Mobile security summit - 10 mobile risks
Vladimir Jirasek: Top 10 Mobile Risks 1
TOP 10 MOBILE RISKS
Vladimir Jirasek, CISSP-ISSAP & ISSMP, CISM, CISA
Senior Enterprise Security Architect, Nokia
Steering Group, Common Assurance Maturity Model
Non-executive director, CSA UK & Ireland
2011-07-13
I am going to talk about ...
• Risks associated with mobile devices
• Mobile applications threat model
• Mobile risks in an enterprise
• Mobile device as a trusted device
• Mobile security models
• Mobile Top 10
• Not all doom and gloom: what to look for
Mobile devices are ubiquitous for most people
• Mobile devices with the power of an average computer
• Used by people around the globe in personal and business life
• To access services they want, communicate with other people, shop and play, either online or via mobile apps
And the risks associated with the use cases are
• Mobile devices with the power of an average computer: power (CPU) and storage, with seamless and always-on connectivity
• Used by people around the globe in personal and business life: travelling with people all the time; millions are lost every day
• To access services they want, communicate with other people, shop and play, either online or via mobile apps: accessing potentially private and sensitive data, managing critical transactions
Mobile phone is your most personal computer and it needs to be well protected to become a trusted device.
Mobile device use cases threat model
• Mobile device is compromised with malware: malicious activity, loss of data, monitoring of activity, botnet
• Mobile device is lost or stolen: loss of data, potential malicious activity
• Mobile device is used to conduct malicious activity: unauthorised transactions, botnets, attack on web services
Mobile device risk in an Enterprise
Diagram: un-managed mobile devices and un-managed personal devices versus enterprise control; risks shown are un-controlled data sync and un-controlled data access.
Mobile threats summary [2]
• Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content, malicious proxy servers
• Malware – traditional viruses, worms, and Trojan horses
• Social engineering attacks – phishing. Also used to install malware.
• Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls)
• Malicious and unintentional data loss – exfiltration of information from phone
• Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
Mobile device as a trusted device: [4,5]
How does mobile HW and OS hold up?
• Typically contains a System on Chip (SoC)
• Loads the kernel and mobile OS
• Loads mobile applications
If trust is not assured from the HW up, then there is no trust at all!
Enterprise apps accessed from mobile devices: OS security capabilities are crucial (application segregation, security reviews).
Mobile Security Models [2]
• Traditional Access Control: passwords and idle-time screen locking.
• Application Provenance: Application signing and Application review in App store
• Encryption: Encryption of device data and application data
• Isolation: traditional Sandboxing and Storage separation
• Permissions-based access control: Limiting application to needed functionality only
All must be supported by Trust from HW up.
Jailbreaking breaks the security model!
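The two slides above (trust from the HW up, and jailbreaking breaking the security model) can be shown concretely with a small chain-of-trust model. This is an added example, not from the slides or from any vendor's firmware: the boot chain SoC -> kernel/OS -> applications is modelled as a hash chain in the style of TCG measured boot [3]. Each stage is measured (hashed) before control passes to it and the measurement is folded into a running register; a verifier holding known-good register values (the manifest) can then tell how far up the chain trust holds. Because every register value depends on all earlier ones, a tampered lower stage invalidates every stage above it even when their own images are genuine. The image bytes, the all-zero root register and the three-stage boot order are all constructed assumptions of this example.

```python
"""Chain-of-trust model for the 'trust from HW up' slides.

Added example, not from the slides: models SoC -> kernel/OS -> apps as a
hash chain in the style of TCG measured boot. All images are constructed
sample bytes standing in for real binaries.
"""
import hashlib

BOOT_ORDER = ("kernel", "os", "app")

# Constructed sample images (the "golden" versions a vendor would ship).
GOOD_IMAGES = {
    "kernel": b"vendor kernel image (constructed sample)",
    "os": b"mobile OS image (constructed sample)",
    "app": b"signed application bundle (constructed sample)",
}

# The SoC boot ROM is the root of trust: immutable, and it supplies the
# register's fixed starting value. Modelled here as an all-zero register.
ROOT_REGISTER = bytes(32)


def measure(image: bytes) -> bytes:
    """Measurement of a stage: the SHA-256 of the bytes about to be loaded."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement). Order-dependent, so the
    same measurements in a different order yield a different register."""
    return hashlib.sha256(register + measurement).digest()


def boot(images: dict) -> list:
    """Walk the chain; return [(stage, register after loading it), ...]."""
    register = ROOT_REGISTER
    log = []
    for stage in BOOT_ORDER:
        register = extend(register, measure(images[stage]))
        log.append((stage, register))
    return log


# Known-good register values, computed once from the golden images.
MANIFEST = boot(GOOD_IMAGES)


def trusted_stages(images: dict) -> list:
    """Stages whose register matches the manifest, in boot order. The walk
    stops at the first mismatch: nothing above an untrusted stage counts,
    even if its own image is the genuine one."""
    trusted = []
    for (stage, got), (_, expected) in zip(boot(images), MANIFEST):
        if got != expected:
            break
        trusted.append(stage)
    return trusted


def tampered(stage: str, payload: bytes) -> dict:
    """Golden images with one stage replaced, e.g. a jailbroken OS."""
    images = dict(GOOD_IMAGES)
    images[stage] = payload
    return images


if __name__ == "__main__":
    print("untouched :", trusted_stages(GOOD_IMAGES))
    print("app swap  :", trusted_stages(tampered("app", b"repackaged app")))
    print("jailbreak :", trusted_stages(tampered("os", b"jailbroken OS")))
    print("kernel    :", trusted_stages(tampered("kernel", b"patched kernel")))
```

Running it shows the slide's point directly: a replaced application leaves the kernel and OS trusted, a jailbroken OS leaves only the kernel trusted, and a patched kernel leaves nothing trusted, including the untouched OS and application images above it. The same logic is what a remote-attestation service would apply before letting a device reach enterprise data.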
Veracode Mobile Top 10 [1]
Malicious Functionality
1. Activity monitoring and data retrieval
2. Unauthorized dialing, SMS, and payments
3. Unauthorized network connectivity (exfiltration or command & control)
4. UI Impersonation
5. System modification (rootkit, APN proxy config)
6. Logic or Time bomb
Vulnerabilities
7. Sensitive data leakage (inadvertent or side channel)
8. Unsafe sensitive data storage
9. Unsafe sensitive data transmission
10. Hardcoded password/keys
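The "Vulnerabilities" half of the list (items 7 to 10) is the part a reviewer can catch in source before release. The scanner below is an added example, not part of the slides or of Veracode's list: it runs four deliberately simple string patterns over two constructed Android-style Java snippets, one that trips every check and one that has been hardened. The class names, endpoints and key strings are invented sample data; a hit is a lead for manual review, not proof of a vulnerability, and a clean run proves nothing beyond the absence of these particular patterns.

```python
"""Added example, not from the slides or from Veracode: a small source
scanner for Mobile Top 10 items 7-10, run over constructed Java snippets."""
import re

# (Top 10 item, finding, pattern). Item 7 is covered only for one side
# channel here (the debug log); items 8-10 map directly onto the slide.
CHECKS = [
    (7, "sensitive value written to the debug log",
     re.compile(r"\bLog\.[vdiwe]\(.*\b(password|passwd|token|secret|pin)\b", re.I)),
    (8, "file created world-readable or world-writable",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    (9, "cleartext http:// endpoint",
     re.compile(r"""["']http://""")),
    (10, "hardcoded credential or key in a string literal",
     re.compile(r"""\b(password|secret|api_?key|private_?key)\w*\s*=\s*["'][^"']{4,}["']""", re.I)),
]


def scan(source: str) -> list:
    """Return [(line_number, item, finding), ...] for every check that matches."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for item, finding, pattern in CHECKS:
            if pattern.search(line):
                findings.append((line_no, item, finding))
    return findings


def items_hit(source: str) -> list:
    """Sorted, de-duplicated Top 10 item numbers the source trips."""
    return sorted({item for _, item, _ in scan(source)})


# Constructed sample: one class that trips all four checks.
VULNERABLE = """\
public class LoginActivity {
    private static final String API_KEY = "sk_live_constructed_sample_key";
    private static final String ENDPOINT = "http://api.example.test/login";
    void save(Context ctx, String password) throws IOException {
        Log.d("login", "pw=" + password);
        ctx.openFileOutput("creds", Context.MODE_WORLD_READABLE);
    }
}
"""

# Constructed sample: the same class after review. The key is no longer a
# literal (it would be obtained from the platform key store at runtime),
# the endpoint uses TLS, the log line carries no secret, and the file is
# private to the application.
HARDENED = """\
public class LoginActivity {
    private static final String ENDPOINT = "https://api.example.test/login";
    void save(Context ctx, String password) throws IOException {
        Log.d("login", "credential stored");
        ctx.openFileOutput("creds", Context.MODE_PRIVATE);
    }
}
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, "-> items", items_hit(src))
        for line_no, item, finding in scan(src):
            print(f"  line {line_no}: item {item}: {finding}")
```

The patterns are intentionally crude (item 10, for instance, will also flag a UI label stored in a variable called `passwordHint`), which is the right trade-off for a pre-review sweep: cheap to run on every commit, with the false positives resolved by a human. The checks that matter most in practice are 9 and 10, because a cleartext endpoint or an embedded key is exploitable without touching the device at all.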
Summary: What to look for
Device and applications
• Do not jail-break the device
• Utilise mobile OS security features (access control, encryption)
• Follow data classification policies – what data can be on mobile devices and what protection is required
• Follow best practices for mobile application development
Enterprise Network
• Configure VPN for mobile devices
• Provision VPN profiles for seamless connectivity
• Monitor traffic for data exfiltration
• Enable processes to wipe devices
• Data security policy includes device capabilities and position
Resources
1. Veracode Mobile App Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/
2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02
3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile
4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones
5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf
6. Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92).aspx