What is “mobile security?” Seriously, what is it? Is it hardening controls, policy enforcement, knowing how to test mobile apps, mobile antivirus? And how do I map mobile security into an enterprise security strategy? A year later, it’s still as ubiquitous as it has ever been. However with the sophistication of device-based attacks and with the sheer volume of mobile malware exploding, mobile security maintains its status as a major pain point and a critical element you have to consider when building a security program. Given the research available and the increasing threatscape, mobile security preparedness predicated on managing the strategy is a better option than reactionary measures. What’s new in 2015 is there is more sufficient evidence that mobile attacks will further penetrate enterprise systems based on the increase of mobile device ‘involvement’ in many major hacks (not necessarily root cause traced to devices or compromised mobile apps) This presentation will discuss the key trends impacting mobile security and will lay out an updated set of building blocks to produce a holistic mobile security model: from BYOD to mobile policy development to MDM; common and emerging exploits and targeted malware; the myriad of possible mitigations; and the notion of trusted software vs device-specific consideration. Additionally, before we look at policy implementation best practices, we’ll look at a few key use cases and review a few sample enterprise models to learn how some of top organizations are managing mobile security. Finally, the presentation will take a five-year look outward to determine what impact mobile security will have long-term.

1. Why
You’ll
Care
More
About
Mobile
Security
in
2020
Tom
Bain
@tmbainjr1

2. Presentation
Agenda
• Today’s
emerging
‘threatscape’
+
the
key
trends
impacting
mobile
security
• Common
&
emerging
exploits
+
impact
• Seven
steps
to
tackling
mobile
security
&
a
glimpse
forward
WHAT
WE’LL
COVER
TODAY

3. • Next-­‐generation
security
firm
in
the
EDR
market
• Venture-­‐backed
endpoint
security
organization
with
$56M
total
raise
• Office
locations:
Boston;
Los
Angeles;
Sacramento,
Washington,
DC
• EDR
and
IR
Product
Suite:
(200+
customers)
Sentinel,
Active
Defense,
Responder
PRO
• Recognized
by
Gartner,
451,
ESG
&
Forrester
• Android
sensor
to
GA
soon
Big
Data
Endpoint
Detection
&
Response
Investors

4. Who
Am
I?
@tmbainjr1
@CounterTack
• 13+
years
in
information
security
• CounterTack |
MCSI,
Security
Innovation,
Q1
Labs/IBM,
Application
Security,
Inc./TrustWave,
Sophos,
WAVE
Systems
• Hacker
Halted,
Global
CISO
Forum,
SecureWorld Expo,
ISSA,
OWASP,
Boston
Security
Conference,
Terrapin
Cybersecurity
Conference,
Strata
+
Hadoop
World
• Struggling
musician
• Mobile
device
owner

5. TODAY’S
EMERGING
‘THREATSCAPE’
+
KEY
TRENDS
Enterprise
and
Individual
Threats
are
Colliding

6. You
Can’t
Defend
Against
What
You
Don’t
Understand
In
2014
95%
of
major
data
breaches
were
unknown
Known
Previously
70%
Unknown
30%
2015
Verizon
Business
Data
Breach
Investigations
Report

7. The
Mobile
Explosion
• 73%
organizations
plan
to
spend
increase
spending
on
mobility
• Enterprise/Fortune
500
spend
an
average
of
$34M
developing
mobile
apps
for
business
purposes
• 5.5%
of
the
mobile
budget
is
targeted
at
app
security
• Only
50%
of
organizations
appropriate
budget
toward
securing
mobile
apps
• 62%
of
enterprise
org’s
say
mobile
computing
increases
difficulty
of
security
management
ENTERPRISE
SPENDING

8. The
Mobile
Explosion
ENTERPRISE
PRIORITIES
• 25%
of
organizations
state
that
mobile
computing
platforms
are
the
highest
software
development
priority
• 66%
of
organizations
say
that
mobile
platforms
will
become
the
dominant
software
development
priority
over
the
next
24
months
• 55%
of
enterprises
believe
mobile
computing
increases
productivity
• 300M
mobile
devices
sold
per
quarter
2014
State
of
Mobile
Security,
Enterprise
Strategy
Group

9. Today’s
Threatscape
• Mobile
threats
are
more
pervasive
and
more
sophisticated
• Users
continue
to
engage
in
risky
behavior
• IoT has
opened
up
a
new
attack
surface
• Organizations
find
assessing
their
mobile
security
risk
levels
challenging
• Building
a
mobile
security
policy
presents
multiple
challenges
&
needs
sponsorship
• Targeting
an
individual
can
help
penetrate
an
organization
INCREASED
RISK

10. Today’s
Threatscape
MOBILE
MALWARE:
JUST
LAST
YEAR!
• 98%
of
all
mobile
malware
targets
Android
users
• Kaspersky:
3.4M
malware
detections
on
1.1M
devices
• 60%
of
all
attacks
are
capable
of
stealing
users’
money
• Reported
attacks
have
increased
6X!
(from
35K
in
August
2013
to
242K
as
of
March
2014

11. Today’s
Threatscape
MOBILE
MALWARE:
A
YEAR
LATER
• By
end
of
2014,
an
estimated
16M
devices
were
infected
with
malware
• 80%
believe
mobile
malware
will
become
significantly/somewhat
more
dangerous
over
the
next
two
years
• Estimated
that
11.6M
devices
are
infected
with
malicious
code
at
any
given
time
• Closer
to
99%
of
all
mobile
malware
targets
Android
users
• 57%
of
all
malicious
programs
detected
by
Kaspersky
were
Trojans
designed
to
proliferate
via
SMS

12. Today’s
Threatscape
WE
ARE
SEEING
THE
IMPACT
Reported
a
security
breach
resulting
from
a
compromised
mobile
device
in
2014.
47% 90%
Of
the
most
popular
mobile
applications
have
been
breached.
(multiple
times)

13. Why
Are
We
Here?
CAUSES/PATTERNS
• Lost/stolen
devices
• Jailbroken devices
• Device
misuse
• Non
App
Store
or
Play
Store
3rd party
apps
downloaded
• No
formal
mobile
security
policy

14. COMMON
&
EMERGING
EXPLOITS
+
IMPACT
Specific
Threats
&
Impact

15. StageFright
1
Text
950M
devices

16. FakeToken

17. Spveng
$1M
350K
devices

18. Exploits
@
Black
Hat
• Universal
Android
Rooting
• Researchers:
KEEN
Team
(Wen
Xu)
• Achieved
permanent
root
on
most
Android
devices
through
kernel
memory
control
• @K33nTeam
• iOS
Exploit:
TrustKit
• Researchers:
Data
Theorem
• New
technique
around
SSL
pinning
for
iOS
8
• https://datatheorem.github.io/ios/ssl/2015
/08/08/introducing-­‐trustkit/

19. Android
Kit
Resources

20. iOS
Kit
Resources

21. SEVEN
STEPS
TO
TACKLING
MOBILE
SECURITY
HEAD-­‐ON
There’s
No
One
‘Right’
Way
to
Do
It

22. Assess
Your
Risk
1.
START
WITH
A
CHECKLIST
ü Take
an
inventory
of
your
high-­‐risk
aps
and
mobile
applications.
ü Determine
business
criticality.
ü What’s
your
attack
probability?
ü How
do
you
define
the
attack
surface?
ü Consider
overall
business
impact.
ü Where
does
compliance
factor
in?
ü What
are
the
security
threats?

23. Examine
&
Verify
BYOD
Challenges
2.
VERIFY
CHALLENGES
Devices
Data/Content
Applications
Users
Policy
Management
Integration

24. Access
Controls
&
Organizational
Roles
3.
DETERMINE
WHO
&
WHAT
THEY
DO
• Which
departments/groups/individuals
have
been
most
active
in
developing
policies?
• Has
there
been
any
previous
collaboration
between
policies
and
authors?
• Can
you
identify
a
potential
champion(s)
to
support
the
new
policy?
• Areas
of
agreement
in
commonly
implemented
controls
re:
policies?
• Support
documents,
materials
and
related
policies
should
be
cited
in
mobile
device
policy.

25. Phase
I:
Policy
Construction
ü Consider
risk
scenarios
in
your
business.
ü Adapt
from
proven
or
trustworthy
models.
ü Measure
perception.
ü Understand
roles,
privileges
and
what’s
in
place
today.
ü Get
granular
with
your
questions
&
considerations.
ü Figure
out
a
strategy
for
testing
your
applications.
ü Policy
enforcement.
ü Raise
awareness/required
training.
4.
FACTORS
INFLUENCING
HOW
YOU
BUILD
A
POLICY

26. Phase
II:
Further
Define
Policy
5.
GET
GRANULAR
&
SET
OBJECTIVES
• Provide
contextual,
technical
guidelines
• Map
to
compliance
mandates
• Considers
criticality
of
application
and
data
‒ Requirements,
activities
and
level
of
detail
needed
will
differ
• Have
clear
exception
policies
where
necessary
‒ What
if
minimum
standards
can’t
be
met?
What
is
considered
acceptable?
Who
approves?
• Includes
internally
built
and
third
party
applications
• Reflects
current
maturity
and
skillset
of
staff
‒ The
more
skilled,
the
less
explicit
you
need
to
be
with
policies

27. Mobile
Device
Management
Strategy
6.
BUILD
ON
BROADER
POLICY
• Establish
certificate
policies
to
require
valid
signatures
(VPN,
email,
WiFi)
• Policy
on
no
rooting
– wipe
if
violated
• Define
the
platforms
supported
(firmware
specs,
OS
levels)
• Reporting
of
lost
or
stolen
devices
• Password
policy
– complexity,
length,
time-­‐
out
and
limit
of
re-­‐try’s
• Right
to
wipe
– the
organization
can
reserve
this
right
• Containment
– data
&
apps
isolated
by
authentication
&
crypto
(separate
from
underlying
platform
for
greater
visibility)
• Static
application
testing

28. Enforcement
of
Policy
7.
ENFORCEMENT
STRATEGY
IS
CRITICAL
• You
need
management
buy-­‐in!
• Broad
strategy
vs Targeted
strategy
roll-­‐out
• On-­‐boarding:
‒ Require
all
device
info
as
part
of
hiring
process
‒ Require
policy
training
up
front
• Require
training
for
various
departments:
‒ General
population
receives
awareness
training
‒ Technical
employees
receive
in-­‐depth
training
• Monitor
for
effectiveness
– EX:
Deliver
training
or
reminder
when
employee
is
out
of
compliance.

29. LOOKING
FORWARD
What
Can
We
Expect?

30. Rinse
and
Repeat
Implementation
Technology
People Process
Data

31. By
2020
4.3B
of
global
GDP
(mobile
industry)
people
globally
own
a
mobile
device
infected
devices
unique
subscribers
5.1%
56%
100M

32. Sources
• Containing
Mobile
Security
Risks
with
the
80/20
Rule,
Gartner
• 2015
Mobile
Security
Trends,
IBM
Security
Systems
• The
State
of
Mobile
Computing
Security,
2014,
Enterprise
Strategy
Group
• Introducing
the
Mobile
Security
Assessment
and
Audit
Framework,
Gartner
• Motive
Security
Labs
2H2014
Malware
Report,
Motive
Security/Alcatel-­‐
Lucent
• Mobile
Cyber
Threats,
Kaspersky/Interpol
study
• Managed
Diversity
Model
for
BYOD
and
CYOD
to
Manage
and
Safeguard
Users,
IT
and
Business,
Gartner

33. Thank
you.
Tom
Bain
@tmbainjr1
@CounterTack