20120418 Ward Solutions Mobility - Securing your Applications, Pat Larkin
Pat Larkin of Ward Solutions on Mobility – Securing for Applications
Presentation Transcript

  • Mobility – Securing for Applications (Ward Solutions, CONFIDENTIAL)
    www.ward.ie
    Pat Larkin, Business Development Director, 087-2446093, pat.larkin@ward.ie
  • Agenda
    • Introductions
    • Outline security issues for Mobility and Mobile Apps in the Cloud for Enterprises
    • Outline Security Strategies to enable Mobile and Mobile Apps
    • Share our experiences as a Security Consultancy, Auditor/Tester as well as a Security Integrator
    • Q&A
  • Introductions
  • What we do
  • Ward Solutions
    • Ireland's largest dedicated Information Security provider – 45 staff – growing to 60 by 2014
    • Established 1999 - offices in Dublin, Belfast, Limerick and London
    • Debt free – organic growth – profitable – strong reserves, growing 20% per annum
    • A Complete Security Service and Solution provider
    • Broadest set of Information Security services and Solutions in Ireland
    • A reputation for excellence and broad experience in Government & Private Sector (all verticals) - blue chip client base
  • Partnerships
  • Mobility - Some Context
  • Mobility Statistics
    • 35% of tablet sales by 2015 will be Enterprise (Gartner 2012)
    • 17.7m mobile apps downloaded in 2011 (Cylabs 2011)
    • 118.9M tablets forecast sales - 2012 (Gartner 2012)
    • Enterprises now reliant on mobile devices (Cylabs 2011): 31% “heavily reliant”, 18% “extremely reliant”, 7 in 10 more reliant than 12 months ago
  • Lost Smartphone Protection
    Employees/Enterprise consistently fail to protect their mobile devices.
    [Bar chart: protection measures in use – Encryption, Anti-theft device, No protection, Other, Anti-virus/anti-malware, Client firewall, Password or keypad lock; values shown on the chart: 4%, 5%, 11%, 17%, 19%, 31%, 57% (axis 0%–60%)]
  • 3 Types of data loss of concern
    + Data Loss from the Device – e.g. inadvertent or deliberate emailing or posting - bypassing normal corporate gateways etc.
  • Traditional Attack Vectors – Shifting Trend: PC Malware Growth Slows
    Growth of PC-based malware continued to decline but don’t get complacent. The cumulative number of unique malware samples still exceeds the 75 million mark. (McAfee Q4 threat report 2011)
    [Chart: New PC Malware Samples per quarter, Q1 09 to Q4 11; axis 1,000,000 to 7,000,000]
  • Mobile Devices are the new Malware growth segment
    Mobile malware has now established itself as the fastest growing category as attackers continue to experiment with new attacks aimed primarily at the Android platform.
    [Chart: new mobile malware samples per quarter, Q1 10 to Q4 11; axis 0 to 1,800]
  • Reported data Breaches continue to rise / Accelerate
    The number of reports of data breaches via hacking, malware, fraud, and insiders has more than doubled since 2009. In Q4 2011 alone we saw more than 40 breaches publicly reported. (McAfee Q4 threat report)
    Cost per data breach €96 (Ponemon Inst. 2012)
    [Chart: Reported Data Breaches per year, 2005 to 2011; axis 0 to 250]
  • Where we see the threats - server side
    • Application Layer > 80% – this is where Ward mobile app pen tests still find >75% of critical and high vulnerabilities!
    • Services Layer < 10%
    • Network Layer < 5%
    • Host/OS Layer < 1%
  • Enabling Mobility Brings Risk
    [Diagram of business functions – HR, IT, Finance, Sales – with callouts:]
    • There is a policy disconnect between IT and end users
    • More than half of all users don’t lock their devices
    • Almost 1 in 5 devices are lost each year
    • Mobile devices predicted to be New Malware Frontier
  • The benefits are “unstoppable”
    • Employees with mobile devices work 20% longer (Forrester 2011) and respond 30% faster (Motorola 2011)
    • 73% of CIOs - improved employee productivity (CIO magazine 2011)
    • 70% of Consumers using mobile as their primary device (BusinessWeek 2011)
    • Lower operating costs
  • Mobile Application Security Strategy
  • Mobile, non-mobile – principles are the same
    Regulatory Sources → Policies → Risk Assessment → Controls
    Management Controls / Organizational Controls / Technical Controls: Activity, Processes, Procedures, Risk management, Contingency planning, Incident response, Physical security, Personnel security, Certification/verification, Access control, ID & authentication, Auditing, Encryption, Incident detection, Networking, Information classification, Communications, Acceptable use, Perimeter security, Incident response
  • Mobile Threats are similar & different – Mobility’s Unique Challenges Call for Different Approaches to Security
    • THREAT MODELS – PC: Malware, Virus, Phishing, Lost, Stolen Data, Trojans, DoS, Social Engineering. Mobile: Similar to PC + Immaturity, policy gap, ownership, device/data loss, eavesdropping, premium SMS fraud (= +)
    • ATTACK CHANNELS – PC: Browser, Bluetooth, Wi-Fi, Cellular Network, Cross Channel, Email. Mobile: Similar to PC + Malware, trojans, client side attacks, theft, SMS, MMS, App downloads (= +)
    • COMPUTING ENVIRONMENT – PC: Homogeneous OS environment, Largely local computing centric. Mobile: Fragmented OS environment, Cloud-centric, tethered to OS provider (≠)
    Legend: = + similar and more; ≠ divergent
  • Approach
    • Risk Assessment – end to end
    • Risk Treatment on a prioritised basis – end to end
    • Develop organisational, management and technical: Policies, Procedures, Controls
    • Implement
    • Validate
    • Improve
  • Organisational & Management Controls
    (Same diagram as slide 20: Regulatory Sources → Policies → Risk Assessment → Management, Organizational and Technical Controls)
  • Controls - Technical remediation
    • Limited remediation in existing Mobile platforms: AD, ActiveSync; Native encryption, authentication, app control; Virtualisation
    • Strong mature remediation on existing Server side: Secure development practices; Hardening, patching, encryption, RBAC; Firewalls, WAFs, IPS, IDS, VPNs etc.
  • Protecting the client side – Devices, Apps, Data
    • PROTECT MOBILE DEVICES: Device Management (MDM); Anti-Malware; Web Protection
    • PROTECT MOBILE APPS: Enterprise App Store; Application black list, white list, reputations
    • PROTECT MOBILE DATA: Data Protection (Locate, Lock, Wipe, Delete); Jailbroken and Rooted Device Exclusion; Encryption
  • MDM or MDP Lifecycle
    [Lifecycle diagram centred on ePO: Provisioning, Security and Authentication, Policy Management, Compliance, IT Operations Support, Enterprise Application Management]
    • Provisioning – Define security policies, network connectivity, and resources; user self-service provisioning for automatic device personalization
    • Security and Authentication – Enable devices to strongly authenticate against Microsoft CA. Supports two-factor authentication.
    • Policy Management – Remotely perform helpdesk tasks and push security policies and configuration updates over-the-air
    • Compliance – Automatically check devices prior to network access
    • IT Operations Support – Visualize and manage devices centrally through Mobile Device Management
    • Enterprise Application Management – Make apps available in a secure, role-based way. Offer apps for download, links to third-party app stores, and web links.
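The two slides above list the client-side data-protection controls (jailbroken/rooted device exclusion, encryption, locate/lock/wipe) and the lifecycle step "Compliance – automatically check devices prior to network access" without showing what such a check looks like. The following is an added illustration, not code from the presentation or from Ward Solutions or any MDM vendor: a small posture-evaluation gate that takes a device report of the kind an MDM agent would submit and returns an allow/deny decision with the reasons for denial. The report schema, the policy thresholds (minimum OS versions, passcode length, check-in age) and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DeviceReport:
    """Posture attributes an MDM agent would report (constructed schema)."""
    device_id: str
    platform: str                 # "ios" or "android"
    os_version: Tuple[int, ...]   # e.g. (5, 1) for iOS 5.1
    storage_encrypted: bool
    passcode_set: bool
    passcode_length: int
    jailbroken_or_rooted: bool
    mdm_enrolled: bool
    remote_wipe_enabled: bool     # locate / lock / wipe capability
    days_since_checkin: int


@dataclass
class CompliancePolicy:
    """Thresholds are illustrative assumptions, not the presenter's figures."""
    min_os: Dict[str, Tuple[int, ...]] = field(
        default_factory=lambda: {"ios": (5, 1), "android": (4, 0)})
    min_passcode_length: int = 6
    max_checkin_age_days: int = 7


def evaluate(report: DeviceReport, policy: CompliancePolicy) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any single failure denies network access."""
    reasons: List[str] = []
    # Hard exclusions first: a rooted or unmanaged device defeats every other control.
    if report.jailbroken_or_rooted:
        reasons.append("device is jailbroken or rooted")
    if not report.mdm_enrolled:
        reasons.append("device not enrolled in MDM")
    # Data-protection controls from the "Protect Mobile Data" slide.
    if not report.storage_encrypted:
        reasons.append("storage encryption disabled")
    if not report.passcode_set:
        reasons.append("no passcode or keypad lock")
    elif report.passcode_length < policy.min_passcode_length:
        reasons.append(f"passcode shorter than {policy.min_passcode_length}")
    if not report.remote_wipe_enabled:
        reasons.append("remote locate/lock/wipe not enabled")
    # Platform baseline, then freshness of the posture data itself:
    # a stale report says nothing about the device's current state.
    minimum = policy.min_os.get(report.platform)
    if minimum is None:
        reasons.append(f"unsupported platform: {report.platform}")
    elif report.os_version < minimum:      # tuple comparison handles 4.0.4 vs 4.0
        reasons.append("OS version below policy minimum")
    if report.days_since_checkin > policy.max_checkin_age_days:
        reasons.append("posture report is stale; re-check-in required")
    return (not reasons, reasons)


def gate_fleet(reports: List[DeviceReport],
               policy: CompliancePolicy = None) -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate every report and map device_id to its decision."""
    policy = policy or CompliancePolicy()
    return {r.device_id: evaluate(r, policy) for r in reports}


# Constructed sample posture reports (not real devices).
SAMPLE_REPORTS = [
    DeviceReport("ipad-01", "ios", (5, 1, 1), True, True, 6, False, True, True, 1),
    DeviceReport("droid-02", "android", (4, 0, 4), True, True, 4, True, True, True, 2),
    DeviceReport("droid-03", "android", (2, 3, 6), False, False, 0, False, True, False, 12),
]

if __name__ == "__main__":
    for dev, (allowed, reasons) in gate_fleet(SAMPLE_REPORTS).items():
        print(dev, "ALLOW" if allowed else "DENY", "; ".join(reasons))
```

The gate collects every failing control rather than stopping at the first, so the helpdesk sees the full remediation list for a device, and it treats a stale check-in as a failure in its own right: a compliance decision is only as good as the freshness of the posture data it was made on.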
  • Use vendors with capabilities, vision & deep pockets
  • Questions & Answers