3. Remember these Networks?
Good Old Days: XP desktops with a static IP. Easy to secure.
Only worry: sticky notes w/ passwords and customer credit card data.
The world has changed...
Security and Compliance should lead and not follow.
4. Wake Up Time
• Mobile is moving faster than the speed of light
• Threats, attacks and mobile data breaches are here
• Security and Compliance regulations are for yesterday's network
Government 2013, still battling standards. USGCB audit benchmarks:
1. IE 7
2. IE 8
3. Windows XP
4. Windows XP Firewall
5. Windows Vista
6. Windows Vista Firewall
7. Windows 7
8. Windows 7 Firewall
9. Red Hat Linux 5
5. Protecting Card Data
Scan Audit Zone Only - Gets there how?
Corporate America PCI Response: damn, this is expensive.
Today's Response to PCI: Encrypt. Segment. Reduce Scope.
6. Compliance 101
What do we tell employees:
• Don't write your passwords on sticky notes
• Don't write, text, email or store cardholder data
The employee responds?
• ?
• ?
Think users adhere to 101? Think again.
7. 2013 - Today's Network
Employees are Mobile. The Mobile Cybercrime War has Begun.
Employees on the go don't care about security nor compliance. They sell and take down orders!!
Devices are on 24/7. The assessment approach has to change.
8. In Case you missed the Tweet
Insecure Smart Mobile Devices = Secure & Compliant PC fatality
[Charts: US 90 Day PC Shipment (HP, Dell), Q1 2012 vs Q1 2013; Android "Daily Activations", 2013]
9. 7 billion - 2013 global population
6.3 billion - mobile device subscriptions
5% stolen (loss or theft). 0% scanned (for vulnerabilities or cardholder data).
10. Mobile Standard Remarks
Step 1: Define procedures (Purpose / Workflow)
Step 2: Specs to be assessed (Selection)
Step 3: Report & Score (Evidence)
Step 4: Mobile Standards - enforcement (Analyze)
Example Remarks: Protect Cardholders, flow or Transaction? Repeat History. Mobile threats - too fast for awaiting slow Standards. Speed.
11. April 2013 Mobile Scan Analysis
Android Devices: 500 Smartphones and Tablets - the last 500 global scans
12. Scan Deliver Thought Process
• PCI Provider - Assess & Service
• Acquiring Bank - Compliance proof of results by MID, Theft locate
• Vendor - develops technology, standards mapping and features
• End user - option to self assess
13. Mobile Scans Performed
Standards are usually not in place until:
• Evidence is proven that procedures can be assessed
• Procedures can be analyzed to measure risk and mitigation
14. Android Vulnerability Scan
[Chart: severity breakdown of findings across the 500 scans - None 79%, Low 14%, Medium 5%, High 2%]
• CVSS Scores
• CVE numbers
• Procedures are familiar, just like PC's but easier
• Methodology has to change to assess mobile
15. Data Discovery Scan / Vulnerability Scan / Configuration Scan
• Data Discovery Scan - Cardholder PAN Data
• Vulnerability Scan - OS & Applications
• Configuration Scan - OS & Applications
16. Mobile Vulnerabilities vs. History
[Chart: vulnerability counts for Android and Apple iOS (2011, 2012, Q1 2013) beside Novell, Windows and Linux (1998-99)]
17. Vulnerable Attack Vector
Attack Threat Vector | Impact | Remediation
Stolen / Loss / Misplacement of Device | Data breach | Encrypt cardholder data
SMS / Browser / Email Exploit | Full device control | Patches / Configurations
Malicious App | Full device control | Configuration / ~Some Patches
Bluetooth / Tethering / NFC / Wifi | Partial data loss | Configuration / User Awareness
Carrier Network / Black List | Partial data loss | Configuration / Policy / Awareness
18. Mobile Configurations
Sample Configuration Results | Severity | % Failed
Device Storage Encryption Enabled | 8 | 99
Password Expired every 30 Days | 7 | 97
Require Password or PIN Check (unlock device) | 10 | 72
Device Rooted | 9 | 48
Allows Non App Market App Installation | 5 | 44
18 Configurations - All 500 failed something
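Added example, not code from the original deck or its scanning vendor: how the five sample checks in the table above can be turned into pass/fail predicates over a per-device snapshot, scored by the slide's severity scale, and rolled up into the "% Failed" and "failed something" figures the slide reports. The snapshot field names (`crypto_state`, `password_max_age_days`, `lock_type`, `su_binary_present`, `install_non_market_apps`) and the four sample devices are assumptions made for the example; on a real Android device the values would come from a device-admin agent (DevicePolicyManager for the password policy) or over adb, for instance `getprop ro.crypto.state` for the encryption state.

```python
# Added example (not from the original deck): scoring the five sample
# configuration checks from the slide's table against per-device snapshots
# and aggregating "% failed" across a fleet.  Snapshot field names and the
# SAMPLE_DEVICES below are assumptions, not the scanner's own format.
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Check:
    name: str
    severity: int                       # 1-10 scale, as in the slide
    passes: Callable[[dict], bool]      # True when the device is compliant


CHECKS: List[Check] = [
    Check("Device Storage Encryption Enabled", 8,
          lambda d: d.get("crypto_state") == "encrypted"),
    # A max age of 0 means "never expires", the usual default -> fail.
    Check("Password Expired every 30 Days", 7,
          lambda d: 0 < d.get("password_max_age_days", 0) <= 30),
    # Swipe, no lock or face unlock do not count as a password or PIN.
    Check("Require Password or PIN Check (unlock device)", 10,
          lambda d: d.get("lock_type") in ("pin", "password")),
    Check("Device Rooted", 9,
          lambda d: not d.get("su_binary_present", False)),
    # install_non_market_apps == 1 is "Unknown sources" enabled.
    Check("Allows Non App Market App Installation", 5,
          lambda d: d.get("install_non_market_apps", 1) == 0),
]


def evaluate(device: dict) -> dict:
    """Per-device result: failed check names plus a severity-weighted score."""
    failed = [c for c in CHECKS if not c.passes(device)]
    return {
        "device_id": device["id"],
        "failed": [c.name for c in failed],
        "risk": sum(c.severity for c in failed),
        "worst": max((c.severity for c in failed), default=0),
    }


def fleet_report(devices: List[dict]) -> dict:
    """The slide's view: % of devices failing each check, how many failed
    anything, and a remediation queue ordered worst single finding first."""
    results = [evaluate(d) for d in devices]
    n = len(results)
    pct_failed = {
        c.name: round(100 * sum(c.name in r["failed"] for r in results) / n)
        for c in CHECKS
    }
    queue = sorted(results, key=lambda r: (-r["worst"], -r["risk"]))
    return {
        "total": n,
        "pct_failed": pct_failed,
        "devices_failing_any": sum(1 for r in results if r["failed"]),
        "queue": [r["device_id"] for r in queue],
    }


# Constructed snapshots, not real scan data.
SAMPLE_DEVICES = [
    {"id": "a1", "crypto_state": "unencrypted", "password_max_age_days": 0,
     "lock_type": "swipe", "su_binary_present": True, "install_non_market_apps": 1},
    {"id": "b2", "crypto_state": "encrypted", "password_max_age_days": 30,
     "lock_type": "pin", "su_binary_present": False, "install_non_market_apps": 1},
    {"id": "c3", "crypto_state": "encrypted", "password_max_age_days": 90,
     "lock_type": "pin", "su_binary_present": False, "install_non_market_apps": 0},
    {"id": "d4", "crypto_state": "unencrypted", "password_max_age_days": 30,
     "lock_type": "password", "su_binary_present": True, "install_non_market_apps": 0},
]

if __name__ == "__main__":
    import json
    print(json.dumps(fleet_report(SAMPLE_DEVICES), indent=2))
```

The queue sorts on the worst single finding before the summed score, so a device whose only failure is the severity-10 unlock check is remediated before one with several low-severity misconfigurations; the "password expiry" predicate treats a max age of 0 as a failure because that is the "never expires" default, which is how 97% of devices fail a check that looks harmless.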
19. 8% of scans had PAN data on Android
Protect and assess the transaction? P2PE 'Point to Point Encryption'
Cardholder data on mobile is everywhere? NFC, Google Drive, Dropbox, SMS, Contacts
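Added example, not code from the original deck or its scanning vendor: a minimal data discovery scan of the kind slide 15 names and slide 19 reports results for, run over the places listed above (SMS, contacts, a synced file). It finds digit runs, normalises the spaces and dashes people type between groups, applies the Luhn check and issuer-prefix/length rules so that order numbers and timestamps that happen to pass Luhn are not reported, and masks each hit to first six / last four so the scan report does not itself become stored cardholder data. The records are constructed; the card numbers are the public Visa and Mastercard test numbers, not real cards.

```python
# Added example (not from the original deck): a minimal cardholder-data
# discovery scan over constructed device contents.  The PANs are the public
# Visa/Mastercard test numbers, not real cards.
import re
from typing import Dict, List, Tuple

# Runs of 13-19 digits, tolerating a space or dash between groups; the
# lookarounds stop us matching inside a longer digit string.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Issuer-prefix and length rules on top of Luhn, to cut false positives
    from order numbers, timestamps and phone numbers."""
    n = len(digits)
    if not 13 <= n <= 19:
        return False
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):                  # Visa
        return luhn_ok(digits)
    if two in (34, 37) and n == 15:                              # American Express
        return luhn_ok(digits)
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:   # Mastercard
        return luhn_ok(digits)
    if (four == 6011 or two == 65) and n == 16:                  # Discover
        return luhn_ok(digits)
    return False


def mask(digits: str) -> str:
    """Report first six and last four only, so the finding is not itself PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """One finding per PAN-like value, tagged with the source it was found in."""
    findings = []
    for source, text in records:
        for m in _CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if looks_like_pan(digits):
                findings.append({"source": source, "masked": mask(digits)})
    return findings


# Constructed sample device contents; only two of the digit runs are PANs.
SAMPLE_RECORDS = [
    ("sms", "cust wants to pay w/ 4111 1111 1111 1111 exp 09/15 pls run it"),
    ("contacts", "Bob Jones +1 415-555-0123 note: order 20130401123456"),
    ("dropbox/orders.txt", "MC 5555-5555-5555-4444 $149.00 approved"),
    ("sms", "call me at 4155550199 re ref 4111111111111112"),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['source']}: {f['masked']}")
```

The fourth record is the failure mode to watch: a 16-digit reference starting with 4 that is one digit off a real card passes the regex and the prefix rule and is rejected only by Luhn, while the 14-digit order number in the contacts note is rejected by the prefix rule before Luhn is even consulted. Masking at the point of discovery matters for scope: a scan log full of raw PANs is a new cardholder data store that the audit then has to cover.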
20. Today's Network
Always connected, Anytime, Anywhere
Corporate Office (Yesterday Network) - Static Networks are the past; threats are not only at corporate.
Remote Office (Today Network) - Small Offices lack security and connect indirectly back to corporate.
Free wifi (Today Network) - Road warrior: who hasn't connected to a free wifi network?
Mobile (Today) - Employee Mobile Devices: data and devices can now be assessed for threats, but not with historical network approaches. Employees are on the go and transmitting data with BYOD, multiple network connections, working remote, with connections that are on/off over ~untrusted Wifi / 4G networks.
21. Mobile Audit - Fast Easy Affordable
Mobile facts vs. Non-Mobile:
• More likely to be stolen or lost, equating to an increase in potential cardholder breaches.
• ~Processing w/ a financial app - Banks to get a call, guaranteed.
• Vulnerabilities & configurations are equally important to assess and remediate, if not more important than on traditional PC's.
Are your employees storing cardholder data? Just like not writing down passwords: they are going to SMS and store it.
22. My Suggestions
1. Baseline - Many existing procedures can be used from DSS 2.0
2. Rapid Adopt - Mobile moves fast and standards should as well
3. Influence buy-in - Individuals: Merchant, Council, Vendor, Bank, Providers
4. Automate - Utilize XML, JSON for communication and sharing
5. Continuous - Changes to ensure costs don't outweigh the threat