How To Protect Poste Italiane From Cyber Crime

Transcription

1 Mobile Application VERIfication Cluster Platform Computer Emergency Response Team of Poste Italiane ESSoS 15 - Engineering Secure Software and Systems March 4-6, 2015 Milan, Italy

2 Authors Poste Italiane S.p.A., Rome, Italy Computer Emergency Responce Team (CERT) of the Information Security Department University of Genova, Italy DIBRIS Fondazione Bruno Kessler, Trento, Italy Security & Trust Unity Rocco Mammoliti Alessandro Armando Andrea Volponi Gabriele Costa Gianluca Bocci Alessio Merlo Gabriele De Maglie

3 Agenda 1. Poste Italiane: National Leader in Digital Services 2. Focus on the Poste Italiane Cyber Security Ecosystem Computer Emergency Response Team Cyber Security Innovation Lab Cyber Security District 3. The m-app security needs of Poste Italiane 4. The solution: MAVERIC platform Purpose & Objectives Architecture State of the art & working in progress 5. Demo Topics Static Module

4 Poste Italiane: Na.onal leader in Digital Services Poste Italiane is one of the main Italian organization with 144,000 employees, 13 Mln of online customers and a widespread presence in Italy with 12,000 post offices. It provides financial, logistics, postal, insurance, digital communication, mobile and TLC services. Finance and Insurance 5.8 Mln banking account 18 Mln payment cards 10 Mln prepaid cards With 144,000 employees, Poste Italiane is the largest Italian company and State owned enterprise POSTE ITALIANE NEEDS Protecting customers is a top Logistics and Postal 12,000 postal offices Ecommerce services 38,000 vehicles Poste Italiane s customers are citizens, Public administrations and private enterprises priority in Poste Italiane business strategy. Providing s e c u r e a n d continuous services i s Digital communication Web channel more than 70 Mln page/ month viewed Certified Poste Italiane provides traditional and new services through internet and mobile channels e s s e n t i a l t o g u a r a n t e e customer satisfaction. More and more sophisticated cyber attacks working on a Mobile and TLC >3 Mln SIM cards 23,500 postman with mobile terminal for mobile services Poste provides e-finance, e- government, e-commerce, e-post digital communication services global scale call for a deeper cooperation at international level. 4

5 5 Focus on the Poste Italiane Cyber Security Ecosystem The Computer Emergency Response Team (CERT) of Poste Italiane provides prevention, analysis and response services for cyber security incidents, provides bulletins about vulnerabilities and threats, share information with other public and privat security entities in order to improve the security level of its Costituency. Informa.on sharing Security Governance Cyber LAB Security services of the CERT Cloud Services ecommerce egovernment Opera.ve Services Cyber Crime Preven.on Communica.on Poste Italiane - Cyber Security Innovation Lab Research Lab on cyber security issues based on collaboration between Poste Italiane Office and Trento RISE. Poste Italiane Cyber Security District Technological Center for industrial research and development of security solution oriented to the end user protection, electronic payments and dematerialization documents. Collaboration of the CERT Certifications and accreditations of CERT Certification ISO/IEC of the Information Security Management System Certification STAR of the Cloud Security Services! Trusted Introducer accreditation, collaborative newtork of European CERT! Register in the official list of recognized ENISA CERTs FIRST membership, leading to issues of incident management!

6 The m-app security needs of Poste Italiane 6 Official Mobile Apps Unofficial Mobile Apps! Unofficial Mobile Marketplaces Official Mobile Marketplaces Malicious apps removed - Poste Italiane provides this information to its Customers at Number of downloads for unofficial apps (min and max values)* 0.5M 1.8M * This information are publicly available on marketplaces websites

7 The Solution: MAVERIC platform - Purpose & Objective - Architecture MAVERIC aims to achieve the following benefits: " help to ensure the privacy and the security of Poste Italiane's Customers; " identify and control the nature of the information collected, analyzed and disseminated by apps in order to protect Poste Italiane's Customers; " prevent complaints for offenses related to apps directly, indirectly or allegedly linked to Poste Italiane; " prevent indirect damages (eg. reputational damages, etc...) due to an improper use of the Poste Italiane brand; " protect intellectual property (logos, trademarks, etc...) of Poste Italiane;!

8 The Solution: MAVERIC platform State of the art & work in progress Mobile Application VERICation Detection Analysis Risk Calculator Reporting Market Discovery App Discovery Static Analysis Dynamic Analysis Legal Analysis Engine Dashboard Report News Innovation Research Development

9 Demo Topics Static Analysis Module Reverse Engineering The component has the purpose of extracting a series of data directly from the android package. Permission Checker The component performs an analysis and categorization of Android permissions to access to device resources required by an application. Malware Analysis The component interacts with the Virus Total platform in order to detect malicious code within the application. Application Source Code, Resources Application, Manifest, Scores Obfuscation, Native-Dynamic and reflection Code, General Statistics List of required per mits, List permissions used, Level of criticality and description of permits, Mapping of permits in the code List of responses engine malware detection (Virus Total) and malware type Secure Code Reviewer The component carrying out systematic pattern programming that may correspond to known vulnerabilities, within the code of the application object. List and details of security code vulnerabilities Application Verification The component has the purpose of determining whether the application satisfies or not certain security policies. List of results of the analysis process and flow of instructions that violate the security policy specification

10