CIS13: Don't Let Mobile be the Achilles Heel for Your Enterprise Security

Michael Sutton, Vice President of Security Research, Zscaler
Nothing will more dramatically alter the enterprise security landscape than mobile devices, especially those that are employee owned (BYOD). While mobile devices can greatly improve employee productivity, they don't play nice with legacy enterprise security controls. Are you stuck choosing between the lesser of two evils—lowering security by permitting mobile access or maintaining the status quo by banishing mobile access altogether? Despite the many hurdles that today's mobile OSes pose for enterprise security, with the right policies and technologies, it's possible to ensure that mobile employees are just as secure as those sitting at their desks.

CIS13: Don't Let Mobile be the Achilles Heel for Your Enterprise Security

  1. Secure. Everywhere. ©2013 Zscaler, Inc. All rights reserved.
     Don't Let Mobile be the Achilles Heel for Your Enterprise Security
     Michael Sutton, VP, Security Research
     July 12, 2013
  2. whois
     § Zscaler
       – VP, Security Research
       – SaaS based solution for end user web security
       – ThreatLabZ – security research arm of the company
     § Background
       – Founding Member – Cloud Security Alliance
       – SPI Dynamics – acquired by HP
       – iDefense – acquired by VeriSign
     § Research
       – Web security
       – Client-side vulnerabilities
       – Book – Fuzzing: Brute Force Vulnerability Discovery
  3. Three Mega Trends in IT
     This turns traditional security & networking upside down:
       – Businesses adopt Mobile
       – Cloud goes mainstream
       – Social meets Enterprise
  4. (In)visibility
     § HQ
       – Consolidate data from disparate systems (IDS, IPS, Firewall, AV, etc.)
       – Internal/external view
     § Regional offices
       – Consolidate data to obtain comprehensive threatscape
     § Acquisition
       – Incompatible technologies
     § Remote Employees
       – Poor user experience (forced VPN) vs weak security (split tunnel)
     § Cloud
       – Losing control of data
     (Diagram: HQ, Regional Office, Acquisition, Remote Employees, Cloud)
  5. Threat Mitigation
     (Chart: threat complexity vs. resource complexity, measured in appliances and man hours; black/white listing, antivirus, IDS/IPS and behavioral analysis plotted against APTs and targeted attacks)
  6. Global Threat Mitigation
     (Chart: the same stack – BW list, AV, IDS/IPS, BA – repeated once per location, on the same threat complexity vs. resource complexity axes)
  7. Why enterprise security is failing to keep pace
     Current Enterprise Security:
     Security Threats – Continually evolving attacks defeat security
       – Dynamic attacks: malware only delivered when effective
       – Legitimate resources: popular sites/results deliver attacks
       – Targeted attacks: well funded, skilled attackers leverage custom attacks to exfiltrate sensitive data and often go undetected for months
       – Mobile: custom attacks target always-on, mobile devices
     Endpoint Security – Host based security (Anti-virus, HIPS, etc.)
       – Threats: AV struggles with dynamic, web based threats
       – Signatures: static signatures to keep pace with the volume of attacks seen in the wild
       – Support: different solutions from different vendors
       – Mobile: degrades device performance and is not an option on iOS devices
     Gateway Security – Appliance based Secure Web Gateway solutions
       – URL filtering: static blacklists cannot protect against threats on legitimate sites
       – Visibility: batch reporting from individual appliances
       – Support: enterprise remains responsible for patching and maint.
       – Mobile: appliances cannot see traffic for remote employees
     Security Gap
     Security Needs – How do we close the gap?
       – In-line, real-time: block/allow decision based on actual content
       – Full content inspection: complete bi-directional inspection of all traffic
       – Encrypted traffic: malware cannot hide in SSL encrypted channels
       – Dynamic reputation: real-time reputation scoring
       – Big data: continual cloud mining
       – Any device/location: consistent policy enforcement
  8. How iOS is Forcing Enterprises to Rethink Security
     Yesterday vs. Tomorrow:
       – Malware: Host based AV / Background apps/services prohibited
       – Network: Controlled while on-premises / 3G connectivity bypasses network controls
       – Traffic: Most HTTP(S) traffic browser based / Most HTTP(S) traffic app driven
       – Data leakage: Appliance based DLP / Device regularly off-premises
       – Ownership: Corporate owned asset / Personal asset
  9. Is this the Year?
     "To date, mobile devices such as smartphones and tablets have been pretty safe from malware. This era may well have come to an end. The reason mobile devices have been immune is arguably because in many ways the opportunities to capitalize on weaknesses and flaws in the relatively young operating systems of these new products have been scarce in comparison to the millions of machines running, for example, Windows."
     – 2013: The Year Android Users Get Pwned, Mark Gibbs, Contributor, CIO NETWORK | 4/24/2013 @ 10:43PM | 124 views
  10. Is Mobile Malware on the Rise?
      (Chart: Mobile vs. PC; source: Lookout Mobile Security)
  11. All Devices Are Not Created Equal
      § PCs often run numerous server side services such as RDP, RPC, HTTP, FTP, etc.
      § Mobile app stores provide a validation layer
      § Mobile fragmentation (among both vendors and O/S versions) limits total exposure
      § PC browser plugin framework a significant malware entry point
      § Malicious apps can be revoked via official app stores
  12. Rapid Growth
      § Rapid adoption of web development at the turn of the century ensured that security was an afterthought…
      § …history is repeating itself in the mobile space
      § Many apps are outsourced to 3rd parties and not properly tested for vulnerabilities and data leakage
  13. Mobile Challenges
      § Ownership
        – BYOD, cloud and social are forcing CISOs to lose control of the devices and data that they are tasked with managing
      § Visibility
        – Enterprises have significant blind spots and are no longer able to understand total risk and exposure
          » Remote users bypass appliances
          » Reporting not consolidated
      § Hyper-growth
        – Lack of security tools and skills to fully understand security/privacy
        – Blind trust of App Store gatekeepers
      § Traditional endpoint security is dead
        – Host based – Resource constraints and restrictive O/S ecosystem
        – Appliance based – Can't protect what it can't see
  14. Mobile Identity (Person / Device / Application)
      – Privacy: Passwords, Pers. Ident. Info., Device ID (IMEI), No SSL, Contacts, …
      – Security: XSS, Command injection, Insecure permissions, Data theft, Race condition, …
      – Productivity: Games, Social Networking, Entertainment, …
  15. ZAP – Zscaler Application Analyzer
      http://zap.zscaler.com
  16. ZAP Process
      1. Identify official app URL from iTunes/Google Play, enter into ZAP
      2. Install mitmproxy SSL certificate (optional)
      3. Enter fake personally identifiable information (PII) (optional)
      4. Enter ZAP proxy settings in iOS/Android device (2 minute timeout)
      5. Start ZAP proxy, launch app and use all functionality (2 minute timeout)
      6. Stop proxy, download MiTM file (optional) and analyze traffic
      (Diagram: Mobile Device → ZAP → App Vendor, Advertisers, 3rd Parties)
  17. Device Info Leakage – UDID
      App Name: Hangman ⓇⓈⓈ
      Version: 2.2.6 (July 20, 2012)
      Category: Games
      Ratings: 22,356
      Platform: iOS
      Captured traffic:
        [+]http://ads.mopub.com/m/open?v=8&udid=sha:C6D279823C0BBEDC6E1751CEF09B2BD673FBBD41&id=366248637
        [+]https://ws.tapjoyads.com/connect?mobile_network_code=&country_code=US&device_type=iPod%20touch&app_id=02aa9e96-7734-47b9-a199-187e294ca557&os_version=5.1.1&library_version=8.1.6&language_code=en&lad=0&timestamp=1346830292&platform=iOS&allows_voip=yes&carrier_country_code=&mobile_country_code=&mac_address=00c610c03723&display_multiplier=1.000000&udid=c5a53500780d25743c08f079184903a2d246baad&app_version=1.20&carrier_name=&verifier=37d48f9d34a996dfcda2fd5bb8ee21229afa6f4bfd26d3b2f4edbcd70af81411
        [-]https://www.chartboost.com/api/install.json
          Method: POST
          Host: www.chartboost.com
          User-Agent: HangmanFree/1.20 CFNetwork/548.1.4 Darwin/11.0.0
          Request Body: sdk=2.5.11&os=5.1.1&uuid=c5a53500780d25743c08f079184903a2d246baad&app=4ed32026cb6015bd11000000&ui=0&signature=ecf69ddb296fe193d8963e8a12795707&country=US&bundle=1.20&language=en&model=iPod%20touch&
  18. Weak Authentication – Password Hash
      App Name: Twitxr
      Version: 0.13 (September 5, 2012)
      Category: Social Networking
      Ratings: 484
      Platform: iOS
      Captured traffic:
        [-]http://www.twitxr.com/api/rest/registerNewUser?username=unzscaler&password=42ef56a0090b7b29ab5ee54fc57dc156&email=apps@zscaler.com
          Method: GET
          Host: www.twitxr.com
          User-Agent: Twitxr/1.3 CFNetwork/548.1.4 Darwin/11.0.0
          Server Response: EwNay , 6PvJ
        [+]http://www.twitxr.com/api/rest/checkUserData
        [+]http://m.twitxr.com/?user=unzscaler&md5pass=42ef56a0090b7b29ab5ee54fc57dc156
        [+]http://m.twitxr.com/unzscaler/with_friends
        [+]http://m.twitxr.com/unzscaler/with_friends/
        [+]http://m.twitxr.com/style_mobile_v1.0.css
      The "hash" is an unsalted MD5 of the test password, sent over plain HTTP:
        Michael$ md5 -s Zscal3r!
        MD5 ("Zscal3r!") = 42ef56a0090b7b29ab5ee54fc57dc156
  19. Weak Authentication – Clear Text Password
      App Name: Eventful
      Version: 1.0.4 (Oct 27, 2011)
      Category: Social Networking
      Ratings: 9,415
      Platform: iOS
      Captured traffic:
        [+]http://eventful.com/json/apps/klaxon/start?stsess=(null)
        [-]http://eventful.com/json/apps/klaxon/users/validate
          Method: POST
          Host: eventful.com
          User-Agent: Eventful/1.0.4 CFNetwork/548.1.4 Darwin/11.0.0
          Request Body: password1=Zscal3r!&yob=1980&password2=Zscal3r!&location_id=&gender=M&email=apps%40zscaler.com&opt_partners=1&location_type=&username=unzscaler
          Server Response: {"errors":null,"is_default_eventful_site":"1","home_url":"http://eventful.com/sanjose/events"}
        [+]http://eventful.com/json/apps/klaxon/locations/search?location=38.951549,-77.333655&stsess=(null)
        [+]http://eventful.com/json/apps/klaxon/users/join
        [+]http://eventful.com/json/apps/klaxon/users/edit
  20. Weak Authentication – Shared Libraries
      App Names: Zip Cloud, JustCloud, MyPCBackup, Novatech Cloud
      Version: 1.1.2 (September 22, 2012)
      Category: Productivity
      Vendor: JDI Backup Ltd
      Platform: iOS
      Captured traffic:
        [+]http://data.flurry.com/aas.do
        [-]http://flow.backupgrid.net/account/create
          Method: POST
          Host: flow.backupgrid.net
          User-Agent: ZipCloud 1.0.2 (iPod touch; iPhone OS 5.1.1; en_US)
          Request Body: credentials={"app_time":"100","app":"jdi_ios","app_version":"1.0.2","secret":"","token":""}&payload={"name":"Fnzscaler","password":"Zscal3r!","verify":"1cac4c9b84b77738cb1ede06054ed664","email":"apps@zscaler.com","partner_id":"2"}&version=1.0.0
          Server Response: ;;v# , r , '+4f , %eG}
        [+]http://flow.backupgrid.net/auth/request
        [+]http://flow.backupgrid.net/account/devices
        [+]http://flow.backupgrid.net/device/licence
        [+]http://flow.backupgrid.net/device/roots
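Step 6 of the ZAP process (analyze the captured traffic) is where the findings on slides 17 to 20 come from. As an added example, not part of the deck or of ZAP itself, the Python below triages a constructed capture for the three weakness classes those slides show: device identifiers handed to third parties, a clear-text password over HTTP (including one nested in a JSON payload, as on slide 20), and an unsalted MD5 password hash recognised by re-hashing the throwaway test password. Hostnames, the parameter-name sets and the sample values are assumptions.

```python
import hashlib
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Throwaway password typed into the app during testing (step 3 of the ZAP process).
TEST_PASSWORD = "Zscal3r!"
# Parameter names that carry device identifiers or credentials (assumed sets).
DEVICE_ID_KEYS = {"udid", "uuid", "mac_address", "imei", "device_id"}
CREDENTIAL_KEYS = {"password", "password1", "password2", "md5pass", "passwd"}


def unsalted_md5_matches(value, password):
    """True when value is the bare MD5 of the test password, i.e. no salt and no KDF."""
    return value.lower() == hashlib.md5(password.encode()).hexdigest()


def triage_request(method, url, body=""):
    """Return the findings for one captured request (empty list = nothing flagged)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))  # form-encoded POST fields
    findings = []
    for key, values in params.items():
        if key.lower() in DEVICE_ID_KEYS:
            findings.append(f"device identifier '{key}' sent to {parts.hostname}")
        if key.lower() in CREDENTIAL_KEYS:
            for value in values:
                if unsalted_md5_matches(value, TEST_PASSWORD):
                    findings.append(f"unsalted MD5 of password in '{key}' over {parts.scheme}")
                elif value == TEST_PASSWORD:
                    findings.append(f"clear-text password in '{key}' over {parts.scheme}")
    # Catches a password nested inside a JSON payload (slide 20) that the field scan misses.
    if TEST_PASSWORD in unquote_plus(body) and not any("clear-text" in f for f in findings):
        findings.append(f"clear-text password embedded in {method} body over {parts.scheme}")
    return findings


def triage_capture(capture):
    """Map each captured URL to its findings; entries are (method, url[, body])."""
    return {entry[1]: triage_request(*entry) for entry in capture}


# Constructed capture mirroring the slides' patterns; hosts and IDs are placeholders.
CAPTURE = [
    ("GET", "http://ads.adnetwork.example/m/open?v=8&udid=sha:0000&id=1"),
    ("GET", "http://www.social.example/api/rest/registerNewUser?username=u&password="
            + hashlib.md5(TEST_PASSWORD.encode()).hexdigest()),
    ("POST", "http://events.example/users/validate",
     "password1=Zscal3r%21&yob=1980&password2=Zscal3r%21&username=u"),
    ("POST", "https://backup.example/account/create",
     'payload={"name":"u","password":"Zscal3r!","verify":"00"}'),
]

if __name__ == "__main__":
    for url, findings in triage_capture(CAPTURE).items():
        print(url, "->", findings or ["no findings"])
```

The hash check only recognises the password you typed yourself; a match on a registration request means the app's "hashing" offers no protection once the request is observed.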
  21. Mobile Application Privacy
      (Chart: Android Application Permissions – bars at 60.78%, 54.99%, 44.04%, 42.49%, 31.19%, 9.52%, 3.50%, 3.33%, 2.75%, 1.72%; iOS Application Behaviors – bars at 79.08%, 61.61%, 59.69%, 41.65%, 35.51%, 25.72%, 13.82%, 9.40%; legend: Device Info., 3rd Parties, Authentication)
  22. Securing Mobile
      How enterprises must adapt in a mobile world
  23. How Mobility turns Enterprise Security Upside Down
      Yesterday
      § Devices, applications & data at Corp HQ or DC
        – Owned and controlled by the enterprise
      § Traffic backhaul
        – Branch offices – MPLS
        – Road warriors – VPN
      § Protect users with appliances
        – On-prem gateway proxies (URL, AV, DLP) enforce policies for users accessing Internet
      Today
      § Mobility
        – Users go direct
        – Data, networks and devices no longer owned/controlled by the enterprise
      (Diagram: Regional Gateway, Branch (MPLS backhaul), HQ, Home / Hotspot and On the Road/Mobile (VPN backhaul; no policy or protection); limited protection and visibility for the mobile workforce)
  24. Zscaler Secure Cloud Gateway
      "Zscaler was the only one that truly delivered an ultra-low latency experience along with exceptional protection from threats. And best of all, it works exactly as advertised."
      Securely Enable Direct to Internet – Nothing good leaks out, nothing bad comes in – Enforce Business Policy
      NO HARDWARE | NO SOFTWARE
      (Diagram: Mobile & Distributed Workforce (Home or Hotspot, HQ, Regional Office) connected through the cloud gateway to Business Applications, Mobile Apps, Cloud Apps, Email Services, and Web 2.0 and Social On-the-go)
  25. Consider Three Users…
      § We must seek security solutions that ensure consistent policy, protection and visibility, regardless of device or location.
      § Cloud provides the opportunity to level the playing field.
      Office / Coffee Shop / Airport
        – Device: PC / Laptop / Tablet/smartphone
        – Protection: IDS, IPS, FW, SWG, DLP, etc. / Host based AV and firewall / Nothing
        – Visibility: Location based reporting / Nothing
  26. ©2013 Zscaler, Inc. All rights reserved.
      zscaler.com | threatlabz.com
      Michael Sutton, VP, Security Research