-Death-Mobile-Phone-Attack-Explained.html
http://www.csoonline.com/article/491200/3-simple-steps-to-hack-a-smartphone-includes-video-
SANS Survey: Platform Support
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
Difference 3: Hardware / Carrier
Each platform – even within the same OS – has unique characteristics, default settings, and/or vulnerabilities:
- PIN settings
  - Service Carrier
  - Like default passwords on routers or admin accounts
- iPhone / iPad batteries
Scope: Android Fragmentation
- 281+ different products
- 850,000 daily activations
- 300,000,000+ total devices
Sources: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
http://en.wikipedia.org/wiki/Comparison_of_Android_devices
Hardware / Carrier: PIN Codes
Ten numbers represent 15% of all cell phone pass codes:
1) 1234
2) 0000
3) 2580
4) 1111
5) 5555
6) 5683 (spells 'LOVE')
7) 0852
8) 2222
9) 1212
10) 1998
Other popular choices include Year of birth & Year of graduation (social triangulation!).
Sources: Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/. Retrieved 8 July 2011.
http://www.phonearena.com/news/Do-you-use-one-of-the-most-common-lock-PINs_id19533
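As an added illustration (not from the presentation), a lock-screen PIN policy check that refuses the ten PINs listed above plus the year-of-birth / year-of-graduation guesses the slide calls social triangulation; the extra pattern rules (repeated digit, sequential digits, ABAB pairs) and the 100-year window are the editor's assumptions, and the code also reports how much of the 10,000-PIN space the policy takes away.

```python
"""Lock-screen PIN policy check built around the slide's top-10 list.

Added example (not from the presentation). The top-10 set is the one the
slide reports; the pattern rules and the 100-year window are assumptions.
"""
import datetime

# The ten PINs the slide reports as 15% of all cell phone pass codes.
TOP_10_PINS = {"1234", "0000", "2580", "1111", "5555",
               "5683", "0852", "2222", "1212", "1998"}


def looks_like_year(pin, this_year=None):
    """True when a four-digit PIN is a plausible birth or graduation year
    (assumption: anything within the last 100 years counts)."""
    this_year = this_year or datetime.date.today().year
    return this_year - 100 <= int(pin) <= this_year


def weak_pin_reasons(pin, this_year=None):
    """Return the list of policy rules a PIN violates (empty list = accepted)."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["PIN must be exactly four digits"]
    reasons = []
    if pin in TOP_10_PINS:
        reasons.append("in published top-10 list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                      # 1234, 4321, 0123 ...
        reasons.append("sequential digits")
    if pin[:2] == pin[2:] and pin[0] != pin[1]:   # 1212, 2323 ...
        reasons.append("repeated pair (ABAB)")
    if looks_like_year(pin, this_year):
        reasons.append("plausible birth/graduation year (social triangulation)")
    return reasons


def rejected_fraction(this_year=None):
    """Share of the 10,000-PIN space this policy refuses: a sanity check that
    the denylist stays small enough that users still have plenty of choices."""
    rejected = sum(1 for n in range(10000) if weak_pin_reasons(f"{n:04d}", this_year))
    return rejected / 10000


if __name__ == "__main__":
    for candidate in ("1234", "1998", "2580", "7391"):
        print(candidate, weak_pin_reasons(candidate) or "ok")
    print(f"policy rejects {rejected_fraction():.1%} of the PIN space")
```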
PIN Code >>> Data Loss
CASE STUDY: VERIZON WIRELESS
Corporate Support Web Page
How do I access my Voice Mail to retrieve messages?
- To access your Voice Mail, press "*VM" (*86), then "SEND." Follow the prompts to enter your password and retrieve your messages. If you press "*VM" (*86) and hear your own or a system greeting, press the # key to interrupt the greeting and follow the prompts to enter your password and retrieve your messages.
Source: http://support.verizonwireless.com/clc/faqs/Features and Optional Services/faq_voice_mail.html
Difference 4: Caller ID / ANI
ANI : Automatic Number Identification (NAC for cell phones)
Masquerading as the target cell number, threat actors may be able to steal unsecured data. Possible vectors include:
- VXML
- Social Engineering
- Orange Box Spoofing
Sources: http://wiki.docdroppers.org/index.php?title=ANI_and_Caller_ID_Spoofing#So.2C_just_what_is_ANI.3F
http://www.ncvc.org/src/AGP.Net/Components/DocumentViewer/Download.aspxnz?DocumentID=44055
Social Engineering: Telco
Social Hack Scenario: You pick up the phone, at the dial tone call 10102880
AT&T Automated Operator: "AT&T, to place a call…" Enter 800-646-0000
AT&T Automated Operator: "Thank you for using AT&T" <RING>
Telus: This is the Telus operator, Lisa speaking. (or, This is the Telus operator, what number are you calling from?)
You: Hi Lisa, This is the Telus technician, you should see an ANI failure on your screen, I'm calling from [number to spoof] I need you to place a test call to [number to call]
Telus: Thank you from Telus
Source: http://wiki.docdroppers.org/index.php?title=ANI_and_Caller_ID_Spoofing#So.2C_just_what_is_ANI.3F
Threat Actors
The APT in action…
Source: http://www.youtube.com/watch?v=ETMkub3NwK0
Application Vulnerabilities
- Mobile Device Management (MDM): native to many mobile OS (smart phone & tablet)
- Default Permissions may be invasive, e.g., Apple log file stores all visited geo-locations
- Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/Mobile
Source: http://en.wikipedia.org/wiki/Mobile_device_management
“Application security is the next big trend in penetration testing… which means it’s already the big trend for hackers.”
Joe McCray, Strategic Security LLC
Lessons Learned
Top 5 from the 2012 SANS Mobile Device Security Summit
1) Jailbreaking & Rooting are BAD for mobile device security
2) The OWASP Mobile Top 10 is going to be just as important
3) Mobile Threats are an evolving, moving target; security teams have to be quick to adapt to new mobile technology
4) Mobile Device Management (MDM) solutions are a requirement for any deployment
5) Apple iOS devices are preferred over Android in the enterprise
Source: http://www.infosecisland.com/blogview/20752-Top-5-Things-Learned-at-the-SANS-Mobile-Device-Security-Conference
Things You Should Be Doing
“For many professionals, the mobile phone has become a mobile office.”
Mike Jones, Symantec
Control Starts at the Policy
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
Mobile Policy Best Practices
- Think from a threat controls perspective:
  - Consider capabilities of mobile devices and apps in your environment
  - Identify threat vectors & mitigate
  - Identify non-technically enforceable controls and address with administrative policies & awareness
- Assess how mobile devices are already managed
- Use existing policies as a guideline
- Consider how to test successful control implementation
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
2012 Top 5 Mobile Security Threats
1) Geolocation exploits
2) Excessive Permissions
3) Mobile Application Vulnerabilities
4) Unsecure Wi-Fi
5) Lost and Stolen Devices
Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012
Mobile Risk Management Tools
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
Protecting the Mobile Executive
Considerations for your Mobile Policy / Best Practices:
- USER EDUCATION
- Physical Security
- Leave it at Home
  - Clean Loaner Devices
  - Prepaid Cellular devices
  - Blank SIM cards
  - * + Google Voice
- Fear Public Wireless
  - Use Conference WAPs
  - Corporate VPNs
- 2G = No E!
- Don’t Blab
Source: http://threatpost.com/en_us/slideshow/How%20to%20Avoid%20Getting%20Hacked%20While%20Traveling?page=0
It’s About the Basics
Verizon Business 2011 Data Breach Investigations Report (DBIR)
Analysis of 2011 attacks determined that:
- 83% were targets of opportunity
- 92% were not highly difficult
- 95% were avoidable through simple or intermediate controls
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
SANS Top 20 Controls (v 3.1)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, & Servers
4: Continuous Vulnerability Assessment & Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Security Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response Capability
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
Summary
- Mobile Devices vs. Computers
  - Similarities (yes Forrest, they are computers)
  - Differences
    - SMS
    - Native Metadata
    - Hardware / Carrier Issues (PINs, etc)
    - Sidejacking
    - Application Vulnerabilities
- Things you Should be Doing
  - Policies
  - User Education
  - Protect the Execs
  - SANS Top 20 <-> Top 5 Mobile
Questions
New Mobile Security Tools
“Bleeding Edge” Mobile Security Solutions
New Mobile Security Tools
Can you hear me NOW, punk?!?
New Mobile Security Tools
Android Security
If you need to ask, you don’t need to know.
Really.
Source: http://www.techrepublic.com/photos/obscure-costumes-at-emerald-city-comic-con-2012/6357085?seq=24&tag=thumbnail-view-selector;get-photo-roto
New Mobile Security Tools
Sometimes Simple Security = Great Solutions…
New Mobile Security Tools
Hot from the UK: Less Mobile = Harder to Steal
New Mobile Security Tools
Old School Tech
New Mobile Security Tools
Keeping ahead of the Technology Curve…
Source: http://www.techrepublic.com/photos/obscure-costumes-at-emerald-city-comic-con-2012/6357085?seq=24&tag=thumbnail-view-selector;get-photo-roto