Marc smeets KPMG - mobile security - act now to have comfort

Slide 1: Security around BYOD & Consumerization
Act now to have comfort!
Heliview Consumerization of IT, December 11 2012, Feijenoord Stadion
Marc Smeets

Slide 2: Who am I
Marc Smeets:
■ Loves IT security
■ Loves fast cars
■ Loves champagne
IT security advisor / ethical hacker @ KPMG IT Advisory
■ Team of over 40 IT security advisors, 25 penetration testers
■ Combining strong technical skills with IT auditing skills
■ Hacking and testing mobile since 2009
© 2012 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

Slide 3
What are the challenges with current security of mobile devices?
What to do now in order to have comfort?

Slide 4: The challenges

Slide 5: Mobile security
New platforms and new terms:
Bring Your Own Device
Select Your Own Device
Apps & AppStore
Cloud integration & online ID
New vendors on the market
Mobile Device Management

Slide 6: Question: Are we more secure than before?
Slide 7: Mobile Security
Are we becoming more secure?
Yes, new mobile platforms are more secure in several aspects:
■ Disk encryption built-in
■ New core security features
■ Locked-down platforms with their own eco-system
No, new platforms still fail at basic security:
■ Size and complexity of the eco-system
■ Basic security checks ineffective
■ Remote wipe
■ Easy installation of Apps
■ Security update cycle
■ Apps Apps Apps | Insecure Insecure Insecure
Slide 8: Challenge: remote wipe

Slide 9: Challenge: remote wipe
Slide 10: Challenge: encryption
iOS disk encryption:
■ Technically it is hard disk encryption
■ But, it decrypts itself without user input
■ Main reason: fast wiping via crypto-shredding
Android disk encryption:
■ Better implementation
■ But depending on version
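As an added example (not from the deck, and not iOS's or Android's actual design), a Python model of the key hierarchy behind these bullets: a storage key wrapped by a device key alone unlocks without any user input, a passcode-bound wrapping does not, and a remote wipe only has to destroy the small wrapped key (crypto-shredding) rather than overwrite the flash. The HMAC-SHA256 keystream stands in for the real cipher, and the key layout, field names and sample data are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data standing in for encrypted user-partition contents.
SAMPLE_STORAGE = b"corporate mailbox: Q4 board minutes, customer list"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, counter) blocks.
    Stand-in for AES so the example runs on the standard library only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def derive_kek(hw_key: bytes, passcode: Optional[str], salt: bytes) -> bytes:
    """Key-encryption key. Without a passcode it is the hardware key alone, so
    anything that can drive the hardware unwraps the data key without user
    input (the deck's iOS point). With a passcode the KEK also depends on a
    PBKDF2-derived secret only the user can supply."""
    if passcode is None:
        return hw_key
    pw_key = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)
    return hashlib.sha256(hw_key + pw_key).digest()


def provision(plaintext: bytes, passcode: Optional[str] = None) -> dict:
    """Encrypt storage under a random data key and wrap that key under the KEK.
    The key-check value lets unlock() detect a wrong KEK instead of returning garbage."""
    hw_key, salt, data_key = os.urandom(32), os.urandom(16), os.urandom(32)
    return {
        "hw_key": hw_key,  # fused into the SoC on a real device; never leaves it
        "salt": salt,
        "wrapped_key": keystream_xor(derive_kek(hw_key, passcode, salt), data_key),
        "kcv": hmac.new(data_key, b"key-check", hashlib.sha256).digest(),
        "storage": keystream_xor(data_key, plaintext),
    }


def unlock(device: dict, passcode: Optional[str] = None) -> Optional[bytes]:
    """Unwrap the data key and decrypt storage. Returns None if the wrapped key
    has been shredded or the supplied passcode does not reproduce the KEK."""
    if device["wrapped_key"] is None:
        return None
    kek = derive_kek(device["hw_key"], passcode, device["salt"])
    data_key = keystream_xor(kek, device["wrapped_key"])
    expected = hmac.new(data_key, b"key-check", hashlib.sha256).digest()
    if not hmac.compare_digest(device["kcv"], expected):
        return None
    return keystream_xor(data_key, device["storage"])


def remote_wipe(device: dict) -> None:
    """Crypto-shredding: destroy only the 32-byte wrapped key. The ciphertext
    stays on flash but is unreadable, which is why the wipe is instant."""
    device["wrapped_key"] = None
```

Run `unlock(provision(SAMPLE_STORAGE))` to see the no-passcode device decrypt with no user input, then compare with a device provisioned with a passcode before and after `remote_wipe()`.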
Slide 11: Challenge: encryption

Slide 12: Challenge: encryption

Slide 13: Challenge: encryption
Slide 14: Challenge: the mobile eco-system
Diagram labels: Internet; corporate Exchange services; devices; WiFi / UMTS / GPRS; Mobile Device Management.

Slide 15: Challenge: the mobile eco-system
Diagram labels: Internet; corporate Exchange services; Mobile Device Management; Internet services; devices; WiFi / UMTS / GPRS; WiFi / USB; USB; web cloud services; Bluetooth; local services; corporate / private network; peripherals; legacy ActiveSync connection.
Slide 16: Challenge: basic management of security checks
Two major security issues with Exchange ActiveSync:
■ 1. Security checks are device-local security checks
■ 2. Relies on communication over HTTP(S)

Slide 17: Challenge: basic management of security checks
Slide 18: Challenge: Apps Apps Apps | Insecure Insecure Insecure
Change in usage:
■ Email & Contacts → External Apps → Line-of-Business Apps
Not all App developers are at the desired maturity level.
Main issues we encounter when security testing mobile Apps:
■ Insecure local storage of data
■ Data in transit not secured
■ Insecure server-side controls
■ Weak identification and authentication

Slide 19: What to do?
Slide 20: What to do?
Quick and easy fixes for mobile:
■ Implement MDM with a proper policy
■ Educate and train your users
■ Have your Apps tested for security issues
■ Be aware of residual risks
But, more important: be ready for cybercrime
■ “Online banking two-factor authentication compromised by a hybrid trojan (PC + mobile), 36M EUR stolen:”
■ “3,325% increase in malware targeting the Android OS”
NCSC – Beveiligingsrichtlijnen voor mobiele apparaten:
■ “Vulnerabilities through which malware can be installed”
■ “An attacker steals money from the user by means of malware that, in the background, makes use of premium-rate SMS services or telephone numbers.”
Slide 21: Cybercrime
What is cybercrime?
Cybercrime concerns performing illegal activities towards an organization, using digital means.
The term cybercrime covers a proliferation of purposes and methods of attack.
Purpose of attack: fun; financial gain; activism; espionage; terrorism; digital warfare; breaking the chain.
Method of attack: hacking; phishing; identity theft; denial of service; advanced persistent threat.
Shifting viewpoint in InfoSec:
■ Traditional InfoSec: value of information to the organization (confidentiality, integrity, availability); focus on crown jewels.
■ New InfoSec: value of information to the attacker; security awareness and understanding of risks is crucial; attackers understand the risks of technology, so should you.
Think like a hacker!
Slide 22: Examples of cybercrime attack

Slide 23: Examples of a cybercrime attack
Non-default attacks
Slide 24: Cybercrime defence
What should you do in the short term?
■ Prevent: perform risk analysis from the perspective of the attacker.
■ Detect: identify and monitor critical assets.
■ Respond: implement a standby incident response organisation.

Slide 25: Cybercrime defence
It is not about technology alone: People + Process + Technology!
What should you do in the long term?
Cybercrime defence framework (columns: Prevent / Detect / Respond):
■ People / Organisation: security awareness training; appoint cybercrime defence as a responsibility; security operations centre 24/7; crisis organisation; communications.
■ Processes: compliance monitoring; vulnerability monitoring; security testing; patch management; incident preparedness training; procedures for follow-up on security events; cybercrime response plan; high-value asset isolation procedures.
■ Technology: segmentation; endpoint and perimeter protection; logging and alarming; incident dashboards; forensic analysis.
Slide 26: Cybercrime defence
Main message
■ ‘Everything mobile’ changes your security posture.
■ The cybercrime threat is real and here to stay.
■ Take a look at your company from an attacker’s perspective.
■ Prevention is insufficient. Invest in detection and response.
■ 100% security is not possible. And undesirable!

Slide 27
Marc Smeets
smeets.marc@kpmg.nl
+31 6 51 36 66 80
@MRAMSMEETS