SlideShare a Scribd company logo

Protecting Mobile Apps and Security around Bring Your Own Device

C4Media
C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/14bpf2V. Alex Batlin and Shane Williams explore the challenges faced maintaining the security of mobile apps and also take a look at the enterprise implications with the push for BYOD. Filmed at qconlondon.com. Shane is currently regional head of mobile development in Switzerland, developing secure mobile applications across the UBS group. Alex is a Director in UBS's technology innovation, research and development team covering emerging and trending technology topics like big data analytics, social media, cloud and mobile computing, unified communication, post-PC consumer BYOD enterprise architecture.

TechnologyNews & Politics
1 of 55
Protec'ng  Mobile  Apps  and   security  in  the  context  of  Bring  Your   Own  Device     Shane  Williams   Alex  Batlin  
InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations /mobile-security-byod
Presented at QCon London www.qconlondon.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide
THE  BASICS  AND  BACKGROUND  
Basics  –  Security  is  the  same   Confiden9ality     LOSS  =  unauthorized   disclosure  of   informa9on.    
Basics  –  Security  is  the  same   Availability   LOSS  =  disrup9on  of   access  to  or  use  of   informa9on  or  an   informa9on  system.    
Basics  –  Security  is  the  same   Integrity   LOSS  =  unauthorized   modifica9on  or   destruc9on  of   informa9on  
Basics  –  Security  is  the  same   Confiden9ality     Integrity   Availability   LOSS  =  unauthorized   disclosure  of   informa9on.     LOSS  =  unauthorized   modifica9on  or   destruc9on  of   informa9on   LOSS  =  disrup9on  of   access  to  or  use  of   informa9on  or  an   informa9on  system.    
Mobile  Threat  Model   WEB   Cloud   Storage   App   Stores   Websites   Web   Services   Corp   Networks   Hardware   Radio,  GPS,  Sensor   OS   Kernel,  Drivers,  FS   Run9me   Libs,  Deps,  VM’s   Apps   Card  reader   Sensors   Laptop   Peer  Device   Payments   Laptop   802.11   NFC   Bluetooth   SMS   Voice   Carrier   Network   Local  Network    (Wi-­‐Fi,  VPN,  etc)   OWASP  Trust  Boundary   CORP   CONS   BUILTIN  
Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness  
Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Ø Mo9va9on   Ø Financial   Ø Poli9cal   Ø Publicity     Threat-­‐Source  
Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack  
Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack  
Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack  
Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack   0wned
Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack   Func9on   Impact  
Threat  paths   A]ack   A]ack   A]ack   Weakness   Weakness   Control   Control   Control   Asset   Func9on   Asset   Impact   Impact   Impact   Weakness   Weakness   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   ©  2002-­‐2013  OWASP  Founda3on   Threat-­‐   Source  
Threat  paths   A]ack   A]ack   A]ack   Weakness   Weakness   Control   Control   Control   Asset   Func9on   Asset   Impact   Impact   Impact   Weakness   Weakness   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Threat-­‐   Source  
Top  10  Mobile  Risks     ?   The  poten3al  that  a  given  threat  will  exploit  vulnerabili3es  of  an  asset  or  group   of  assets  and  thereby  cause  harm  to  the  organiza3on.   ISO  13335  –  Informa9on  Technology  Security  Techniques  
Top  10  Mobile  Risks   1.  Insecure  Data  Storage   2.  Weak  Server  Side  Controls   3.  Insufficient  Transport  Layer  Protec9on   4.  Client  Side  Injec9on   5.  Poor  Authoriza9on  and  Authen9ca9on   6.  Improper  Session  Handling   7.  Security  Decisions  Via  Untrusted  Inputs   8.  Side  Channel  Data  Leakage   9.  Broken  Cryptography   10.  Sensi9ve  Informa9on  Disclosure   The  Open  Web  Applica9on  Security  Project  (OWASP)  -­‐  Mobile  Security  Project     Data  at  rest  control   Bypass  client  to  a]ack   Over-­‐the-­‐wire   XSS,  etc.   Low  factors   Allow  Hijacking   Keyboards   Listening,  in-­‐Sophis9cated     Easily  breakable,  WEP   Data  leakage,  Social    
A]acks  
A]acks  
A]acks  
A]acks   S   R   S   R   Eavesdrop/Copy   Stop/Delay/Modify   A]ack  Confiden9ality   A]ack  Integrity   S   R   Masquerade/   Assume  iden9ty/ Authen9city   S   R   Destroy  channel,   corrupt,  overwhelm   A]ack  Availability  
Ø Eavesdropping   Ø No  Physical  Boundaries   Ø Tracing/Tracking   Ø Device  Capture   S   R  A]ack  Confiden9ality  
S   R  A]ack  Integrity   S   R   Ø SSL  Stripping   Ø Reputa9on   Ø Fraud  (Monetary/Iden9ty)   Ø Browser  icons  common  
S   R  A]ack  Availability   Ø Distributed  Denial  of  Service   Ø Bandwidth  Constraints   Ø Interference  and  Jamming  
Recent  Real  World  Examples   •  Feb  2013  –  Watering  Hole  a]ack   •  Notable  and  news  worthy    
SECURITY  CONTROLS  
Security  controls   Plakorm   Controls   Custom   Controls  
Custom  controls   BYOD   Personal  Data   Company   Data   LOA2+   Client  Data   Employee   Data  
NIST  Levels  of  assurance   Level  of  Assurance   Data   Classifica'on   Data  Examples   Cumula've   Authen'ca'on   Requirements   Authen'ca'on  Examples   L0  –  No  knowledge   of  iden9ty.   Public   Anonymous   Public  Website   None   Public  website   L1  -­‐  Li]le  or  no   confidence  in  the   asserted  iden9ty’s   validity.   Public   Public  discussion  forum   One  of  any  factor   Username  +  password  i.e.   something  you  know     L2  -­‐  Some   confidence  in  the   asserted  iden9ty’s   validity.   Internal   Team  process   documents  in   SharePoint   One  of  any  factor   Verified  iden9ty   Username  +  password  i.e.   something  you  know,   checked  against  company  HR   controlled  LDAP  directory.   L3  -­‐  High  confidence   in  the  asserted   iden9ty’s  validity.   Confiden9al   Company  strategy   presenta9on   Two  or  more  of  any  factor   Password  protected    X509   son  cer9ficate,  is  both   something  you  have  and   something  you  know.   L4  -­‐Very  high   confidence  in  the   asserted  iden9ty’s   validity.   Strictly   Confiden9al   Client  or  employee   iden9fying  documents   Two  or  more  factors   One  hard  FIPS  140-­‐2   token   Independent  reader   Password  protected   smartcard  over  reader  with   bu]on   Factors:  something  you  know(username,  password),  you  have  (smartcard),  you  are  (fingerprints)  
Control  categories   Secure  Boot   Code   Protec9on   Data   Protec9on   Mobile   Management   Server   Protec9on  
Secure  Boot  –  Apple  Example   Ø Protec9ng  low  level  to  create   start  of  a  chain  of  trust   Ø  Processor  boots  from  read-­‐only  boot   ROM  –  trusted  –  Protects  Integrity   Ø  Contains  the  Apple  Root  CA   Ø  Verifies  Low-­‐Level  boot  loader  is  signed  by   Apple   Ø  Secure  boot  chain  ensures  lowest  levels  of   sonware  are  tamper  free   Ø  Boot  process  ensures  only  Apple  signed   code  can  run  on  the  device   Ø  Jailbreaks  have  exploited  boot  loader   vulnerabili9es   OS  Par99on   Kernel   Crypto  Engine   Device  Key   Group  Key   Apple  Root  Cer9ficate   Encrypted  File  System   User  Par99on     App  Sandbox   Sonware   Hardware  and   Firmware  
Code  Protec9on   Plakorm   Signed  applica9on   Ve]ed  applica9ons   ASLR   Applica9on  sandboxing  
Code  Protec9on   Custom   Sta9c  code  analysis   Code  obfusca9on   Jailbreak  Detec9on   Trusted  Execu9on  Environment   An9-­‐malware  
Code  Protec9on   Plakorm   Signed  applica9on   Ve]ed  applica9ons   ASLR   Applica9on  sandboxing   Custom   Sta9c  code  analysis   Code  obfusca9on   Jailbreak  Detec9on   Trusted  Execu9on  Environment   An9-­‐malware  
DATA  Protec9on   Plakorm   User  Authen9ca9on   Hardware  Encryp9on   Device  VPN  
Data  Protec9on  -­‐  Encryp9on   Hybrid   •  Symmetric   •  Asymmetric   Homomorphic  
Data  protec9on   Custom   Container  FIPS  140-­‐2  Encryp9on   Container  Tunnels   Digital  Rights  Management   Secure  Tokens  &  OS  
Data  Protec9on  -­‐  Encryp9on   Hardware   Embedded   TPM   HSM   Standalone   (Independent)   SmartCard   Hypervisor   TEE   Sonware   API   OpenSSL  
Data  Protec9on  -­‐  Encryp9on   Keys   Effaceable  Memory   HW  Crypto  API   App   Code   PKCS#11   over  PS/ SC  
Data  Protec9on  -­‐  Authen9ca9on   Ease  of  use   Protec9on   PIN   Freq   #1   1234   10.71%   #2   1111   6.02%   #3   0000   1.88%   #4   1212   1.20%   #5   7777   0.75%   #6   1004   0.62%   #7   2000   0.61%   #8   4444   0.53%   #9   2222   0.52%   #10   6969   0.51%   #11   9999   0.45%   #12   3333   0.42%   #13   5555   0.40%   #14   6666   0.39%   #15   1122   0.37%   #16   1313   0.30%   #17   8888   0.30%   #18   4321   0.29%   #19   2001   0.29%   #20   1010   0.29%   #22  =  2580  ?   No  Password   Long  Password   Top  20  used  pins…do  you  have  one?  
Data  Protec9on  -­‐  Authen9ca9on   Basic   (1FA)   PIN   Password   Cryptographic   (MFA)   Son   Cer9ficate   Hard   Token   (OTP/SC)   Biometrics  
Data  Protec9on  -­‐  Authen9ca9on   Mutual   Nego9ated   SSO   Federated   Delegated  
Data  protec9on   Plakorm   User  Authen9ca9on   Hardware  Encryp9on   Device  VPN   Custom   Container  FIPS  140-­‐2   Encryp9on   Container  Tunnels   Digital  Rights  Management   Secure  Tokens  &  OS  
Mobile  Management   Plakorm   Mobile  Device   Management  
Mobile  Management   Custom   Mobile  Applica9on   Management   Mobile  Hypervisor   Management  
Mobile  Management   Plakorm   Mobile  Device   Management   Custom   Mobile  Applica9on   Management   Mobile  Hypervisor   Management  
Securing  Access  to  Services   Reverse  Proxy   Applica9on  Server   Internet  
Securing  Access  to  Services   Ø Risk  Assessment  
Securing  Access  to  Services   Ø Black  Hats  and  White  Hats  
Securing  Access  to  Services   Ø Penetra9on  Test  
Closing  Thoughts   Ø You  get  a  lot  without  trying  on  mobile   plakorm   Ø You  have  to  spend  the  effort  on  the   controls  (Client  /  Server)   Ø Technology  is  improving  to  support   security  
Thank  You!   And  Stay  Safe   Shane  Williams   Alex  Batlin  

Recommended

Adapting Levels of Assurance for NSTIC
Adapting Levels of Assurance for NSTICAdapting Levels of Assurance for NSTIC
Adapting Levels of Assurance for NSTICJim Fenton
 
iOS Architecture and MVC
iOS Architecture and MVCiOS Architecture and MVC
iOS Architecture and MVCMarian Ignev
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOSKai Aras
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 

Recommended

Adapting Levels of Assurance for NSTIC
Adapting Levels of Assurance for NSTICAdapting Levels of Assurance for NSTIC
Adapting Levels of Assurance for NSTICJim Fenton
 
iOS Architecture and MVC
iOS Architecture and MVCiOS Architecture and MVC
iOS Architecture and MVCMarian Ignev
 
Jailbreaking iOS
Jailbreaking iOSJailbreaking iOS
Jailbreaking iOSKai Aras
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechC4Media
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/awaitC4Media
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaC4Media
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

More Related Content

More from C4Media

Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechC4Media
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/awaitC4Media
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaC4Media
 

More from C4Media (20)

Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No Keeper
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like Owners
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate Guide
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix Scale
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery Teams
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in Adtech
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/await
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven Utopia
 

Recently uploaded

Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Protecting Mobile Apps and Security around Bring Your Own Device

  • 1. Protec'ng  Mobile  Apps  and   security  in  the  context  of  Bring  Your   Own  Device     Shane  Williams   Alex  Batlin  
  • 2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations /mobile-security-byod
  • 3. Presented at QCon London www.qconlondon.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide
  • 4. THE  BASICS  AND  BACKGROUND  
  • 5. Basics  –  Security  is  the  same   Confiden9ality     LOSS  =  unauthorized   disclosure  of   informa9on.    
  • 6. Basics  –  Security  is  the  same   Availability   LOSS  =  disrup9on  of   access  to  or  use  of   informa9on  or  an   informa9on  system.    
  • 7. Basics  –  Security  is  the  same   Integrity   LOSS  =  unauthorized   modifica9on  or   destruc9on  of   informa9on  
  • 8. Basics  –  Security  is  the  same   Confiden9ality     Integrity   Availability   LOSS  =  unauthorized   disclosure  of   informa9on.     LOSS  =  unauthorized   modifica9on  or   destruc9on  of   informa9on   LOSS  =  disrup9on  of   access  to  or  use  of   informa9on  or  an   informa9on  system.    
  • 9. Mobile  Threat  Model   WEB   Cloud   Storage   App   Stores   Websites   Web   Services   Corp   Networks   Hardware   Radio,  GPS,  Sensor   OS   Kernel,  Drivers,  FS   Run9me   Libs,  Deps,  VM’s   Apps   Card  reader   Sensors   Laptop   Peer  Device   Payments   Laptop   802.11   NFC   Bluetooth   SMS   Voice   Carrier   Network   Local  Network    (Wi-­‐Fi,  VPN,  etc)   OWASP  Trust  Boundary   CORP   CONS   BUILTIN  
  • 10. Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness  
  • 11. Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Ø Mo9va9on   Ø Financial   Ø Poli9cal   Ø Publicity     Threat-­‐Source  
  • 12. Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack  
  • 13. Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack  
  • 14. Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack  
  • 15. Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack   0wned
  • 16. Threat  paths   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Weakness   Weakness   Control   Control   Control   Weakness   Weakness   Threat-­‐   Source   A]ack   A]ack   A]ack   Func9on   Impact  
  • 17. Threat  paths   A]ack   A]ack   A]ack   Weakness   Weakness   Control   Control   Control   Asset   Func9on   Asset   Impact   Impact   Impact   Weakness   Weakness   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   ©  2002-­‐2013  OWASP  Founda3on   Threat-­‐   Source  
  • 18. Threat  paths   A]ack   A]ack   A]ack   Weakness   Weakness   Control   Control   Control   Asset   Func9on   Asset   Impact   Impact   Impact   Weakness   Weakness   Threat     Agents   A]ack   Vectors   Security   Weaknesses   (Vulnerabili9es)   Security   Controls   Technical   Impacts   Business   Impacts   Threat-­‐   Source  
  • 19. Top  10  Mobile  Risks     ?   The  poten3al  that  a  given  threat  will  exploit  vulnerabili3es  of  an  asset  or  group   of  assets  and  thereby  cause  harm  to  the  organiza3on.   ISO  13335  –  Informa9on  Technology  Security  Techniques  
  • 20. Top  10  Mobile  Risks   1.  Insecure  Data  Storage   2.  Weak  Server  Side  Controls   3.  Insufficient  Transport  Layer  Protec9on   4.  Client  Side  Injec9on   5.  Poor  Authoriza9on  and  Authen9ca9on   6.  Improper  Session  Handling   7.  Security  Decisions  Via  Untrusted  Inputs   8.  Side  Channel  Data  Leakage   9.  Broken  Cryptography   10.  Sensi9ve  Informa9on  Disclosure   The  Open  Web  Applica9on  Security  Project  (OWASP)  -­‐  Mobile  Security  Project     Data  at  rest  control   Bypass  client  to  a]ack   Over-­‐the-­‐wire   XSS,  etc.   Low  factors   Allow  Hijacking   Keyboards   Listening,  in-­‐Sophis9cated     Easily  breakable,  WEP   Data  leakage,  Social    
  • 24. A]acks   S   R   S   R   Eavesdrop/Copy   Stop/Delay/Modify   A]ack  Confiden9ality   A]ack  Integrity   S   R   Masquerade/   Assume  iden9ty/ Authen9city   S   R   Destroy  channel,   corrupt,  overwhelm   A]ack  Availability  
  • 25. Ø Eavesdropping   Ø No  Physical  Boundaries   Ø Tracing/Tracking   Ø Device  Capture   S   R  A]ack  Confiden9ality  
  • 26. S   R  A]ack  Integrity   S   R   Ø SSL  Stripping   Ø Reputa9on   Ø Fraud  (Monetary/Iden9ty)   Ø Browser  icons  common  
  • 27. S   R  A]ack  Availability   Ø Distributed  Denial  of  Service   Ø Bandwidth  Constraints   Ø Interference  and  Jamming  
  • 28. Recent  Real  World  Examples   •  Feb  2013  –  Watering  Hole  a]ack   •  Notable  and  news  worthy    
  • 30. Security  controls   Plakorm   Controls   Custom   Controls  
  • 31. Custom  controls   BYOD   Personal  Data   Company   Data   LOA2+   Client  Data   Employee   Data  
  • 32. NIST  Levels  of  assurance   Level  of  Assurance   Data   Classifica'on   Data  Examples   Cumula've   Authen'ca'on   Requirements   Authen'ca'on  Examples   L0  –  No  knowledge   of  iden9ty.   Public   Anonymous   Public  Website   None   Public  website   L1  -­‐  Li]le  or  no   confidence  in  the   asserted  iden9ty’s   validity.   Public   Public  discussion  forum   One  of  any  factor   Username  +  password  i.e.   something  you  know     L2  -­‐  Some   confidence  in  the   asserted  iden9ty’s   validity.   Internal   Team  process   documents  in   SharePoint   One  of  any  factor   Verified  iden9ty   Username  +  password  i.e.   something  you  know,   checked  against  company  HR   controlled  LDAP  directory.   L3  -­‐  High  confidence   in  the  asserted   iden9ty’s  validity.   Confiden9al   Company  strategy   presenta9on   Two  or  more  of  any  factor   Password  protected    X509   son  cer9ficate,  is  both   something  you  have  and   something  you  know.   L4  -­‐Very  high   confidence  in  the   asserted  iden9ty’s   validity.   Strictly   Confiden9al   Client  or  employee   iden9fying  documents   Two  or  more  factors   One  hard  FIPS  140-­‐2   token   Independent  reader   Password  protected   smartcard  over  reader  with   bu]on   Factors:  something  you  know(username,  password),  you  have  (smartcard),  you  are  (fingerprints)  
  • 33. Control  categories   Secure  Boot   Code   Protec9on   Data   Protec9on   Mobile   Management   Server   Protec9on  
  • 34. Secure  Boot  –  Apple  Example   Ø Protec9ng  low  level  to  create   start  of  a  chain  of  trust   Ø  Processor  boots  from  read-­‐only  boot   ROM  –  trusted  –  Protects  Integrity   Ø  Contains  the  Apple  Root  CA   Ø  Verifies  Low-­‐Level  boot  loader  is  signed  by   Apple   Ø  Secure  boot  chain  ensures  lowest  levels  of   sonware  are  tamper  free   Ø  Boot  process  ensures  only  Apple  signed   code  can  run  on  the  device   Ø  Jailbreaks  have  exploited  boot  loader   vulnerabili9es   OS  Par99on   Kernel   Crypto  Engine   Device  Key   Group  Key   Apple  Root  Cer9ficate   Encrypted  File  System   User  Par99on     App  Sandbox   Sonware   Hardware  and   Firmware  
  • 35. Code  Protec9on   Plakorm   Signed  applica9on   Ve]ed  applica9ons   ASLR   Applica9on  sandboxing  
  • 36. Code  Protec9on   Custom   Sta9c  code  analysis   Code  obfusca9on   Jailbreak  Detec9on   Trusted  Execu9on  Environment   An9-­‐malware  
  • 37. Code  Protec9on   Plakorm   Signed  applica9on   Ve]ed  applica9ons   ASLR   Applica9on  sandboxing   Custom   Sta9c  code  analysis   Code  obfusca9on   Jailbreak  Detec9on   Trusted  Execu9on  Environment   An9-­‐malware  
  • 38. DATA  Protec9on   Plakorm   User  Authen9ca9on   Hardware  Encryp9on   Device  VPN  
  • 39. Data  Protec9on  -­‐  Encryp9on   Hybrid   •  Symmetric   •  Asymmetric   Homomorphic  
  • 40. Data  protec9on   Custom   Container  FIPS  140-­‐2  Encryp9on   Container  Tunnels   Digital  Rights  Management   Secure  Tokens  &  OS  
  • 41. Data  Protec9on  -­‐  Encryp9on   Hardware   Embedded   TPM   HSM   Standalone   (Independent)   SmartCard   Hypervisor   TEE   Sonware   API   OpenSSL  
  • 42. Data  Protec9on  -­‐  Encryp9on   Keys   Effaceable  Memory   HW  Crypto  API   App   Code   PKCS#11   over  PS/ SC  
  • 43. Data  Protec9on  -­‐  Authen9ca9on   Ease  of  use   Protec9on   PIN   Freq   #1   1234   10.71%   #2   1111   6.02%   #3   0000   1.88%   #4   1212   1.20%   #5   7777   0.75%   #6   1004   0.62%   #7   2000   0.61%   #8   4444   0.53%   #9   2222   0.52%   #10   6969   0.51%   #11   9999   0.45%   #12   3333   0.42%   #13   5555   0.40%   #14   6666   0.39%   #15   1122   0.37%   #16   1313   0.30%   #17   8888   0.30%   #18   4321   0.29%   #19   2001   0.29%   #20   1010   0.29%   #22  =  2580  ?   No  Password   Long  Password   Top  20  used  pins…do  you  have  one?  
  • 44. Data  Protec9on  -­‐  Authen9ca9on   Basic   (1FA)   PIN   Password   Cryptographic   (MFA)   Son   Cer9ficate   Hard   Token   (OTP/SC)   Biometrics  
  • 45. Data  Protec9on  -­‐  Authen9ca9on   Mutual   Nego9ated   SSO   Federated   Delegated  
  • 46. Data  protec9on   Plakorm   User  Authen9ca9on   Hardware  Encryp9on   Device  VPN   Custom   Container  FIPS  140-­‐2   Encryp9on   Container  Tunnels   Digital  Rights  Management   Secure  Tokens  &  OS  
  • 47. Mobile  Management   Plakorm   Mobile  Device   Management  
  • 48. Mobile  Management   Custom   Mobile  Applica9on   Management   Mobile  Hypervisor   Management  
  • 49. Mobile  Management   Plakorm   Mobile  Device   Management   Custom   Mobile  Applica9on   Management   Mobile  Hypervisor   Management  
  • 50. Securing  Access  to  Services   Reverse  Proxy   Applica9on  Server   Internet  
  • 51. Securing  Access  to  Services   Ø Risk  Assessment  
  • 52. Securing  Access  to  Services   Ø Black  Hats  and  White  Hats  
  • 53. Securing  Access  to  Services   Ø Penetra9on  Test  
  • 54. Closing  Thoughts   Ø You  get  a  lot  without  trying  on  mobile   plakorm   Ø You  have  to  spend  the  effort  on  the   controls  (Client  /  Server)   Ø Technology  is  improving  to  support   security  
  • 55. Thank  You!   And  Stay  Safe   Shane  Williams   Alex  Batlin