
iScan Online - PCI DSS Mobile Task Force


Published on

iScan Online presentation to the PCI DSS Mobile task force, illustrating the results of the latest 500 Android Scans


Published in: Technology



  • 1. iScan Online presentation for: PCI DSS Mobile Task Force, April 18, 2013
  • 2. Our Backgrounds (timeline 1997 to 2013): Host Scanning, Network Scanning, Browser Plugin Scanners, Binary Scanners, Mobile Scanning. Years shown on the timeline: 1997, 1998, 2012, 2012, 2013.
  • 3. Remember these Networks? Good Old Days: XP Desktops with a Static IP. Easy to secure. Only worry: sticky notes w/ passwords and customer credit card data. The world has changed... Security and Compliance should lead and not follow.
  • 4. Wake Up Time
      • Mobile is moving faster than the speed of light
      • Threats, attacks and mobile data breaches are here
      • Security and Compliance regulations are for yesterday's network
    Government 2013, battling standards. USGCB audit benchmarks: 1. IE 7, 2. IE 8, 3. Windows XP, 4. Windows XP Firewall, 5. Windows Vista, 6. Windows Vista Firewall, 7. Windows 7, 8. Windows 7 Firewall, 9. Red Hat Linux 5
  • 5. Protecting Card Data. Scan Audit Zone Only. Gets there how? Corporate America's Response to PCI: damn this is expensive. Today's Response to PCI: Encrypt. Segment. Reduce Scope.
  • 6. Compliance 101. What do we tell employees: • Don't write your passwords on sticky notes • Don't write, text, email or store cardholder data. The employee responds? • ? • ? Think users adhere to 101, think again.
  • 7. 2013 - Today's Network. Employees are Mobile. Mobile Cybercrime War has Begun. Employees on the go don't care about security nor compliance. They sell and take down orders!! Devices are on 24/7. Assessment approach has to change.
  • 8. In Case you missed the Tweet: Insecure Smart Mobile Devices = Secure & Compliant PC fatality. [Chart: HP and Dell US 90 Day PC Shipments vs. Android "Daily Activations", 2012 Q1, 2013 Q1, 2013]
  • 9. 7 billion: 2013 global population. 6.3 billion: mobile device subscriptions. 5% stolen (loss or theft). 0% scanned (vulnerabilities or cardholder data).
  • 10. Mobile Standard Work. Purpose: Protect Cardholders. Step 1 Selection, Step 2 Evidence, Step 3 Analyze, Step 4 Repeat History. Remarks: flow or Transaction? Define Mobile procedures, Specs to be assessed, Report & Score, Standards - enforcement Speed. Example Remarks: Mobile threats - too fast for awaiting slow Standards.
  • 11. April 2013 Mobile Scan Analysis: Android Devices. 500 Smartphones and Tablets - Last 500 global scans
  • 12. Scan Deliver Thought Process • PCI Provider - Assess & Service • Acquiring Bank - Compliance proof of results by MID, Theft locate • Vendor - develops technology, standards mapping and features • End user - option to self assess
  • 13. Mobile Scans Performed. Standards are usually not in place until: • Evidence is proven that procedures can be assessed • Procedures can be analyzed to measure risk and mitigation
  • 14. Android Vulnerability Scan • CVSS Scores • CVE numbers • Procedures are familiar, just like PC's but easier • Methodology has to change to assess mobile. [Chart, severity distribution: None 79%, Low 14%, Medium 5%, High 2%]
  • 15. Data Discovery Scan: Cardholder PAN Data. Vulnerability Scan: OS & Applications. Configuration Scan: OS & Applications.
  • 16. Mobile Vulnerabilities vs. History. [Chart: Android, Apple iOS, Novell, Windows, Linux; periods 2011, 2012, Q1-2013, 1998-99]
  • 17. Vulnerable Attack Vector
      Attack Vector                               | Threat Impact       | Remediation
      Stolen / Loss / Misplacement of Device      | Data breach         | Encrypt cardholder data
      SMS / Browser / Email Exploit               | Full device control | Patches / Configurations
      ~Some Malicious App                         | Full device control | Configuration / Patches
      Bluetooth / Tethering / NFC / Wifi          | Partial data loss   | Configuration / User Awareness
      Carrier Network / Black List                | Partial data loss   | Configuration / Policy / Awareness
  • 18. Mobile Configurations
      Sample Configuration Results                     | Severity | % Failed
      Device Storage Encryption Enabled                | 8        | 99
      Password Expired every 30 Days                   | 7        | 97
      Require Password or PIN Check (unlock device)    | 10       | 72
      Device Rooted                                    | 9        | 48
      Allows Non App Market App Installation           | 5        | 44
    18 Configurations - All 500 failed something
  • 19. 8% of scans had PAN data on Android. Protect and assess the transaction? P2PE 'Point to Point Encryption'. Cardholder data on mobile is everywhere? NFC, Google Drive, Dropbox, SMS, Contacts
  • 20. Today's Network: Always connected, Anytime, Anywhere. [Diagram: Corporate Office, Remote Office, Free wifi, Mobile]
      Yesterday - Static Networks are the past; data and devices are not only at corporate. Employees are on the go and working remote.
      Network Today - Small Offices lack security and connect indirectly back to corporate. Transmitting data with BYOD connections who are on/off untrusted networks.
      Network Today - Road warrior: Who hasn't connected to a free wifi network. Multiple network connections over ~untrusted Wifi / 4G.
      Network Today - Employee Mobile Devices can now be assessed for threats, but not with historical network approaches.
  • 21. Mobile Audit - Fast, Easy, Affordable. Mobile facts vs. Non-Mobile: More likely to be stolen or lost, equating to an increase in potential cardholder breaches. ~Processing w/ a financial app - Banks to get a call guaranteed. Vulnerabilities & configurations are equally important to assess and remediate, if not more important than traditional PC's. Are your employees storing cardholder data? Just like not writing down passwords. They are going to SMS and store it.
  • 22. My Suggestions
      1. Baseline - Many existing procedures can be used from DSS 2.0
      2. Rapid Adopt - Mobile moves fast and standards should as well
      3. Influence buyin - Individuals: Merchant, Council, Vendor, Bank, Providers
      4. Automate - Utilize XML, JSON for communication and sharing
      5. Continuous - Changes to ensure costs don't outweigh the threat
  • 23. Questions? More Information? iScan Online, Inc., 19111 Dallas Parkway, Suite 200, Dallas, TX 75287. Billy Austin, President, austin@iscanonline.com, 214-276-1148