Security and the Smartphone Revolution


Security and the Smartphone Revolution

About the Speaker

Joseph Granneman, MBA, CISSP

Joseph Granneman has developed a passion and expertise in information security in his 20 years of experience as a CIO, CTO and CSO of hospitals and clinics in the Chicago region. His passion drove him to become an independent author, presenter and professor in the health care information technology and information security fields. He has been frequently consulted by the media and interviewed on various health care information technology and security topics. He has also been a member of many information security standards groups, including identifying security vulnerabilities in HIEs as part of the Health Information Security and Privacy Security Working Group for Illinois. He was also a volunteer for the Certification Commission for Health Information Technology (CCHIT) Security Working Group, which developed the information security standards for ARRA certification of electronic medical records. He also continues to be involved in the FBI InfraGard program.

PUTTING MOBILE IN PERSPECTIVE

August 12, 1981

PC Growth
- April 2002: 1 billion PCs shipped*
- 2007: 2 billion PCs shipped**

PC Growth
- Over 1 billion PCs in use today**
- 2 billion PCs in use by 2015**

PC Growth
- 27 years to reach the first billion PCs in use**
- Only 7 more years to reach 2 billion PCs in use**

*Gartner Dataquest statistics  **Forrester Research

June 29, 2007

October 22, 2008

By the numbers
- 2 billion mobile devices in use by 2015
- PC shipments decline by 10.6% in 2013
- Tablet shipments increase by 67.9%
Source: Gartner (June 2013)

By the numbers: Worldwide Device Shipments by Segment (Thousands of Units)

Device Type      2012        2013        2014
PC               341,273     305,178     289,239
Ultramobile      9,787       20,301      39,824
Tablet           120,203     201,825     276,178
Mobile Phone     1,746,177   1,821,193   1,901,188
Total            2,217,440   2,348,497   2,506,429

Source: Gartner (June 2013)

OUR COMPUTING MODEL HAS FUNDAMENTALLY CHANGED

New Capabilities: fingerprint scanner, heart rate, relative humidity, environmental temperature, barometer, NFC, accelerometer, magnetic field, light flux, battery temperature, GPS, proximity, RGB ambient light, gyroscope

New Use Cases: always connected, user proximity, personalized services, fitness, banking, healthcare, travel, shopping, mobile payments

Health Care Perspective
- Providers: access EMR, hospital rounding, coding, schedule, medical imaging, prescriptions, photos, dictation
- Patients: access PHR, pay bills, schedule appointments, email physician
- IoT (Internet of Things): weight, BP, pulse, etc.

The Perfect Storm
- Always on
- Full of personal information
- Adopted by almost everyone
- Rapid adoption without consideration for security
Mobile = Increased Risk

Criminal Attention
- Cybercrime is quickly turning to mobile
- More profitable than PC malware
- Evolving much faster
- Infrastructure was already built over the last 10 years
- People are more trusting of phishing on mobile

Mobile Cybercrime Pricing (chart not transcribed). Source: Anti-Phishing Working Group Mobile Report

Nowhere to hide

Mobile/BYOD Risks Classified
1. Design/Architectural Vulnerabilities
2. Operating System Vulnerabilities
3. Application Vulnerabilities
4. Network Vulnerabilities
5. Cloud Reliance

DESIGN/ARCHITECTURE VULNERABILITIES

Design/Architecture: Mobile Device Storage Issues
- Flash memory differences: limited number of write cycles
- Nothing is truly deleted; DoD-style data wipes cannot be used
- Differences in Android vs iOS
- Differences in models of devices
- Standard forensic techniques very successful

Design/Architecture: Encryption of Devices
- Apple iOS encrypted by default
- Hardware-based AES 256-bit encryption
- FIPS 140-2 certified
- Wipes after 10 incorrect PIN entries

Design/Architecture: Encryption of Devices
- Apple private key is NOT based on the PIN
- Developer mode bypass allows brute force
- Older devices use software-based keys
- Recovery times around 2 minutes

Design/Architecture: Encryption of Devices
- Optional on Android devices
- Various states of FIPS 140-2 compliance
- Software-based key and salt stored in the boot footer
- Performance penalty
- 4-digit PINs recovered in seconds

Example: Open source tools for security testing
- Santoku Linux, free for download
- Mobile forensics
- Password recovery
- Penetration testing
- Network manipulation

Example (three screenshot slides, not transcribed)

Technology Makes PINS Obsolete

Password Recovery Times
Recovery times with a $1,500 PC:
- Password 'Pa5$w0d': 2m12.367s
- Password 'K#n&r4Z': 1m51.962s
- 7-character passwords: 40GB of possible combinations
- Dictionary words are almost instantaneous: only around 70,000 possible combinations
- 4-digit PINs: only 10,000 possible combinations
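The two encryption slides and the recovery-time slide above make the same point from two sides: a software-derived key is only as strong as the guess space behind it. The following is an added example, not code from the presentation, that measures the cost of one PBKDF2 derivation on the local machine and multiplies it by the guess spaces quoted on the slide (10,000 PINs, about 70,000 dictionary words, 95^7 seven-character passwords). PBKDF2-HMAC-SHA1 with a 16-byte salt stands in for an older Android software footer; the 2,000 and 100,000 iteration counts and the four-core figure are assumptions for illustration.

```python
"""Added example (not from the presentation): estimate an attacker's offline
work factor for a PIN- or password-derived device key. Iteration counts,
core count and the use of PBKDF2-HMAC-SHA1 are assumptions."""
import hashlib
import os
import time


def keyspace(alphabet_size: int, length: int) -> int:
    """Upper bound on the number of guesses for a uniformly chosen secret."""
    return alphabet_size ** length


def derive_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """Software-based 256-bit key from the secret plus the stored salt.
    The iteration count is the only thing that makes a single guess costly."""
    return hashlib.pbkdf2_hmac("sha1", secret.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 10) -> float:
    """Measured cost of one derivation at the given iteration count."""
    salt = os.urandom(16)  # constructed salt; a real one is read from the footer
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"{i:04d}", salt, iterations)
    return (time.perf_counter() - start) / samples


def exhaustive_seconds(candidates: int, per_guess: float, cores: int = 1) -> float:
    """Worst-case time to try every candidate across `cores` parallel workers."""
    return candidates * per_guess / cores


def describe(seconds: float) -> str:
    """Human-readable duration for the report."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


def work_factor_report(iterations: int, cores: int = 4) -> dict:
    """Guess spaces from the slide, mapped to worst-case seconds at this
    machine's measured per-guess cost."""
    per_guess = seconds_per_guess(iterations)
    spaces = {
        "4-digit PIN": keyspace(10, 4),
        "dictionary word": 70_000,
        "7-char password": keyspace(95, 7),  # 95 printable ASCII symbols
    }
    return {name: exhaustive_seconds(n, per_guess, cores) for name, n in spaces.items()}


if __name__ == "__main__":
    for iters in (2_000, 100_000):
        print(f"PBKDF2 iterations: {iters}")
        for name, secs in work_factor_report(iters).items():
            print(f"  {name:16s} {describe(secs)}")
```

Raising the iteration count moves every row by the same factor, so it turns a seven-character password from hours into years but leaves a four-digit PIN at seconds; that is why the slides pair stronger passcodes with hardware-bound keys rather than relying on the KDF alone.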

No Cracking Necessary
- iOS backups easier to recover
- Newer devices back up to iCloud

OPERATING SYSTEM VULNERABILITIES

BYOD/Mobile: Don't Forget the Basics
- Patching is still a key defense
- Many users do not apply patches but still access company data
- Apple pushes out patches; planned obsolescence for old devices
- Android devices are left to the carrier: patches are not pushed out, many devices still vulnerable

Android MasterKey Hole
- Discovered in August 2013
- Simple way to install malware
- How it works:
  - Android apps are simply digitally signed .zip files
  - Modified .zip files fail digital signature checks
  - Simply place two files with the same name in the .zip file; Android verifies the first but not the second
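The slide describes the condition, not the check that closes it. The following is an added example, not code from the presentation or from Android, that shows the mismatch with Python's own zipfile module and the defensive rule that follows from it: a package whose central directory lists any name twice is rejected before signature verification even starts. The archives are built in memory and the entry names are made up.

```python
"""Added example (not from the presentation or Android): detect the
duplicate-entry condition behind the "MasterKey" hole in a ZIP/APK and
show why name lookup and directory order disagree. Archives and names
are constructed for the demonstration."""
import io
import warnings
import zipfile
from collections import Counter


def build_archive(entries) -> bytes:
    """entries: list of (name, bytes). Duplicate names are written on purpose;
    zipfile warns about them but does not refuse."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def duplicate_entries(archive: bytes) -> dict:
    """Map name -> count for every name that the central directory lists
    more than once. A properly built, signed package has none."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_contents(archive: bytes, name: str):
    """Lookup by name resolves to a single entry (the last one listed),
    while walking the directory in order yields every entry with that name.
    Two components using the two methods see different bytes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        by_name = zf.read(name)
        in_order = []
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as member:
                    in_order.append(member.read())
    return by_name, in_order


def safe_to_install(archive: bytes) -> bool:
    """Policy: any repeated entry name means reject before checking signatures."""
    return not duplicate_entries(archive)


if __name__ == "__main__":
    sample = build_archive([("app.txt", b"first"), ("app.txt", b"second"), ("meta.txt", b"x")])
    print("duplicates:", duplicate_entries(sample))
    print("by name vs in order:", entry_contents(sample, "app.txt"))
    print("safe to install:", safe_to_install(sample))
```

The same rule is what an MDM or app-vetting pipeline applies when it refuses packages with repeated entries, regardless of whether the signature on any one of them verifies.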

Android Fragmentation

BYOD - Audits

Example: Vulnerable iPhone

APPLICATION VULNERABILITIES

Trust the App Store? The App Store Security Model
- Applications are tested before being posted
- Apple: more closed but more scrutiny
- Android: more open but less scrutiny

Trust the Google Play Store? Trend Micro Study
- Analyzed 700,000 Google Play apps
- Found more than 68,740 malicious: 1 in 10 applications
- Cloning popular titles: Angry Birds, Cut the Rope, Riptide GP
- Sent premium SMS messages

BYOD: Risky Behavior
- Rooted phones: use a vulnerability to bypass OS protections
- Third-party app stores: pirated material, more malware
- Android app side loading: direct loading of unverified apps
- Custom Android ROMs: full custom versions of Android from unknown sources
None of these devices should be allowed to connect to sensitive networks.

Careless Mobile Apps: Mobile App Security Study
- Tested for unencrypted private data
- Performed by NowSecure: https://www.nowsecure.com/resources/mobile-appsecurity-study/
- Financial apps: 25% Failed, 31% Warning, 44% Pass (best category tested)
- Recovered password, payment history, partial credit card numbers

Careless Mobile Apps
- Social networking: 74% Failed, 26% Warning, 0% Pass
  - Included Facebook, Twitter, LinkedIn, Foursquare
  - All stored username in cleartext
  - IM logs, direct messages, passwords stored in cleartext
- Retail: 14% Failed, 86% Warning, 0% Pass
  - Included Best Buy, Amazon, Groupon and Starbucks
  - Storing search history, name and address
  - Groupon was storing password
  - Starbucks was storing full 16-digit credit card number
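The two study slides above report results without showing what the "unencrypted private data" test looks for. The following is an added example, not the NowSecure study's tooling or code from the presentation, of the kind of check behind those grades: it walks a copy of an app's local storage (here an in-memory SQLite database and a key=value preferences file, both constructed with made-up values), flags credential-like keys and Luhn-valid card numbers stored in cleartext as Failed, other personal data as Warning, and grades the app the way the slide does. Key-name lists and the grading thresholds are assumptions.

```python
"""Added example (not from the study or the presentation): a cleartext
storage audit over a constructed app data directory. Key names, PII
heuristics and grading are assumptions for the demonstration."""
import re
import sqlite3

CREDENTIAL_KEYS = ("password", "passwd", "secret", "token", "card")
PII_KEYS = ("name", "address", "search", "history", "email", "phone")
# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer run
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(candidate: str) -> bool:
    """Standard Luhn checksum over the digits of the candidate."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def scan_value(location: str, key: str, value) -> list:
    """Findings are (location, key, severity, reason) tuples."""
    findings = []
    if not isinstance(value, str) or not value:
        return findings
    k = key.lower()
    if any(word in k for word in CREDENTIAL_KEYS):
        findings.append((location, key, "Failed", "credential-like key stored in cleartext"))
    elif any(word in k for word in PII_KEYS):
        findings.append((location, key, "Warning", "personal data stored in cleartext"))
    for match in DIGIT_RUN.finditer(value):
        if luhn_valid(match.group(0)):
            findings.append((location, key, "Failed", "Luhn-valid card number in cleartext"))
    return findings


def scan_prefs(text: str) -> list:
    """Scan a flat key=value preferences file."""
    findings = []
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            findings += scan_value("prefs", key.strip(), value.strip())
    return findings


def scan_sqlite(conn: sqlite3.Connection) -> list:
    """Walk every table and column of the database."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cur = conn.execute(f'SELECT * FROM "{table}"')
        columns = [d[0] for d in cur.description]
        for row in cur:
            for column, value in zip(columns, row):
                findings += scan_value(f"db:{table}", column, value)
    return findings


def grade(findings: list) -> str:
    """Failed beats Warning beats Pass, as in the study's three buckets."""
    severities = {f[2] for f in findings}
    if "Failed" in severities:
        return "Failed"
    return "Warning" if "Warning" in severities else "Pass"


def build_sample_db() -> sqlite3.Connection:
    """Constructed data resembling what the slide reports for retail apps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, password TEXT, last_search TEXT)")
    conn.execute("INSERT INTO account VALUES ('alice', 'hunter2', 'coffee near me')")
    conn.execute("CREATE TABLE orders (order_id INTEGER, payment TEXT)")
    conn.execute("INSERT INTO orders VALUES (1, 'visa 4111 1111 1111 1111')")  # test card number
    return conn


def audit(conn: sqlite3.Connection, prefs_text: str):
    """Grade one app from its database and preferences file."""
    findings = scan_sqlite(conn) + scan_prefs(prefs_text)
    return grade(findings), findings


if __name__ == "__main__":
    result, items = audit(build_sample_db(), "theme=dark\nsession_token=abc123")
    print(result)
    for item in items:
        print(" ", item)
```

The Luhn filter is what keeps a scan like this from flagging every order number or timestamp as a card; the column-name heuristics are deliberately loose because the study's failures were mostly obvious (a column literally called password) rather than subtle.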

Careless Mobile Apps: UUID serial number for iOS devices
- AntiSec, a subgroup of Anonymous, claimed to have 12 million UUIDs from the FBI and released them on the Internet
- BlueToad, an electronic publisher, stored customers' UUIDs and found that their systems had been compromised

Example (excerpt from the released list, one record per line)
'ec166427e203c6302e2573a965f2a0b895a809d36da021be1ede10fb2553632a','aandrew..?','ipod touch'
'02a7441f686282e9ecea010f977fa6bf9ca144d040625469b2676faabb26e016','aandrews s ipad','ipad'
'900c55c8a03fede9896d9efbfd8c2f980a17d28aee6ebd63e300c1df7e047cae','Aanemy','iPad'
'20f22415fe803f444f46320a3819fa391b6057bee786c0bce9da7aad59cb6d6c','Aang','iPad'
'cbcbb2c2893dbb680c02bcf3800c2981b6526438f1c369e4dfbbd366de91cb47','aangle ipad','ipad'
'7a4525b51996cac60d5c7c69cdd2e1650b7046933c9b37e9488264c07848829e','aan','iPad'
'fb277bff9503179d3dbf42bc8db482d3e6b6b6438a2fca0eae4e4e8ef32e5851','aan iphone 4','iPhone'
'fcb77c4ceb9fe7d9bdeab9783b42240d8a403e2b83a1a990908afa9dfb928be1','aanisha\'s ipad','ipad'
'3fe6671e670acf9d2fcb7fdd9b2df5df4807687ec6553d7b08bdaec09c0f20e6','AANN','iPad'
'647a3eba98396822bf860615cfbde050f641972a9f166159b4ddea0e4399fb43','Aansh Jagwani','iPad'
'4d0ee301f8d44c7fdd40a2e80d8c28c588809028f159a1a184fbe857861541fc','Aan\'s ipad','ipad'
'6f80d5941a78da97bf05ca2b00b797339cba4f86ab756658900a2d48c3c1b70b','aan s iphone','iphone'
'6555e43aabaeb5fa47be4f1a0e1f4457ed729b4e9b3f1adc0fd6d1bff3464527','AANS Meeting','iPod touch'
'8cffd1e5f4259c9c6c0ec45887007302581dbbc42507902e3f9b86bea384c038','AAntonov','iPad'
'5282850b8731eda235df1a94f3c3e6b78821ab3e8f5b2314eb260aa80383a64b','AAntonov','iPhone'

NETWORK VULNERABILITIES

Insecure Communication
- Mobile devices are broadcasting for known wireless networks
- Malicious devices answer and route communications through themselves
- How many have "attwifi" on their phone?

Man-in-the-Middle Attacks

Near Field Communication
- NFC mobile payments are projected to be a $1T market
- NFC risks: eavesdropping, data corruption, data manipulation, MITM attacks

RELIANCE ON THE CLOUD

iCloud Weaknesses

Importance of Dual Factor

Google Wallet Brute Force

Google 2-Step Verification

MOBILE DEVICE MITIGATION ADVICE

Securing BYOD/Mobile
- Utilize some form of Mobile Device Management
- Disallow rooted devices
- Require updates to be installed
- Disallow 3rd-party app stores and apps
- Require stronger PIN codes
- Require timeouts
- Require encrypted devices

Securing BYOD/Mobile
- Disallow clear communications over public networks
- Inspect mobile applications for security flaws
- Use sandboxing when needed
- Utilize remote wiping

Securing BYOD/Mobile: End User Training
- Lost phones must be reported immediately
- Phishing identification
- Physical security
- Dangers of malicious applications
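The three mitigation slides read as a checklist; in practice they become a compliance rule set that an MDM evaluates against each enrolled device before granting access. The following is an added example, not code from the presentation or from any MDM product, that encodes those rules over constructed inventory records. The field names, the placeholder minimum OS versions, the 6-character passcode minimum and the 5-minute lock timeout are assumptions chosen for the demonstration; the rules themselves come from the slides.

```python
"""Added example (not from the presentation or an MDM vendor): evaluate
constructed device inventory records against the BYOD rules on the slides.
Field names, version minimums and thresholds are assumptions."""

POLICY = {
    "min_os": {"iOS": "7.0", "Android": "4.4"},  # placeholder minimum versions
    "min_passcode_length": 6,                    # "stronger PIN codes"
    "max_lock_timeout_s": 300,                   # "require timeouts"
}


def parse_version(text: str) -> tuple:
    """'4.4.2' -> (4, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device: dict, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    reasons = []
    if not device.get("mdm_enrolled"):
        reasons.append("not enrolled in mobile device management")
    if device.get("rooted"):
        reasons.append("rooted or jailbroken device")
    platform = device.get("platform")
    minimum = policy["min_os"].get(platform)
    if minimum is None:
        reasons.append(f"unsupported platform: {platform}")
    elif parse_version(device.get("os_version", "0")) < parse_version(minimum):
        reasons.append(f"{platform} {device['os_version']} below required {minimum}")
    if device.get("third_party_store") or device.get("sideloading_enabled"):
        reasons.append("third-party app store or sideloading enabled")
    if device.get("passcode_length", 0) < policy["min_passcode_length"]:
        reasons.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    if device.get("lock_timeout_s", 10**9) > policy["max_lock_timeout_s"]:
        reasons.append("screen lock timeout too long")
    if not device.get("encrypted"):
        reasons.append("storage not encrypted")
    if not device.get("remote_wipe"):
        reasons.append("remote wipe not available")
    if not device.get("vpn_on_public_wifi"):
        reasons.append("clear communication over public networks not blocked")
    return reasons


def is_compliant(device: dict, policy: dict = POLICY) -> bool:
    return not evaluate(device, policy)


def review(inventory: list, policy: dict = POLICY) -> dict:
    """Map device id -> violations for a whole inventory."""
    return {d["id"]: evaluate(d, policy) for d in inventory}


# Constructed inventory records; values are made up.
SAMPLE_INVENTORY = [
    {"id": "dev-1", "platform": "iOS", "os_version": "8.1", "mdm_enrolled": True,
     "rooted": False, "third_party_store": False, "sideloading_enabled": False,
     "passcode_length": 6, "lock_timeout_s": 300, "encrypted": True,
     "remote_wipe": True, "vpn_on_public_wifi": True},
    {"id": "dev-2", "platform": "Android", "os_version": "4.1.2", "mdm_enrolled": True,
     "rooted": True, "third_party_store": True, "sideloading_enabled": True,
     "passcode_length": 4, "lock_timeout_s": 1800, "encrypted": False,
     "remote_wipe": True, "vpn_on_public_wifi": False},
]


if __name__ == "__main__":
    for device_id, violations in review(SAMPLE_INVENTORY).items():
        print(device_id, "compliant" if not violations else violations)
```

Returning the full list of reasons rather than a single boolean matters operationally: the second device fails on six separate rules, and the help-desk conversation that follows a blocked connection is much shorter when every reason is listed at once.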

QUESTIONS?