Securing mobile population for White Hats
DESCRIPTION
Peter Wood invited me to present mobile to White Hats in December 2011.
TRANSCRIPT
SECURING MOBILE POPULATION
Vladimir Jirasek
About.me/jirasek
2nd Dec 2011
About me
• Security professional (11 years), current work at WorldPay as Head of Security Solutions
• Director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
• Apple fan
I will cover four topics today
• Consumerisation opportunities and challenges
• Threats related to mobile devices
• Smart devices security architecture
• How to fit mobile devices to company security architecture
Consumerisation
"I want to use one device for both personal and work stuff."
Hmm, might be tricky, but here is what we can do:
• Say yes and give clear policies!
• Access to data and systems based on risk
• Agree forensic policy and investigation rules for personal devices.
How to manage access – not binary
Access decisions based on the accuracy of the following:
• Identity – Google Apps ID vs. Active Directory ID, one-factor auth vs. two-factor auth
• Role – FTE, contractor, cleaner, executive
• Device – trusted, non-trusted
• Location – inside the firewall or outside, US vs. China, IPv6 vs. IPv4, changes in location over time
• Time – inside working hours or outside
• Data/Application – business impact, approved apps vs. consumer apps
The more of these signals you can trust, the more access you can grant; a weak signal (consumer identity, unmanaged device, unusual location) should reduce access rather than simply block it.
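The non-binary decision described on this slide, as an added worked example (not from the original deck). It scores a request on the six dimensions listed above, treats device posture (jailbreak, encryption, management, installed apps) as one of the inputs, and maps the total to graded access rather than yes/no. All weights, thresholds, the approved-app list, the "high-risk country" set and the sample requests are assumptions chosen for illustration.

```python
"""Risk-based, graded access decision for mobile devices (illustrative only)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Assumed policy constants; real values come from the organisation's risk appetite.
APPROVED_APPS = frozenset({"corp-mail", "corp-calendar", "corp-crm"})
HIGH_RISK_COUNTRIES = frozenset({"CN"})          # after the slide's "US vs. China" example
WORK_HOURS = range(8, 19)                         # 08:00-18:59 local time
# Maximum risk score tolerated for *full* access, by business impact of the data.
FULL_ACCESS_BUDGET = {"low": 70, "medium": 50, "high": 30}
LIMITED_ACCESS_MARGIN = 30                        # above budget but within margin -> limited


@dataclass(frozen=True)
class Device:
    jailbroken: bool
    encrypted: bool
    mdm_enrolled: bool
    installed_apps: frozenset


@dataclass(frozen=True)
class Request:
    identity_source: str      # "corporate" (e.g. Active Directory) or "consumer" (e.g. Google Apps ID)
    two_factor: bool
    role: str                 # "fte", "contractor", "cleaner", "executive"
    device: Device
    inside_firewall: bool
    country: str              # ISO 3166 code of the source location
    when: datetime
    data_impact: str          # "low" / "medium" / "high"
    app_approved: bool        # corporate app vs. consumer app


def device_posture(d: Device) -> tuple[bool, int]:
    """Return (trusted, risk_points). A jailbroken device is never trusted."""
    if d.jailbroken:
        return False, 100
    points = 0
    if not d.encrypted:
        points += 30
    if not d.mdm_enrolled:
        points += 20
    if d.installed_apps - APPROVED_APPS:          # any unapproved app present
        points += 10
    return points < 30, points


def risk_score(r: Request) -> int:
    """Sum risk points across identity, role, device, location, time and application."""
    _, points = device_posture(r.device)
    if r.identity_source != "corporate":
        points += 20
    if not r.two_factor:
        points += 20
    if r.role in ("contractor", "cleaner"):
        points += 10
    if not r.inside_firewall:
        points += 10
    if r.country in HIGH_RISK_COUNTRIES:
        points += 30
    if r.when.hour not in WORK_HOURS:
        points += 10
    if not r.app_approved:
        points += 20
    return points


def decide(r: Request) -> str:
    """Graded outcome: 'full', 'limited' (e.g. view-only, no download) or 'deny'."""
    if r.device.jailbroken:
        return "deny"
    # High-impact data always requires a corporate identity with two-factor auth.
    if r.data_impact == "high" and not (r.two_factor and r.identity_source == "corporate"):
        return "deny"
    score = risk_score(r)
    budget = FULL_ACCESS_BUDGET[r.data_impact]
    if score <= budget:
        return "full"
    if score <= budget + LIMITED_ACCESS_MARGIN:
        return "limited"
    return "deny"


# Constructed sample requests.
MANAGED = Device(jailbroken=False, encrypted=True, mdm_enrolled=True,
                 installed_apps=frozenset({"corp-mail", "corp-crm"}))
PERSONAL = Device(jailbroken=False, encrypted=True, mdm_enrolled=False,
                  installed_apps=frozenset({"corp-mail", "angry-birds"}))
ROOTED = Device(jailbroken=True, encrypted=False, mdm_enrolled=False, installed_apps=frozenset())

SAMPLES = {
    # FTE on a managed device, in the office, during the day, into a high-impact app.
    "fte_office": Request("corporate", True, "fte", MANAGED, True, "GB",
                          datetime(2011, 12, 2, 10, 0), "high", True),
    # Same FTE, same data, but on a personal device, off-site, in the evening.
    "fte_personal_evening": Request("corporate", True, "fte", PERSONAL, False, "GB",
                                    datetime(2011, 12, 2, 21, 0), "high", True),
    # Contractor on a jailbroken handset: denied regardless of everything else.
    "contractor_rooted": Request("corporate", True, "contractor", ROOTED, True, "GB",
                                 datetime(2011, 12, 2, 10, 0), "low", True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name}: score={risk_score(req)} -> {decide(req)}")
```

The point of the graded outcome is the middle case: the same employee, same data, loses full access on an unmanaged device after hours but is not locked out entirely, which is what "say yes and give clear policies" looks like in a policy engine.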
Classifications of systems
Evolution of connected world
[Chart: number of devices (1M to 100B, log scale) against year (1960 to 2010), by era: Mainframe, Minicomputer, PC, Connected PC, Mobile and Cloud…]
Source: McAfee
Revolution in mobile device capabilities
[Timeline, Q1 2007 to Q1 2009]
• Q1 2007: Apple iPhone launches
• Gartner says never ready for enterprise
• iOS App Store
• iOS ActiveSync email
• Gartner approves iPhone for the enterprise
• Android G1
• Microsoft Windows Vista
• Blackberry & Palm
Source: McAfee
And its acceleration
[Timeline, Q1 2009 to Q1 2012]
• Microsoft Windows 7
• iOS 3GS w/ encryption
• iPad launches
• Android tablets
• RIM PlayBook
• iPad 2
• Android Honeycomb with encryption
• Windows Phone 7
• webOS
• Next gen Blackberry
• iCloud
• iPhone 4s
Mobile device threats
• Web-based and network-based attacks
• Malware
• Social engineering attacks
• Resource and service availability abuse
• Malicious and unintentional data loss
• Attacks on the integrity of the device's data
Mobile platforms – security architecture
• Traditional Access Control: Traditional access control seeks to protect devices using techniques such as passwords and idle-time screen locking.
• Application Provenance: Provenance is an approach where each application is stamped with the identity of its author and then made tamper resistant (using a digital signature).
• Encryption: Encryption seeks to conceal data at rest on the device to address device loss or theft.
• Isolation: Isolation techniques attempt to limit an application’s ability to access the sensitive data or systems on a device.
• Permissions-based access control: Permission-based access control grants a set of permissions to each application and then limits each application to accessing device data/systems that are within the scope of those permissions, blocking the applications if they attempt to perform actions that exceed these permissions.
Source: Symantec
iOS
• iOS is based on Mac OS X
• The number of vulnerabilities and attacks on iOS is very small, and they usually occur in 3rd-party applications installed on iOS
• The OS offers very good security: data protection, encryption, access control
• Lack of anonymity in the application developer community. It is far more risky to develop malware for iOS.
• Certified for the Microsoft ActiveSync program
Android
Android is based on Linux and uses the best security features Linux can offer, such as robust access control and application isolation. However, the main security problems with Android are that:
• It is very easy to root ("jailbreak")
• Users can install any application from any marketplace
• Confusing application access permission confirmations
• Many devices do not implement strong device encryption
• Google does not control final deployment – vendors and operators may add "features"
Updating of old devices is an issue for Android…
[Chart: Android device support history, by Michael DeGusta, TheUnderstatement.com]
Windows Phone (Mango release)
• Robust security model
• Mandatory access control – 4 privilege chambers – similar to Windows 7 (trusted, elevated, standard, least privileged)
• Application isolation
• Application code-signing
• Data isolation
• Controlled developer environment
• Lack of enterprise VPN features
• Immature certificate and key support
• Capability notifications and enforcement
Correct approach to mobile security
• Secure device, applications and data
• Use a risk-based approach for access control decisions
• Less emphasis on whether the device is procured by the company or the user
• Extend DLP to mobile
• Extend security event and forensic services
• Monitor installed apps, jail-breaking and configuration compliance
Source: McAfee
References
• "A Window Into Mobile Device Security", Carey Nachenberg, Symantec, 2011
• McAfee EMM Site
• "Mobile Security: Looking Back, Looking Forward", David Goldschlag, McAfee, 2011
• Microsoft ActiveSync certification program, http://technet.microsoft.com/en-us/exchange/gg187968.aspx
• Microsoft Consumerization Site, http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx
• "CISO Perspective: Consumerization of IT" @ RSA Europe 2011, Bret Arsenault, CISO Microsoft
• "Magic Quadrant for Mobile Device Management Software", Document ID G00211101, Gartner, 2011
• "Your Apps Are Watching You", The Wall Street Journal, December 17, 2010
• Windows Phone 7.5 (Mango) Security model explained, http://j4ni.com/blog/?p=59, Jani Nevalainen
• Windows Phone Platform Security, http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security, Nokia
• Windows Phone Security page, http://msdn.microsoft.com/en-us/library/ff402533(v=vs.92).aspx, Microsoft
• VMware Mobile virtual platform, http://www.vmware.com/products/mobile/overview.html
• Revolution or Evolution: Information Security 2020, http://www.pwc.co.uk/eng/publications/revolution_or_evolution_information_security_2020.html, PWC, 2010
• Consumerisation and Corporate IT Security, http://www.schneier.com/blog/archives/2010/09/consumerization.html, Bruce Schneier, September 2010
• Android Orphans: Visualizing a Sad History of Support, http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support, Michael DeGusta, October 2011