SECURING MOBILEPOPULATIONVladimir JirasekAbout.me/jirasek2nd Dec 2011
About me• Security professional (11 years), current work at WorldPay as Head of Security Solutions• Director, CSA UK & Ireland• I love reading books: thrillers (Clive Cusler) and business management (Jo Owen)• Apple fan
I will cover three topics today• Consumerisation opportunities and challenges• Threats related to mobile devices• Smart devices security architecture• How to fit mobile devices to company security architecture
Consumerisation Hmm, might be tricky but I want to use here is what one device for we can do…. both personal and work stuff Say yes and give clear policies! Access to data and systems based on risk Agree forensic policy and investigations rules for personal devices.
How to manage access – not binaryAccess decisions based on accuracy of following:• Identity – Google apps ID vs. Active directory ID, one factor auth vs. two factor auth• Role – FTE, contractor, cleaner, executive• Device – trusted, non-trusted• Location – inside fw or outside, US vs. China, IPv6 vs IPv4, changes in locations in time• Time – inside working hours or outside,• Data/Application – business impact, approved apps vs consumer apps.
Classifications of systems M anaged U nmanaged Domain joined or mobile Non-domain joined managed T r usted syst ems I solated syst ems · Domain joi ned devices · Non domain joined but · M anaged mobile devices passed t he complianceCompliant (TPM , Bit locker , · Confi gur at ion assessed and checksconfi g and pat ch) compliant St r at egy: Offer managed pat h t o St r at egy: K eep incr ease number of apps and dat a access Vulner able syst ems Rogue systems · Domain joi ned devices · Unknown devices · M anaged mobile devices · Not compliant orN on-Compliant · Non-compliant st at us cannot assess St r at egy: M igr at e t o compliant compliance St r at egy: Block
Evolution of connected world Source: McAfee 100B 10BNumber of Devices 1B Mobile, Cloud… 100M Connected PC 10M PC Minicomputer 1M Mainframe 1960 1970 1980 1990 2000 2010
Revolution in mobile device capabilities Source: McAfee • Microsoft Windows Vista • Blackberry & Palm • iOS App Store • iOS ActiveSync email Apple iPhone launches • Gartner approves iPhone • Gartner says never for the enterprise ready for enterprise • Android G1 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 2007 2008 2009
And its acceleration • iPad2 RIM • Microsoft Windows 7 Playbook • Android Honeycomb with Encryption• iOS 3GS w/ encryption iPad • iCloud launches • iPhone 4s Android tablets • Windows Phone 7 • webOS • Next gen Blackberry Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 2009 2010 2011 2012
Mobile devices threats• Web-based and network-based attacks• Malware• Social engineering attacks• Resource and service availability abuse.• Malicious and unintentional data loss.• Attacks on the integrity of the device’s data.
Mobile platforms – security architecture• Traditional Access Control: Traditional access control seeks to protect devices using techniques such as pass- words and idle-time screen locking.• Application Provenance: Provenance is an approach where each application is stamped with the identity of its author and then made tamper resistant (using a digital signature).• Encryption: Encryption seeks to conceal data at rest on the device to address device loss or theft.• Isolation: Isolation techniques attempt to limit an application’s ability to access the sensitive data or systems on a device.• Permissions-based access control: Permission- based access control grants a set of permissions to each application and then limits each application to Source: Symantec accessing device data/systems that are within the scope of those permissions, blocking the applications if they attempt to perform actions that exceed these permissions.
iOS• The iOS is based on Mac OS X• The number of vulnerabilities and attacks on iOS is very small and usually occurs in 3rd party applications installed on iOS• The OS offers very good security, data protection, encryption, access control• Lack of anonymity in application developer community. It is far more risky to develop malware for iOS.• Certified for Microsoft ActiveSync program
AndroidAndroid is based on Linux and uses the best securityfeatures Linux can offer, such as robust access control andapplication isolation. However, the main security problemwith Android is that:• It is very easy to jailbreak• Users can install any application from any Marketplace• Confusing application access permission confirmations• Many devices do not implement strong device encryption• Google does not control final deployment – vendors and operators may add “features”
Updating of old devices is an an issue forAndroid… By Michael DeGusta TheUnderstatement.com
Windows Phone (Mango release)• Robust security model• Mandatory access control – 4 privilege chambers– similar to Windows 7 (trusted, elevated, standard, least privileged)• Application isolation• Application code-signing• Data isolation• Controlled developer environment• Lack of enterprise VPN features• Immature certificate and key support• Capability notifications and enforcement
Correct approach to mobile security• Secure Device, Applications and Data• Use risk based approach for access control decisions• Less emphasis on whether device is procured by company or user• Extend DLP to mobile• Extend security event and forensic services• Monitor installed apps, jail-breaking and configuration compliance Source: McAfee
References• “A Window Into Mobile Device Security”, Carey Nachenberg, Symantec, 2011• McAfee EMM Site• Mobile Security: Looking Back, Looking Forward, David Goldschlag, McAfee, 2011• Microsoft ActiveSync certification program, http://technet.microsoft.com/en-us/exchange/gg187968.aspx• Microsoft Consumerization Site, http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx• “CISO Perspective: Consumerization of IT” @ RSA Europe 2011, Bret Arsenault, CISO Microsoft,• “Magic Quadrant for Mobile Device Management Software”, Document ID G00211101, Gartner, 2011• “Your Apps Are Watching You,” The Wall Street Journal, December 17, 2010• Windows Phone 7.5 (Mango) Security model explained, http://j4ni.com/blog/?p=59, Jani Nevalainen• Windows Phone Platform Security, http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security, Nokia• Windows Phone Security page, http://msdn.microsoft.com/en-us/library/ff402533(v=vs.92).aspx, Microsoft• VMware Mobile virtual platform, http://www.vmware.com/products/mobile/overview.html• Revolution or Evolution: Information Security 2020, http://www.pwc.co.uk/eng/publications/revolution_or_evolution_information_security_2020.html, PWC, 2010• Consumerisation and Corporate IT Security, http://www.schneier.com/blog/archives/2010/09/consumerization.html, Bruce Schneier, September 2010• Android Orphans: Visualizing a Sad History of Support, http://theunderstatement.com/post/11982112928/android- orphans-visualizing-a-sad-history-of-support, Michael Degusta, October 2011