1. The State of Security in The Mobile Enterprise
Cesare Garlati
VP Consumerization & Mobile Security – Trend Micro
Co-Chair Mobile Group – Cloud Security Alliance
APPNATION – December, 2012

2. Cloud Security Alliance: Mobile Guidance V1
Security Guidance for
Critical Areas of Mobile Computing
 Mobile Computing Definition
 Threats to Mobile Computing
 Maturity of the Mobile Landscape
 BYOD Policies
 Mobile Authentication
 App Stores
 Mobile Device Management
https://cloudsecurityalliance.org/research/mobile/

3. CSA Top Mobile Threats – Evil 8
1. Data loss from lost, stolen or decommissioned devices.
2. Information-stealing mobile malware.
3. Data loss and data leakage through poorly written third-party apps.
4. Vulnerabilities within devices, OS, design and third-party applications.
5. Unsecured Wi-Fi, network access and rogue access points.
6. Unsecured or rogue marketplaces.
7. Insufficient management tools, capabilities and access to APIs.
8. NFC and proximity-based hacking.

4. How Secure and Manageable?
Raimund Genes
Chief Technology Officer, Trend Micro
http://trendmicro.com/our-contributors/raimund-genes
Chris Silva
Industry Analyst, Altimeter Group
http://www.altimetergroup.com/about/team/chris-silva
Nigel Stanley
Practice Leader, Bloor Research
http://www.bloorresearch.com/about/people/nigel-stanley.html
Philippe Winthrop
Managing Director, Enterprise Mobility Foundation
http://www.enterprisemobilitymatters.com/about.html
http://trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_enterprise_readiness_consumerization_mobile_platforms.pdf

5. Security and Management Criteria

6. Security and Management Criteria

7. Security and Management Criteria

8. Ratings By Category
Mobile
Technology
Gap

9. Ratings By Mobile Platform
Consumer
Technology
Gap

10. Mobile vulnerabilities are real
Android Apple iOS
 CVE-2012-3979 – log_print  CVE-2012-0643 – Malicious
function, allowing remote code allows remote attackers to
attackers to execute arbitrary bypass sandbox restrictions and
code via a crafted web page that execute arbitrary code.
calls the JavaScript dump
function.  CVE-2012-0646 – Format
string vulnerability in VPN allows
 CVE-2011-3874 – Stack- remote attackers to execute
based buffer overflow in libsysutils arbitrary code via a crafted racoon
allows user-assisted remote configuration file.
attackers to execute arbitrary
code via an application call.  CVE-2012-0642 – Integer
underflow allows remote attackers
 CVE-2011-4276 – Bluetooth to execute arbitrary code via a
service allows remote attackers crafted catalog file in an HFS disk
within range to obtain contact data image.
via an AT phonebook transfer.
Source: National Vulnerability Database via CVEDetails.com – as of October 4, 2012

11. No Platform is immune: Apple iOS Detail
Source: National Vulnerability Database via CVEDetails.com – as of October 4, 2012

12. Apple iOS Jailbreaking Trends
June 2007 July 2008 July 2009 June 2010 Oct 2011 Sept 2012
iPhone iPhone 3G iPhone 3GS iPhone 4 iPhone 4S iPhone 5
Source: Google Trends – as of October 4, 2012

13. Android is the most exploited
Source: Trend Labs, Trend Micro Inc. – as of Q2 2012

14. Malicious Apps on Legit Marketplace
 March 2011 – 58 malicious apps (approx
250,000 victims)
 May 2011 – 24 malicious apps (up to
120,000 victims)
 December 2011 – 27 malicious apps
(approx 14,000 victims).
 February 2012 – 37 “Fan Apps” stealing
handset information and aggressive
advertising
 August 2012 – many, many more …

15. Android Versions Distribution
73%
Fragmentation
Vulnerable Devices
Source: Google http://developer.android.com/resources/dashboard/platform-versions – as of August1, 2012

16. Mobility is not the problem
“Consumerization will be
the most significant trend
affecting IT during
the next 10 years”
Gartner
New technology emerges first in the consumer market and then
spreads into business organizations brought in by the employees
IT and consumer electronics converge as individuals rely on the same
devices and applications for personal use and work-related activities
Overwhelmed by the wave of consumer technology flooding the
enterprise, IT managers lose control and struggle to enforce policies

17. ConsumerizationReport©
Source: Trend Micro Global Survey IT Managers, 500+ Employees, February 2012

18. "What mobile platforms are allowed by "Rank security and manageability of
your BYOD policy?" each mobile operating system"
BlackBerry 71% Apple iOS 20%
Android 68% BlackBerry 19%
Windows Ph 53% Android 18%
Apple iOS 51% Windows Ph 14%
Other 25% Other 15%
BYOD Top 5 concerns "Has your company ever experienced
a security breach as result of BYOD?"
Security 64%
Yes No
Data Loss 59%
Compliance 43% 47% 49%
Personal… 41%
Privacy 40% 5%
Don't Know
ConsumerizationReport©
Source: Trend Micro Global Survey IT Managers, 500+ Employees, February 2012

19. You are not ready for this
• Consumer mobile
technology is invading the
enterprise and you won‟t
be able to resist it
1 Embrace Consumerization
• Consumer technology is
not as secure as Understand the risk profile
manageable as required by 2 of the various platforms
the enterprise
Deploy new security and
• No platform is immune 3 management tools
from attack, although some
are safer than others

20. Thank You!
Cesare Garlati
http://BringYourOwnIT.com

21. As VP of Mobile Security at Trend Micro, Cesare Garlati
serves as the evangelist for the enterprise mobility
product line. Cesare is responsible for raising awareness
of Trend Micro‟s vision for security solutions in an
increasingly consumerized IT world.
Prior to Trend Micro, Mr. Garlati held director positions
within leading mobility companies such as iPass, Smith
Micro Software and WaveMarket – now LocationLabs.
Prior to this, he was senior manager of product
development at Oracle, where he led the development of
Cesare Garlati Oracle‟s first cloud application and many other modules
of the Oracle E-Business Suite.
Cesare Garlati | Vice President
Consumerization & Mobile Security
Cesare holds an MBA from U.C. Berkeley, a BS in
Blog: BringYourOwnIT.com Computer Science and professional certifications from
linkedin/in/CesareGarlati Microsoft, Cisco and Sun. Cesare is Chair of Trend Micro
twitter/CesareGarlati
Cesare_Garlati@trendmicro.com Advisory Board for Consumerization and Mobile and Co-
Chair of the CSA Mobile Working Group.
Skype: Cesare.Garlati
Mobile: +1 408.667.3320
Blog: http://BringYourOwnIT.com

22. http://consumerization.com

23. http://consumerization.trendmicro.com

24. http://BringYourOwnIT.com

25. http://youtube.com/user/BringYourOwnIT

26. Installed Base % 4Q11 Installed Base % 2015*
60%
50%
40%
30%
20%
10%
0%
X
Android iOS Win Ph RIM Symbian Other Android iOS Win Ph RIM Symbian Other
38% 17% 3% 12% 26% 3% 52% 19% 21% 6% 0% 2%
59% 92%
Android and iOS will account for over 70% of smartphone sales
by the end of 2012. Microsoft will rise to third place in the global
OS rankings by 2013, ahead of Research In Motion.
ConsumerizationReport©
Source: Trend Micro internal analysis based on Gartner, Forrester and IDC market data – February, 28 2012

27. How To: Jailbreak iOS (5.1.1)
Download Links
Xxxx v2.0.4 MacOSX (10.5, 10.6, 10.7)
Xxxx v2.0.4 Windows (XP/Vista/Win7)
Xxxx v2.0.4 Linux (x86/x86_64)
How To Use Xxxxx 2.0:
1. Make a backup of your device in iTunes by right clicking on your device name under
the „Devices‟ menu and click „Back Up‟.
2. Open Xxxxx and be sure you are still connected via USB cable to your computer.
3. Click „Jailbreak‟ and wait…. just be patient and do not disconnect your device.
4. Once jailbroken return to iTunes and restore your backup from earlier.
Xxxxx 2.0 supports the following devices on 5.1.1:
iPad 1, iPad 2, iPad 3 (iPad2,4 is now supported as of Xxxxx 2.0.4)
iPhone 3GS, iPhone 4, iPhone 4S
iPod touch 3rd generation, iPod touch 4th generation

28. Taller screens like Cydia too. :)
 @saurik – Jay Freeman
 Cydia: 1.5M Apps per day
 5% to 10% of Apple iOS devices
 $8M rev 2011 (to developers)

29. Apple iOS Jailbreaking Trends – U.S.
June 2007 July 2008 July 2009 June 2010 Oct 2011 Sept 2012
iPhone iPhone 3G iPhone 3GS iPhone 4 iPhone 4S iPhone 5
Source: Google Trends – as of October 4, 2012

30. Malicious Apps on Legit Marketplace

31. Android Commercial Spy Apps

32. 3D Porsche Sports Car HD Live Wallpapers

33. VScan:AndroidOS_ADWLeadbolt.HRY

34. FBI Warns of Mobile Malware Risks
Source: Federal Bureau Of Investigation – New E-Scams & Warnings – 10/12/2012