How can mobile device data be protected? This SANS webcast reviews the current and emerging services and practices designed to help secure and protect the data on these devices, and identifies areas where solutions are needed to fill the remaining gaps and provides recommendations for a holistic approach including mobile threat protection.
5. What are we protecting?
Credentials
• VPN
• E-Mail
• Social Media
• Other systems
Documents/Photos/Data
Contacts/Connections
• PII, personal and corporate
6. Why are we protecting…
• Network Access
• Impersonation/Identity Theft
• Data Access/Exfiltration/Modification
• Corporate Espionage
7. How is data lost/stolen
Insiders
– User sends it
– Recycle non-wiped devices
– Weak or no passcode
– Access malicious web site
– Install software
– Weaken settings
8. How is data lost/stolen
Outsiders
• Man in The Middle (MiTM)
• Social Engineering
• Logical or physical access
9. Attack Mitigations
Physical Security
Passcode, encryption, possession
Network Security
Use known networks (network spoofing)
Disable unneeded services
Malware Security
Use the primary app stores, update OS/Apps
Don’t root/jailbreak
11. Keeping OS and Applications Updated
OS/App update checklist:
• Has the update been regression tested?
• What will the requirement be for applying that update?
• Who is responsible to update the items and how will the update be applied?
• What are the consequences of not applying updates?
• What is your communication plan to affected parties?
Teamwork between IT and users is needed to secure mobile devices
Technology limitations are always being stretched both in the devices and the management solution
We're going to talk about what both sides can do, then introduce some new options that may be able to close some of the gaps in the armor to create a more comprehensive solution.
--
The ubiquitous use of mobile devices has radically changed the landscape of data protection, and the abundance of applications only complicates the situation. Regrettably, not every application is what it seems. Users can't always detect a well-crafted forgery or an application that secretly exfiltrates data in addition to the displayed functions. Additionally, not every network is what it seems. Users stumble across illegitimate networks that intercept or even change legitimate communications from mobile devices. And even legitimate operating systems and applications have numerous vulnerabilities that can be exploited.
How, then, can mobile device data be protected? This webcast reviews the current and emerging services and practices designed to help secure and protect the data on these devices, and identifies areas where solutions are needed to fill the remaining gaps and provides recommendations for a holistic approach including mobile threat protection.
Attendees will learn:
What role security tools such as analytics can play in managing mobile devices
What the risks are to mobile devices
How mobile devices and data are currently protected and how effective those protections are
Common attack vectors and possible mitigation strategies
Features and capabilities that a solution should have to provide organizations with ideal mobile security and visibility
Behaviors that increase the risk of compromise when compared to traditional laptop
Apps:
Legitimate app store only – helps – most common sources of mobile malware are secondary app stores (Apple/Google)
Repackaged apps – look just like the legitimate app – but have added behaviors. Some had it all along
Permissions – it is confusing for users to understand the permissions, particularly in Android, and many folks just click “Accept”
Always connected – looking for known wi-fi
Default behavior is Wi-Fi connects to strongest signal for known network
Wi-fi compromised three ways
Misconfigured router is compromised – legit connection, legit AP, still owned
Malicious device on legitimate network accessing information or providing bogus services
Fake real network (Karma, Pineapple)
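The three Wi-Fi cases above share one weakness: the device auto-joins whatever strongest signal carries a remembered SSID. As an added example (not from the webcast), this check compares each scan result against constructed known-network profiles and refuses auto-join on a security downgrade or a never-seen BSSID before "strongest signal wins" is applied:

```python
# Added example (not from the webcast): check a scan result against the
# device's known-network profiles before allowing "auto-join strongest".
from dataclasses import dataclass

@dataclass
class KnownNetwork:
    ssid: str
    security: str        # "open", "wpa2" or "wpa3"
    bssids: frozenset    # radios previously seen for this SSID

@dataclass
class ScanResult:
    ssid: str
    bssid: str
    security: str
    signal_dbm: int

SECURITY_RANK = {"open": 0, "wpa2": 1, "wpa3": 2}

def assess(scan, known):
    """Return 'join', 'unknown', or 'block:<reason>' for one scan result."""
    profile = known.get(scan.ssid)
    if profile is None:
        return "unknown"  # never joined: no auto-join, user must opt in
    if SECURITY_RANK[scan.security] < SECURITY_RANK[profile.security]:
        # Karma/Pineapple-style APs answer for a remembered SSID as an open
        # network; the real network does not drop from WPA2 to open.
        return "block:security-downgrade"
    if scan.bssid not in profile.bssids:
        # Same SSID and security but a radio never seen before: do not
        # auto-join just because it is the strongest signal.
        return "block:unknown-bssid"
    return "join"

def pick_network(scans, known):
    """Strongest signal wins, but only among results that pass assess()."""
    safe = [s for s in scans if assess(s, known) == "join"]
    return max(safe, key=lambda s: s.signal_dbm) if safe else None

# Constructed sample profiles and scan, including an evil twin of CorpWiFi.
KNOWN = {
    "CorpWiFi": KnownNetwork("CorpWiFi", "wpa2", frozenset({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"})),
    "HomeNet": KnownNetwork("HomeNet", "wpa2", frozenset({"de:ad:be:ef:00:01"})),
}
SCANS = [
    ScanResult("CorpWiFi", "aa:bb:cc:00:00:02", "wpa2", -70),
    ScanResult("CorpWiFi", "02:11:22:33:44:55", "open", -40),    # evil twin, strongest
    ScanResult("HomeNet", "00:99:88:77:66:55", "wpa2", -50),     # unseen radio
    ScanResult("CoffeeShop", "11:22:33:44:55:66", "open", -45),  # never joined
]
```

The misconfigured-but-legitimate router case is not caught by this check; it passes as "join", which is why network controls on the device still matter.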
Always on
Most people don’t suspend the devices, so they’re available for exploit 24x7
People process information 24x7, independent of location
People switch between personal and business processing on the same device
Data Security
To support this paradigm, applications are often written to favor speed over security. E.g. mobile application uses http, while browser versions use https.
Patching/Updates
Traditional IT – we push the patches, and can patch most ongoing
Smartphones – limited device lifecycle, patch availability inconsistent
Application updates are in the users' hands. While we can use an EMM to push updates of corporate apps, the others are in user control.
What’s so important on those devices?
Corporate Data
Personal Data
Information about you, your friends, your company
How to reach others
How to connect
Stored passwords in applications
Stored username/passwords in notes/documents/contacts – or insecure password management apps.
Sensitive personal or sensitive corporate data
Why – Next slide
This is kind-of the point.
To Become you
To act as you
To become someone else
Data for further action/compromise. Consider the data as pieces of a puzzle which, once solved, allows access to your data/systems
Ask Why to expose the risks.
Be well aware of what the devices do, what information they process and how that information can be used & abused
Insider – So often they are trying to get their job done.
Type of Insider + type of action = loss
Accidental -
Malicious
Theft
Hacktivists
Deliberate -
Email it to my home so I can work on it
Take shot with camera because can’t copy/paste…
Cloud use
Personal gain, revenge, etc.
Accidental
Respond/Forward wrong email, Put file in wrong folder, Too much data in document or message
Connecting to a malicious, compromised or misleading network (free public wi-fi anyone?)
PWN2OWN – Fully patched Android, could install any app by Chrome hitting web site. *Network legit, device legit, even so---
Were it as simple as a burglar-
Separately or in combination
Users leveraged to aid the process – install malicious or repackaged apps. Some protections prevent installation on top of legit copies.
Talk about physical access soon
Download a Mobile Security App = from AV to More comprehensive solutions
Mobile device operating systems and applications vulnerabilities drive the need to keep the OS and applications updated. When a device needs an update, ask:
Deployment
Provision OTA
Ease of on/off-boarding
End User Experience
Low battery use
Low data use (Esp. BYOD)
Threat Detection
Network
Malware
Device Vulnerabilities
Management and Administration
Detected threat reporting
Identify device OS vulnerabilities
Per-device Risk estimate
Reporting
Other
SIEM integration
API
Containers-
Common security model
Users often want to work outside container as apps/functions not in-container
Provides nice hardened spot for BYOD
Must configure data in/exfil settings
Application Wrapping
To add to container or MDM, but, need source and application has to use frameworks wrapping tool supports.
Secure Network access
Authentication integration
VPN-
Per application – possibly exploitable as kernel controls
Full device – any malware on device can access, can leverage network controls for remote access.
VDI
Connectivity and user experience largest challenges
Beyond analysis and human intervention
Typically, reports are read by local analyst and actions taken, blended with data from local systems
Real time application of data is needed
The mobile device could be an added source of threat data
Imagine aggregating data from thousands of mobile devices?
Application analysis
Not just in-house, there are services that provide this information
Location based defense
Distributed threat intelligence
Imagine dynamically changing the security configuration based on distributed threat information and device location?
** Make sure settings revert when appropriate **
For example DefCon BlueTooth attacks were mitigated by disablement of BT.
Manual analysis and application of threat information won’t scale.
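One way to automate the location-based, revert-when-appropriate policy described above, as an added example (not from the webcast or any vendor product): a device's location report is matched against constructed threat zones with an expiry; entering a zone saves the original settings and forces the hardened values, and leaving the zone or the advisory expiring restores exactly what was saved.

```python
# Added example (not from the webcast): temporary hardening driven by device
# location and a distributed threat advisory, with automatic revert.
from dataclasses import dataclass, field
from math import hypot
from typing import Optional

@dataclass
class ThreatZone:
    name: str
    x: float          # constructed planar coordinates, not real geo data
    y: float
    radius: float
    expires_at: int   # epoch seconds after which the advisory is stale
    settings: dict    # values to force while inside, e.g. {"bluetooth": "off"}

@dataclass
class Device:
    device_id: str
    settings: dict
    saved: dict = field(default_factory=dict)   # originals to restore later
    active_zone: Optional[str] = None

def in_zone(zone, x, y, now):
    return now < zone.expires_at and hypot(x - zone.x, y - zone.y) <= zone.radius

def apply_policy(device, zones, x, y, now):
    """Return the list of (setting, value) changes made for this report."""
    changes = []
    match = next((z for z in zones if in_zone(z, x, y, now)), None)
    if match and device.active_zone != match.name:
        # Entering a zone: remember originals, then force the hardened values.
        for key, value in match.settings.items():
            device.saved.setdefault(key, device.settings.get(key))
            device.settings[key] = value
            changes.append((key, value))
        device.active_zone = match.name
    elif match is None and device.active_zone is not None:
        # Left the zone or advisory expired: restore exactly what was saved
        # so the device does not stay locked down indefinitely.
        for key, value in device.saved.items():
            device.settings[key] = value
            changes.append((key, value))
        device.saved.clear()
        device.active_zone = None
    return changes

# Constructed data: a Bluetooth advisory around a conference venue.
ZONES = [ThreatZone("venue-bt-advisory", 0.0, 0.0, 500.0, 2_000_000,
                    {"bluetooth": "off", "wifi_autojoin": "off"})]
```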
Transition to SkyCure
The thing that is common to most of the reasons mentioned in the previous slide is Endpoints. If we talk about old endpoints, they are full of security solutions – IDS, IPS, AV, wireless security, USB security, encryption, DLP, and so on.
(CLICK)
What about the new Endpoints? What kind of security do you have on them?