6. What makes mobile riskier?
- Convergence
- Mobile misuse can cost
- Small physical footprint
- Increasing processing power
- Multiple communication channels
- Increasing bandwidth
- Ownership
- Storage
- Fragmentation
- Applications
- Data
7. How do you secure mobile?
- Security Technology Elements
- Security Program Elements
14. What about apps?
- 33% of NA smartphone owners download apps
- Multiple versions
- Location-based apps / social networking will increase
- Games continue to dominate among apps
- Users continue to demand greater usability
- 10 billion app downloads from Apple's App Store in 2010
- Signed Apps = Secure Apps?
- Can't impede app proliferation, but how do you know which to trust?
15. What about everything else?
- Force encryption of data at rest on mobile devices
- Force secure connectivity on unsecured public networks
- Ensure unauthorized mobile devices do not have access to corporate LAN*
- Ensure mobile user spending is in line with the mobile policy and additional costs can be recovered
- Over-the-air decommissioning (remote bricking)
- Authentication: set the device to auto-lock; set clipping level
- Keep device out of sight when not worn
- Handheld devices should be enterprise property
- Before an employee departs, obtain device and remove corporate data
- Have a clear policy on remote data deletion and do not hesitate to execute it
- Classify data according to the sensitivity of the data they carry
- Only permit digitally signed applications
- Be agile: quickly and flexibly adapt to the changing mobile landscape
16. An approach…
- Inventory data (technical and consultative)
- Destroy any unnecessary data
- Associate data access w/ users, roles
- Ensure only users that need access to data have access to it (access governance)
- Assign sensitivity level to data types (tier by quantity), based on business impact
- Assign control requirements for each data set
- Determine feasible controls for each environment (mobile, cloud, etc.)
- Identify how (vendor, etc.) to implement controls across each platform
- For each platform, define what access level (to each of the data sets) is allowed based on residual risk
18. Finally…
- Follow the data
- Consistent security controls
- Start w/ the business (data), not the controls
- Simplify security program
- Closely align mobile and cloud security
Doing Things Right / Doing the Right Things
Will there be non-mobile end-user devices in 10 years? In 15 Years? Can you have a separate security program for just mobile?
homeshoring
Data anywhere is good, data everywhere is bad.
Mobile ↔ Cloud: 2 sides of the same coin: User / Client / Consumerization of IT vs. Provider / Server / Democratization of IT
Fragmentation (hardware, OSs, applications, operators)
- Market is currently too fragmented for targeted attacks to be lucrative
- Security testing requires access to many resources
- Physical security is almost non-existent
- Physical access is easier

Physical: when cell phones are lost or stolen, people immediately notice that they're gone and have them deactivated, reducing the potential risks associated with active cell phones. Limited physical control: physical access is easier (increased theft, loss, breach). Mobile handsets are ultra-portable; therefore, physical security is almost non-existent.

Communication: Increasing processing power: treat mobile devices with the same care and caution as full workstations. Multiple communication mechanisms: Bluetooth, Wi-Fi, IR, cellular, USB; dual-mode devices (Wi-Fi). Limited bandwidth creates unique obstacles that a developer must cope with by implementing bandwidth consumption reduction techniques such as caching of data. DDoS is easier. Certificate and signing: the Symbian Signed Program digitally signs applications so developers are traceable. The three Symbian Signed test houses are mPhasis, NSTL and Sogeti.

App: Developers are still learning best practices. Mobile apps function more like native apps or thick clients rather than utilizing a standard browser. Mobile apps are not restricted to using standard HTTP/HTTPS as their communication protocol.

Devices: Local storage: more info is stored locally (caching) since you may not always have connectivity. Local data storage techniques vary by manufacturer, so multiple variations of handsets must be considered during testing. Many operating systems (Symbian, J2ME, BREW, iPhone). Multiple OS variants are used throughout the mobile phone industry, causing several variations of a single application to be developed for each platform. Each environment has its own idiosyncrasies that must be dealt with during development. Devices have varying levels of support for various technologies, so implementing secure authentication, secure data storage and secure communications across all devices becomes difficult with a single mechanism.

Cost: Spam costs the user (SMS, data, voice).

Must be flexible: "Unlike the PC market, there will continue to be a lot of churn in the mobile device market. Companies are going to have to deal with consumer devices because they can't do an adequate job of picking corporate standard devices," he says. "If you create a standard device list but don't readdress it for three years, that's six generations of mobile products. Your users are never going to have the best mobile devices."

Must be quick: "We're getting five to seven requests a day for the iPhone, but I can't centrally manage, inventory or encrypt it today," he says. "By the time that I can, those doctors will have already replaced it with another latest and greatest. I'm in a loop where I can't respond until a device is a generation old."

Convergence: Market is too fragmented for targeted attacks to be lucrative: hardware, OSs, applications, operators. Fixed-Mobile (Wi-Fi / cellular); Voice + Data; PC + Phone; Dead Spot -> Hot Spot (femto cells).
ISO 27002 Control Areas
"ignoramus et ignorabimus" = "we do not know and will not know"
Energizer Duo Battery Charger: the Trojan may have been in the software since it was first offered three years ago. Software that can be downloaded for use with the Energizer Duo USB battery charger contains a backdoor that could allow an attacker to remotely take control of a Windows-based PC, Energizer and US-CERT are warning. Read more: http://news.cnet.com/8301-27080_3-10465429-245.html#ixzz1I1Wa6YyO
*This is starting to become unacceptable to the business.

Forcing encryption of data at rest on mobile devices. Forcing secure connectivity on unsecured public networks. Ensuring unauthorized mobile devices do not have access to the corporate network or company data. Ensuring mobile user spending is in line with the mobile policy and additional costs can be recovered.

BB is more enterprise friendly: over-the-air provisioning, authentication, data encryption, monitoring and decommissioning (remote bricking).

Set the device to auto-lock. After each usage session, the device should automatically lock and require re-authentication. Auto-lock does not affect the phone function, and allows the phone to be answered promptly without entering the password.

Keep the device out of sight when not worn. It is risky to leave handheld data devices unguarded, even in the household. They are often targeted in break-ins because they are very easy to conceal and they usually carry important information. Instead of leaving them in plain sight, keep them in a drawer or somewhere within reach.

Handheld devices should be enterprise property. While it may be more convenient from an asset management point of view to allow employees to purchase their own handheld data devices, it is problematic in terms of data management. It is much easier to provide the devices for employees, and require them to be returned to the enterprise at the conclusion of employment.

Before an employee departs, obtain the device and remove corporate data. This policy should apply to any personal devices. A condition for allowing staff to connect their devices to the enterprise network should state that the enterprise may examine the device and delete corporate data at the enterprise's initiative. Keep an updated list of who owns a handheld data device, and make sure the device is examined before an employee leaves. Ensure that all pertinent information, including address books and e-mails, is deleted.
Have a clear policy on remote data deletion and do not hesitate to execute it. Devices should be classified according to the sensitivity of the data they carry. For devices carrying highly sensitive data, the time to deletion should be almost immediate. For devices containing less sensitive data, more time should be permitted for the recovery attempt before the deletion is executed.
(encourage vendors to support multiple platforms consistently)
- storage
- applications (internally and externally delivered)
- in transit (internal, external and partners)
"If the primary aim of a captain were to preserve his ship, he would keep it in port forever." [Thomas Aquinas]
For the latest version, please contact Omar Khawaja.

Actively participate in 30+ standards / certification bodies, professional organizations and vertical-specific consortia. Verizon Business manages 260,000-plus security, network and hosting devices across more than 4,200 customer networks in 142 countries and territories. Privacy Rights has tracked only 263 million breached records from Jan '05 to July '09 (http://www.privacyrights.org/ar/ChronDataBreaches.htm#Total).

- Threat & Vulnerability Intel: track and analyze new software vulnerabilities and related attacks.
- Underground Intel: watch discussions, code sharing, planning, ... Historically BBS, then Usenet, now more IRC and cons...
- ICSA Labs Intel: security product testing and security consortia operations. 400+ products.
- Forensics Intel: data and intel from forensics investigations (200+ cases per year).
- MSS Intel: data from IDS, FW, IPS, applications… Management & monitoring, SOC operations.
- Net Intel: data from backbone. Sensors on more than 1 million VzB addresses. Netflow, honey nets, honey pots…
- Studies & Surveys: VzB studies, surveys (10+/yr), others' published data to drive risk models, equations & methodology.