Remember these Networks? Good Old Days
• XP Desktops with a Static IP
• Easy to secure
• Only worry: sticky notes with passwords and customer credit card data
The world has changed... Security and Compliance should lead and not follow.
Wake Up Time
• Mobile is moving faster than the speed of light
• Threats, attacks and mobile data breaches are here
• Security and Compliance regulations are for yesterday's network
Government 2013 battling standards: USGCB audit benchmarks:
1. IE 7
2. IE 8
3. Windows XP
4. Windows XP Firewall
5. Windows Vista
6. Windows Vista Firewall
7. Windows 7
8. Windows 7 Firewall
9. Red Hat Linux 5
Protecting Card Data
Scan / Audit / Zone Only / Gets there how?
Corporate America PCI Response: damn this is expensive
Today's Response to PCI: Encrypt. Segment. Reduce Scope.
Compliance 101
What do we tell employees:
• Don't write your passwords on sticky notes
• Don't write, text, email or store cardholder data
The employee responds?
• ?
• ?
Think users adhere to 101? Think again.
2013 - Today's Network
Employees are Mobile. Mobile Cybercrime War has Begun.
• Employees on the go don't care about security nor compliance. They sell and take down orders!!
• Devices are on 24/7
• Assessment approach has to change
In Case you missed the Tweet
Insecure Smart Mobile Devices = Secure & Compliant PC fatality
[Chart: HP and Dell US 90 Day PC Shipments (2012, Q1 2013) vs. Android "Daily Activations" (Q1 2013)]
• 7 billion: 2013 global population
• 6.3 billion: mobile device subscriptions
• 5% stolen (loss or theft)
• 0% scanned (vulnerabilities or cardholder data)
Mobile Standard
Purpose: Protect Cardholders
Selection: Work flow or Transaction?
Evidence: Analyze
Repeat History
Step 1: Define Specs
Step 2: Mobile procedures to be assessed
Step 3: Report & Score
Step 4: Standards - enforcement
Remarks: Mobile threats - too fast for awaiting slow Standards
Example Remarks: Speed
April 2013 Mobile Scan Analysis
Android Devices: 500 Smartphones and Tablets - Last 500 global scans
Scan Deliver Thought Process
• PCI Provider - Assess & Service
• Acquiring Bank - Compliance proof of results by MID, Theft locate
• Vendor - develops technology, standards mapping and features
• End user - option to self assess
Mobile Scans Performed
Standards are usually not in place until:
• Evidence is proven that procedures can be assessed
• Procedures can be analyzed to measure risk and mitigation
Android Vulnerability Scan
[Chart: severity distribution - None 79%, Low 14%, Medium 5%, High 2%]
• CVSS Scores
• CVE numbers
• Procedures are familiar, just like PC's but easier
• Methodology has to change to assess mobile
Data Discovery Scan: Cardholder PAN Data
Vulnerability Scan: OS & Applications
Configuration Scan: OS & Applications
Mobile Vulnerabilities vs. History
[Chart: vulnerability counts for Android and Apple iOS (2011, 2012, Q1-2013) compared with Novell, Windows and Linux (1998-99)]
Vulnerable Attack Vector | Attack Threat Vector Impact | Remediation
Stolen / Loss / Misplacement of Device | Data breach | Encrypt cardholder data
SMS / Browser / Email Exploit | Full device control | Patches / Configurations
~Some Malicious App | Full device control | Configuration / Patches
Bluetooth / Tethering / NFC / Wifi | Partial data loss | Configuration / User Awareness
Carrier Network / Black List | Partial data loss | Configuration / Policy / Awareness
Mobile Configurations
Sample Configuration Results | Severity | % Failed
Device Storage Encryption Enabled | 8 | 99
Password Expired every 30 Days | 7 | 97
Require Password or PIN Check (unlock device) | 10 | 72
Device Rooted | 9 | 48
Allows Non App Market App Installation | 5 | 44
18 Configurations - All 500 failed something
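As an added example (not from the slides or any scanning product), assuming one JSON-style record per scanned device with the field names shown: a scorer that applies the five configuration checks above using the slide's severities, reports the percentage of devices failing each check, and ranks devices by severity-weighted score so remediation can start with the worst devices.

```python
import json
from collections import Counter

# The five configuration checks from the slide, with the slide's severity (1-10).
# Each entry maps a check name to (severity, predicate); the predicate returns
# True when the device FAILS the check. Record field names are assumed here.
CHECKS = {
    "storage_encryption_enabled": (8, lambda d: not d["storage_encrypted"]),
    "password_expires_30_days": (7, lambda d: d["password_max_age_days"] is None
                                           or d["password_max_age_days"] > 30),
    "unlock_pin_required": (10, lambda d: not d["unlock_pin_required"]),
    "device_not_rooted": (9, lambda d: d["rooted"]),
    "market_only_app_installs": (5, lambda d: d["unknown_sources_allowed"]),
}

def evaluate_device(device):
    """Return (names of failed checks, severity-weighted score) for one device."""
    failed = [name for name, (_, fails) in CHECKS.items() if fails(device)]
    return failed, sum(CHECKS[name][0] for name in failed)

def summarize(devices):
    """Per-check failure percentages plus devices ranked by weighted score."""
    fail_counts = Counter()
    ranked = []
    for d in devices:
        failed, score = evaluate_device(d)
        fail_counts.update(failed)
        ranked.append({"device_id": d["device_id"], "failed": failed, "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    pct = {name: int(round(100 * fail_counts[name] / len(devices))) for name in CHECKS}
    return {"devices_scanned": len(devices), "pct_failed": pct, "devices": ranked}

def record(device_id, enc, max_age, pin, rooted, unknown):
    """Build one device record in the assumed scan format."""
    return {"device_id": device_id, "storage_encrypted": enc,
            "password_max_age_days": max_age, "unlock_pin_required": pin,
            "rooted": rooted, "unknown_sources_allowed": unknown}

# Constructed sample scan output (not real scan data).
SAMPLE_SCAN = [
    record("d1", True, 30, True, False, False),    # hardened: passes everything
    record("d2", False, None, False, True, True),  # rooted, unencrypted, no PIN
    record("d3", False, 90, True, False, True),    # password policy too lax
    record("d4", True, 30, False, False, False),   # no unlock PIN
]

if __name__ == "__main__":
    # JSON output so an acquirer or PCI provider can ingest the results.
    print(json.dumps(summarize(SAMPLE_SCAN), indent=2))
```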
8% of scans had PAN data on Android
Protect and assess the transaction? P2PE 'Point to Point Encryption'
Cardholder data on mobile is everywhere? NFC, Google Drive, Dropbox, SMS, Contacts
Today's Network: Always connected, Anytime, Anywhere
[Diagram: Corporate Office, Remote Office, Free wifi, Mobile]
• Yesterday Network - Static Networks are the past; data and devices are not only at corporate. Employees are on the go and working remote.
• Today Network - Small Offices lack security and connect indirectly back to corporate. Transmitting data with connections who are on/off untrusted networks.
• Today Network - Road warrior. Who hasn't connected to a free wifi network? BYOD. Multiple network connections over ~untrusted Wifi / 4G.
• Today Network - Employee Mobile Devices can now be assessed for threats, but not with historical network approaches.
Mobile Audit - Fast Easy Affordable
Mobile facts vs. Non-Mobile:
• More likely to be stolen or lost, equating to an increase in potential cardholder breaches. ~Processing with a financial app - Banks to get a call guaranteed.
• Vulnerabilities & configurations are equally important to assess and remediate, if not more important than traditional PC's.
• Are your employees storing cardholder data? Just like not writing down passwords. They are going to SMS and store it.
My Suggestions
1. Baseline - Many existing procedures can be used from DSS 2.0
2. Rapid Adopt - Mobile moves fast and standards should as well
3. Influence buy-in - Individuals: Merchant, Council, Vendor, Bank, Providers
4. Automate - Utilize XML, JSON for communication and sharing
5. Continuous - Changes to ensure costs don't outweigh the threat