iScan Online presentation for: PCI DSS Mobile Task Force
April 18, 2013
Our Backgrounds

Timeline:
  1997  Host Scanning
  1998  Network Scanners
  2012  Binary Scanners
  2012  Browser Plugin Scanning
  2013  Mobile Scanning
Remember these Networks?

Good Old Days: XP Desktops with a Static IP

Easy to secure. Only worry - sticky notes w/ passwords and customer credit card data.

The world has changed... Security and Compliance should lead and not follow.
Wake Up Time

•   Mobile is moving faster than the speed of light
•   Threats, attacks and mobile data breaches are here
•   Security and Compliance regulations are for yesterday's network

Government 2013 battling standards - USGCB audit benchmarks:
    1. IE 7
    2. IE 8
    3. Windows XP
    4. Windows XP Firewall
    5. Windows Vista
    6. Windows Vista Firewall
    7. Windows 7
    8. Windows 7 Firewall
    9. Red Hat Linux 5
Protecting Card Data

Scan Audit Zone Only - Gets there how?

Corporate America PCI Response: damn this is expensive
Today's Response to PCI: Encrypt. Segment. Reduce Scope.
Compliance 101

What do we tell employees:
•   Don't write your passwords on sticky notes
•   Don't write, text, email or store cardholder data

The employee responds? ... ?

Think users adhere to 101, think again.
2013 - Today's Network

Employees are Mobile. Mobile Cybercrime War has Begun.

Employees on the go: Don't care about security nor compliance. They sell and take down orders!!

Devices are on 24/7: Assessment approach has to change.
In Case you missed the Tweet

Insecure Smart Mobile Devices = Secure & Compliant PC fatality

[Chart: US 90 Day PC Shipment (HP, Dell), 2012 Q1 vs. 2013 Q1, axis 0-9000]
[Chart: Android "Daily Activations", 2013, axis 0-1500]

7 billion - 2013 global population
6.3 billion - mobile device subscriptions
5% stolen - loss or theft
0% scanned - vulnerabilities or cardholder data
Mobile Standard Remarks

Example:
  Step 1  Selection  - Define procedures
  Step 2  Evidence   - Specs to be assessed
  Step 3  Analyze    - Report & Score
  Step 4  Work flow  - Mobile Standards - Speed

Remarks:
  Purpose - Protect Cardholders or Transaction?
  Repeat History - Mobile threats - too fast for awaiting slow Standards
  Enforcement
April 2013 - Mobile Scan Analysis

Android Devices: 500 Smartphones and Tablets - Last 500 global scans
Scan Deliver Thought Process

•   PCI Provider - Assess & Service
•   Acquiring Bank - Compliance proof of results by MID, Theft locate
•   Vendor - develops technology, standards mapping and features
•   End user - option to self assess
Mobile Scans Performed

Standards are usually not in place until:
•   Evidence is proven that procedures can be assessed
•   Procedures can be analyzed to measure - risk and mitigation
Android Vulnerability Scan

•   CVSS Scores
•   CVE numbers
•   Procedures are familiar, just like PCs but easier
•   Methodology has to change to assess mobile

[Chart: severity distribution of findings; legend None, Low, Medium, High; values as shown: 79%, 14%, 5%, 2%]

Data Discovery Scan     Vulnerability Scan     Configuration Scan
Cardholder PAN Data     OS & Applications      OS & Applications
Mobile Vulnerabilities vs. History

[Chart: vulnerability counts for Android and Apple iOS over 2011, 2012, Q1-2013 (left axis 0-200) vs. Novell, Windows, Linux over 1998-99 (right axis 0-90)]
Vulnerable Attack Vector

Attack Threat Vector                        Impact                Remediation
Stolen / Loss / Misplacement of Device      Data breach           Encrypt cardholder data
SMS / Browser / Email Exploit               Full device control   Patches / Configurations
Malicious App                               Full device control   Configuration / ~Some Patches
Bluetooth / Tethering / NFC / Wifi          Partial data loss     Configuration / User Awareness
Carrier Network / Black List                Partial data loss     Configuration / Policy / Awareness
Mobile Configurations

Sample Configuration Results                     Severity   % Failed
Device Storage Encryption Enabled                    8         99
Password Expired every 30 Days                       7         97
Require Password or PIN Check (unlock device)       10         72
Device Rooted                                        9         48
Allows Non App Market App Installation               5         44

18 Configurations - All 500 failed something
8% of scans had PAN data on Android
Protect and assess P2PE 'Point to Point Encryption' the transaction?

Cardholder data on mobile is everywhere? NFC, Google Drive, Dropbox, SMS, Contacts
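Added example (not part of the iScan Online deck and not iScan's own scanner): a minimal cardholder-data discovery pass of the kind the "Data Discovery Scan - Cardholder PAN Data" row and the "8% of scans had PAN data" finding describe, run over constructed SMS and contact entries. The record layout, the sample data, the Luhn filter and the first-6/last-4 masking are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# bounded so that a longer digit run is never split into a shorter "card".
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    source: str       # constructed storage label, e.g. "sms/17" or "contacts/bob"
    masked_pan: str   # first 6 and last 4 kept, middle masked
    digits: int       # PAN length


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most phone numbers and tracking ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN (first 6) and last 4 so a report never stores a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_record(source: str, text: str) -> list[Finding]:
    """Return masked findings for every Luhn-valid PAN candidate in one record."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(source, mask_pan(digits), len(digits)))
    return findings


def scan_device(records: dict[str, str]) -> list[Finding]:
    """records maps a storage location on the device to its text content."""
    out = []
    for source, text in records.items():
        out.extend(scan_record(source, text))
    return out


def pan_scan_rate(devices: list[dict[str, str]]) -> float:
    """Fraction of scanned devices with at least one PAN finding (the deck's '8%')."""
    if not devices:
        return 0.0
    hits = sum(1 for dev in devices if scan_device(dev))
    return hits / len(devices)


# Constructed sample devices. 4111111111111111 and 5500000000000004 are the
# well-known card test numbers that pass Luhn; the phone numbers are too short
# and the tracking id fails the Luhn check.
SAMPLE_DEVICES = [
    {
        "sms/17": "order ok, card 4111 1111 1111 1111 exp 09/25 thx",
        "contacts/bob": "Bob Smith 214-555-0199",
    },
    {
        "contacts/alice": "Alice, acct 5500-0000-0000-0004",
        "sms/3": "running late, call 2145550123",
    },
    {
        "sms/8": "pkg tracking 1Z9999999999999999",
    },
]

if __name__ == "__main__":
    for i, dev in enumerate(SAMPLE_DEVICES, 1):
        for f in scan_device(dev):
            print(f"device {i}: {f.source}: {f.masked_pan} ({f.digits} digits)")
    print(f"devices with PAN data: {pan_scan_rate(SAMPLE_DEVICES):.0%}")
```

The report keeps only masked values, which is the detail a data-discovery scan has to get right before it can be run at scale on employee devices.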
Today's Network
Always connected, Anytime, Anywhere

Corporate Office (Yesterday) - Static Networks are the past; data and devices are not only at corporate. Employees are on the go and working remote.

Remote Office (Network Today) - Small Offices lack security and connect indirectly back to corporate. Transmitting data with BYOD connections who are on/off untrusted networks.

Free wifi (Network Today) - Road warrior Employee: Who hasn't connected to a free wifi network? Multiple network connections over ~untrusted Wifi / 4G.

Mobile (Network Today) - Mobile Devices can now be assessed for threats, but not with historical network approaches.
Mobile Audit - Fast Easy Affordable

Mobile facts vs. Non-Mobile:
•   More likely to be stolen or lost, equating to an increase in potential cardholder breaches.
•   ~Processing w/ a financial app - Banks to get a call guaranteed.

Vulnerabilities & configurations are equally important to assess and remediate, if not more important than traditional PCs.

Are your employees storing cardholder data? Just like not writing down passwords: they are going to SMS and store it.
My Suggestions

1. Baseline - Many existing procedures can be used from DSS 2.0
2. Rapid Adopt - Mobile moves fast and standards should as well
3. Influence buy-in - Individuals: Merchant, Council, Vendor, Bank, Providers
4. Automate - Utilize XML, JSON for communication and sharing
5. Continuous - Changes to ensure costs don't outweigh the threat
Questions?
More Information?
iScan Online, Inc.
19111 Dallas Parkway, Suite 200
Dallas, TX 75287

Billy Austin, President
austin@iscanonline.com
214-276-1148

More Related Content

What's hot

Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint Technology
Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint TechnologyQualcomm ® Snapdragon Sense ™ ID 3D Fingerprint Technology
Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint TechnologyFIDO Alliance
 
Sxsw ppt voice-1
Sxsw ppt voice-1Sxsw ppt voice-1
Sxsw ppt voice-1Dan Miller
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1Ian Sommerville
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)itforum-roundtable
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallySukanya Ben
 
Automated Management of Intelligent Devices
Automated Management of Intelligent DevicesAutomated Management of Intelligent Devices
Automated Management of Intelligent Devicesuplogix
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentationguestf018d88
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Securitytbeckwith
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyTyler Shields
 
Penrillian.com - Mobile Money
Penrillian.com - Mobile MoneyPenrillian.com - Mobile Money
Penrillian.com - Mobile MoneyMobileMoney
 
BYOD - Ruckus way. Right way.
BYOD - Ruckus way. Right way.BYOD - Ruckus way. Right way.
BYOD - Ruckus way. Right way.Michal Jarski
 
eircom Managed Security
eircom Managed Securityeircom Managed Security
eircom Managed Securityeircom
 
Software Compliance Management Overview
Software Compliance Management OverviewSoftware Compliance Management Overview
Software Compliance Management Overviewkevino80
 

What's hot (16)

Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint Technology
Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint TechnologyQualcomm ® Snapdragon Sense ™ ID 3D Fingerprint Technology
Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint Technology
 
Defining Enterprise Identity Management
Defining Enterprise Identity ManagementDefining Enterprise Identity Management
Defining Enterprise Identity Management
 
Sxsw ppt voice-1
Sxsw ppt voice-1Sxsw ppt voice-1
Sxsw ppt voice-1
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and Ethically
 
Automated Management of Intelligent Devices
Automated Management of Intelligent DevicesAutomated Management of Intelligent Devices
Automated Management of Intelligent Devices
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentation
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Security
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your Privacy
 
Mobile device management
Mobile device management Mobile device management
Mobile device management
 
Penrillian.com - Mobile Money
Penrillian.com - Mobile MoneyPenrillian.com - Mobile Money
Penrillian.com - Mobile Money
 
BYOD - Ruckus way. Right way.
BYOD - Ruckus way. Right way.BYOD - Ruckus way. Right way.
BYOD - Ruckus way. Right way.
 
eircom Managed Security
eircom Managed Securityeircom Managed Security
eircom Managed Security
 
Handkey 2012
Handkey 2012Handkey 2012
Handkey 2012
 
Software Compliance Management Overview
Software Compliance Management OverviewSoftware Compliance Management Overview
Software Compliance Management Overview
 

Similar to iScan Online - PCI DSS Mobile Task Force

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandTyler Shields
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile DeviceTyler Shields
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYjmical
 
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...ProductNation/iSPIRT
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White HatsVladimir Jirasek
 
The Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringThe Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringCorrelsense
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementNovell
 
Temia Mobile Device Management Webinar 03 21-12
Temia Mobile Device Management Webinar 03 21-12Temia Mobile Device Management Webinar 03 21-12
Temia Mobile Device Management Webinar 03 21-12Wireless_Analytics
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingKaseya
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...Skoda Minotti
 
IBM Smarter Business 2012 - BYOD: "So what?" – Enabling mobile and mixed endp...
IBM Smarter Business 2012 - BYOD: "So what?" – Enabling mobile and mixed endp...IBM Smarter Business 2012 - BYOD: "So what?" – Enabling mobile and mixed endp...
IBM Smarter Business 2012 - BYOD: "So what?" – Enabling mobile and mixed endp...IBM Sverige
 
Refense Security Risk Briefing July 2009
Refense   Security Risk Briefing   July 2009Refense   Security Risk Briefing   July 2009
Refense Security Risk Briefing July 2009apompliano
 
Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011Source Conference
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxtmbainjr131
 
An Introduction to South Seas Corporation
An Introduction to South Seas CorporationAn Introduction to South Seas Corporation
An Introduction to South Seas CorporationEd Mohr
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk OverviewSplunk
 
Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringQ1 Labs
 

Similar to iScan Online - PCI DSS Mobile Task Force (20)

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
 
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
 
The Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringThe Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and Monitoring
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Temia Mobile Device Management Webinar 03 21-12
Temia Mobile Device Management Webinar 03 21-12Temia Mobile Device Management Webinar 03 21-12
Temia Mobile Device Management Webinar 03 21-12
 
Security Intelligence
Security IntelligenceSecurity Intelligence
Security Intelligence
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance Briefing
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
 
IBM Smarter Business 2012 - BYOD: "So what?" – Enabling mobile and mixed endp...
IBM Smarter Business 2012 - BYOD: "So what?" – Enabling mobile and mixed endp...IBM Smarter Business 2012 - BYOD: "So what?" – Enabling mobile and mixed endp...
IBM Smarter Business 2012 - BYOD: "So what?" – Enabling mobile and mixed endp...
 
Refense Security Risk Briefing July 2009
Refense   Security Risk Briefing   July 2009Refense   Security Risk Briefing   July 2009
Refense Security Risk Briefing July 2009
 
Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptx
 
An Introduction to South Seas Corporation
An Introduction to South Seas CorporationAn Introduction to South Seas Corporation
An Introduction to South Seas Corporation
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
 
Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk Scoring
 

More from MAX Risk Intelligence by LOGICnow (7)

Data Breach Risk Brief - 2015
Data Breach Risk Brief - 2015Data Breach Risk Brief - 2015
Data Breach Risk Brief - 2015
 
Data Breach Risk Intelligence
Data Breach Risk IntelligenceData Breach Risk Intelligence
Data Breach Risk Intelligence
 
iScan Risk Intelligence for Regional Banks
iScan Risk Intelligence for Regional BanksiScan Risk Intelligence for Regional Banks
iScan Risk Intelligence for Regional Banks
 
5 Phrases Every Security Chief Needs to Speak - Business
5 Phrases Every Security Chief Needs to Speak - Business5 Phrases Every Security Chief Needs to Speak - Business
5 Phrases Every Security Chief Needs to Speak - Business
 
Data Breach Risk Intelligence for Higher Education
Data Breach Risk Intelligence for Higher EducationData Breach Risk Intelligence for Higher Education
Data Breach Risk Intelligence for Higher Education
 
5 Data Breach Charts for the Board Room
5 Data Breach Charts for the Board Room5 Data Breach Charts for the Board Room
5 Data Breach Charts for the Board Room
 
BYOD Security Scanning
BYOD Security ScanningBYOD Security Scanning
BYOD Security Scanning
 

Recently uploaded

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
What's New in Teams Calling, Meetings and Devices March 2024

iScan Online - PCI DSS Mobile Task Force

  • 1. iScan Online presentation for: PCI DSS Mobile Task Force, April 18, 2013
  • 2. Our Backgrounds
    Host Scanning (1997) - Network Scanners (1998) - Binary Scanners (2012) - Browser Plugin Scanning (2012) - Mobile Scanning (2013)
  • 3. Remember these Networks?
    Good Old Days: XP Desktops with a Static IP.
    Easy to secure: the only worry was sticky notes with passwords and customer credit card data.
    The world has changed... Security and Compliance should lead and not follow.
  • 4. Wake Up Time
    • Mobile is moving faster than the speed of light
    • Threats, attacks and mobile data breaches are here
    • Security and Compliance regulations are for yesterday's network
    Government 2013, battling standards: USGCB audit benchmarks: 1. IE 7, 2. IE 8, 3. Windows XP, 4. Windows XP Firewall, 5. Windows Vista, 6. Windows Vista Firewall, 7. Windows 7, 8. Windows 7 Firewall, 9. Red Hat Linux 5
  • 5. Protecting Card Data
    Corporate America PCI: Scan Audit Zone Only. Gets there how?
    Today's Response to PCI: "damn this is expensive". Encrypt. Segment. Reduce Scope.
  • 6. Compliance 101
    What do we tell employees:
    • Don't write your passwords on sticky notes
    • Don't write, text, email or store cardholder data
    The employee responds? • ? • ?
    Think users adhere to 101? Think again.
  • 7. 2013 - Today's Network
    Employees are Mobile. The Mobile Cybercrime War has Begun.
    Employees on the go don't care about security nor compliance. They sell and take down orders!!
    Devices are on 24/7. The assessment approach has to change.
  • 8. In Case you missed the Tweet
    Insecure Smart Mobile Devices = Secure & Compliant PC fatality
    [Chart: US 90 Day PC Shipment (HP, Dell) vs. Android "Daily Activations", 2012 vs. Q1 2013]
  • 9. 7 billion: 2013 global population. 6.3 billion: mobile device subscriptions.
    5% stolen (loss or theft). 0% scanned (vulnerabilities or cardholder data).
  • 10. Mobile Standard Remarks Example Remarks Purpose Work Protect Cardholders Selection Evidence Analyze flow or Transaction? Repeat History Step 1 Step 2 Step 3 Step 4 Mobile threats - too fast for awaiting slow Standards Define Specs to be Report & Mobile procedures assessed Score Standards - enforcement Speed
  • 11. April 2013 Mobile Scan Analysis
    Android Devices: 500 Smartphones and Tablets - Last 500 global scans
  • 12. Scan Deliver Thought Process
    • PCI Provider - Assess & Service
    • Acquiring Bank - Compliance proof of results by MID, Theft locate
    • Vendor - develops technology, standards mapping and features
    • End user - option to self assess
  • 13. Mobile Scans Performed
    Standards are usually not in place until:
    • Evidence is proven that procedures can be assessed
    • Procedures can be analyzed to measure - risk and mitigation
  • 14. Android Vulnerability Scan
    [Chart: None 79%, Low 14%, Medium 5%, High 2%]
    • CVSS Scores
    • CVE numbers
    • Procedures are familiar, just like PCs but easier
    • Methodology has to change to assess mobile
  • 15. Data Discovery Scan (Cardholder PAN Data) | Vulnerability Scan (OS & Applications) | Configuration Scan (OS & Applications)
  • 16. Mobile Vulnerabilities vs. History
    [Chart: Android and Apple iOS vulnerabilities 2011, 2012, Q1-2013 vs. Novell, Windows, Linux vulnerabilities 1998-99]
  • 17. Vulnerable Attack Vector
    Attack Vector | Threat Impact | Remediation
    Stolen / Loss / Misplacement of Device | Data breach | Encrypt cardholder data
    SMS / Browser / Email Exploit | Full device control | Patches / Configurations
    ~Some Malicious App | Full device control | Configuration / Patches
    Bluetooth / Tethering / NFC / Wifi | Partial data loss | Configuration / User Awareness
    Carrier Network / Black List | Partial data loss | Configuration / Policy / Awareness
  • 18. Mobile Configurations - Sample Configuration Results
    Configuration | Severity | % Failed
    Device Storage Encryption Enabled | 8 | 99
    Password Expired every 30 Days | 7 | 97
    Require Password or PIN Check (unlock device) | 10 | 72
    Device Rooted | 9 | 48
    Allows Non App Market App Installation | 5 | 44
    18 Configurations - All 500 failed something
  • 19. 8% of scans had PAN data on Android
    Protect and assess the transaction? P2PE 'Point to Point Encryption'
    Cardholder data on mobile is everywhere? NFC, Google Drive, Dropbox, SMS, Contacts
  • 20. Today's Network - Always connected, Anytime, Anywhere
    [Diagram: Corporate Office, Remote Office, Free wifi, Mobile]
    Yesterday: Static Networks are the past; data and devices are not only at corporate.
    Network Today: Small Offices lack security and connect indirectly back to corporate. Employees are on the go and working remote.
    Network Today: Road warrior. Who hasn't connected to a free wifi network? Transmitting data with BYOD connections that are on/off untrusted networks.
    Network Today: Employee Mobile Devices can now be assessed for threats, but not with historical network approaches. Multiple network connections over ~untrusted Wifi / 4G.
  • 21. Mobile Audit - Fast, Easy, Affordable
    Mobile facts vs. Non-Mobile:
    More likely to be stolen or lost, equating to an increase in potential cardholder breaches.
    ~Processing w/ a financial app - Banks to get a call guaranteed.
    Vulnerabilities & configurations are equally important to assess and remediate, if not more important than traditional PCs.
    Are your employees storing cardholder data? Just like not writing down passwords, they are going to SMS and store it.
  • 22. My Suggestions
    1. Baseline - Many existing procedures can be used from DSS 2.0
    2. Rapid Adopt - Mobile moves fast and standards should as well
    3. Influence buy-in - Individuals: Merchant, Council, Vendor, Bank, Providers
    4. Automate - Utilize XML, JSON for communication and sharing
    5. Continuous - Changes to ensure costs don't outweigh the threat
  • 23. Questions? More Information?
    iScan Online, Inc., 19111 Dallas Parkway, Suite 200, Dallas, TX 75287
    Billy Austin, President, austin@iscanonline.com, 214-276-1148