Mobile Security
Slides about mobile security presented during the BELTUG Security SIG ("Special Interest Group") in January 2013.
Published in: Technology
Transcript

  • 1. Mobile Security. "Bring war material with you from home but forage on the enemy" - Sun Tzu. Xavier Mertens, Beltug SIG Security - Jan 2013
  • 2. Disclaimer. "The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers."
  • 3. Agenda • Introduction: Top-10 mobile risks • Company owned devices • Employee owned devices (BYOD) • Risks inherent in mobile devices • Mobile application development
  • 4. Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection • Client side injection • Poor authentication and authorization • Improper session handling • Security decisions via untrusted inputs • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
  • 5. Top-10 Mobile Risks (the same OWASP list as slide 4, with the overlay "Mobile devices are computers!")
  • 6. Company Owned Devices
  • 7. Easy? Really? • Limited set of manufacturers/OS • Full control of hell? • People try to escape from the jail (as they do with laptops) • Need procedures (backups, helpdesk)
  • 8. Corporate Policy • Must be communicated and approved before the device is provisioned • Communication channels: addendum to a contract, Intranet, a "check box"? • Restrictions (SD cards, Bluetooth, camera) • What about private data? (pictures, MP3s, downloaded (paid!) apps)
  • 9. Examples• Document already available on beltug.be (Members section)• Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
  • 10. Data Classification • Another approach is implementing data classification • Implementation of the "least privilege" principle • Access to data is based on profiles • Works with any device! (a benefit broader than the scope of mobile devices)
  • 11. Data Classification

        Classification        Company Owned Devices   Personal Devices
        Top-Secret            No                      No
        Highly Confidential   No                      No
        Proprietary           Yes                     No
        Internal Use Only     Yes                     Yes
        Public                Yes                     Yes
  • 12. Employee Owned Devices
  • 13. Why do people BYOD? • Devices became cheaper and more powerful • The "Generation Y" • Always online, everywhere!
  • 14. First Question? • Are you ready to accept personal devices on your network? • It's a question of ... risk! • Examples: • Data loss • Network intrusion • Data exfiltration
  • 15. "MDM"? • Do you need an MDM solution? (Mobile Device Management) • Can you trust $VENDORS? • Microsoft Exchange includes ActiveSync for free • Most security $VENDORS offer (basic) tools to handle mobile devices
  • 16. Minimum Requirements • Automatic lock + password • No jailbroken devices • Remote wipe • Backups (who is responsible?)
  • 17. Risks Inherent In Mobile Devices
  • 18. Personal Hotspots • Tethering allows mobile devices to be used as hotspots • Corporate devices (laptops) could bypass Internet access controls • Risk of rogue routers (if IP forwarding is enabled)
  • 19. Rogue App Stores • A mobile device without apps is less useful • Owners tend to install any app • Some apps request far more rights than they need • People trust app stores and developers • Developers must write good code
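Slide 19's point that "some apps request far more rights than they need" is something you can check mechanically rather than by eyeballing a store listing. The following is an added example, not code from the presentation: it parses a decoded AndroidManifest.xml (the manifest inside an APK is binary XML, so the example assumes it has already been decoded, for instance with apktool), and reports every permission at Android's "dangerous" protection level that the app's stated purpose does not justify. The sample manifest for a flashlight app, the `dangerous` list and the package name `com.example.flashlight` are constructed for the example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// sampleManifest is a constructed, decoded AndroidManifest.xml for a
// hypothetical flashlight app (not a real application). Manifests inside an
// APK are binary XML and must be decoded first (e.g. with apktool); this
// example assumes that step is already done.
const sampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>`

// dangerous is a subset of the permissions Android puts at the "dangerous"
// protection level (private data or sensitive device features).
var dangerous = map[string]bool{
	"android.permission.CAMERA":                 true,
	"android.permission.RECORD_AUDIO":           true,
	"android.permission.READ_CONTACTS":          true,
	"android.permission.WRITE_CONTACTS":         true,
	"android.permission.READ_SMS":               true,
	"android.permission.SEND_SMS":               true,
	"android.permission.RECEIVE_SMS":            true,
	"android.permission.ACCESS_FINE_LOCATION":   true,
	"android.permission.ACCESS_COARSE_LOCATION": true,
	"android.permission.READ_CALL_LOG":          true,
	"android.permission.READ_PHONE_STATE":       true,
}

// manifest maps only the parts of the document this check needs.
// `xml:"name,attr"` matches the android:name attribute by its local name.
type manifest struct {
	Package     string `xml:"package,attr"`
	Permissions []struct {
		Name string `xml:"name,attr"`
	} `xml:"uses-permission"`
}

// ExcessPermissions returns, in manifest order, the dangerous permissions the
// app requests that are not in the list its stated purpose justifies.
// Normal-level permissions such as INTERNET are never reported.
func ExcessPermissions(manifestXML string, justified []string) ([]string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return nil, fmt.Errorf("parsing manifest: %w", err)
	}
	allowed := make(map[string]bool, len(justified))
	for _, p := range justified {
		allowed[p] = true
	}
	var excess []string
	for _, p := range m.Permissions {
		name := strings.TrimSpace(p.Name)
		if dangerous[name] && !allowed[name] {
			excess = append(excess, name)
		}
	}
	return excess, nil
}

func main() {
	// A flashlight drives the LED through the camera API, so CAMERA is the
	// only dangerous permission its purpose explains.
	excess, err := ExcessPermissions(sampleManifest, []string{"android.permission.CAMERA"})
	if err != nil {
		panic(err)
	}
	for _, p := range excess {
		fmt.Println("over-privileged:", p)
	}
}
```

For the constructed flashlight manifest the check flags READ_CONTACTS, SEND_SMS and ACCESS_FINE_LOCATION; INTERNET is a normal-level permission and stays silent. The "justified" list is the policy input: it has to come from a review of what the app is for, which is exactly the validation step an enterprise app store (slide 29) is supposed to perform before an app is approved.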
  • 20. QR Codes
  • 21. Geolocalization
  • 22. NFC
  • 23. Home & Cars
  • 24. Mobile Application Development
  • 25. OWASP Mobile Security Project• Mobile testing guide• Secure mobile development guide• Top-10 mobile controls and design principles https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 26. Lack of/Bad Encryption • Developers re-invent the wheel: do not write a new encryption algorithm • Encrypt everything (data at rest, data in motion)
  • 27. Local vs. Remote Storage

                  Pros                              Cons
        Local     No network costs, speed           Risk of loss, outdated data
        Central   Always updated, no risk of loss   Data network ($), speed
  • 28. Geolocalization • Again! But this time for good purposes • Do not allow some actions or apps (e.g. opening a wallet) if GPS data shows the phone is outside Europe • Combine with passwords for stronger authentication/authorization
  • 29. Enterprise Appstores • Goal: distribute, secure and manage mobile apps through your own company-branded appstore • Applications available in the appstore have been approved by a strong validation process
  • 30. Thank You! Xavier Mertens, xavier@rootshell.be, @xme, http://blog.rootshell.be
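Slide 28 proposes refusing sensitive actions, such as opening a wallet, when the GPS position is outside Europe, and combining that with a password. The following is an added example, not code from the presentation, of how that decision can be written: a general point-in-polygon (ray-casting) test against a geofence, wrapped in an authorization function that requires both the password and an acceptable position and fails closed when there is no fix or the fix is stale. The `europe` polygon is a deliberately coarse constructed boundary, and the five-minute `maxFixAge` and the Brussels and New York fixes are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Point is a WGS84 position in decimal degrees.
type Point struct{ Lat, Lon float64 }

// Fix is the device's last GPS reading and the time it was taken.
type Fix struct {
	Pos Point
	At  time.Time
}

// europe is a deliberately coarse constructed polygon standing in for
// "Europe" (corners as lat, lon); a real deployment would load a proper
// boundary. Any simple polygon works with InPolygon.
var europe = []Point{{35, -11}, {35, 28}, {40, 45}, {72, 45}, {72, -11}}

// InPolygon is the classic ray-casting test: cast a ray from p along a line
// of constant latitude towards -infinity longitude and count edge crossings;
// an odd count means p is inside.
func InPolygon(p Point, poly []Point) bool {
	inside := false
	j := len(poly) - 1
	for i := range poly {
		a, b := poly[i], poly[j]
		if (a.Lat > p.Lat) != (b.Lat > p.Lat) {
			crossLon := b.Lon + (p.Lat-b.Lat)*(a.Lon-b.Lon)/(a.Lat-b.Lat)
			if p.Lon < crossLon {
				inside = !inside
			}
		}
		j = i
	}
	return inside
}

// Decision carries the outcome and a reason suitable for an audit log.
type Decision struct {
	Allowed bool
	Reason  string
}

// maxFixAge is an assumption of this example: a fix older than this is not
// trusted to describe where the phone is now.
const maxFixAge = 5 * time.Minute

// AuthorizeWalletOpen combines the location rule with the password check, as
// the slide suggests, and fails closed whenever no trustworthy fix exists.
func AuthorizeWalletOpen(fix *Fix, now time.Time, passwordOK bool) Decision {
	if !passwordOK {
		return Decision{false, "password check failed"}
	}
	if fix == nil {
		return Decision{false, "no GPS fix available, failing closed"}
	}
	if now.Sub(fix.At) > maxFixAge {
		return Decision{false, "GPS fix is stale, failing closed"}
	}
	if !InPolygon(fix.Pos, europe) {
		return Decision{false, "device reports a position outside Europe"}
	}
	return Decision{true, "password OK and device inside Europe"}
}

func main() {
	now := time.Now()
	// Constructed fixes: Brussels and New York.
	brussels := &Fix{Pos: Point{50.85, 4.35}, At: now}
	newYork := &Fix{Pos: Point{40.71, -74.01}, At: now}
	for _, c := range []struct {
		name string
		fix  *Fix
		pw   bool
	}{
		{"Brussels, password OK", brussels, true},
		{"Brussels, wrong password", brussels, false},
		{"New York, password OK", newYork, true},
		{"no fix, password OK", nil, true},
	} {
		d := AuthorizeWalletOpen(c.fix, now, c.pw)
		fmt.Printf("%-26s allowed=%-5v %s\n", c.name, d.Allowed, d.Reason)
	}
}
```

One caveat a practitioner would add: the fix is reported by the device itself, and mock-location providers or a jailbroken phone can feed in any coordinates, so the location is a risk signal that strengthens the password check, not proof of where the phone is. That is also why the function denies rather than allows when no fix is available.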
