EMERGING TRENDS IN ENTERPRISE MOBILITY AND SECURITY. Presented by: Don Gulling, CEO, Verteks Consulting

Transcription

1 EMERGING TRENDS IN ENTERPRISE MOBILITY AND SECURITY Presented by: Don Gulling, CEO, Verteks Consulting

2 You ve been DRAFTED During the 45 minutes of this presentation, a minimum of 69,750 confidential personal and financial records will be stolen. Breach Level Index reported that from January through March of this year, about 93,000 records were stolen each hour of the day. This total is definitely on the low end of what we should expect, since we know many breaches are still unreported or unknown. We ve all been drafted to fight in an ongoing war a war that has become more costly every day - and some of us don t even know we re soldiers in this conflict. Everyone in this room is on the front lines in the war to protect our vital financial data and confidential personal information from criminals and hackers.

3 Is security evolving fast enough? Our PCs, our tablets, our smartphones all of our computing devices are evolving, and security threats are evolving as well are we doing our part to protect ourselves, our families, our businesses and our communities from hackers and criminals? Or are we making it easier for them to steal our information and our identities? Security and mobility are intertwined and inseparable. The phone will someday replace the wallet, storing sensitive payments information such as credit card accounts, banking data and other personal information, an identity theft kit in your hand so to speak.

4 Our conversation today Today I m going to cover the IT security and IT mobility landscapes and talk about where they intersect. I m going to cover the past and present and talk about the near and mid-term future that I believe will come to pass.

5 Introduction First, in way of introduction, a bit about me and my past. I ve been employed in the IT industry for 27 years, and a serious hobbyist even longer. I first started writing software about 32 years ago, when I was 13 years old on my fist computer a Commodore VIC 20.

6 A bit about my past My very first job after high school was in the IT industry, working as a programmer for a software company that wrote Unix word processing systems for books and magazines. My first job involved technology like CTOS computers, TRS80 computers, and even a paper tape machine and 8.5 floppy disks to load fonts on our film printer this was before commercial laser printers existed.

7 A step up to serious IT I left that job to attend community college, where I worked in IT as well helping other students when they had computer issues, the best part was that I was paid for doing something I was already doing for free, and I got an employee discount on books and tuition. When I attended college, I worked on a Data General MV4000 Mainframe using a terminal but we also had IBM DOS PCs in the student computer lab. Any real programming had to be done on the mainframe.

8 Off to the Army I left college and I took a break from IT for awhile (or so I thought), and I enlisted in the Army, choosing the Infantry as my branch. Even there my computer experience was helpful, and I worked with the battalion staff to fix problems with a battle roster database we used when I wasn t doing my day job of Infantry soldier. The Infantry is really good at lots of things one of them is using the tools at hand to get the job done, and my leadership team put my IT skills to good use.

9 Commercial IT Industry After the Army, I found my way into the IT industry again focused on business and government IT, specifically networks, PCs and servers. These were the early days of Windows for Workgroups pre-internet really. When the Internet really started to become usable we were still accessing using modems at 28.8Kb then we stepped up to 33.6Kb, then finally 56Kb which we thought was really something at the time. The next technology leap was Windows 95, and ISDN 128Kb internet speeds. After that it was Windows 98 and DSL speeds.

10 CEO of Verteks Consulting In November, 1996 I left my job with a local IT company to start my own technology business Verteks Consulting. I created an S Corporation in January 1997 and have been learning more and expanding my business for the past 17 years.

11 The Story So Far What is in our rear view mirror in terms of security and mobility? We ll review high profile security breaches and impacts, plus evolution of individual and corporate mobility, and how the two are interconnected plus we ll touch on Cloud and how it surrounds the mobile enterprise.

12 2.28 Billion Stolen since 2013 During the first quarter of 2014, almost 200 million records were stolen by cybercriminals during data breaches. From January through March of this year, about 93,000 records were stolen each hour of the day. Breach Level Index reports that a minimum of 2.28 Billion records have been lost or stolen since 2013 based on disclosed incidents. This total is definitely on the low end, since we know many breaches are still unreported or unknown.

13 Top Breach Sources in 2014

14 Top Breaches By Industry

15 Top 10 External Breaches

16 CyberVor What is it? Excerpted from Hold Security What happened? After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data. While the gang did not have a name, we dubbed it CyberVor ( vor meaning thief in Russian). The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites. How did this occur? Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virusinfected computers controlled by one criminal system). These botnets used victims systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e- mails and passwords. The numbers - A credential pair is a combination of user id (mostly ) and password and we have discovered 1.2 billion of such unique pairs that have been breached. If we narrow it down by unique addresses, we still have over half a billion records since there may be multiple password corresponding to a single address.

17 ebay Breach ebay users suffered this year s biggest hack so far. In May, ebay revealed that hackers had managed to steal personal records of 233 million users. The hack took place between February and March, with usernames, passwords, phone numbers and physical addresses compromised. The good news for ebay customers is that the passwords were encrypted with a technique known as hashing, which turns text into irreversible jumbled code. And they were "salted" with an added random digit or two. Also, ebay's password requirements are ranked slightly better than average by password manager Dashlane. That'll make them even harder to decrypt. But that's not the point. The real danger here is in the fallout of such a major data breach. Hackers now know where you live. They can call you. Expect to receive fake deals and offers. Beware of getting duped into revealing even more sensitive information, like your bank details or Social Security number.

18 Home Depot Breach Federal security agencies warned retailers that a previously unseen malicious software program they are calling Mozart was used in the attack on Home Depot earlier this year. The software appeared to be customized for Home Depot s systems. While it was designed to steal credit card numbers and accomplish the same goals as computer code deployed in other giant breaches, at each turn it carried out its mission in slightly different ways to evade security gear. IT security experts call these attacks advanced persistent threats, or APT s. The attack on Home Depot ran for five months and may have compromised 56 million credit and debit cards, far bigger than the holiday season attack on Target. Home Depot has worked in recent years to upgrade its computer systems, and was adding technology to fully encrypt card data at its terminals, but didn't complete the rollout until after the attack was over.

19 What s an Advanced Persistent Threat (APT)? An Advanced Persistant Threat (APT) is a very high-tech, cutting edge attack leveraged to gain prolonged, stealthy control over a high value political or business target. Three APT Attributes: 1. Targeted 2. Advanced 3. Persistent

20 APT: Advanced Attack Techniques Zero day exploits Zero day malware Advanced rootkits Evasive Targets proprietary systems Smart cryptography Traditional Cyber Attack Advanced Persistent Threat

21 Advanced Threats Timeline Nation-states / Political Criminals / Private China-based C&C Spear Phishing Political Targets Four 0day PLC Rootkit Broke Centrifuges 0day Word flaw Iran, Sudan, Syrian Cyber Espionage Targeted Lebanon USB LNK Flaw APT Bank Trojan 152M records 0day Coldfusion Stolen source GhostNet Stuxnet Duqu Gauss Adobe Mar Jan Jun Mar Jun. Sep May 2012 Jan Oct Dec Operation Aurora RSA/Lockheed Flame NYTimes Target IE 0day Comment Crew (CN) Stole Gmail and Src 0day Flash Flaw 0dayTrojan Stole SecureID Info 0day MS Cert Flaw Stole IP Target Iranian Oil China-based Spear phishing 0day malware 40M CCNs 0day malware Partner access

22 Advanced Threats Require Defense-in-Depth Advanced threats, by definition, leverage multiple vectors of attack. No single defense will protect you completely from an APT attacks Firewall Intrusion Prevention System AntiVirus AntiSpam Reputation Services APT Protection The more layers of security you have, the higher chance an additional protection might catch an advanced threat that other layers might miss.

23 Apple icloud A security researcher who discovered a brute-force attack against Apple's icloud service in March similar to the "ibrute" vulnerability that surfaced in conjunction with the celebrity photo hacking scandal earlier last month says that the company refused to address the flaw for months after he reported it. Computer security expert Ibrahim Balic notified members of Apple's product security team of the vulnerability in late March, according to copies of correspondence that Balic provided to reporters. At the time, Balic told Apple representatives that he had been able to test as many as 20,000 passwords against specific accounts. It is unclear what relationship the bug that Balic discovered which he believes went unresolved has to the ibrute tool that allowed a similar attack against Find my iphone. Apple later denied that the Find my iphone vulnerability had been used in the now-infamous photo scandal, saying instead that it was the result of a "targeted attack" those likely involved years of social engineering against the targets. The celebrity hacks underscore the longer-term risks for mobile users as smartphones and tablets increasingly become the repository for far more sensitive education, healthcare and banking data. And that data gets stored increasingly in personal cloud accounts, hosted on the public and private Internet.

24 Mobility plus Cloud Apple s ipad launch in April, 2010 was really the mainstream beginning of tablet computing. The most recent ipad models, the ipad Air and second generation ipad Mini, went on sale last November. As of June, 2014, there have been over 200 million ipads alone sold since its release in 2010, with the overall tablet market more than double that size. Google s acquisition of Motorola, and Microsoft s acquisition of Nokia plus the overall consumer demand for price vs. value products has led us to three market leaders in mobile and tablet computing Apple, Google and Microsoft. Other niche players still have significant sales (like Amazon, Asus, Lenovo), but the big three have the cash and clout to keep the top spots unless something truly disruptive happens.

25 Mobility Security Trends This is not an endorsement of McAfee or their product suite, but they are the most recent publisher of a thorough review of the mobile malware and security trends and I ve excerpted some of that report content here. A leading security provider, McAfee, collected 2.47 million samples of new mobile malware last year with 744,000 being picked up in the fourth quarter of 2013 alone. That is a 197 percent increase over In Q the total malware sample count in the McAfee Labs zoo broke the 200 million sample barrier that is a massive increase in a very short period of time. The evidence is crystal clear - criminals are using every avenue available to break into mobile devices. Malware is arriving on mobile devices through just about every attack vector commonly associated with other endpoint devices - usually as a downloaded app, but also from visits to malicious websites, spam, malicious SMS messages, and malware-bearing ads.

26 New Mobile Malware Stats McAfee reports a steady increase from Q to Q of new mobile malware

27 Total Mobile Malware Stats McAfee reports a steady increase from Q to Q of total mobile malware

28 Flappy Bird Bonanza The Flappy Bird mobile game enjoyed a meteoric rise in popularity late last year and early this year but was closed down by its author in February. Based on its popularity, enterprising cybercriminals developed hundreds of Flappy Bird clones containing malware. McAfee Labs sampled 300 of those clones and found that almost 80% of them contained malware. Some of the behavior they found includes making calls without the user s permission; sending, recording, and receiving SMS messages; extracting contact data; and tracking geolocation. In the worst cases, the malware gained root access, which allows uninhibited control of anything on the mobile device including confidential business information.

29 All major mobility providers are affected Mobile malware abuses platform vulnerabilities, apps, and services. McAfee published one example that details how an app offered through the Google Play app store automatically downloads, installs, and launches other apps without a user s permission. In this example, the abusing app did not download malware but profited through a payto-download scheme. However, it s an easy leap from there to automatic downloads of malware-laden apps.

30 All major mobility apps are vulnerable In a second example, McAfee found a Trojan that exploits a security flaw in a legitimate digital wallet service to steal money. And finally, a third example they found illustrates how an encryption weakness in the popular messaging app WhatsApp was used to steal conversations and photos. Although that vulnerability has been fixed in a new release, it illustrates how attacks will continue to look for weaknesses in mobile platforms.

31 All major mobility apps are vulnerable In the scariest example, malware exploit digital wallet services. The Android/Waller.A Trojan exploits a security flaw in a legitimate digital wallet service to steal money. The malware exploits the money-transfer protocol used by the Visa QIWI Wallet. This malware is installed disguised as an update for Adobe Flash Player or another legitimate utility app, and is hidden from the home screen after installation. In the background, the malware checks whether the device user has a digital wallet account and whether there is a balance in the wallet, intercepts the confirmation response, and finally sends the money transfer to the attacker s server. In this case, the malware exploits the protocol that allows these steps via SMS messages without sufficient authentication, effectively impersonating the official app.

32 To The Cloud! Mobile devices and the cloud aren t one and the same, however much of mobile computing relies on the cloud for data storage, computing power, and interconnecting multiple devices for messaging, audio and video applications. In the wake of the Apple icloud breach, cybersecurity experts and mobile developers have called out inadequacies in Apple's and, more generally, cloud-services security. Some security experts faulted Apple for failing to make its devices and software easier to secure through two-factor authentication, which requires a separate verification code after users log in initially. Apple could also do more to advertise those security options.

33 Security or Convenience Pick One (For Now) As we all know, security is the opposite side of the coin we call convenience. Most people avoid implementing tight security measures because of the extra hassle, and the leading phone and tablet makers are partly to blame by not making tighter security easier to implement and use. Making things more private or secure by default instead of having security options" would go a long way to improve mobile security. This definitely isn t an Apple only problem - the inadequacies identified in Apple's cloud and mobile security ring true of other cloud or Internet-storage services, with official and celebrity Twitter accounts being routinely hacked.

34 Nightmare Scenario The most damaging recent cloud attack wasn t against Apple, but Amazon s EC2 cloud computing platform. Neil McAllister broke the story on June 18 th on The Register Source code hosting provider Code Spaces has suffered the ultimate cloud nightmare, having been effectively forced out of business by the actions of an attacker who managed to gain access to its Amazon EC2 control panel. The incident began on June 17 when Code Spaces a company that claimed to offer "Rock Solid, Secure and Affordable Svn Hosting, Git Hosting and Project Management" became the target of a DDoS attack from an unknown party who demanded "a large fee" to make it stop. This isn't the first such incident in recent weeks. As I mentioned before, Evernote and Feedly were each knocked down on June 10, reportedly by criminals trying to extort money. Both managed to restore their services, albeit only after extended outages.

35 Nightmare Scenario The difference this time is that in addition to having access to a formidable botnet, Code Spaces' assailant had also gained access to the company's Amazon EC2 control panel, giving him control over the data it had stored using Amazon's Elastic Block Store (EBS) and S3 cloud services. "We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI's, some EBS instances and several machine instances," the company wrote in a message posted to its homepage. "In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted." The net effect was that, once the smoke cleared, Code Spaces no longer had any service to offer its customers. "Code Spaces will not be able to operate beyond this point," the company's statement reads, "The cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility."

36 Breaking News Shellshock / Bash "Shellshock" is the first major Internet threat to emerge since the discovery in April of "Heartbleed," which affected encryption software used in about two-thirds of all web servers, along with hundreds of technology products. The new bug has the potential to wreak more havoc because it enables hackers to gain complete control of an infected machine, which lets them destroy data, shut down networks or launch attacks on websites. In comparison, the "Heartbleed" bug only allowed hackers to steal data. Joe Hancock, a cybersecurity expert with insurer AEGIS in London, said in a statement that he is concerned about the potential for attacks on home broadband routers and controllers used to manage critical infrastructure facilities. "In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched," Hancock said.

37 Bringing Us To The Present Mobile and tablet computing have grown market share and become more prevalent. The rapid pace of innovation in these markets, and the decentralized nature of application development in these markets (think about all the publishers in App Stores vs. traditional software publishers), has led to a security landscape without strong controls. In summary, a fast moving market equals a challenging security landscape. Every morning in Africa, a gazelle wakes up, it knows it must outrun the fastest lion or it will be killed. Every morning in Africa, a lion wakes up. It knows it must run faster than the slowest gazelle, or it will starve. It doesn't matter whether you're the lion or a gazelle-when the sun comes up, you'd better be running. Ancient Wisdom

38 Market Trend More Mobile Let s see a show of hands - how many of you in the room use either a mobile wallet today, or use mobile banking on your phone or a tablet? BeyondTrust security expert Marc Maiffret expects the phone will someday replace the wallet, storing sensitive payments information such as credit card accounts - data that would prove increasingly tempting to hackers. How long after that does it make sense for your identity beyond your financial information to follow?" he said. That points to a clear trend, and my first prediction for the future. I predict that at least 50% of mobile computing users will use either an online payment system on their smartphone or tablet, use online mobile banking, or use a digital wallet within the next 12 months. I don t predict exclusivity for this trend, but I do believe that in the next 2 to 3 years almost all of us will use mobile computing for a vast majority of our financial transactions.

39 Predictions from Daniel Burrus

40 Prediction - Mobile Banking and Payments Using smart phones as an ewallet is already being used in an increasing number of countries and will finally take off on a larger scale thanks to an increasing number of phones with either secure Mobile Banking Apps, and/or Near Field Communications (NFC) chips. More important, banks and credit card companies are already starting to see non-bank competitors jump in to the mobile payment race, including Google Wallet and Apple s Passbook to name a few.

41 Prediction - Smart Phones & Tablets Get Smarter With the rapid advances in processing power, storage, and bandwidth. Smart phones have already become our primary personal computer, and the Mobile Web has become a must-have capability. An Enterprise Mobility Strategy Becomes Mandatory for all size organizations as we see mobile data, mobile media, mobile sales, mobile marketing, mobile commerce, mobile finance, mobile payments, mobile health, and many more explode. The vast majority of mobile phones sold globally will have a browser, making the smart phone our primary computer that is with us 24/7 and signaling a profound shift in global computing. This new level of mobility and connectivity by many millions around the world will allow any size business to transform how they market, sell, communicate, collaborate, educate, train, and innovate using mobility. Declining Sales Increasing Sales

42 Prediction - Mobile Apps for Business Processes Such as purchasing, supply chain, logistics, distribution, service, sales, maintenance, and more will grow rapidly. There will be an increasing focus on Business App Stores within companies giving users access to personalized information they need on their mobile devices anytime and anywhere.

43 Example - Mobile Apps for Business Processes

44 Example - Mobile Apps for Business Processes

45 Prediction - Convenient Digital Identity Management This will become increasingly important to both organizations and individuals as new software allows users to better manage their multiple identities across business and personal networks. Next Generation Biometrics integrated into your smart phone, as Apple has recently done, as well as tablets and other devices, will play a key role in both identity management and security. As this hard trend continues, expect to see multiple biometrics, including facial recognition and voice recognition, used based on the level of security you need.

46 Key Takeaways - Cybersecurity Cybersecurity is no longer only about keeping your PC patched, or using a strong password. Advanced Persistent Threats are real, they are growing and they require a layered security approach to protect your confidential and critical data. What are the minimum components of a threat protection system for business: Perimeter firewall with unified threat management Internal security with strong, frequently changed passwords on all accounts Up-to-date patches on all applications not just Microsoft Endpoint protection that includes antivirus, antimalware, and data leak prevention Rock-solid, reliable, encrypted data backup plus off-site storage Moving your apps or your data To The Cloud doesn t automatically increase security. Think about Code Spaces the cloud itself isn t protection. Odds are not in our favor have a plan for when things don t go well. Expect the worst and plan for it, have a Recovery Strategy for your data and a Lockout Plan for when you believe you ve been hacked.

47 Key Takeaways - Mobility Mobile platforms are becoming the #1 attack target due to perceived weakness of security. If you allow mobile devices on the corporate network protect them with a centrally managed security and a digital policy enforcement tool. Gartner evaluates several vendors for Mobile Device Management including AirWatch, MobileIron, MaaS 360, BoxTone, Tangoe, Trend Micro, Symantec and others look into them When evaluating applications for the Enterprise, look at Mobility options and consider how adding a mobile app option could improve application access or improve service. Encourage, or mandate, users to reconfigure mobile devices to use all available options to enhance security. User education is a critical part of an overall business IT mobility security strategy. Communicate with users so they are empowered to make good decisions.

48 Conclusion The Power Of Peers The ITEN Wired conference is a great opportunity to make initial introductions and get to know others in the IT field. In my experience, structured, ongoing collaboration with peers is the #1 best way to learn and continue professional development. I encourage you to continue the conversation with me or others, and set goals around your peer networking.

49 THANK YOU! Don Gulling, CEO, Verteks Consulting