2011-07-13                          Vladimir Jirasek: Top 10 Mobile Risks   1




  TOP 10 MOBILE RISKS
  Vladimir Jirasek
  CISSP-ISSAP & ISSMP, CISM, CISA

  Senior Enterprise Security Architect, Nokia
  Steering Group, Common Assurance Maturity Model
  Non-executive director, CSA UK & Ireland

I am going to talk about …
• Risks associated with mobile devices
• Mobile Applications threat model
• Mobile risks in an Enterprise
• Mobile device as a Trusted device
• Mobile security models
• Mobile Top 10
• Not all doom and gloom: What to look for

Mobile devices are ubiquitous for most people




• Mobile devices with the power of an average computer
• Used by people around the globe in personal and business life
• To access services they want, communicate with other people, shop and play, either online or via mobile apps

 And the risks associated with the use cases are


• Mobile devices with the power of an average computer – power (CPU) and storage with seamless and always-on connectivity
• Used by people around the globe in personal and business life – travelling with people all the time; millions lost every day
• To access services they want, communicate with other people, shop and play, either online or via mobile apps – accessing potentially private and sensitive data, managing critical transactions

Mobile phone is your most personal computer and it needs to be well protected to become a trusted device.

Mobile device use cases threat model




• Mobile device is compromised with malware – malicious activity, loss of data, monitoring of activity, botnet
• Mobile device is lost or stolen – loss of data, potential malicious activity
• Mobile device is used to conduct malicious activity – unauthorised transactions, botnets, attacks on web services

Mobile device risk in an Enterprise
(Diagram: un-managed devices sit outside enterprise control)
• Un-managed personal device – un-controlled data sync
• Un-managed mobile device – un-controlled data access

Mobile threats summary [2]
• Web-based and network-based attacks – mobile device is connected,
  browsing websites with malicious content, malicious proxy servers

• Malware – traditional viruses, worms, and Trojan horses

• Social engineering attacks – phishing. Also used to install malware.

• Resource and service availability abuse – botnet, spamming,
  overcharging (SMS and calls)

• Malicious and unintentional data loss – exfiltration of information from
  phone

• Attacks on the integrity of the device’s data – malicious encryption with
  ransom, modification of data (address book)

  Mobile device as a trusted device: [4,5]
  How does mobile HW and OS hold up?




(Diagram: trust is built as a stack, from the hardware up)
• Typically contains System on Chip (SoC)
• Load kernel and mobile OS – OS security capabilities are crucial
• Load mobile applications – application segregation, security reviews
• Enterprise apps accessed from mobile devices

If trust is not assured from HW up then there is no trust at all!

Mobile Security Models [2]
• Traditional Access Control: passwords and idle-time screen locking
• Application Provenance: application signing and application review in the app store
• Encryption: encryption of device data and application data
• Isolation: traditional sandboxing and storage separation
• Permissions-based access control: limiting an application to needed functionality only

All must be supported by trust from HW up. Jailbreaking breaks the security model!
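As an added example (not part of the slides), the following Python model makes the two preceding points concrete: a hardware-rooted boot chain in which each stage embeds the SHA-256 digest of the stage it loads, and the digest of the first mutable stage is fixed in ROM. A tampered kernel is caught by the bootloader beneath it, a bootloader patched to skip verification (a jailbreak) is caught by the ROM, and if the ROM does not verify (no trust assured from HW up) every layer above loads as "trusted" anyway. The stage names, their contents and the use of bare hashes instead of signatures are assumptions of this example; real SoCs verify signatures against keys fused into the chip.

```python
"""Toy verified-boot chain (added example, not from the slides).

Assumptions: each stage image = code || SHA-256(next stage image); the
digest of the first mutable stage is "burned" into ROM. Real SoCs verify
signatures against fused public keys rather than comparing bare hashes.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

DIGEST_LEN = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Stage:
    name: str
    image: bytes                # code followed by the digest of the next stage (none for the last)
    skips_check: bool = False   # models a patched (jailbroken) stage that does not verify its successor


# Constructed sample stage code, from the first mutable stage up to an enterprise app.
CODES: List[Tuple[str, bytes]] = [
    ("bootloader", b"bootloader: verify kernel"),
    ("kernel", b"kernel: verify platform"),
    ("platform", b"platform: sandbox and verify apps"),
    ("enterprise-app", b"enterprise app code"),
]


def build_chain(codes: List[Tuple[str, bytes]]) -> List[Stage]:
    """Assemble the chain top-down so each image embeds the digest of the next (done at build/signing time)."""
    stages: List[Stage] = []
    next_digest = b""
    for name, code in reversed(codes):
        image = code + next_digest
        stages.insert(0, Stage(name, image))
        next_digest = sha256(image)
    return stages


def root_digest(chain: List[Stage]) -> bytes:
    """The value fused into the SoC: digest of the first mutable stage."""
    return sha256(chain[0].image)


def boot(chain: List[Stage], rom_digest: bytes, rom_verifies: bool = True) -> Tuple[List[str], str]:
    """Walk the chain, each stage verifying the next. Returns (loaded stage names, outcome)."""
    loaded: List[str] = []
    if rom_verifies and sha256(chain[0].image) != rom_digest:
        return loaded, "ROM rejected " + chain[0].name
    for i, stage in enumerate(chain):
        loaded.append(stage.name)
        if i + 1 == len(chain):
            break
        nxt = chain[i + 1]
        if stage.skips_check:
            continue                      # jailbroken stage: loads whatever comes next
        if sha256(nxt.image) != stage.image[-DIGEST_LEN:]:
            return loaded, f"{stage.name} rejected {nxt.name}"
    return loaded, "trusted boot complete"


def patched(stage: Stage, old: bytes, new: bytes, skips_check: bool = False) -> Stage:
    """Return a modified copy of a stage; old/new have equal length so the embedded digest stays in place."""
    assert len(old) == len(new)
    return Stage(stage.name, stage.image.replace(old, new), skips_check)


def scenarios() -> Dict[str, Tuple[List[str], str]]:
    chain = build_chain(CODES)
    rom = root_digest(chain)

    # 1. Untouched chain.
    intact = boot(chain, rom)

    # 2. Kernel image modified (malware persisting at kernel level): caught by the bootloader.
    bad_kernel = list(chain)
    bad_kernel[1] = patched(chain[1], b"verify", b"pwned!")
    kernel_tampered = boot(bad_kernel, rom)

    # 3. Bootloader patched to skip verification (a jailbreak) plus the tampered kernel.
    jailbroken = list(bad_kernel)
    jailbroken[0] = patched(chain[0], b"verify", b"skip!!", skips_check=True)
    with_hw_root = boot(jailbroken, rom)                         # ROM enforces the root digest
    without_hw_root = boot(jailbroken, rom, rom_verifies=False)  # no trust from HW up

    return {
        "intact": intact,
        "kernel_tampered": kernel_tampered,
        "jailbroken_with_hw_root": with_hw_root,
        "jailbroken_without_hw_root": without_hw_root,
    }


if __name__ == "__main__":
    for name, (loaded, outcome) in scenarios().items():
        print(f"{name:28s} loaded={loaded} -> {outcome}")
```

The last scenario is the one to take away: once the root check is missing, the patched bootloader, the tampered kernel and everything above them all report a clean boot, which is why every control on the next slide is only as good as the hardware anchor beneath it.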

Veracode Mobile Top 10 [1]
Malicious Functionality
1. Activity monitoring and data retrieval
2. Unauthorized dialing, SMS, and payments
3. Unauthorized network connectivity (exfiltration or command & control)
4. UI impersonation
5. System modification (rootkit, APN proxy config)
6. Logic or time bomb

Vulnerabilities
7. Sensitive data leakage (inadvertent or side channel)
8. Unsafe sensitive data storage
9. Unsafe sensitive data transmission
10. Hardcoded password/keys
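Items 7 to 10 are the ones an application reviewer can find with static checks before the app ships. As an added example (not from the slides or from Veracode), the Python scanner below runs a handful of such rules over constructed decompiled-Java snippets: credential-named string constants and high-entropy key-like literals (item 10), world-readable preferences and external storage (item 8), cleartext `http://` endpoints, an empty `checkServerTrusted` and an allow-all hostname verifier (item 9), and sensitive values written to the log (item 7). The file names, snippets, patterns and entropy threshold are all illustrative assumptions; in practice such rules run over the decompiled package and every hit is confirmed by hand.

```python
"""Added example (not from the slides or Veracode): a small static scanner for
Top 10 items 7-10 over constructed decompiled-Java snippets.

Assumptions: file names, snippets and the rule patterns are illustrative;
a real review would run such rules over the decompiled APK/IPA and then
confirm each hit by hand."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample sources (not from any real application).
SAMPLE_SOURCES: Dict[str, str] = {
    "LoginActivity.java": '''
        private static final String API_KEY = "AKIA0123456789ABCDEF";
        private static final String password = "hunter2admin";
        HttpURLConnection c = (HttpURLConnection) new URL("http://api.example.test/login").openConnection();
        Log.d("Login", "token=" + token);
    ''',
    "Storage.java": '''
        SharedPreferences p = getSharedPreferences("creds", Context.MODE_WORLD_READABLE);
        FileOutputStream f = new FileOutputStream(Environment.getExternalStorageDirectory() + "/creds.txt");
    ''',
    "Net.java": '''
        TrustManager tm = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        };
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        URL u = new URL("https://api.example.test/v2");
    ''',
}

# (category, pattern) pairs keyed to the list: 7 leakage, 8 storage, 9 transmission, 10 hardcoded secrets.
RULES = [
    ("data-leakage", re.compile(r"\bLog\.[dviwe]\(.*(password|token|secret|key)", re.I)),
    ("unsafe-storage", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("unsafe-storage", re.compile(r"getExternalStorage(Public)?Directory\(")),
    ("unsafe-transmission", re.compile(r"""["']http://""")),
    ("unsafe-transmission", re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")),
    ("unsafe-transmission", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("hardcoded-secret", re.compile(r"""\b(password|passwd|secret|api[_-]?key|token)\w*\s*=\s*["'][^"']{6,}["']""", re.I)),
]
# String literals made only of key-like characters; high entropy suggests an embedded key.
KEYLIKE_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_-]{20,})["']""")
ENTROPY_THRESHOLD = 3.5   # bits per character; tune against your own code base


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    category: str
    snippet: str


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(sources: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()

    def add(file: str, lineno: int, category: str, line: str) -> None:
        key = (file, lineno, category)
        if key not in seen:          # one finding per category per line
            seen.add(key)
            findings.append(Finding(file, lineno, category, line.strip()))

    for file, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for category, pattern in RULES:
                if pattern.search(line):
                    add(file, lineno, category, line)
            for literal in KEYLIKE_LITERAL.findall(line):
                if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                    add(file, lineno, "hardcoded-secret", line)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCES)
    for f in results:
        print(f"{f.file}:{f.line} [{f.category}] {f.snippet}")
    print(summarize(results))
```

Note that the `https://` URL and the short `"creds"` literal produce no findings: the cleartext rule anchors on the quote before `http://`, and the entropy rule only considers literals of 20 or more key-like characters, which keeps ordinary strings and hostnames out of the secret category.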

Summary: What to look for
Device and applications
• Do not jail-break the device
• Utilise mobile OS security features (access control, encryption)
• Follow data classification policies – what data can be on mobile devices and what protection is required
• Follow best practices for mobile application development

Enterprise Network
• Configure VPN for mobile devices
• Provision VPN profiles for seamless connectivity
• Monitor traffic for data exfiltration
• Enable processes to wipe devices
• Data security policy includes device capabilities and position

Resources
1. Veracode Mobile App Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/
2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02
3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile
4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones
5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf
6. Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92).aspx
