Securing the mobile enterprise - Sydney 24 Mar 2014
•
0 likes•616 views
My presentation at the World Cyber Resilience Congress at Sydney, 24-25 March 2014
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Securing the mobile enterprise - Sydney 24 Mar 2014
Similar to Securing the mobile enterprise - Sydney 24 Mar 2014 (20)
More from Parag Deodhar
More from Parag Deodhar (11)
Recently uploaded
Recently uploaded (20)
Securing the mobile enterprise - Sydney 24 Mar 2014
- 3. Automated Workforce •Document Management Systems (DMS), Field Force Automation (FFA), Salesforce Automation (SFA), Customer Relationship Management (CRM), and Enterprise Resource Planning (ERP). •Minimize paperwork, reduce back‐to‐office visits, improve productivity, and achieve higher sales closing ratios by simplifying and automating their day‐to‐day processes. Always Connected Unified Communications (UC), Location‐based Services (LBS), and Business Intelligence (BI). Anytime, anywhere, any device real‐time communication and collaboration capabilities to employees. Enterprises can leverage LBS to track vehicles and employees in real‐time, while information can be extracted, analyzed and reported using BI. Pervasive Mobility Mobile Point‐of‐Sale (MPOS), Social Networking Services (SNS), Financial Management System (FMS) Human Resource Management Systems (HRMS). Enhance brand image , facilitate efficient administration of internal operations 24 March 2014 PARAG DEODHAR 3
- 4. • Consumerization of IT is driving new devices and access requests • Companies need to accept and address the reality • People expect to work on multiple devices and from anywhere • Companies need to provide access to applications and data from any device • IT needs to change its processes and tools to manage the devices, taking security into consideration PARAG DEODHAR 4 88% Globally, 88% of executives report employees are using their personal computing technologies for business purposes today ‐ Gartner 24 March 2014
- 5. The Blame Game – why company provided tools are not used? – The system is too complicated and takes too long – External partners have trouble accessing files I sent through company tools – The company does not offer mobile access – convenience… – I was never trained to use company systems Source: Ponemon institute Survey shows that many employees use high risk methods to store or move sensitive corporate data. 24 March 2014 PARAG DEODHAR 5
- 6. Laptops Other devices – Tabs / Smart phones – Company Owned – BYOD • Shared devices Risks!!! – Data segregation – Data Leakage – Personal Data on device – Unverified apps – Lost, Stolen 24 March 2014 PARAG DEODHAR 6
- 9. Infecting legal web resources – Mobile malware spreads via popular websites. More and more smartphone and tablet owners use their devices to access websites, unaware that even the most reputable resources can be hacked. Distribution via alternative app stores. – In Asia there are numerous companies producing Android‐based devices and Android apps, and many of them offer users their own app stores containing programs that cannot be found in Google Play. The purely nominal control over the applications uploaded to these stores means attackers can conceal Trojans in apps made to look like innocent games or utilities. Distribution via botnets. – Bots self‐proliferate by sending out text messages with a malicious link to addresses in the victim’s address book. We also registered one episode of mobile malware spreading via a third‐party botnet. Criminals are increasingly using obfuscation, the deliberate act of creating complex code to make it difficult to analyze. The more complex the obfuscation, the longer it will take an antivirus solution to neutralize the malicious code. 24 March 2014 PARAG DEODHAR 9
- 10. Android devices account for 60% of the infections observed in the mobile network. Malware is in the form of Trojanized apps with phishing spam campaigns luring victims to install the infected apps. Reasons: – Android has largest smartphone market share. Maximize criminal’s RoI. – Android offers the ability to load apps from third‐party app sites. Un‐policed mechanism to distribute their malware. – It is trivial for an attacker to hijack a legitimate Android application, inject malware into it and redistribute it for consumption. There are now binder kits available that will allow an attacker to automatically inject malware into an existing application. This is only exacerbated by Android’s incredibly weak app signing policy that encourages using self‐ signed certificates to sign applications. Common Malware: – Adware – Information Stealers – Spy Phone – SMS Trojans – Banking Trojans – Fake Security Software 24 March 2014 PARAG DEODHAR 10
- 12. Jailbreak Jammers – Fool the MDM agent by patching the device leaving no trace for the MDM agent to detect if the device is Jailbroken or Rooted. mRAT – Gets high privilege access and can access all communications that happen on the device, can access all encrypted emails and secure highly confidential documents and then sends these content to the attacker’s command and control (C&C) servers – Bypass container encryption – grab the information at the point where the user pulls up the data to read it. Mobile Device Tunnel Borers – Since the tunnel is typically created on allowed ports (e.g. port 22, SSH) it cannot be blocked by Firewalls and or IDS/IPS solution. 24 March 2014 PARAG DEODHAR 12
- 13. Corporate Owned • High Cost = Device + Management • Allow personal data – risk of “pirated” software / images / videos on corporate device • Generally single OS/brand/model – easy to manage but no choice for employees BYOD • Increases Productivity – myth or fact? • Lower cost • Multiple OS/brands/models to manage • Employee privacy – does law allow data wiping on assets owned by someone else? 24 March 2014 PARAG DEODHAR 13
- 14. MAM MIM 24 March 2014 PARAG DEODHAR 14 DEVICE APPLICATION DATA • Ability to ensure the proper protection around the entire device and ensure compliance with the set policies. • Central management of all mobile devices and ability to check compliance of each device. • Security around the information is an unknown. • Ability to apply controls becomes significantly difficult. • Monitoring becomes significantly difficult. • Centralized location for data and information. • Ability to access information from almost any device and share between multiple platforms • Loss of native apps and the “look and feel” of what the user is typically accustomed to • Intrusive management & lock down • Degraded user experience and added troubleshooting requirements • Electronic Discovery difficult. • Inability to separate personal data from company data. • Containerization. • Policies are pushed only to the container; user experience is not impacted for the entire phone. • Applications within the container • Support single‐sign‐on
- 15. COMPLY WITH APPLICABLE LAWS AND REGULATIONS FOCUS ON DATA – NOT ON DEVICE POLICY AND TRAINING / AWARENESS END USER AGREEMENT LIST OF ALLOWED DEVICES CHOOSE THE RIGHT MDM / MAM / MIM SOLUTION – YOUR ENVIRONMENT & DEVICES – DATA FLOW AND ACCESS REQUIREMENTS – CONVENIENCE v/s SECURITY • CONTAINERIZATION & DEVICE LEVEL POLICIES • SECURE WIPE • IDENTITY AND ACCESS • ENCRYPTION – EMPLOYEE PERSONAL DATA PRIVACY – CORPORATE APP STORE – INTEGRATION WITH DLP & DRM MOBILE SECURITY SOLUTIONS IMPLEMENT ENHANCED NETWORK SECURITY FOR MOBILE GATEWAYS TRAIN APPLICATION DEVELOPERS IN SECURE CODING PRACTICES FOR MOBILE DEVICE PLATFORMS LIMIT THE SENSITIVE DATA TRANSFERRED TO MOBILE DEVICES, OR CONSIDER VIEW‐ONLY ACCESS. PERFORM TECHNICAL SECURITY ASSESSMENTS ON MOBILE DEVICES AND THE SUPPORTING INFRASTRUCTURE — FOCUS ON DEVICE‐SIDE DATA STORAGE. ESTABLISH A PROGRAM THAT CONTINUALLY EVALUATES NEW AND EMERGING THREATS IN MOBILE PLATFORMS. AUDIT THE DEVICES… 24 March 2014 PARAG DEODHAR 15