How To Protect Poste Italiane From Cyber Crime

Mobile Application VERIfication Cluster Platform
Computer Emergency Response Team of Poste Italiane
ESSoS 15 - Engineering Secure Software and Systems, March 4-6, 2015, Milan, Italy

Authors
- Poste Italiane S.p.A., Rome, Italy: Computer Emergency Response Team (CERT) of the Information Security Department
- University of Genova, Italy: DIBRIS
- Fondazione Bruno Kessler, Trento, Italy: Security & Trust Unit

Rocco Mammoliti (mammoliti.rocco@posteitaliane.it), Alessandro Armando (alessandro.armando@unige.it, alessandro.armando@fbk.eu), Andrea Volponi (volponia@posteitaliane.it), Gabriele Costa (gabriele.costa@unige.it), Gianluca Bocci (boccigi2@posteitaliane.it), Alessio Merlo (alessio.merlo@unige.it), Gabriele De Maglie

Agenda
1. Poste Italiane: National Leader in Digital Services
2. Focus on the Poste Italiane Cyber Security Ecosystem: Computer Emergency Response Team, Cyber Security Innovation Lab, Cyber Security District
3. The m-app security needs of Poste Italiane
4. The solution: MAVERIC platform (purpose and objectives, architecture, state of the art and work in progress)
5. Demo topics: Static Module

Poste Italiane: National leader in Digital Services
Poste Italiane is one of the main Italian organizations, with 144,000 employees, 13 Mln online customers and a widespread presence in Italy with 12,000 post offices. It provides financial, logistics, postal, insurance, digital communication, mobile and TLC (telecommunications) services. With 144,000 employees, Poste Italiane is the largest Italian company and State-owned enterprise. Its customers are citizens, public administrations and private enterprises, and it provides traditional and new services through internet and mobile channels: e-finance, e-government, e-commerce and e-post digital communication services.
- Finance and Insurance: 5.8 Mln bank accounts, 18 Mln payment cards, 10 Mln prepaid cards
- Logistics and Postal: 12,000 post offices, e-commerce services, 38,000 vehicles
- Digital communication: web channel with more than 70 Mln pages viewed per month, certified email
- Mobile and TLC: more than 3 Mln SIM cards, 23,500 postmen equipped with a mobile terminal for mobile services

Poste Italiane needs: protecting customers is a top priority in Poste Italiane's business strategy. Providing secure and continuous services is essential to guarantee customer satisfaction. Increasingly sophisticated cyber attacks operating on a global scale call for deeper cooperation at the international level.

Focus on the Poste Italiane Cyber Security Ecosystem
The Computer Emergency Response Team (CERT) of Poste Italiane provides prevention, analysis and response services for cyber security incidents, issues bulletins about vulnerabilities and threats, and shares information with other public and private security entities in order to improve the security level of its constituency.
[Diagram: security services of the CERT - Information sharing, Security Governance, Cyber LAB, Cloud Services, e-commerce, e-government, Operative Services, Cyber Crime Prevention, Communication]
Poste Italiane Cyber Security Innovation Lab: research lab on cyber security issues, based on the collaboration between Poste Italiane and Trento RISE.
Poste Italiane Cyber Security District: technological center for industrial research and development of security solutions oriented to end-user protection, electronic payments and document dematerialization.
Certifications and accreditations of the CERT:
- ISO/IEC 27001 certification of the Information Security Management System
- STAR certification of the Cloud Security Services
- Trusted Introducer accreditation (collaborative network of European CERTs)
- Registered in the official ENISA list of recognized CERTs
- FIRST membership (Forum of Incident Response and Security Teams)

The m-app security needs of Poste Italiane
[Diagram: official mobile apps on official mobile marketplaces versus unofficial mobile apps on unofficial mobile marketplaces]
Malicious apps removed: Poste Italiane provides this information to its customers at http://www.poste.it/app/index.shtml
Number of downloads for unofficial apps (min and max values): 0.5M to 1.8M (these figures are publicly available on the marketplace websites)

The Solution: MAVERIC platform - Purpose & Objectives, Architecture
MAVERIC aims to achieve the following benefits:
- help to ensure the privacy and the security of Poste Italiane's customers;
- identify and control the nature of the information collected, analyzed and disseminated by apps, in order to protect Poste Italiane's customers;
- prevent complaints about offenses related to apps directly, indirectly or allegedly linked to Poste Italiane;
- prevent indirect damages (e.g. reputational damage) due to improper use of the Poste Italiane brand;
- protect the intellectual property (logos, trademarks, etc.) of Poste Italiane.
See also: http://csrc.nist.gov/projects/appvet/index.html

The Solution: MAVERIC platform - State of the art & work in progress
Mobile Application VERIfication Cluster pipeline:
- Detection: Market Discovery, App Discovery
- Analysis: Static Analysis, Dynamic Analysis, Legal Analysis
- Risk Calculator: Engine
- Reporting: Dashboard, Report, News
(On the slide each component is marked by its maturity: Innovation, Research or Development.)

Demo Topics: Static Analysis Module

Reverse Engineering
Purpose: extracts a series of data directly from the Android package.
Output: application source code and resources, application manifest, obfuscation scores, native/dynamic and reflection code, general statistics.

Permission Checker
Purpose: analyses and categorizes the Android permissions, required by the application, to access device resources.
Output: list of required permissions, list of permissions actually used, level of criticality and description of each permission, mapping of permissions to the code.

Malware Analysis
Purpose: interacts with the VirusTotal platform in order to detect malicious code within the application.
Output: list of responses from the malware detection engines (VirusTotal) and malware type.

Secure Code Reviewer
Purpose: systematically searches the application code for programming patterns that may correspond to known vulnerabilities.
Output: list and details of security vulnerabilities in the code.

Application Verification
Purpose: determines whether or not the application satisfies certain security policies.
Output: list of results of the analysis process and the instruction flow that violates the security policy specification.
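As an added illustration of the manifest-side checks that a Permission Checker and a Secure Code Reviewer perform, the following Python script parses an Android manifest, classifies each requested permission by its protection level, and flags two of the manifest misconfigurations a reviewer looks for (a debuggable build and components exported to other apps without a permission guard). This is example code written for this page, not code from the MAVERIC platform or from Poste Italiane; the sample manifest, the package name it.example.fakeposte and the partial protection-level table are constructed here for illustration, and a real tool would derive the table from the platform's framework manifest rather than hard-code it.

```python
"""Toy Android manifest checker, in the spirit of a Permission Checker plus a
manifest-level Secure Code Reviewer.  Added example; not MAVERIC project code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Partial permission -> protection level table, following the Android docs.
# Assumption for the example: anything not listed is reported as "unknown"
# rather than silently treated as harmless.
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.VIBRATE": "normal",
    "android.permission.READ_SMS": "dangerous",
    "android.permission.RECEIVE_SMS": "dangerous",
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.INSTALL_PACKAGES": "signature|privileged",
}

# Constructed sample manifest (not a real app): a look-alike banking app that
# asks for SMS access, ships debuggable and exposes an unguarded receiver.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="it.example.fakeposte">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="com.example.CUSTOM_PERM"/>
    <application android:label="Fake App" android:debuggable="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="it.example.fakeposte.SYNC"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree stores it as {ns}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return [_attr(e, "name") for e in root.iter("uses-permission")]


def classify_permissions(perms):
    """Map each permission to its protection level; unknown ones stay visible."""
    return {p: PROTECTION_LEVEL.get(p, "unknown") for p in perms}


def exported_without_permission(manifest_xml):
    """Components other apps can reach that carry no android:permission guard.
    Before API 31 a component with an intent-filter and no explicit
    android:exported was exported implicitly, so that case is flagged too.
    The launcher activity must be exported and is skipped."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "false" or (exported is None and not has_filter):
                continue
            if _attr(comp, "permission"):
                continue
            is_launcher = any(
                _attr(c, "name") == "android.intent.category.LAUNCHER"
                for c in comp.iter("category"))
            if not is_launcher:
                findings.append((tag, _attr(comp, "name")))
    return findings


def is_debuggable(manifest_xml):
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and _attr(app, "debuggable") == "true"


def analyse(manifest_xml):
    """Collect the findings a reviewer would put in the report."""
    perms = classify_permissions(requested_permissions(manifest_xml))
    return {
        "permissions": perms,
        "dangerous": sorted(p for p, lvl in perms.items() if lvl == "dangerous"),
        "unknown": sorted(p for p, lvl in perms.items() if lvl == "unknown"),
        "exported_unguarded": exported_without_permission(manifest_xml),
        "debuggable": is_debuggable(manifest_xml),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_MANIFEST), indent=2))
```

On the constructed manifest the script reports READ_CONTACTS, READ_SMS and RECEIVE_SMS as dangerous, leaves com.example.CUSTOM_PERM as unknown instead of assuming it is benign, flags the debuggable build and the exported SmsReceiver, and accepts the SyncService because it is guarded by a permission. This covers only the declared side of the slide's Permission Checker; the "permissions actually used" and "mapping of permissions to the code" outputs require walking the decompiled code for the API calls that need each permission, which a manifest parser alone cannot do.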