Weak Spots in Enterprise Mobility Management Dennis Schröder

Transcription

1 Weak Spots in Enterprise Mobility Management Dennis Schröder

2 Personal details TÜV Informationstechnik GmbH TÜV NORD GROUP Dennis Schröder, M. Sc. IT Security Business Security & Privacy Product Manager Cyber Security Services Main focus: Mobile Security, Application Security, Network Security, Industrial Security, SE Security TÜV Informationstechnik GmbH TÜV NORD GROUP 1

3 Agenda Why Mobile Security Challenges Case Study How to securely integrate mobile devices? How to verify correct integration? 2

4 Mobile Security? Mobile Security is mostly about Smartphones, Tablets, and their integration into existing environments Key factors are Devices are always at our side, ready to be used Always on Always connected Functionality easy to extend with apps 3

5 Sample Mobile Use Cases 4

6 Challenges Mobile devices are constant companions You can loose them They get stolen Prime target for attackers Vast amount of data, private and corporate Attackers can easily get monetary revenue Corporate vs private: BYOD, COPE, COBO? Who wants his private data to be corporate controlled? Who believes corporate data is safe on private devices? Who wants to carry two smartphones? 5

7 More challenges All problems from classic IT also apply How to administrate and manage? How to integrate into network? Users usually have no or low knowlegde of internals & security It should just work No reading, just tapping Smartphones, tablets and mobile security in general is a complex topic 6

8 Mobile Security Overview 7

9 Mobile Solution Enterprise Mobility Management Mobile Devices MAM Mobile Devices Mobile OS und OS Functions Secure Elements Apps Interfaces EMM Mobile Strategy IT Infrastructure IT Infrastructure Security Architecture Business Applications Mobile Devices Internet Services Security Architecture Web Application Web Services Apps Internet Services Mobile Solution Individual Solutions Hard und Software Components Apps und Services 8

10 Mobile Strategy Consider every aspect What should employees be able to do? Which business use cases should be covered? BYOD, COPE, COBO MDM, MAM, MCM (Containerization) Choose devices and operating systems (if not BYOD) Integrate into exisiting network with security in mind Develop emergency plans, e.g. for lost devices Brief staff on usage and security implications Next to technical guidelines, develop organizational ones 9

11 Mobile Strategy Find a fair balance between usability and security Employees should be able to use the devices Nobody likes to enter a long passphrase every 2 minutes Nobody wants to be monitored (at least when you ask them) Not every asset should be accessible on a mobile device If something should be kept top secret, treat it so! Some use-cases are not suited for mobile devices 10

12 Case Study The Client A global player checks his infrastructure. 10k employees, worldwide sites 200+ smartphones on tested site ios and Android, used throughout all staff hierarchies MDM with integrated MAM and sane policies Detected Jailbreak results in remote wipe Activated device encryption Devices are (automatically) locked with secure PIN MDM externally hosted and administrated (SAAS) so far so good! 11

13 Case Study First Security Problem Although multiple security measures were in place, some devices had an unlocked bootloader. We could boot our own kernel and ramdisk We had full access to the phone We could eavesdrop the PIN or bruteforce it Impact: Full access to encrypted data (Credentials, WiFi PSK, ) We could also disable MDM and other security features Use device on behalf of original user Access corporate data and even services Gather data for subsequent attacks (infrastructure accessed via corporate wifi) 12

14 Case Study Second Security Problem Although a mutual certificate-based authentication between the mail proxy and the mobile device is required, Activce Directory passwords could be eavesdropped. Security policy allows self signed certificates User must accept them Man-in-the-Middle attack doable with minor effort Attacker cannot communicate with mail proxy (no certificate) But mobile devices sends credentials via HTTP POST after accepting attackers certificate Reuse AD credentials elsewhere, e.g. VPN or webmail 13

15 Case Study Summary Mobile devices are computers they are complex You have to find and close all vulnerabilities An attacker only has to find one vulnerability In this case one problem already occurred in the procurement process Even smartphones are complex devices, the integration into an existing network is complex. Users, many administrators and CISOs often do not recognize this complexity. 14

16 Other Thoughts even more challenges Cloud Provider What data is sent there? Is it encrypted? Who actually reads the EULA? What happens if the provider suddenly stops his service? Messaging services and social media Which data is sent where? Corporate secrets? EULA? Device features Hello Siri? Try to gather information while device is locked! Speech-To-Text: Where does it end up? (EULA!) Manufacturer ID and mobile device, who owns what? 15

17 Where do Problems Occur? 16

18 Verify Secure Mobile Device Integration Set everything up, but do not roll it out yet Test the prototyped EMM integration Verify use cases are working Verify role and group policies Verify software setup and security measures Verify emergency scenarios are working as planned Verify staff knows what they are doing Test the prototype again, this time externally It s usually a fatal mistake to trust a system which you could not break but also built yourself! Fix everything (maybe test again), then roll it out 17

19 TÜViT accompanies your Organisation on the Way to a Secure Mobile Business World TÜViT offers testing and advisory services for all mobile security and EMM scenarios Health Check (without seal of approval) Assessement (with seal of approval) Test procedures based on international standards und best practices (OWASP, WASC, CESG, BSI) Technical and organisational test procedures Continuous monitoring and retesting (managed services) 18

20 Penetration Tests Classification and Criteria Penetration test Information basis Black-Box Gray-Box White-Box Aggressivity Passively scanning Cautious Considering Aggressive Coverage Thorough Bounded Focused Approach Covered Obvious Access Network Physical Social Engineering Source Remote Local 19

21 OWASP Mobile Top 10 Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage 5. Poor Authorization and Authentication 6. Broken Cryptography 7. Client Side Injections 8. Security Decisions via Untrusted Inputs 9. Improper Session Handling 10. Lack of Binary Protections 20

22 Many Thanks! TÜV Informationstechnik GmbH TÜV NORD GROUP Dennis Schröder IT Security Langemarckstr Essen Phone: Fax: