Ascure session - Document Transcript

Ascure (c) - www.ascure.com, March 2011

Mobile Security
From a strategic, tactical and operational point of view
Bart De Win, March 28, 2011
Mobile Security - Mobile in Business

About Ascure & the speaker
• Ascure
  – Ascure is a leading, independent provider of information security services
  – We combine in-depth knowledge with the necessary experience to meet your organization's information security challenges and needs.
  – Multi-disciplinary teams to provide the right strategic, architectural and operational services & technologies
  – Ascure Academy
• Myself
  – Principal Risk Management Consultant
  – Leading the competence center on Secure Applications
  – Ph.D. in CS (topic: application security)
  – Author of >60 scientific publications
Mobile Platforms
• Your enterprise will be faced with integrating mobile platforms
• People will be using their favorite platform in your environment

Mobile malware
(title slide; no text in the transcript)
Agenda
• Enterprise strategy
• Secure platform
• Secure application

Enterprise Strategy
Philosophy
• There is no such thing as the best platform
• Strategic considerations:
  – Controlled vs. open platform
  – Within or beyond enterprise boundaries
  – Is the device considered a trusted part of your network?
  – Does it make sense to separate business/private or high/low risk?

Data Protection
• Enterprise data will be stored on smartphones
  – Mail, Office documents, customer data, ...
• Strategic considerations
  – Which data (public vs. confidential)
  – Enterprise policy
  – Full device encryption (including the SD card!)
  – Remote wipe & localization
Application Management
• A smartphone without applications is like ...
• Do you support trusted vs. arbitrary apps?
  – Who defines and assesses trust?
• Think of the difference between the iPhone AppStore and the Android Market

Incident Management & Disaster Recovery?
Secure Platform Considerations

Physical device security
• Small & agile devices -> high risk of loss
• Real solutions are scarce
  – Do they really provide benefits?
• Consider remote disabling & tracking software
System hardening
• User authentication
• Update & patch management
  – Core libraries vs. applications
• Virus scanners
• Running services
• And then there is jailbreaking ...

Privilege management
• Enforce whether users can:
  – Install/update software
  – Use communication technology
    • WLAN
    • Bluetooth
  – Synchronize with arbitrary devices
  – ...
• And then there is jailbreaking ...
Secure Application Considerations

It's life, Jim, but not (exactly) as we know it ...
• Many commonalities with regular (web) applications
  – Computing paradigm
  – Fully functional platforms
  – Never trust the client
  – Insecure programming models
• But also important differences
  – Different security models
  – Restricted security mechanisms
  – Multiple communication mechanisms
Common security models
• All-or-nothing vs. more fine-grained models
  – Typically based on code signing
• Sometimes apps can access each other ...

Rights Management
• Typically based on application signatures
• Application rights management can be complex
• Android vs. iPhone approach
  – Android has 117 different permissions; an app declares the ones it needs in its manifest:

    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
              package="com.android.app.myapp" >
        <uses-permission android:name="android.permission.RECEIVE_SMS" />
        ...
    </manifest>
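Because every Android permission is declared statically in AndroidManifest.xml, the "which rights does this app actually ask for" question from the Rights Management slide can be answered by a script before the app is ever run. The following is an added example written for this transcript (not code from the slides or from Ascure): it parses a manifest, lists the requested permissions, and flags anything outside an allow-list the reviewer derives from the app's functional spec. The sample manifest, the allow-list and the high-risk permission subset are constructed for illustration.

```python
# Added example (not from the Ascure slides): a static manifest check of the
# kind the Rights Management slide calls for. Sample manifest, allow-list and
# high-risk set are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS          # ElementTree's {ns}attr form
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

# Constructed sample: a contact-sync app that also asks for SMS and precise location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.contactsync">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="ContactSync" android:debuggable="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

# What the app is supposed to need according to its (assumed) functional spec.
ALLOWED = {"android.permission.INTERNET", "android.permission.READ_CONTACTS"}

# Permissions a reviewer should always look at twice (illustrative subset only).
HIGH_RISK = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
}


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(NAME_ATTR) for el in root.iter("uses-permission")
                  if el.get(NAME_ATTR))


def audit_manifest(manifest_xml, allowed=ALLOWED):
    """Return (severity, message) findings for permissions outside the allow-list,
    plus a finding if the app is shipped debuggable."""
    root = ET.fromstring(manifest_xml)
    requested = set(requested_permissions(manifest_xml))
    findings = []
    for perm in sorted(requested - allowed):
        severity = "HIGH" if perm in HIGH_RISK else "MEDIUM"
        findings.append((severity, "unexpected permission %s" % perm))
    app = root.find("application")
    if app is not None and app.get(DEBUGGABLE_ATTR) == "true":
        findings.append(("HIGH", 'android:debuggable="true" set in manifest'))
    return findings


if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (severity, message))
```

The allow-list is the important input: it forces someone to write down why each permission is needed, which is exactly the "who defines and assesses trust" question from the Application Management slide. The same check can be run on a decompiled APK during the static-testing phase described later in the deck.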
Top 10 mobile risks (OWASP)
• Insecure or unnecessary client-side data storage
• Lack of data protection in transit
• Personal data leakage
• Failure to protect resources with strong authentication
• Failure to implement a least-privilege authorization policy
• Client-side injection
• Client-side DoS
• Malicious third-party code
• Client-side buffer overflow
• Failure to apply server-side controls

Top 10 Security Controls (OWASP)
• Protect data at rest
• Protect data in transport
• Multi-factor authentication
• Session management
• Least-privilege access control
• Untrusted data validation
• Output encoding
• Enterprise device management
• Keep business logic on the server
• Platform security
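Three items on these two lists ("Failure to apply server-side controls", "Untrusted data validation" and "Keep business logic on the server") are the mobile restatement of the earlier "never trust the client" point: the app runs on a fully functional platform the user owns, so anything it computes or asserts can be altered. The following is an added example for this transcript, not code from the slides or from Ascure. It shows a server-side order handler that authenticates the caller, validates the JSON it receives, checks account ownership against server state, and prices the order from the server's own catalog, discarding any total the client sent. The catalog, session table, account table and JSON request shape are all constructed for illustration.

```python
# Added example (not from the Ascure slides): server-side re-validation of an
# order sent by a mobile client. Catalog, sessions, accounts and the JSON
# request shape are all constructed for illustration.
import json

CATALOG = {"sku-1001": 1999, "sku-2002": 4999}      # price in cents, server-owned
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # bearer token -> user
ACCOUNTS = {"acct-a": "alice", "acct-b": "bob"}      # account -> owning user


class RejectedRequest(Exception):
    """Raised for anything the server will not act on."""


def validate_order(raw):
    """Parse untrusted JSON and keep only the fields the server understands."""
    try:
        body = json.loads(raw)
    except ValueError:
        raise RejectedRequest("malformed JSON")
    if not isinstance(body, dict):
        raise RejectedRequest("body must be an object")
    account, items = body.get("account"), body.get("items")
    if not isinstance(account, str) or not isinstance(items, list) or not items:
        raise RejectedRequest("missing account or items")
    clean = []
    for item in items:
        sku = item.get("sku") if isinstance(item, dict) else None
        qty = item.get("qty") if isinstance(item, dict) else None
        if not isinstance(sku, str) or sku not in CATALOG:
            raise RejectedRequest("unknown sku %r" % (sku,))
        # bool is a subclass of int, so it has to be excluded explicitly
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 100:
            raise RejectedRequest("bad quantity for %s" % sku)
        clean.append((sku, qty))
    # A client-supplied "total", "discount" or "role" field is dropped here:
    # pricing and authorization are decided from server state only.
    return account, clean


def place_order(token, raw):
    """Authenticate, authorize against server-side ownership, price server-side."""
    user = SESSIONS.get(token)
    if user is None:
        raise RejectedRequest("not authenticated")
    account, items = validate_order(raw)
    if ACCOUNTS.get(account) != user:
        raise RejectedRequest("account not owned by caller")
    total = sum(CATALOG[sku] * qty for sku, qty in items)
    return {"user": user, "account": account, "items": items, "total_cents": total}


def outcome(token, raw):
    """Return ('ok', result) or ('rejected', reason) so callers can inspect both."""
    try:
        return "ok", place_order(token, raw)
    except RejectedRequest as exc:
        return "rejected", str(exc)


# Constructed requests: a client that rewrote the total to 1 cent, and one that
# sends a negative quantity hoping for a refund-style credit.
TAMPERED_TOTAL = json.dumps({"account": "acct-a",
                             "items": [{"sku": "sku-2002", "qty": 2}],
                             "total": 1})
NEGATIVE_QTY = json.dumps({"account": "acct-b",
                           "items": [{"sku": "sku-1001", "qty": -5}]})

if __name__ == "__main__":
    print(outcome("tok-alice", TAMPERED_TOTAL))   # priced at 9998, client total ignored
    print(outcome("tok-bob", TAMPERED_TOTAL))     # rejected: account not owned by caller
    print(outcome("tok-bob", NEGATIVE_QTY))       # rejected: bad quantity
    print(outcome("tok-nobody", NEGATIVE_QTY))    # rejected: not authenticated
```

The order of checks matters: authentication first, then structural validation of the body, then authorization against server-side ownership, then the business computation. Nothing the client sends beyond the SKU, quantity and account identifier ever reaches the pricing step, which is what "keep business logic on the server" means in practice.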
Application Testing
• Importance of static & dynamic testing
  – Source code review, disassembly, reverse engineering, patch analysis
  – Debugging, network traffic analysis, attacking remote services
  – Tools are available for the key platforms
• Emulators come in handy to "play" with security/platform assumptions
• Communication facilities

Conclusion
• Mobile security is not a new type of game, although it has its specificities
• You're working with a fully functional platform!
• Enterprise roll-out requires careful consideration
• Application security is a must and a challenge