SlideShare a Scribd company logo

Mobile security summit - 10 mobile risks

Download as PPTX, PDF
Vladimir Jirasek
Vladimir Jirasek
Technology
1 of 12
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 1 TOP 10 MOBILE RISKS Vladimir Jirasek CISSP-ISSAP & ISSMP, CISM, CISA Senior Enterprise Security Architect, Nokia Steering Group, Common Assurance Maturity Model Non-executive director, CSA UK & Ireland
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 2 I am going to talk about …. • Risks associated with mobile devices • Mobile Applications threat model • Mobile risks in an Enterprise • Mobile device as a Trusted device • Mobile security models • Mobile Top 10 • Not all doom and gloom: What to look for
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 3 Mobile devices are ubiquitous for most people Mobile devices Used by people To access services they with power of around the globe want, communicate with average computer in personal and other people, shop and business life play Either online or via mobile apps
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 4 And the risks associated with the use cases are Power (CPU) and storage with seamless Accessing potentially and always on Traveling with people private and sensitive connectivity all the time. data, managing critical Millions lost everyday transactions. Mobile devices Used by people To access services they with power of around the globe want, communicate with average computer in personal and other people, shop and business life play Mobile phone is your most personal computer and it needs to be wellmobile Either online or via protected to become a trusted device. apps
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 5 Mobile device use cases threat model Mobile device is Mobile device is is used Mobile device is compromised to conduct malicious lost or stolen with malware activity Malicious Loss of data, Unauthorised activity, Loss of potential transactions, data, Monitoring malicious activity Botnets, Attack of activity, Botnet on web services
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 6 Mobile device risk in an Enterprise Enterprise control Un-controlled data sync Un-managed personal device Enterprise control Un-controlled data access Un-managed mobile device
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 7 Mobile threats summary [2] • Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content, malicious proxy servers • Malware – traditional viruses, worms, and Trojan horses • Social engineering attacks – phishing. Also used to install malware. • Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls) • Malicious and unintentional data loss – exfiltration of information from phone • Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 8 Mobile device as a trusted device: [4,5] How does mobile HW and OS hold up? Typically contains System on Chip (SoC) Load mobile Load Kernel and applications mobile OS Application OS security segregation, capabilities are security reviews crucial Enterprise apps accessed from If Trust is not assured from HW up then mobile devices there is no trust at all!
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 9 Mobile Security Models [2] • Traditional Access Control: passwords and idle-time screen locking. • Application Provenance: Application signing and Application review in App store • Encryption: Encryption of device data and application data • Isolation: traditional Sandboxing and Storage separation • Permissions-based access control: Limiting application to needed functionality only All must be supported by Trust from Jailbreaking breaks HW up. the security model!
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 10 Veracode Mobile Top 10 [1] Malicious Functionality Vulnerabilities 1. Activity monitoring and 7. Sensitive data leakage data retrieval (inadvertent or side 2. Unauthorized dialing, channel) SMS, and payments 3. Unauthorized network 8. Unsafe sensitive data connectivity (exfiltration or storage command & control) 9. Unsafe sensitive data 4. UI Impersonation transmission 5. System modification 10. Hardcoded (rootkit, APN proxy config) 6. Logic or Time bomb password/keys
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 11 Summary: What to look for Device and applications Enterprise Network • Do not jail-break the device • Configure VPN for mobile • Utilise mobile OS security devices features (access control, • Provision VPN profiles for encryption) seamless connectivity • Follow data classification • Monitor traffic for data policies – what data can be exfiltration on mobile devices and what • Enable processes to wipe protection is required devices • Follow best practices for • Data security policy includes mobile application device capabilities and development position
2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 12 Resources 1. Veracode Mobile app Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/ 2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=2011 0627_02 3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile 4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture- of-smartphones 5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec- comparison-ETHZ-mar2011.pdf 6. Security in Windows Phone 7 - http://msdn.microsoft.com/en- us/library/ff402533(v=VS.92).aspx

Recommended

The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate ITPeter Wood
 
The challenges of BYOD for campus network by Leonard Raphael
The challenges of BYOD for campus network by Leonard RaphaelThe challenges of BYOD for campus network by Leonard Raphael
The challenges of BYOD for campus network by Leonard RaphaelBeamos Technologies
 
Android security a survey of issues, malware penetration, and defenses
Android security a survey of issues, malware penetration, and defensesAndroid security a survey of issues, malware penetration, and defenses
Android security a survey of issues, malware penetration, and defensesLeMeniz Infotech
 
BETTER- Threat Whitepaper- PoS
BETTER- Threat Whitepaper- PoSBETTER- Threat Whitepaper- PoS
BETTER- Threat Whitepaper- PoSPurna Bhat
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
 
U S Embassy Event - Today’S Cyber Threats
U S Embassy Event - Today’S Cyber ThreatsU S Embassy Event - Today’S Cyber Threats
U S Embassy Event - Today’S Cyber ThreatsNarinrit Prem-apiwathanokul
 
Report on Mobile security
Report on Mobile securityReport on Mobile security
Report on Mobile securityKavita Rastogi
 
Managing and securing the enterprise
Managing and securing the enterpriseManaging and securing the enterprise
Managing and securing the enterpriseAbha Damani
 

Recommended

The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate ITPeter Wood
 
The challenges of BYOD for campus network by Leonard Raphael
The challenges of BYOD for campus network by Leonard RaphaelThe challenges of BYOD for campus network by Leonard Raphael
The challenges of BYOD for campus network by Leonard RaphaelBeamos Technologies
 
Android security a survey of issues, malware penetration, and defenses
Android security a survey of issues, malware penetration, and defensesAndroid security a survey of issues, malware penetration, and defenses
Android security a survey of issues, malware penetration, and defensesLeMeniz Infotech
 
BETTER- Threat Whitepaper- PoS
BETTER- Threat Whitepaper- PoSBETTER- Threat Whitepaper- PoS
BETTER- Threat Whitepaper- PoSPurna Bhat
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
 
U S Embassy Event - Today’S Cyber Threats
U S Embassy Event - Today’S Cyber ThreatsU S Embassy Event - Today’S Cyber Threats
U S Embassy Event - Today’S Cyber ThreatsNarinrit Prem-apiwathanokul
 
Report on Mobile security
Report on Mobile securityReport on Mobile security
Report on Mobile securityKavita Rastogi
 
Managing and securing the enterprise
Managing and securing the enterpriseManaging and securing the enterprise
Managing and securing the enterpriseAbha Damani
 
Mobile Security
Mobile Security Mobile Security
Mobile Security Fresh Digital Group
 
Article on Mobile Security
Article on Mobile SecurityArticle on Mobile Security
Article on Mobile SecurityTharaka Mahadewa
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?Tyler Shields
 
880 st011
880 st011880 st011
880 st011Chandra Rao
 
Top Cyber Security Concerns for Small Businesses
Top Cyber Security Concerns for Small BusinessesTop Cyber Security Concerns for Small Businesses
Top Cyber Security Concerns for Small BusinessesJairo Batista, MBA
 
[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention[Infographic] Data Loss Prevention
[Infographic] Data Loss PreventionSeqrite
 
[Infographic] 7 Cyber attacks that shook the world
[Infographic] 7 Cyber attacks that shook the world[Infographic] 7 Cyber attacks that shook the world
[Infographic] 7 Cyber attacks that shook the worldSeqrite
 
Ijetr042177
Ijetr042177Ijetr042177
Ijetr042177Engineering Research Publication
 
Decision-Zone Introduction
Decision-Zone IntroductionDecision-Zone Introduction
Decision-Zone IntroductionRocco Magnotta
 
Solving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtSolving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtRoopa Nadkarni
 
IRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET Journal
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Source Conference
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threatillustro
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Managementipspat
 
The Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityThe Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityAVG Technologies AU
 
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting SeriousThe Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting SeriousIBM Security
 
Context based access control systems for mobile devices
Context based access control systems for mobile devicesContext based access control systems for mobile devices
Context based access control systems for mobile devicesLeMeniz Infotech
 
Anti-Fraud Datasheet
Anti-Fraud DatasheetAnti-Fraud Datasheet
Anti-Fraud DatasheetMani Rai
 
5 Data Breach Charts for the Board Room
5 Data Breach Charts for the Board Room5 Data Breach Charts for the Board Room
5 Data Breach Charts for the Board RoomMAX Risk Intelligence by LOGICnow
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantVladimir Jirasek
 
Qualys Webex 24 June 2008
Qualys Webex 24 June 2008Qualys Webex 24 June 2008
Qualys Webex 24 June 2008Vladimir Jirasek
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud securityVladimir Jirasek
 

More Related Content

What's hot

Article on Mobile Security
Article on Mobile SecurityArticle on Mobile Security
Article on Mobile SecurityTharaka Mahadewa
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?Tyler Shields
 
Top Cyber Security Concerns for Small Businesses
Top Cyber Security Concerns for Small BusinessesTop Cyber Security Concerns for Small Businesses
Top Cyber Security Concerns for Small BusinessesJairo Batista, MBA
 
[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention[Infographic] Data Loss Prevention
[Infographic] Data Loss PreventionSeqrite
 
[Infographic] 7 Cyber attacks that shook the world
[Infographic] 7 Cyber attacks that shook the world[Infographic] 7 Cyber attacks that shook the world
[Infographic] 7 Cyber attacks that shook the worldSeqrite
 
Decision-Zone Introduction
Decision-Zone IntroductionDecision-Zone Introduction
Decision-Zone IntroductionRocco Magnotta
 
Solving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtSolving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtRoopa Nadkarni
 
IRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET Journal
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Source Conference
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threatillustro
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Managementipspat
 
The Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityThe Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityAVG Technologies AU
 
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting SeriousThe Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting SeriousIBM Security
 
Context based access control systems for mobile devices
Context based access control systems for mobile devicesContext based access control systems for mobile devices
Context based access control systems for mobile devicesLeMeniz Infotech
 
Anti-Fraud Datasheet
Anti-Fraud DatasheetAnti-Fraud Datasheet
Anti-Fraud DatasheetMani Rai
 

What's hot (19)

Mobile Security
Mobile Security Mobile Security
Mobile Security
 
Article on Mobile Security
Article on Mobile SecurityArticle on Mobile Security
Article on Mobile Security
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?
 
880 st011
880 st011880 st011
880 st011
 
Top Cyber Security Concerns for Small Businesses
Top Cyber Security Concerns for Small BusinessesTop Cyber Security Concerns for Small Businesses
Top Cyber Security Concerns for Small Businesses
 
[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention
 
[Infographic] 7 Cyber attacks that shook the world
[Infographic] 7 Cyber attacks that shook the world[Infographic] 7 Cyber attacks that shook the world
[Infographic] 7 Cyber attacks that shook the world
 
Ijetr042177
Ijetr042177Ijetr042177
Ijetr042177
 
Decision-Zone Introduction
Decision-Zone IntroductionDecision-Zone Introduction
Decision-Zone Introduction
 
Solving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtSolving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holt
 
IRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and Threats
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
The Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityThe Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our Community
 
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting SeriousThe Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
 
Context based access control systems for mobile devices
Context based access control systems for mobile devicesContext based access control systems for mobile devices
Context based access control systems for mobile devices
 
Anti-Fraud Datasheet
Anti-Fraud DatasheetAnti-Fraud Datasheet
Anti-Fraud Datasheet
 
5 Data Breach Charts for the Board Room
5 Data Breach Charts for the Board Room5 Data Breach Charts for the Board Room
5 Data Breach Charts for the Board Room
 

Viewers also liked

Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantVladimir Jirasek
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud securityVladimir Jirasek
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir JirasekISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir JirasekVladimir Jirasek
 
CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011Vladimir Jirasek
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Vladimir Jirasek
 

Viewers also liked (6)

Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
 
Qualys Webex 24 June 2008
Qualys Webex 24 June 2008Qualys Webex 24 June 2008
Qualys Webex 24 June 2008
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir JirasekISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
 
CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 

Similar to Mobile security summit - 10 mobile risks

Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksMichael Davis
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsVince Verbeke
 
Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2SHOLOVE INTERNATIONAL LLC
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)Vince Verbeke
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityLenin Aboagye
 
Mobile and SIM data - quantifying the risk - 2011
Mobile and SIM data - quantifying the risk - 2011Mobile and SIM data - quantifying the risk - 2011
Mobile and SIM data - quantifying the risk - 2011CPPGroup Plc
 
Is6120 data security presentation
Is6120 data security presentationIs6120 data security presentation
Is6120 data security presentationJamesDempsey1
 
Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx1SI19IS064TEJASS
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2Santosh Satam
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesBee_Ware
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
Securing mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environmentSecuring mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environmentK Singh
 
Third Annual Mobile Threats Report
Third Annual Mobile Threats ReportThird Annual Mobile Threats Report
Third Annual Mobile Threats ReportJuniper Networks
 

Similar to Mobile security summit - 10 mobile risks (20)

Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
 
Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Top 6-Security-Threats-on-iOS
Top 6-Security-Threats-on-iOSTop 6-Security-Threats-on-iOS
Top 6-Security-Threats-on-iOS
 
CyberCrime attacks on Small Businesses
CyberCrime attacks on Small BusinessesCyberCrime attacks on Small Businesses
CyberCrime attacks on Small Businesses
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
 
Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Security
 
Mobile and SIM data - quantifying the risk - 2011
Mobile and SIM data - quantifying the risk - 2011Mobile and SIM data - quantifying the risk - 2011
Mobile and SIM data - quantifying the risk - 2011
 
Is6120 data security presentation
Is6120 data security presentationIs6120 data security presentation
Is6120 data security presentation
 
Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Securing mobile devices 1
Securing mobile devices 1Securing mobile devices 1
Securing mobile devices 1
 
Securing mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environmentSecuring mobile devices_in_the_business_environment
Securing mobile devices_in_the_business_environment
 
Third Annual Mobile Threats Report
Third Annual Mobile Threats ReportThird Annual Mobile Threats Report
Third Annual Mobile Threats Report
 

More from Vladimir Jirasek

Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanningVladimir Jirasek
 
Vulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVladimir Jirasek
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architectureVladimir Jirasek
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009Vladimir Jirasek
 
Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metricsVladimir Jirasek
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesVladimir Jirasek
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White HatsVladimir Jirasek
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architectureVladimir Jirasek
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metricsVladimir Jirasek
 
Federation For The Cloud Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single IdentityFederation For The Cloud Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single IdentityVladimir Jirasek
 

More from Vladimir Jirasek (11)

Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanning
 
Vulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London Gathering
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009
 
Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metrics
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processes
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
Federation For The Cloud Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single IdentityFederation For The Cloud Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single Identity
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Mobile security summit - 10 mobile risks

  • 1. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 1 TOP 10 MOBILE RISKS Vladimir Jirasek CISSP-ISSAP & ISSMP, CISM, CISA Senior Enterprise Security Architect, Nokia Steering Group, Common Assurance Maturity Model Non-executive director, CSA UK & Ireland
  • 2. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 2 I am going to talk about …. • Risks associated with mobile devices • Mobile Applications threat model • Mobile risks in an Enterprise • Mobile device as a Trusted device • Mobile security models • Mobile Top 10 • Not all doom and gloom: What to look for
  • 3. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 3 Mobile devices are ubiquitous for most people Mobile devices Used by people To access services they with power of around the globe want, communicate with average computer in personal and other people, shop and business life play Either online or via mobile apps
  • 4. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 4 And the risks associated with the use cases are Power (CPU) and storage with seamless Accessing potentially and always on Traveling with people private and sensitive connectivity all the time. data, managing critical Millions lost everyday transactions. Mobile devices Used by people To access services they with power of around the globe want, communicate with average computer in personal and other people, shop and business life play Mobile phone is your most personal computer and it needs to be wellmobile Either online or via protected to become a trusted device. apps
  • 5. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 5 Mobile device use cases threat model Mobile device is Mobile device is is used Mobile device is compromised to conduct malicious lost or stolen with malware activity Malicious Loss of data, Unauthorised activity, Loss of potential transactions, data, Monitoring malicious activity Botnets, Attack of activity, Botnet on web services
  • 6. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 6 Mobile device risk in an Enterprise Enterprise control Un-controlled data sync Un-managed personal device Enterprise control Un-controlled data access Un-managed mobile device
  • 7. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 7 Mobile threats summary [2] • Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content, malicious proxy servers • Malware – traditional viruses, worms, and Trojan horses • Social engineering attacks – phishing. Also used to install malware. • Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls) • Malicious and unintentional data loss – exfiltration of information from phone • Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
  • 8. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 8 Mobile device as a trusted device: [4,5] How does mobile HW and OS hold up? Typically contains System on Chip (SoC) Load mobile Load Kernel and applications mobile OS Application OS security segregation, capabilities are security reviews crucial Enterprise apps accessed from If Trust is not assured from HW up then mobile devices there is no trust at all!
  • 9. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 9 Mobile Security Models [2] • Traditional Access Control: passwords and idle-time screen locking. • Application Provenance: Application signing and Application review in App store • Encryption: Encryption of device data and application data • Isolation: traditional Sandboxing and Storage separation • Permissions-based access control: Limiting application to needed functionality only All must be supported by Trust from Jailbreaking breaks HW up. the security model!
  • 10. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 10 Veracode Mobile Top 10 [1] Malicious Functionality Vulnerabilities 1. Activity monitoring and 7. Sensitive data leakage data retrieval (inadvertent or side 2. Unauthorized dialing, channel) SMS, and payments 3. Unauthorized network 8. Unsafe sensitive data connectivity (exfiltration or storage command & control) 9. Unsafe sensitive data 4. UI Impersonation transmission 5. System modification 10. Hardcoded (rootkit, APN proxy config) 6. Logic or Time bomb password/keys
  • 11. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 11 Summary: What to look for Device and applications Enterprise Network • Do not jail-break the device • Configure VPN for mobile • Utilise mobile OS security devices features (access control, • Provision VPN profiles for encryption) seamless connectivity • Follow data classification • Monitor traffic for data policies – what data can be exfiltration on mobile devices and what • Enable processes to wipe protection is required devices • Follow best practices for • Data security policy includes mobile application device capabilities and development position
  • 12. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 12 Resources 1. Veracode Mobile app Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/ 2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=2011 0627_02 3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile 4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture- of-smartphones 5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec- comparison-ETHZ-mar2011.pdf 6. Security in Windows Phone 7 - http://msdn.microsoft.com/en- us/library/ff402533(v=VS.92).aspx