Weak Spots in Enterprise Mobility Management Dennis Schröder


Personal details (slide 1)
TÜV Informationstechnik GmbH, TÜV NORD GROUP
Dennis Schröder, M. Sc. IT Security, Business Security & Privacy, Product Manager Cyber Security Services
Main focus: Mobile Security, Application Security, Network Security, Industrial Security, SE Security
05.11.2015

Agenda (slide 2)
- Why Mobile Security
- Challenges
- Case Study
- How to securely integrate mobile devices?
- How to verify correct integration?

Mobile Security? (slide 3)
Mobile Security is mostly about smartphones, tablets, and their integration into existing environments. Key factors are:
- Devices are always at our side, ready to be used
- Always on, always connected
- Functionality is easy to extend with apps

Sample Mobile Use Cases (slide 4)

Challenges (slide 5)
Mobile devices are constant companions:
- You can lose them
- They get stolen
Prime target for attackers:
- Vast amount of data, private and corporate
- Attackers can easily turn it into money
Corporate vs. private: BYOD, COPE, COBO?
- Who wants their private data to be corporate controlled?
- Who believes corporate data is safe on private devices?
- Who wants to carry two smartphones?

More challenges (slide 6)
- All problems from classic IT also apply: how to administer and manage? How to integrate into the network?
- Users usually have no or little knowledge of internals and security: it should just work, no reading, just tapping
- Smartphones, tablets and mobile security in general are a complex topic

Mobile Security Overview (slide 7)

Mobile Solution (slide 8; architecture diagram, labels only): Enterprise Mobility Management (EMM, MAM, Mobile Strategy); Mobile Devices (Mobile OS and OS functions, Secure Elements, Apps, Interfaces); IT Infrastructure (Security Architecture, Business Applications); Internet Services (Security Architecture, Web Application, Web Services, Apps); Individual Solutions (Hardware and Software Components, Apps and Services)

Mobile Strategy (slide 9)
Consider every aspect:
- What should employees be able to do?
- Which business use cases should be covered?
- BYOD, COPE, COBO
- MDM, MAM, MCM (containerization)
- Choose devices and operating systems (if not BYOD)
- Integrate into the existing network with security in mind
- Develop emergency plans, e.g. for lost devices
- Brief staff on usage and security implications
- Next to technical guidelines, develop organizational ones

Mobile Strategy (slide 10)
Find a fair balance between usability and security:
- Employees should be able to use the devices
- Nobody likes to enter a long passphrase every 2 minutes
- Nobody wants to be monitored (at least when you ask them)
Not every asset should be accessible on a mobile device:
- If something should be kept top secret, treat it so!
- Some use cases are not suited for mobile devices

Case Study: The Client (slide 11)
A global player checks its infrastructure:
- 10k employees, worldwide sites
- 200+ smartphones on the tested site
- iOS and Android, used throughout all staff hierarchies
- MDM with integrated MAM and sane policies:
  - Detected jailbreak results in remote wipe
  - Activated device encryption
  - Devices are (automatically) locked with a secure PIN
- MDM externally hosted and administrated (SaaS)
So far so good!

Case Study: First Security Problem (slide 12)
Although multiple security measures were in place, some devices had an unlocked bootloader.
- We could boot our own kernel and ramdisk
- We had full access to the phone
- We could eavesdrop on the PIN or brute-force it
Impact:
- Full access to encrypted data (credentials, WiFi PSK, ...)
- We could also disable MDM and other security features
- Use the device on behalf of the original user
- Access corporate data and even services
- Gather data for subsequent attacks (infrastructure accessed via corporate WiFi)

Case Study: Second Security Problem (slide 13)
Although mutual certificate-based authentication between the mail proxy and the mobile device is required, Active Directory passwords could be eavesdropped.
- Security policy allows self-signed certificates; the user must accept them
- Man-in-the-middle attack doable with minor effort
- Attacker cannot communicate with the mail proxy (no certificate)
- But the mobile device sends credentials via HTTP POST after accepting the attacker's certificate
- Reuse AD credentials elsewhere, e.g. VPN or webmail
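The client-side decision behind the second problem, as an added example that is not part of the case study: a strict policy that verifies the proxy certificate against the corporate roots, beside the weak policy that also accepts a self-signed certificate for the expected host name. The CA name and the host mail.example.com are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn; with parent == nil it is self-signed, which is how an interception certificate looks.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AcceptServerCert is the client's decision when the mail proxy presents cert. Strict mode requires a chain to the corporate
// roots; allowSelfSigned models the weak policy from slide 13, where a self-signed certificate for the right host is accepted.
func AcceptServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, allowSelfSigned bool) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err == nil {
		return true
	}
	return allowSelfSigned && cert.Issuer.String() == cert.Subject.String() && cert.VerifyHostname(host) == nil
}

// Demo builds a corporate CA, a legitimate proxy certificate and a self-signed certificate for the same host.
func Demo() (legitStrict, attackerStrict, attackerWeak bool) {
	const host = "mail.example.com" // constructed placeholder, not from the case study
	ca, caKey := issue("Corp Root CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	legit, _ := issue(host, false, ca, caKey)
	attacker, _ := issue(host, false, nil, nil)
	return AcceptServerCert(legit, roots, host, false), AcceptServerCert(attacker, roots, host, false), AcceptServerCert(attacker, roots, host, true)
}
```

Only the strict policy refuses the self-signed certificate; the weak policy accepts it as soon as the host name matches, which is exactly the state the user's "accept" tap produces.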

Case Study: Summary (slide 14)
- Mobile devices are computers; they are complex
- You have to find and close all vulnerabilities; an attacker only has to find one
- In this case, one problem already occurred in the procurement process
- Not only are smartphones complex devices, their integration into an existing network is complex too
- Users, many administrators and CISOs often do not recognize this complexity

Other Thoughts: even more challenges (slide 15)
Cloud providers:
- What data is sent there? Is it encrypted?
- Who actually reads the EULA?
- What happens if the provider suddenly stops its service?
Messaging services and social media:
- Which data is sent where? Corporate secrets? EULA?
Device features:
- "Hello Siri?" Try to gather information while the device is locked!
- Speech-to-text: where does it end up? (EULA!)
- Manufacturer ID and mobile device: who owns what?

Where do Problems Occur? (slide 16)

Verify Secure Mobile Device Integration (slide 17)
- Set everything up, but do not roll it out yet
- Test the prototyped EMM integration:
  - Verify use cases are working
  - Verify role and group policies
  - Verify software setup and security measures
  - Verify emergency scenarios are working as planned
  - Verify staff knows what they are doing
- Test the prototype again, this time externally. It's usually a fatal mistake to trust a system which you could not break but also built yourself!
- Fix everything (maybe test again), then roll it out

TÜViT accompanies your Organisation on the Way to a Secure Mobile Business World (slide 18)
TÜViT offers testing and advisory services for all mobile security and EMM scenarios:
- Health Check (without seal of approval)
- Assessment (with seal of approval)
- Test procedures based on international standards and best practices (OWASP, WASC, CESG, BSI)
- Technical and organisational test procedures
- Continuous monitoring and retesting (managed services)

Penetration Tests: Classification and Criteria (slide 19)
- Information basis: Black-Box, Gray-Box, White-Box
- Aggressiveness: Passive scanning, Cautious, Considering, Aggressive
- Coverage: Thorough, Bounded, Focused
- Approach: Covert, Obvious
- Access: Network, Physical, Social Engineering
- Source: Remote, Local

OWASP Mobile Top 10 Risks (slide 20)
1. Weak Server Side Controls
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorization and Authentication
6. Broken Cryptography
7. Client Side Injections
8. Security Decisions via Untrusted Inputs
9. Improper Session Handling
10. Lack of Binary Protections

Many Thanks! (slide 21)
TÜV Informationstechnik GmbH, TÜV NORD GROUP
Dennis Schröder, IT Security
Langemarckstr. 20, 45141 Essen
Phone: +49 201 8999 606
Fax: +49 201 8999 666
E-Mail: d.schroeder@tuvit.de
https://www.tuvit.de
https://appsecuritycenter.com