Mobile Security

Slides about mobile security presented during the BELTUG Security SIG ("Special Interest Group") in January 2013.

  1. Mobile Security
     “Bring war material with you from home but forage on the enemy” - Sun Tzu
     Xavier Mertens, Beltug SIG Security - Jan 2013
  2. Disclaimer
     “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
  3. Agenda
     • Introduction: Top-10 mobile risks
     • Company owned devices
     • Employee owned devices (BYOD)
     • Risks inherent in mobile devices
     • Mobile applications development
  4. Top-10 Mobile Risks (Source: OWASP)
     • Insecure data storage
     • Weak server side controls
     • Insufficient transport layer protection
     • Client side injection
     • Poor authentication & authorization
     • Improper session handling
     • Security decisions via untrusted input
     • Side channel data leakage
     • Broken cryptography
     • Sensitive information disclosure
  5. Top-10 Mobile Risks (same list as slide 4, with the callout: “Mobile devices are Computers!”)
  6. Company Owned Devices
  7. Easy? Really?
     • Limited set of manufacturers/OS
     • Full control of hell?
     • People try to escape the jail (as with laptops)
     • Need procedures (backups, helpdesk)
  8. Corporate Policy
     • Must be communicated & approved before the device is provisioned
     • Communication channels: addendum to a contract, Intranet, a “check box”?
     • Restrictions (SD cards, Bluetooth, camera)
     • What about private data? (pictures, MP3s, downloaded (paid!) apps)
  9. Examples
     • Document already available on beltug.be (Members section)
     • Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
  10. Data Classification
     • Another approach is implementing data classification
     • Implementation of the “least privilege” principle
     • Access to data is based on profiles
     • Works with any device! (the benefit is broader than the scope of mobile devices)
  11. Data Classification
     Data Classification    Company Owned Devices   Personal Devices
     Top-Secret             No                      No
     Highly Confidential    No                      No
     Proprietary            Yes                     No
     Internal Use Only      Yes                     Yes
     Public                 Yes                     Yes
  12. Employee Owned Devices
  13. Why do people BYOD?
     • Devices became cheaper and more powerful
     • The “Generation Y”
     • Always online, everywhere!
  14. First Question?
     • Are you ready to accept personal devices on your network?
     • It’s a question of ... risk!
     • Examples: data loss, network intrusion, data exfiltration
  15. “MDM”?
     • Do you need an MDM solution? (Mobile Device Management)
     • Can you trust $VENDORS?
     • Microsoft Exchange includes ActiveSync for free
     • Most security $VENDORS propose (basic) tools to handle mobile devices
  16. Minimum Requirements
     • Automatic lock + password
     • No jailbroken devices
     • Remote wipe
     • Backups (who’s responsible?)
  17. Risks Inherent In Mobile Devices
  18. Personal Hotspots
     • Tethering allows mobile devices to be used as hotspots
     • Corporate devices (laptops) could bypass Internet access controls
     • Risk of rogue routers (if IP forwarding is enabled)
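The rogue-router risk on slide 18 leaves a trace on the wire. The following is an added example, not part of the original slides: a phone that forwards traffic for a laptop behind it decrements the IP TTL once, so a single source address emitting both its own default TTL (64 on Android and iOS) and a TTL one below a common default (63, 127) is a tethering candidate. The flow records are constructed for the example, and the sensor is assumed to sit on the access segment itself, because any router between it and the clients shifts every TTL by one.

```python
"""Spot tethered clients by their IP TTL (added example, constructed data)."""
from collections import defaultdict

# Initial TTLs used by common stacks: Linux/Android/iOS 64, Windows 128,
# some network gear 255. A host one hop behind a phone shows one less.
INITIAL_TTLS = {64, 128, 255}

# Constructed sample flow records: (source IP as seen on the LAN, observed TTL)
SAMPLE_FLOWS = [
    ("10.20.0.15", 64),   # the phone itself (Android/iOS default)
    ("10.20.0.15", 63),   # forwarded by the phone: one hop, TTL decremented
    ("10.20.0.15", 127),  # a Windows laptop behind the same phone
    ("10.20.0.42", 128),  # a Windows host talking directly
    ("10.20.0.77", 64),   # a Linux host talking directly
]


def ttl_distance(ttl):
    """Return (initial_ttl, hops): the nearest default TTL >= ttl and the
    number of routers the packet must have crossed to reach that value."""
    base = min(t for t in INITIAL_TTLS if t >= ttl)
    return base, base - ttl


def find_tethering(flows):
    """Return {src_ip: sorted TTLs} for sources that emit traffic exactly one
    hop behind them, i.e. the phone is acting as a router for other devices."""
    seen = defaultdict(set)
    for src, ttl in flows:
        seen[src].add(ttl)
    suspects = {}
    for src, ttls in seen.items():
        hops = {ttl_distance(t)[1] for t in ttls}
        if 1 in hops:
            suspects[src] = sorted(ttls)
    return suspects


if __name__ == "__main__":
    for src, ttls in find_tethering(SAMPLE_FLOWS).items():
        print(f"{src}: possible tethering, TTLs seen {ttls}")
```

A host with a non-default initial TTL produces false positives, so treat the result as a lead to confirm from the device side (hotspot status reported by the MDM, or the laptop's own connection log), not as proof.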
  19. Rogue App Stores
     • A mobile device without apps is less useful
     • Owners tend to install any app
     • Some apps request far more rights than they need
     • People trust app stores and developers
     • Developers must write good code
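"Some apps request far more rights than they need" can be checked before an app is allowed into a corporate store. The following is an added example, not from the original deck: it parses the text form of an Android manifest (what apktool or aapt produce; inside an APK the manifest is binary XML) and compares the requested permissions with the allowlist a reviewer declares for the app's stated purpose. The manifest, the allowlist and the sensitive-permission set are constructed for the example; the permission names themselves are the real Android ones.

```python
"""Flag apps whose requested permissions exceed their declared purpose
(added example, constructed manifest and allowlist)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed: a "flashlight" app that also wants SMS, contacts and location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# What a flashlight legitimately needs (reviewer's assumption for the example).
EXPECTED = {"android.permission.CAMERA"}

# Permissions that expose personal data or cost money; report these loudly.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
}


def requested_permissions(manifest_xml):
    """Return the set of android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit(manifest_xml, expected):
    """Return (excess, sensitive_excess): permissions beyond the allowlist, and
    the subset of those that touch personal data or billable features."""
    excess = requested_permissions(manifest_xml) - expected
    return excess, excess & SENSITIVE


if __name__ == "__main__":
    excess, sensitive = audit(SAMPLE_MANIFEST, EXPECTED)
    for perm in sorted(excess):
        print(("SENSITIVE " if perm in sensitive else "extra     ") + perm)
```

The allowlist is the part that needs a human: the reviewer writes down what the app's purpose justifies, and the script only reports the difference. Anything in the sensitive subset is a reason to reject the app or to ask the developer why it is there.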
  20. QR Codes
  21. Geolocalization
  22. NFC
  23. Home & Cars
  24. Mobile Application Development
  25. OWASP Mobile Security Project
     • Mobile testing guide
     • Secure mobile development guide
     • Top-10 mobile controls and design principles
     https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  26. Lack of/Bad Encryption
     • Developers re-invent the wheel: do not write a new encryption algorithm
     • Encrypt everything (data at rest, data in transit)
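Slide 26 says not to write your own encryption algorithm. The following added example (not from the original deck) shows why, using the home-grown scheme most often found in apps as "protection" for a local settings file, a repeating-key XOR: one known file header recovers the key, and with it every other file stored under that key. The key, the file contents and the known header (crib) are constructed for the example. The fix is not a cleverer home-grown scheme but an authenticated cipher from the platform's crypto library for data at rest, and TLS for data in transit.

```python
"""Known-plaintext attack on a home-grown repeating-key XOR "cipher"
(added example, constructed key and data)."""


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Home-grown 'encryption': XOR each byte with a repeating key. Do not use."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_len(ciphertext: bytes, known_plaintext: bytes, max_len: int = 32) -> int:
    """XOR the crib against the ciphertext to get the key stream it hides,
    then return the smallest period at which that stream repeats."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for n in range(1, max_len + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    raise ValueError("no key period found within max_len")


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Key byte i = C[i] ^ P[i], because XOR is its own inverse."""
    if len(known_plaintext) < key_len:
        raise ValueError("crib shorter than the key")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def attack(stored: bytes, crib: bytes) -> bytes:
    """Recover the key from the crib and decrypt the whole file with it."""
    key = recover_key(stored, crib, guess_key_len(stored, crib))
    return xor_cipher(stored, key)  # XOR again with the key = decrypt


# Constructed: an app stores a JSON settings file "encrypted" with a fixed key.
KEY = b"s3cr3tK3y!"
SETTINGS = b'{"version":1,"user":"alice","api_token":"tok-7f3a9c1e"}'
STORED = xor_cipher(SETTINGS, KEY)

# The attacker only knows the file format: it always starts with this header.
CRIB = b'{"version":1,"user":"'

if __name__ == "__main__":
    print("key length:", guess_key_len(STORED, CRIB))
    print("recovered :", attack(STORED, CRIB).decode())
```

The crib needs to be at least twice the key length for the period test to be unambiguous; file headers, JSON braces and XML prologs routinely give an attacker that much. The same key reuse is what makes the scheme fatal: every file on every installation falls to the first one analysed.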
  27. Local vs. Remote Storage
              Pros                              Cons
     Local    No network costs; Speed           Risk of loss; Outdated
     Central  Always updated; No risk of loss   Data network ($); Speed
  28. Geolocalization
     • Again! But this time for good purposes
     • Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe
     • Combine with passwords for stronger authentication/authorization
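The check from slide 28 in code, as an added example that is not part of the original deck. The region is a coarse latitude/longitude envelope standing in for "Europe" (an assumption for the example; a real deployment would use a proper polygon or a geolocation service). The caveat from the OWASP list on slide 4 applies: the GPS fix is client-supplied, so it is treated as one extra factor that can only deny, never replace the password, and a missing or low-accuracy fix fails closed.

```python
"""Geolocation as an additional authorization factor for a sensitive action
(added example; the region box and thresholds are assumptions)."""
from dataclasses import dataclass

# Rough latitude/longitude envelope of Europe (assumed for the example).
EUROPE = {"lat": (34.0, 72.0), "lon": (-25.0, 45.0)}


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    accuracy_m: float  # horizontal accuracy reported by the device; large = weak fix


def inside(region, fix):
    """True if the fix lies within the region's bounding box."""
    lat_ok = region["lat"][0] <= fix.lat <= region["lat"][1]
    lon_ok = region["lon"][0] <= fix.lon <= region["lon"][1]
    return lat_ok and lon_ok


def authorize(action, password_ok, fix, max_accuracy_m=500.0):
    """Return (allowed, reason). The password is always required; the
    sensitive action (here: opening the wallet) additionally needs a usable
    fix inside the region. Location never grants on its own."""
    if not password_ok:
        return False, "password rejected"
    if action != "open_wallet":
        return True, "no location requirement for this action"
    if fix is None or fix.accuracy_m > max_accuracy_m:
        return False, "no usable location fix"  # fail closed, untrusted input
    if not inside(EUROPE, fix):
        return False, "device reports a position outside the allowed region"
    return True, "password and location accepted"


if __name__ == "__main__":
    brussels = Fix(50.85, 4.35, 20.0)        # constructed sample fix
    new_york = Fix(40.71, -74.0, 20.0)       # constructed sample fix
    for where in (brussels, new_york, None):
        print(where, authorize("open_wallet", True, where))
```

Run the decision on the server, never only in the app: a jailbroken device can feed the client any coordinates it likes, which is exactly why the location only narrows what a valid password may do.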
  29. Enterprise Appstores
     • Goal: distribute, secure and manage mobile apps through your own company-branded appstore.
     • Applications available in the appstore have been approved by a strong validation process.
  30. Thank You!
     Xavier Mertens
     xavier@rootshell.be
     @xme
     http://blog.rootshell.be
