Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

NETC 2012_Mobile Security for Smartphones and Tablets (pptx)


Published on

Are security concerns for mobile devices, like smartphones and tablets, real? Or, are claims of exponential growth in malware simply FUD? We will explore the major mobile operating systems and security concerns with each. This session will provide tips that can be shared to help your users protect their personal info and data when viewed from a mobile device. Information on mobile security programs will be shared, as well, including a look at whether free or commercial offerings provide better protection.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

NETC 2012_Mobile Security for Smartphones and Tablets (pptx)

  1. 1. Are our mobile devices too ‘smart’ for their own good?MOBILE SECURITY FORSMARTPHONES AND TABLETS
  2. 2. One Ring to Rule Them All• Smartphones and Tablets are the most intimate pieces of IT that weve ever had: – Personal digital assistant, High resolution cameras – GPS navigation, Wi-Fi, Enhanced web browsers – Apps to do almost anything• Users (from healthcare, police, military) store/manage personal data & sensitive info – View slides at One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them. J. R. R. Tolkien
  3. 3. Mobile (via @LukeW)• Think Mobile First• 3 Trends in Mobile Devices – Processing Power – Network Access – Data in the Cloud• 1.4 Million devices are activated each day
  4. 4. BYOD• Bring Your Own Disk• Bathe Your Own Dog• Be Your Own Detective• Bring Your Own Dessert• Bring Your Own Deck (a.k.a John Dorner)• Bring Your Own Drink• Bring Your Own Disaster
  5. 5. Bring Your Own Device “Consumerization of IT,” refers to employees who bring their own computing devices – such as laptops, smartphones, and tablets to the workplace for use, using a corporate network for connectivity
  6. 6. How Are Smartphones Being Used?(9/20/2011)
  7. 7. Forrsights Workforce Employee Survey• Q4 2011, asked 9,900 information workers in 17 countries about devices they use, personal devices they use for work purposes 1• Typical information worker has manage their information from more than one device• Interested in work systems and personal cloud services that enable easy multidevice access, such as Dropbox, Box, SugarSync, Google Docs/Apps, Windows Live, and Apple iCloud
  8. 8. Combination of Devices
  9. 9. Combination of Devices
  10. 10. Global Device Usage• 33% use operating systems other than MS
  11. 11. Global Device Usage• 25% are mobile devices, not PCs
  12. 12. Forrsights Workforce Employee Survey• Shipping PCs still > 90% Win OS• Share of PCs in companies is even higher• Info workers, not IT, are voting with $$$, Microsoft is down to about two-thirds of the devices they use to get work done• Report concludes that – “mobile devices will become majority of devices used for work, surpassing PCs” and “Windows’ device share will fall below 50 % by 2016.”
  13. 13. Security Quotes “Against the growing, unstoppable backdrop of consumerisation and BYOD [bring your own device], every mobile device is a risk to business.” Raimund Genes, Trend Micro CTO 2
  14. 14. Security Quotes “Security becomes a critical requirement (in mobile banking) and all parties involved in a financial transaction need to consider security. Mobility and freedom to transact anywhere, anytime is no longer negotiable - it is the nature of the lives we live today.” Schalk Nolte, Entersekt 3
  15. 15. Security Quotes “Im sure youve seen this scenario. Halfway through [a] flight, a user switches from super-critical pieces of corporate work to checking out the app they downloaded while waiting in the airport terminal.” Cameron Camp, ESET 4
  16. 16. Security Quotes “Today what we’re seeing are malicious Android applications that have bundled legitimate apps such as Rovio ’s Angry Birds Space. First the malicious “wrapper” tricks and manipulates the user into granting permissions that allow the malware to subscribe to premium rate services. But then… the malware actually does install a working copy of the promised game. At this point, there is little to be suspicious of and nothing to troubleshoot. The user gets the game that he was promised.” Sean Sullivan F-Secure Labs 5
  17. 17. MDM vs. Mobile Security• What is Mobile Device Management (MDM)?• By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can greatly reduce support costs and business risks. Gartner Aug 2011• Software allows you to: – Remote lock/wipe, Password enforcement – Remote Configuration and Provisioning – Logging and Reporting, Decommissioning
  18. 18. Why Do Criminals Want Access?• Smartphones are the new credit cards! – This is where our "wallets" are – This is where our information is• Criminals will take any info for Identity Theft• They can sell (make money) on online forums• Targeted emails designed to be read on Smartphone/Tablets are just a matter of time
  19. 19. Security and Data Protection• Focus Four – Apple iOS – Blackberry – Google Android – MS Windows Phone 7• Discussion will be Smartphone focused but will discuss tablets at the end
  20. 20. Smartphone Market Share 6
  21. 21. Which BOYD is most secure?Answer:1. Blackberry2. iPhone and Windows Phone 7.x3. Android That said, if you have poorly educated user, they can download malicious app on any Smartphone or Tablet and it can be compromised!
  22. 22. Which BOYD is most UN-secure?Answer:1. Android2. iPhone and Windows Phone 7.x3. Blackberry That said, this can change quickly.. Could have a Vulnerability that is quickly accessed on iPhone by attackers
  23. 23. Blackberry• Long history of being Enterprise Ready• RIMs upcoming BlackBerry 10 (B10) OS is intended to be even more secure• BB10 security will have multiple integrated layers, with tight relationship between hardware and software• There will be a permissions-based security model for apps, coupled with a various OS- level security and safety features
  24. 24. B10 New Protections• Blocking root access, which enables a user or hacker to gain administrative access to the OS• Memory randomization, "scrambles" where in memory routines may run, making it harder for these to be leveraged by attackers• Adding security management, including auditing, to the kernelSource: Network World “BlackBerry 10 OS will have multi-layered security model” May 8, 2012
  25. 25. Apple iOS• Will growing popularity in iOS mean criminals will target?• Apple doesn’t allow 3rd party companies to develop antivirus software for iOS-based devices, such as the iPhone and iPad• Enterprise iPhone security issues and how to address them (Dec 2011)
  26. 26. Apple iOS• iOS threats are largely satisfied by tweaking native security settings• VirusBarrier for iOS by Intego, $2.99• “Flashback” Java Vulnerability Exploit – 2 month delay for Apple’s Response – 600,000 Mac users infected• Can you jailbreak iOS? Yup! – Absinthe 2.0 Untethered Jailbreak Released for iOS 5.1.1 (May 25 2012)
  27. 27. Apple iOS• Kaspersky CEO Eugene Kaspersky is very vocal in his criticism of Apple – Criminals “are happy with Windows computers. Now they are happy with Mac. They are happy with Android. It is much more difficult to infect iOS but it is possible and when it happens it will be the worst-case scenario because there will be no protection. The Apple SDK won’t let us do it.” 7 – Eugene Kaspersky frustrated by Apple’s iOS AV ban (May 22 2012)
  28. 28. Windows Phone 7 History 8,9• Released in late 2010, 7 updates since then – Microsoft shut down the Marketplace app store for older Windows Mobile 6.x phone platform on May 9, 2012• Apps only from Windows Phone Marketplace• Aimed at the Consumer market not Enterprise• Smartphone OS market share 2011 – MS has only 1.9% market share – IDC predicts a 20% share by 2015 (likely high)
  29. 29. Windows Phone 7 Platform Security• Chambers concept to enforce app isolation and least privilege, 4 chambers, apps in LPC• The fourth chambers is capabilities based – Least Privileged Chamber (LPC)• Three higher chambers have fixed permissions – Standard Rights Chamber (SRC) – Elevated Rights Chamber (ERC) – Trusted Computing Base (TCB)
  30. 30. Windows Phone 7 App Security• Capability checks are enforced at runtime• Requests for other resources == UnauthorizedAccessException• Apps must have a valid MS signature to be installed & run in LPC sandbox• Apps use their own “Isolated Storage”• WP7 allows developers to encrypt data and databases
  31. 31. Windows Phone 7 - What’s Missing• Lack of native disk encryption• No support for client side SSL certificates• Lack of in built VPN functionality – Source: Windows Phone 7 not fit for big biz ... unlike Android, iOS
  32. 32. Windows Phone 7 Tips• Only install apps from Marketplace. This ensures that any app you install has been digitally signed, which reduces your risk and increases phone safety• Windows Phone 7 includes a "Find My Phone" feature that allows you to find a lost phone, lock it remotely, and also wipe it remotely• Best-windows-phone-7-apps#security
  33. 33. Android• Popularity makes Android a lucrative target for malware authors• New families and variants of malware keep cropping up each quarter, trend shows no sign of slowing down• In Q1 2012, malware authors are focusing on improving their malware’s techniques in evading detection, as well as exploring new infection methods
  34. 34. F-SECURE Mobile Threat Report• In Q1 2011, 10 new families and variants were discovered; In Q1 2012, 37 new families and variants were discovered• Malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts. F-SECURE Mobile Threat Report, Q4 2011 (.pdf)
  35. 35. Kaspersky - # of Signatures
  36. 36. That Said... Perspective• Mobile malware numbers remain low -- about 1% or less of all malware globally• Android threats now reach almost 7,000, with more than 8,000 total mobile malware in our database• To put it in perspective, there are 83 million malware samples in McAfee’s database McAfee Threats Report for First Quarter of 2012 (.pdf)
  37. 37. Android – Reducing Risk• Practice safe mobile computing, Be vigilant and avoid risky behavior• Don’t install apps that are new to the market – Yahoo’s Axis Browser Security Slip-Up (May 23 2012)• Research apps before downloading, Check the publisher and app reviews, Use the official Android Market• Avoid side-loading apps, unless software and its developer are familiar to you.
  38. 38. Android – Reducing Risk• Turn off the ability to install apps from unknown sources in by going to Settings and then to the Security menu (in Android 4.0 or later) or the Applications menu (in earlier versions of Android)• When installing an app, pay close attention to the permissions it requires, Use your phone’s app-management tools to make sure it’s using only the resources it promised to use
  39. 39. Android – Reducing Risk• Be wary of phishing scams and malware via the Web browser or SMS messages• Be cautious if you root a device, Keep an eye out for Superuse prompts displayed when an app requests root permissions• Rooting allows you to use some powerful apps and even enhanced security functionality, but at the same time increases potential damage from infections
  40. 40. Android – Reducing Risk• Install an antivirus/security app• Block or disable ability to send premium SMS subscriptions (prevent malware from sending messages that will automatically charge your account) – AT&T (Manage Mobile Purchases & Downloads) – Verizon FAQ – More from c|net
  41. 41. Android – Mobile Security Apps• PC Mag Review (May 24 2012)• Apps reviewed on 5 Stars – Bitdefender Mobile Security – F-Secure Mobile Security 7.6 – Lookout for Android – McAfee Mobile Security 2.0 – TrustGo Antivirus and Mobile Security 1.0.6 – ESET Mobile Security 1.1
  42. 42. Infographic: Grand Theft MobileSource:
  43. 43. Security Checklist• Attevo is a global business and information technology consulting firm based in Cleveland, OH• Here is their 13-point checklist for addressing mobile technology threats 10• Keep in mind security around Windows laptops from mid to late 1990s
  44. 44. Security Checklist1. Where is My Device Again? Always maintain physical control over your smartphone to prevent outright theft, unauthorized usage or the installation of malware (apps with malicious code) by seemingly mild-mannered co-workers or by ruthless digital predators; treat a smartphone like a wallet, never leave it unattended in public spaces. vcv_note: @LukeW listed Near Field communication (NFC) as a positive, it is, I guess
  45. 45. Security Checklist2. Yes, You Need to Use a Passcode Enable the smartphones password/passcode protection; a recent study reveals that only 38% of smartphone users enable this security feature. vcv_note: SIM-locks can be by-passed, but BlackBerrys a challenge (May 17, 2012) Tip: Open Excel. In cell A1, enter =RAND() and press Enter. Fill Down to A10. Pick 5 random codes.
  46. 46. Security Checklist3. You Still Need to Do Updates Install operating system updates whenever they become available to reduce the number of system vulnerabilities; a 2011 report indicated that 90% of Android users were running outdated operating system versions with serious security vulnerabilities. vcv_note: Reinforce basics with your staff
  47. 47. Security Checklist4. Use a Security App Install an anti-malware protection app (if available for the device) to thwart infection from malicious apps and websites; all major platforms have been hacked and are susceptible. vcv_note: Free apps are good (better than nothing), but pay for apps give more features. Go ahead and spend 4.99 or 9.99
  48. 48. Security Checklist5. Be Careful Where You Browse When using the smartphones or tablet’s web browser, avoid suspicious/questionable websites that can be the source of malicious code. vcv_note: Few se-curity apps are available for iOS, but you can find secure Web browsers that offer extra features to lower risk of stumbling upon a malicious website, ex: Webroot SecureWeb Browser
  49. 49. Security Checklist6. Download/Install with Care & Caution Be selective when buying or installing apps; wait for app reviews, download only from trusted sources (known app stores) and be cautious/suspicious of free apps, because they are free for a reason (the reason could be access to your data). vcv_note: Google Android Market, Windows Phone Marketplace, RIM BlackBerry App World and Appstore for Android all disclose the permissions of apps. Apple iTunes App Store doesn’t (Apple vets apps)
  50. 50. Security Checklist7. Review What You “Agree To” Understand and control each downloaded apps "access" to smartphone data and personal information; game apps do not need access to phonebook contacts, photos, e- mails, location, browsing history, texting history and other phone features (avoid allowing automatic app updates). vcv_note: Double check, then go back AGAIN
  51. 51. Security Checklist8. Credentials Management Do not save passwords, PINs or other account information as Contacts or in Notes. vcv_note: In other words, don’t put your password on a sticky and attach it to the tablet
  52. 52. Security Checklist9. Wild Wild Free Wi-Fi Avoid using open Wi-Fi, especially for shopping and banking activities; Wi-Fi sniffing is a common occurrence that can have significant consequences like lost credit card numbers. vcv_note: Do not, I repeat, DO NOT do this at all
  53. 53. Security Checklist10.Phishing is More Than Nigerian Spam Avoid opening suspicious e-mail or SMS text messages, especially from unknown sources. Unwary readers may be unwillingly tricked into phishing by entering sensitive information from online prompts. vcv_note: If you are not certain, email your IT Specialist and ask, ;-)
  54. 54. Security Checklist11.Shields Up! Go to Red Alert! Turn the Bluetooth access feature off when not needed and avoid Bluetooth use in busy public areas. vcv_note: Commander Riker Audio
  55. 55. Security Checklist12.PIN Use “Good”; PIN Default “Bad” Utilize a PIN to access voice-mail and avoid using the carriers default PIN setting. vcv_note: Beyond the default... Top ten iPhone passcodes: [1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1 212, 1998] 11
  56. 56. Security Checklist13.Locked and Loaded Insure that smartphone or tablet e-mail account access is through either a SSL or HTTPS connection so that transmitted data is encrypted. vcv_note: Quick web search should provide this answer. Example: Gmail
  57. 57. Encrypting Email Traffic• Android – TouchDown for Smartphones by NitroDesk includes support for S/MIME keys from EchoWorx• Blackberry – BlackBerry devices provide encryption and policy from the BlackBerry Enterprise Server (BES); The implementation is trusted and validated by many government organizations
  58. 58. Encrypting Email Traffic• iPhone – 3GS has hardware encryption (also enabled via ActiveSync option); AES256 employed by default; Pre-3GS devices do not provide encryption – Encryption bypass vulnerabilities all require the iPhone to be already jail-broken• Windows Phone – Good for Enterprise by Good Technologies providing security at the application layer (in addition to device security)
  59. 59. Tablet Security Products• Pay-for Android tablet security, similar features, protect 1 device for 1 year, $19.99 – Norton Mobile Security Lite – Kaspersky Tablet Security – Webroot Mobile Security• Norton 360 Everywhere (May 4 2012) – protects up to 5 devices, including PC, Mac, and Android smartphones and tablets, $99
  60. 60. Jumpstarting Your BYOD Policy 12• Basic BYOD employee training include: – Training on physical security – Training on Wi-Fi security – Information about social engineering attacks and how to avoid them – A requirement to password-protect personal devices and education on strong passwords – Clearly stated rules on what work-related data can be accessed from personal devices (Ohio State)
  61. 61. Intel’s Mobile Policy 13• Policies and security expectations are same for corporate and personally owned devices• Communicated to employees... – When employees sign up for particular services – When staff connect a new device to the Intel network – On a regular basis through security awareness articles and notices – In an annual security refresher for the entire staff
  62. 62. Future for People• One Constant ... Human Nature• People will look to do both good and bad things with technology• Consumers will continue to drive new devices and technology• Lack of Security Skills with today’s devices (and future devices) will haunt us going forward
  63. 63. Future for Technology• Advances in materials science will continue to make devices smaller and faster• Embedded devices – iDermal, Strapless iPod Nano Watch• Tokenless Two-Factor authentication – PhoneFactor (Commercial) Video, White Paper• Improved Security Built-In to devices (hope) – ZTE Android Backdoor Vulnerability
  64. 64. Future Threats• Social Networks will continue to evolve and change• Transition to a more secure 3G/4G may take some time• Those with bad intent (e.g. criminals) will always find way to outwit or outlast any security measures put into place – One Constant ... Human Nature
  65. 65. Future Actions (by YOU)• BYOD is a done deal (mostly)• Devices with very little effort can be made reasonably secure• Mobile Device Management (MDM) still young – implement but review in 1 year
  66. 66. Final Thoughts• We come back to USER EDUCATION, TRAINING, and RE-TRAINING• Encourage the use of “Common Sense”• Discourage the attitude of “No one would want my data” and “this can’t happen to me”• Security - Its not your fault. Its your responsibility.
  67. 67. Sources 1. Employees Use Multiple Gadgets For Work — And Choose Much Of The Tech Themselves 2. BlackBerry still trumps Android for security, analysis finds 3. 41% of people believe online banking and shopping is akin to playing Russian Roulette 4. BYOD Smartphones, PCs and Tablets Raise Big Security Risks, Experts Say 5. Mobile Threat Report Q1 2012, F-Secure Labs 6. Android, Apple iOS run away from pack: Can Windows Phone challenge at all? 7. Apple iOS Needs Antivirus Protection: Kaspersky 8. SecurityBSides London - windows phone 7 9. Bsides London 2012 David Rook: Windows Phone 7 platform and application security overview 10. Attevo Offers A 13-Point Security Checklist For Smartphone Users 11. Most Common iPhone Passcodes 12. Jumpstarting Your BYOD Policy 13. How to Enforce Your Mobile Policy