(pdf) yury chemerkin ita 2013
TRANSCRIPT
-
8/13/2019 (PDF) Yury Chemerkin Ita 2013
1/45
SECURITY COMPLIANCE CHALLENGES ON
YU
2/45
EXPERIENCED IN :
REVERSE ENGINEERING & AV
SOFTWARE PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY WRITING
HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES
INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS,
DEFCONMOSCOW, HACTIVITY, HACKFEST
CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC,
ICITST, CTICON (CYBERTIMES), DeepIntel/DeepSec, I-SOCIETY
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com yury.s@che
3/45
I. Opinions & Facts
4/45
Threats
Privacy
Compliance
Legal
Vendor lock-in
Open source / Open standards
Security
Abuse
IT governance
Ambiguity of terminology
Customization , security solu
Crypto anarchism
CSA, ISO, PCI, SAS 70
Typically US Location
Platform, Data, Tools Lock-In
Top clouds are not open-sou
Physical clouds more secure
Botnets and Malware Infect
Depends on organization ne
Reference to wide services,
Cloud Issues
Known Issues Known Solutions/Opi
5/45
Top clouds are not OpenSource
OpenStack is API-compatible with Amazon EC2 and Amazon S3, so client applications written for AWS can be used with OpenStack with minimal porting effort, while Azure is not
Platform lock-in
There are Import/Export tools to migrate from/to VMware, while Azure doesn't have
Data Lock-in
Native AWS solutions integrate with Cisco routers for upload, download and tunneling, as well as with 3rd-party storage like SMEStorage (AWS, Azure, Dropbox, Google, etc.)
Tools Lock-in
Longing for an inter-cloud ma
industrial and built with comp
APIs Lock-In
Longing for inter-cloud APIs, h
known inter-OS APIs for PC, M
No Transparency
Weak compliance and transpa
and NDA relationships betwee
third party auditors and exper
Abuse
Abusing is not a new issue and
AWS Vulnerability Bulletins as
response and stay tuned
What is about Public Clouds
Some known facts about AWS & Azure in order to issues mention
6/45
"All Your Clouds are Belong to us Security Analysis of
Cloud Management Interfaces", 3rd CCSW, October 2011
A black-box analysis methodology of AWS control interfaces, compromised via XSS techniques, HTML injection and MITM
[AWS] :: Reported SOAP Request Parsing Vulnerabilities
Utilizing SSL/HTTPS only, with certificate validation, and utilizing API access mechanisms like REST/Query instead of SOAP
Activating access via MFA and creating IAM accounts limited in access; AWS credential rotation enhanced with key pairs and X.509
Limiting IP access, enhanced with API/SDK & IAM
The most dangerous code in the w
certificates in non-browser soft
Conference on Computer and Com
October 2012
Incorrect behavior in the SSL mechanisms of AWS SDK for
[AWS] :: Reported SSL Certificate VaTools and SDKs
Despite that, AWS has upd
services) to redress it
Clouds: Public vs. Private
Known security issues of Public Clouds and significant research on
7/45
[AWS] :: Xen Security Advisories
There are known XEN attacks (Blue Pill, etc.)
No XEN vulnerability has been shown to apply to AWS, Azure or SaaS/PaaS services
Very customized clouds
[CSA] :: CSA The Notorious Nine: Cloud Computing Top Threats in 2013
Replaced a document published in 2009
Such best practices provide only a minimal level of security
No significant changes since 2009, not even in the examples
Top Threats Examples
1.0. Threat: Data Breaches // Cross-VM Side
Channels and Their Use to Extract private Keys,
7.0. Threat: Abuse of Cloud
Side Channels and Their Use
Keys
4.0. Threat: Insecurity Interf
Beside the reality of CSA threats
1.0 & 7.0 cases highlight how
e.g. AWS EC2 are vulnerable
1.0 & 7.0 cases are totally foc
cloud case (VMware and XEN
known way to adopt it to AW
4.0 case presents issues raise
not related to public clouds (e
SkyDrive) and addressed to in
Clouds: Public vs. Private
It is generally held that private clouds are the most secure. There is no PoC to prove that statement.
8/45
II. CSA Framework
9/45
Figure (framework diagram): Compliance Model; Enhanced Security Model; Basic Security Model; Cloud Model; Cloud CSA CAIQ; Mapping CSA CMM
12/45
II. NIST Framework
15/45
Complementarity
NIST enhanced controls
Your own security controls
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
NIST Framework
16/45
Basic controls aren't applicable in the case of:
Information systems that need to communicate with other systems across different policy
APT
Insider threats
Mobility (mobile location, non-fixed)
Single-user operations
17/45
III. Clouds
18/45
Amazon Web Services: generally IaaS, plus SaaS and PaaS
Microsoft Azure: generally PaaS; recent changes add IaaS
BlackBerry Enterprise Service: separated; integrated with Office365; SaaS as an MDM solution
Clouds
20/45
BlackBerry
21/45
Figure (BES platform diagram): BES 5; BES 10; BlackBerry 4,5,6,7; BlackBerry Z10/Q10, PlayBook; Android, iOS; Unified Device Management; Unified Platform; Office365 integration; Cisco/Vo
22/45
IV. Cloud & Compliance Specific
23/45
There is no one cloud
There is no one standard
What vision is adopted by cloud vendors?
What vision is adopted by cloud operators(3rd party)?
What is your way to use and manage cloud?
All of that reflected in the
There are many models and a
There are many ways to build alignment to
Virtualizing of anything able t
Data distribution, service distmanagement
Clear
compliance requirements
Cloud & Compliance Specific
24/45
The goal is to bring transparency to cloud controls and features, especially security controls and features
Such documents claim to be up to date with expert-level understanding of significant threats and vulnerabilities
Unifying recommendations for all clouds
Up to now, it is the 3rd revision
All recommendations are linked with other standards: PCI DSS, ISO, COBIT, NIST, FEDRAMP
CSA's own vision of how it must be referenced
Top known cloud vendors anno
compliance with it
Some of reports are getting old by no
Customers have to control their e
needs
Customers want to know whether itespecially local regulations and how f
Customers want to know whether i
transparency to let to build an approp
Cloud & Compliance Specific
There is no one cloud
There is no one standard
There are many models and architectu
There are many ways to build cloud in a
25/45
CAIQ/CCM provides an equivalent of the recommendations across several standards; CAIQ provides more details on security and privacy, but NIST is more specific
CSA recommendations are poor in technical details
It helps vendors not to have their solutions worked out in detail and/or badly documented
It helps them to put a lot of references to 3rd-party reviewers under NDA (SOC 1 or SAS 70)
Bad idea to let vendors fill in such documents
They provide fewer public details
They take it to NDA reports
Vendors general explanations mu
standards recommendations are extr
transparency
Clouds call for specific levels of a
reporting, security controlling and data
It is often not a part of SLA offe
It is outside recommendations AWS often falls in details with their arc
AWS solutions are very well to be in
standards and specific local regulations
NIST 800-53, or even Russian s
(however the Russian framew
framework)
Cloud & Compliance Specific
Compliance, Transparency, Elabo
Description | DIFFERENCE (AWS vs. AZURE)
Third Party Audits: As opposed to AWS, Azure does not have a clearly defined statement whether their custo
26/45
Compliance: from Cloud Vendors viewp
Compliance, Transparency, Elabo
vulnerability test
Information System Regulatory Mapping: AWS falls in details to comply with it, which results in differences between CAIQ and CMM
Handling / Labeling / Security Policy: AWS falls in details about what customers are allowed to do and how exactly, while Azure does not
Retention Policy: AWS points to the customers' responsibility to manage data, exclude moving between Availabil
ensures on validation and processing with it, and indicates data historical auto-backup
Secure Disposal: Not seriously; AWS additionally relies on DoD 5220.22 while Azure does NIST 800-88 only
Information Leakage: AWS relies on AMI and EBS services, while Azure does on Integrity data
Policy, User Access, MFA: No, both have
Baseline Requirements: AWS provides more highly detailed how-to docs than Azure, allows importing trusted VMs from VMw
Encryption, Encryption Key Management: AWS offers encryption features for VM, storage, DB, networks while Azure does for XStore (Azure
Vulnerability / Patch Management: AWS allows their customers to request their own pentest while Azure does not
Nondisclosure Agreements, Third Party Agreements: AWS highlights that they do not leverage any 3rd party cloud providers to deliver AWS services; the procedures, NDA undergone with ISO
User ID Credentials: Besides the AD (Active Directory), the AWS IAM solution is in alignment with both CAIQ, CMM requi
the AD to perform these actions
(Non)Production environments, Network Security: AWS provides more detailed how-to documents to having a compliance
Segmentation: Besides vendor features, AWS provides quite similar mechanism in alignment with CAIQ & CMM, whi
infrastructure on a vendor side
Mobile Code: AWS points their clients to be responsible to meet such requirements, while Azure points to build
27/45
Consumer Relationship only: Everything except SA-13 (Location-aware technologies may be used to validate authentication integrity based on known equipment location)
Vendor Relationship only: Requirements include technical and management solutions
Consumer Relationship shared with Vendor: Include non-technical solutions only, such as policies, roles, procedures, training
All requirements cover SaaS, PaaS, IaaS cloud types
General requirements only
Missing details (like DoD)
Compliance: from CSAs viewpoint
Examination of CSA
28/45
Data Governance - Information Leakage (DG-07).
"Security mechanisms shall be implemented to prevent data leakage" refers to:
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-6 Least Privilege (the most correct reference)
AC-11 Session Lock
General requirements only
"Security mechanisms shall be implemented to prevent data leakage" misses in turn (no r
AC-7 Unsuccessful Login Attempts
AC-8 System Use Notification
AC-9 Previous Logon (Access) Notification
AC-10 Concurrent Session Control
Compliance: from CSAs viewpoint
Examination of CSA References NIST
29/45
Data Governance - Information Leakage (DG-07).
"Security mechanisms shall be implemented to prevent data leakage" also refers to ISO
A.10.6.2 Security of network services
A.10.6.2 refers to NIST in turn:
CA-3 Information System Connections
SA-9 External Information System Services
SC-8 Transmission Integrity
SC-9 Transmission Confidentiality
DG-07 should in fact refer to PE-19 Information Leakage
It could include the NIST requirement AC-6 Least Privilege too
A few of them are applicable in case of Cloud MDM and should be extended by different to
Compliance: from CSAs viewpoint
Examination of CSA References ISO
30/45
Data Governance
NIST :: access control, media
management, etc.
Ownership / Stewardship
Classification
Handling / Labeling / Security Policy
Retention Policy
Secure Disposal
Non-Production Data
Information Leakage
Risk Assessments
Azure's vision - Distribution of inform
CSA, ISO are better applicable t
NIST is applicable as a custom
Best way is to adopt NIST enhanc
Need to remap CSA->NIST rev4
Technical / Access Contr
Attributes
Attribute Configuration
Permitted Attributes for
InfoSystems
Permitted Values and Ra
Cloud & Compliance Specifics. Examp
CSA Cloud :: Azure
31/45
Access Control
Account, Session Management
Access / Information Flow Enforcement
Least Privilege, Security Attributes
Remote / Wireless Access
AWS's vision is not Data Distributio
NIST is better applicable than
NIST is applicable as a custom
There are many enhancements
Dynamic Account Creat
Restrictions on Use of S
Accounts
Group Account Request
Approvals/Renewals
Account Monitoring - At
e.g. :: log-delivery-write
Cloud & Compliance Specifics. Examp
NIST Cloud :: AWS
32/45
AWS's vision is not Data Distribution; however, CSA :: Data Governance is applicable from the resource-based viewpoint
Resource-based policy: attached to a resource
AWS's vision is not Data Distribution; however, NIST :: Access Control is applicable from the user-based viewpoint
Account-based policy: attached to users
Define that policy for MDM users to access internal network resources
Combine with a mobile policy
Cloud & Compliance Specifics. Examp
CSA / NIST Cloud :: AWS
33/45
Device diversity
Configuration management
Software Distribution
Device policy compliance & enforcement
Enterprise Activation
Logging
Security Settings
Security Wipe, Lock
IAM
Make sure to start managing security under uncertain terms without AI
Refers to NIST-800-53 and other
Sometimes missed requirem
locking device, however it i
A bit more details than CSA
No statements on permission man
COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components; NIST-124
34/45
= , , ,
set of OS permissions, set of device permissions, set of MDM permissions, set of missed permissions (lack of controls), set of rules that should explicitly be applied to gain compliance
= + ,
set of APIs, set of APIs that interact with sensitive data, set of APIs that do not interact with sensitive data
To get a mobile security designed with full granularity, the set should be the empty set, to get instead of , so the matter is how close it is to empty. On the other hand, it should be found out whether the assumptions , are true and whether it is possible to get .
Set of permissions < Set of activities ef
typical case < 100%,
ability to control each API = 100%
More than 1 permission per APIs >10
lack of knowledge about possi
improper granularity
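The permission/API coverage argument on this slide, as an added worked example that is not from the original deck: on constructed sample data for a hypothetical mobile platform (the permission and API names are made up, not real SDK identifiers) it computes the set of sensitive APIs that no OS, device or MDM permission controls (the missed-permissions set that must be empty for full granularity), the resulting coverage ratio, and the coarse permissions that gate more than one API.

```python
"""Permission-granularity check for the set argument on this slide.

Added example, not from the original deck. The platform, permission and
API names below are constructed sample data, not real SDK identifiers.
"""
from typing import Dict, List, Set

PermMap = Dict[str, Set[str]]  # permission name -> APIs it gates

# Constructed controls from the three sources the slide names.
OS_PERMS: PermMap = {
    "READ_CONTACTS": {"contacts.list", "contacts.read_detail"},
    "LOCATION": {"gps.fix", "cell.tower_id", "wifi.scan"},  # one grant, three APIs
    "INTERNET": {"http.get", "http.post"},
    "CAMERA": {"camera.capture"},
}
DEVICE_PERMS: PermMap = {"DEVICE_ENCRYPTION": {"storage.write_internal"}}
MDM_PERMS: PermMap = {"MDM_NO_SCREENSHOT": {"screen.capture"}}

# A = As + An: APIs touching sensitive data vs. the rest (constructed).
SENSITIVE_APIS: Set[str] = {
    "contacts.list", "contacts.read_detail", "gps.fix", "cell.tower_id",
    "wifi.scan", "camera.capture", "screen.capture", "clipboard.read",
    "sms.send", "storage.write_internal",
}
NON_SENSITIVE_APIS: Set[str] = {"http.get", "http.post", "ui.toast"}


def controlled_apis(*perm_sets: PermMap) -> Set[str]:
    """Union of all APIs gated by at least one permission."""
    out: Set[str] = set()
    for perms in perm_sets:
        for apis in perms.values():
            out |= apis
    return out


def missed_permissions(sensitive: Set[str], *perm_sets: PermMap) -> Set[str]:
    """Sensitive APIs with no control at all (the 'lack of controls' set).
    Full granularity means this set is empty."""
    return sensitive - controlled_apis(*perm_sets)


def coverage_ratio(sensitive: Set[str], *perm_sets: PermMap) -> float:
    """Share of sensitive APIs gated by some permission (1.0 == 100%)."""
    if not sensitive:
        return 1.0
    return 1 - len(missed_permissions(sensitive, *perm_sets)) / len(sensitive)


def coarse_permissions(*perm_sets: PermMap, threshold: int = 1) -> Dict[str, int]:
    """Permissions gating more than `threshold` APIs: granting one of these
    cannot control each API separately (improper granularity)."""
    return {name: len(apis)
            for perms in perm_sets
            for name, apis in perms.items()
            if len(apis) > threshold}


def check_assumptions(sensitive: Set[str], non_sensitive: Set[str],
                      *perm_sets: PermMap) -> List[str]:
    """Verify the As/An split is a partition and every gated API is classified."""
    problems: List[str] = []
    overlap = sensitive & non_sensitive
    if overlap:
        problems.append(f"API in both As and An: {sorted(overlap)}")
    unknown = controlled_apis(*perm_sets) - sensitive - non_sensitive
    if unknown:
        problems.append(f"permission gates unclassified API: {sorted(unknown)}")
    return problems


if __name__ == "__main__":
    perms = (OS_PERMS, DEVICE_PERMS, MDM_PERMS)
    print("missed:", sorted(missed_permissions(SENSITIVE_APIS, *perms)))
    print("coverage: %.0f%%" % (100 * coverage_ratio(SENSITIVE_APIS, *perms)))
    print("coarse:", coarse_permissions(*perms))
    print("problems:", check_assumptions(SENSITIVE_APIS, NON_SENSITIVE_APIS, *perms))
```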
[ DEVICE MANAGEMENT ]
Concurrency over native & additional security features
The situation is very serio
MDM features
35/45
GOALS - MOBILE RESOURCES / AIM OF ATTACK: DEVICE RESOURCES; OUTSIDE-OF-DEVICE RESOURCES
ATTACKS - SET OF ACTIONS UNDER THE THREAT
APIs - RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES: KERNEL PROTECTION, NON-APP FEATURES; PERMISSIONS - EXPLICITLY CONFIGURED; 3RD PARTY: AV, FIREWALL, VPN, MDM
COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO
[ DEVICE MANAGEMENT ]
Figure (APPLICATION LEVEL ATTACK VECTOR): AV, MDM, DLP, VPN; Attacks; APIs; MDM feature
36/45
[ BLACKBERRY. PERMISSIONS ]
Permission | BB 10 Cascades SDK | BB 10 AIR SDK | PB (ND
Background processing + +
BlackBerry Messenger -
Calendar, Contacts + via invo
Camera + +
Device identifying information + +
Email and PIN messages + via invo
GPS location + +
Internet + +
Location +
Microphone + +
Narrow swipe up - +
Notebooks +
Notifications + +
Player - +
Phone +
Push +
Shared files + +
Text messages +
Volume - +
37/45
[ iOS. Settings ]
Component Unit
Restrictions :: Native application
Safari
Camera, FaceTime
iTunes Store, iBookstore
Siri
Manage applications*
Restrictions :: 3rd application
Manage applications*
Explicit Language (Siri)
Privacy*, Accounts*
Content Type Restrictions*
Unit subcomponents
Privacy :: Location Per each 3rd party app
For system services
Privacy :: Private Info
Contacts, Calendar, Reminders, P
Bluetooth Sharing
Twitter, Facebook
Accounts
Disables changes to Mail, Contacts, Calendars, iClou
Find My Friends
Volume limit
Content Type Restrictions
Ratings per country and regio
Music and podcasts
Movies, Books, Apps, TV show
In-app purchases
Require Passwords (in-app purch
Game Center Multiplayer Games
Adding Friends (Game Center
Manage applications Installing Apps
Removing Apps
38/45
ACCESS_CHECKIN_PROPERTIES,ACCESS_COARSE_LOCATION,
ACCESS_FINE_LOCATION,ACCESS_LOCATION_EXTRA_COMM
ANDS,ACCESS_MOCK_LOCATION,ACCESS_NETWORK_STATE,
ACCESS_SURFACE_FLINGER,ACCESS_WIFI_STATE,ACCOUNT_
MANAGER,ADD_VOICEMAIL,AUTHENTICATE_ACCOUNTS,BAT
TERY_STATS,BIND_ACCESSIBILITY_SERVICE,BIND_APPWIDGET
,BIND_DEVICE_ADMIN,BIND_INPUT_METHOD,BIND_REMOTE
VIEWS,BIND_TEXT_SERVICE,BIND_VPN_SERVICE,BIND_WALL
PAPER,BLUETOOTH,BLUETOOTH_ADMIN,BRICK,BROADCAST_
PACKAGE_REMOVED,BROADCAST_SMS,BROADCAST_STICKY,
BROADCAST_WAP_PUSH,CALL_PHONE,CALL_PRIVILEGED,CA
MERA,CHANGE_COMPONENT_ENABLED_STATE,CHANGE_CO
NFIGURATION,CHANGE_NETWORK_STATE,CHANGE_WIFI_M
ULTICAST_STATE,CHANGE_WIFI_STATE,CLEAR_APP_CACHE,C
LEAR_APP_USER_DATA,CONTROL_LOCATION_UPDATES,DELE
TE_CACHE_FILES,DELETE_PACKAGES,DEVICE_POWER,DIAGN
OSTIC,DISABLE_KEYGUARD,DUMP,EXPAND_STATUS_BAR,FAC
TORY_TEST,FLASHLIGHT,FORCE_BACK,GET_ACCOUNTS,GET_
PACKAGE_SIZE,GET_TASKS,GLOBAL_SEARCH,HARDWARE_TE
ST,INJECT_EVENTS,INSTALL_LOCATION_PROVIDER,INSTALL_P
ACKAGES,INTERNAL_SYSTEM_WINDOW,INTERNET,KILL_BACK
GROUND_PROCESSES,MANAGE_ACCOUNTS,MANAGE_APP_T
OKENS,MASTER_CLEAR,MODIFY_AUDIO_SETTINGS,MODIFY_
PHONE_STATE,MOUNT_FORMAT_FILESYSTEMS,MOUNT_UN
MOUNT_FILESYSTEMS,NFC,PERSISTENT_ACTIVITY,PROCESS_
OUTGOING_CALLS,READ_CALENDAR,READ_CALL_LOG,READ_
CONTACTS,READ_EXTERNAL_STORAGE,READ_FRAME_BUFFE
R,READ_HISTORY_BOOKMARKS,READ_INPUT_STATE,READ_L
OGS,READ_PHONE_STATE,READ_PROFILE,READ_SMS,READ_
SOCIAL_STREAM,READ_SYNC_SETTINGS,READ_SYNC_STATS,
READ_USER_DICTIONARY,REBOOT,RECEIVE_BOOT_COMPLET
ED,RECEIVE_MMS,RECEIVE_SMS,RECEIVE_WAP_PUSH,RECO
RD_AUDIO,REORDER_TASKS
,SET_ACTIVITY_WATCHER,SE
SET_ANIMATION_SCALE,SET
,SET_POINTER_SPEED,SET_P
ROCESS_LIMIT,SET_TIME,SET
ET_WALLPAPER_HINTS,SIGN
TUS_BAR,SUBSCRIBED_FEED
ITE,SYSTEM_ALERT_WINDOW
REDENTIALS,USE_SIP,VIBRAT
TINGS,WRITE_CALENDAR,W
TS,WRITE_EXTERNAL_STORA
STORY_BOOKMARKS,WRITE_
GS,WRITE_SETTINGS,WRITE_
RITE_SYNC_SETTINGS,WRITE
[ Android. Permissions ]
List contains ~150 permissions
I have only ever seen that on old BlackBerry
39/45
ACCOUNTS
AFFECTS_BATTERY
APP_INFO
AUDIO_SETTINGS
BLUETOOTH_NETWORK
BOOKMARKS
CALENDAR
CAMERA
COST_MONEY
DEVELOPMENT_TOOLS
DEVICE_ALARMS
DISPLAY
HARDWARE_CONTROLS
LOCATION
MESSAGES
MICROPHONE
NETWORK
PERSONAL_INFO
PHONE_CALLS
SCREENLOCK
SOCIAL_INFO
STATUS_BAR
STORAGE
SYNC_SETTINGS
SYSTEM_CLOCK
SYSTEM_TOOLS
USER_DICTIONA
VOICEMAIL
WALLPAPER
WRITE_USER_D
[ Android. Permission Groups ]
But there are only 30 permission groups
I have only ever seen that on old BlackBerry
40/45
CAMERA AND VIDEO
HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD
DEFINE PASSWORD PROPERTIES
REQUIRE LETTERS (incl. case)
REQUIRE NUMBERS
REQUIRE SPECIAL CHARACTERS
DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS
DEVICE PASSWORD
ENABLE AUTO-LOCK
LIMIT PASSWORD AGE
LIMIT PASSWORD HISTORY
RESTRICT PASSWORD LENG
MINIMUM LENGTH FOR THE PASSWORD THAT IS ALLOW
ENCRYPTION
APPLY ENCRYPTION RULES
ENCRYPT INTERNAL DEVIC
TOUCHDOWN SUPPORT
MICROSOFT EXCHANGE SY
EMAIL PROFILES
ACTIVESYNC
MDM. Extend your device security capa
Android: CONTROLLED FOUR GROUPS
41/45
BROWSER
DEFAULT APP,
AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
CAMERA, VIDEO, VIDEO CONF
OUTPUT, SCREEN CAPTURE, DEFAULT APP
CERTIFICATES (UNTRUSTED CERTs)
CLOUD SERVICES
BACKUP / DOCUMENT / PICTURE / SHARING
CONNECTIVITY
NETWORK, WIRELESS, ROAMING
DATA, VOICE WHEN ROAMING
CONTENT
CONTENT (incl. EXPLICIT)
RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
MESSAGING (DEFAULT APP)
BACKUP / DOCUMENT PICTURE / SHA
ONLINE STORE
ONLINE STORES , PURCHASES, PASSW
DEFAULT STORE / BOOK / MUSIC APP
MESSAGING (DEFAULT APP)
PASSWORD (THE SAME WITH ANDROID, NEW BLA
PHONE AND MESSAGING (VOICE DIALING)
PROFILE & CERTs (INTERACTIVE INSTALLATION)
SOCIAL (DEFAULT APP)
SOCIAL APPS / GAMING / ADDING FRI
DEFAULT SOCIAL-GAMING / SOCIAL-V
STORAGE AND BACKUP
DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
MDM. Extend your device security capa
iOS: CONTROLLED 16 GROUPS
42/45
GENERAL
MOBILE HOTSPOT AND TETHERING
PLANS APP, APPWORLD
PASSWORD (THE SAME WITH ANDROID, iOS)
BES MANAGEMENT (SMARTPHONES, TABLETS)
SOFTWARE
OPEN WORK EMAIL MESSAGE LINKS IN THE PERSONAL BROWSER
TRANSFER THROUGH WORK PERIMETER TO SAME/ANOTHER DEVICE
BBM VIDEO ACCESS TO WORK NETWORK
VIDEO CHAT APP USES ORGANIZATION'S WI-FI/VPN NETWORK
SECURITY
WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE
VOICE CONTROL & DICTATION IN WORK & USER APPS
BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE
PC ACCESS TO WORK & PERSONAL SPACE (USB, BT)
PERSONAL SPACE DATA ENCRYPTION
NETWORK ACCESS CONTROL FOR WO
PERSONAL APPS ACCESS TO WORK CO
SHARE WORK DATA DURING BBM VID
WORK DOMAINS, WORK NETWORK U
EMAIL PROFILES
CERTIFICATES & CIPHERS & S/MIME
HASH & ENCRYPTION ALGS AND KEY P
TASK/MEMO/CALENDAR/CONTACT/D
WI-FI PROFILES
ACCESS POINT, DEFAULT GATEWAY, D
PROXY PASSWORD/PORT/SERVER/SU
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS
TOKENS, IKE, IPSEC OTHER PARAMS
PROXY PORTS, USERNAME, OTHER PA
MDM. Extend your device security capa
BlackBerry (new, 10, QNX): CONTROLLED 7 GROUPS ONLY
43/45
THERE ARE 55 GROUPS CONTROLLED IN ALL
EACH GROUP CONTAINS FROM 10 TO 30 UNITS
ARE CONTROLLED TOO
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMS INSTEAD OF A WAY TO DISABLE/ENABLE & HIDE/UNHIDE
EACH EVENT IS CONTROLLED BY A CERTAIN PERMISSION
ALLOWED TO CONTROL BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE
DESCRIBED IN 360 PAGES IN ALL, THAT IS FOUR TIMES MORE THAN OTHER DOCUMENTS
EACH UNIT CANT CONTROL ACT
ITSELF
CREATE, READ, WRITE/S
DELETE ACTIONS IN REG
MESSAGES LEAD TO SPO
REQUESTING A MESSAG
ONLY SOME PERMISSIONS ARE
DELETE ANY OTHER APP
SOME PERMISSIONS ARE
WHICH 3RD PARTY PLUGI
IN, INSTEAD OF THAT PLU
MDM. Extend your device security capa
BlackBerry (old): Huge amount of permissions are MD
CONCLUSION
44/45
The best security & permissions are ruled by AWS
Most cases are not clear according to the roles and responsibilities of cloud vendors & customers
Swapping of responsibilities and shifting the vendor's job onto the customer's shoulders may happen
Referring to independent audit reports under NDA as many times as they can
CSA puts cross-references to other standards, which impacts complexity & lack of clarity more than NIST SP 800-53
CONCLUSION
Figure (process diagram): Select Security Controls; Check Scope (CSA); Define Granularity; Apply CSA as common; Remap to NIST; Improve basic CSA; Nenh
http://scribd.com/ychemerkin
45/45
Q & A