1. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 1 TOP 10 MOBILE RISKS Vladimir Jirasek CISSP-ISSAP & ISSMP, CISM, CISA Senior Enterprise Security Architect, Nokia Steering Group, Common Assurance Maturity Model Non-executive director, CSA UK & Ireland
2. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 2I am going to talk about ….• Risks associated with mobile devices• Mobile Applications threat model• Mobile risks in an Enterprise• Mobile device as a Trusted device• Mobile security models• Mobile Top 10• Not all doom and gloom: What to look for
3. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 3Mobile devices are ubiquitous for most people Mobile devices Used by people To access services they with power of around the globe want, communicate withaverage computer in personal and other people, shop and business life play Either online or via mobile apps
4. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 4 And the risks associated with the use cases are Power (CPU) andstorage with seamless Accessing potentially and always on Traveling with people private and sensitive connectivity all the time. data, managing critical Millions lost everyday transactions. Mobile devices Used by people To access services they with power of around the globe want, communicate withaverage computer in personal and other people, shop and business life play Mobile phone is your most personal computer and it needs to be wellmobile Either online or via protected to become a trusted device. apps
5. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 5Mobile device use cases threat model Mobile device is Mobile device is is used Mobile device is compromised to conduct malicious lost or stolen with malware activity Malicious Loss of data, Unauthorised activity, Loss of potential transactions, data, Monitoring malicious activity Botnets, Attack of activity, Botnet on web services
6. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 6Mobile device risk in an Enterprise Enterprise control Un-controlled data sync Un-managed personal device Enterprise control Un-controlled data access Un-managed mobile device
7. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 7Mobile threats summary • Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content, malicious proxy servers• Malware – traditional viruses, worms, and Trojan horses• Social engineering attacks – phishing. Also used to install malware.• Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls)• Malicious and unintentional data loss – exfiltration of information from phone• Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
8. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 8 Mobile device as a trusted device: [4,5] How does mobile HW and OS hold up? Typicallycontains System on Chip (SoC) Load mobile Load Kernel and applications mobile OS Application OS security segregation, capabilities are security reviews crucial Enterprise apps accessed from If Trust is not assured from HW up then mobile devices there is no trust at all!
9. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 9Mobile Security Models • Traditional Access Control: passwords and idle-time screen locking.• Application Provenance: Application signing and Application review in App store• Encryption: Encryption of device data and application data• Isolation: traditional Sandboxing and Storage separation• Permissions-based access control: Limiting application to needed functionality only All must be supported by Trust from Jailbreaking breaks HW up. the security model!
10. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 10Veracode Mobile Top 10  Malicious Functionality Vulnerabilities1. Activity monitoring and 7. Sensitive data leakage data retrieval (inadvertent or side2. Unauthorized dialing, channel) SMS, and payments3. Unauthorized network 8. Unsafe sensitive data connectivity (exfiltration or storage command & control) 9. Unsafe sensitive data4. UI Impersonation transmission5. System modification 10. Hardcoded (rootkit, APN proxy config)6. Logic or Time bomb password/keys
11. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 11Summary: What to look for Device and applications Enterprise Network• Do not jail-break the device • Configure VPN for mobile• Utilise mobile OS security devices features (access control, • Provision VPN profiles for encryption) seamless connectivity• Follow data classification • Monitor traffic for data policies – what data can be exfiltration on mobile devices and what • Enable processes to wipe protection is required devices• Follow best practices for • Data security policy includes mobile application device capabilities and development position
12. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 12Resources1. Veracode Mobile app Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=2011 0627_023. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture- of-smartphones5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec- comparison-ETHZ-mar2011.pdf6. Security in Windows Phone 7 - http://msdn.microsoft.com/en- us/library/ff402533(v=VS.92).aspx