2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not

•

1 gefällt mir•828 views

NCC Group

Technologie

Mobile Security – The impending
apocalypse… or maybe not
ISF Summer Chapter

Before we begin…
Hopefully not a lesson
in sucking eggs

Agenda
•What the press would have
you believe
•The reality

Before we begin… Who is this guy?
• Information Cyber Security for > 15 years
• Consultancy – 1997 – 2005
• Research – 2005 – 2011
• Symantec / BlackBerry
• Research / Consultancy – 2012
• Recx / NCC Group

What you are led to believe
•Mobile is as insecure the desktop
•BYOD is insecure
•Malware is rampant
•Mobile security needs augmenting

Motivations
•.… something to sell
•…. exposure

Mobile is as insecure as the desktop
•Incentivised
•Defence in depth
•App stores
•Ubiquitous sandboxes
•Security policy APIs
•Vendors adopting SDLs

BYOD is insecure
•BYOD is CHALLENGING
•Extending your security perimeter
•Loosening your control (potentially)
•Mixed domain devices
•Policies

Malware is rampant
•Malware is present NOT rampant
•Trojans (re-packaged apps)
•Trojans (unique appealing apps)
•App store revocation 
•People using third party app stores 

Mobile security needs augmenting
•Platforms have rich security stories
•Samsung KNOX
•BlackBerry Balance
•MDM APIs / Policies ..
•Some augmentation may be needed
•on iOS
•On device AV is not one of them

SDLs cost
•Vendors don’t have
•limitless funds
•limitless people
•limitless time
•Market driven by features
•not secure code
•Skills in short demand
•Not evenly deployed

Vulnerability v patching frequency
•No monthly patch Tuesday
•Carrier certification
•desire
•capacity
•Vendors
•desire
•capacity

Vulnerability v patching frequency
•Handset cycle 12 to 36 months
•HTC 10 Android models
•ZTE 18 Android models
•Samsung 12 Android models
•Apple 1 iPhone model
•BlackBerry 3 BB10 models
•Sustainment costs huge..

Devices are complex
•Peripherals
•Radio
•OS
•Apps
= a large and complex attack surface

Use cases are different
•Physical interaction
•Usage patterns

UK Offices
Manchester - Head Ofﬁce
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices
San Francisco
Atlanta
New York
Seattle
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland
Ollie Whitehouse
ollie.whitehouse@nccgroup.com

Weitere ähnliche Inhalte

Andere mochten auch

Practical SME Security on a Shoestring

NCC Group

Pki 202 Architechture Models and CRLs

NCC Group

Mobile App Security: Enterprise Checklist

Jignesh Solanki

Exploiting appliances presentation v1.1-vids-removed

NCC Group

NCC Group 44Con Workshop: How to assess and secure ios apps

NCC Group

Cryptography101

NCC Group

07182013 Hacking Appliances: Ironic exploits in security products

NCC Group

Cryptography - 101

n|u - The Open Security Community

Current & Emerging Cyber Security Threats

NCC Group

USB: Undermining Security Barriers

NCC Group

Real World Application Threat Modelling By Example

NCC Group

单反相机

Jacky Wu

HAPPYWEEK 184 - 2016.09.05.

Jiří Černák

삼색신호등 공청회 발표자료

kimjint

Situación de Aprendizaje basada en la Didáctica Crítica

ADORACION RODRIGUEZ

A decentralized future – the technology of next century

Blockchain Conferences

As part of the sessions at the 2016 California Public Higher Education Collaborative Business Conference, the presentation covers why Shared Services has become such an important part of your toolkit for delivering improved “back office” services to support your institution’s core mission. It explains why the true meaning of the words “shared” and “services” is so important. It also defines and distinguishes between “clients”, “consumers” and “stakeholders”.

Shared Services in Higher Education: conceps, clients, consumers and stakehol...

Chazey Partners

不一樣的台灣

honan4108

Andere mochten auch (18)

Practical SME Security on a Shoestring

Pki 202 Architechture Models and CRLs

Mobile App Security: Enterprise Checklist

Exploiting appliances presentation v1.1-vids-removed

NCC Group 44Con Workshop: How to assess and secure ios apps

Cryptography101

07182013 Hacking Appliances: Ironic exploits in security products

Cryptography - 101

Current & Emerging Cyber Security Threats

USB: Undermining Security Barriers

Real World Application Threat Modelling By Example

单反相机

HAPPYWEEK 184 - 2016.09.05.

삼색신호등 공청회 발표자료

Situación de Aprendizaje basada en la Didáctica Crítica

A decentralized future – the technology of next century

Shared Services in Higher Education: conceps, clients, consumers and stakehol...

不一樣的台灣

Kürzlich hochgeladen

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Manulife - Insurer Transformation Award 2024

The Digital Insurer

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Kürzlich hochgeladen (20)

Why Teams call analytics are critical to your entire business

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

GenAI Risks & Security Meetup 01052024.pdf

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

A Beginners Guide to Building a RAG App Using Open Source Milvus

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Corporate and higher education May webinar.pptx

Manulife - Insurer Transformation Award 2024

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Automating Google Workspace (GWS) & more with Apps Script

Data Cloud, More than a CDP by Matt Robison

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

2024: Domino Containers - The Next Step. News from the Domino Container commu...

A Year of the Servo Reboot: Where Are We Now?

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

FWD Group - Insurer Innovation Award 2024

Axa Assurance Maroc - Insurer Innovation Award 2024

AXA XL - Insurer Innovation Award Americas 2024

Powerful Google developer tools for immediate impact! (2023-24 C)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not

1. Mobile Security – The impending apocalypse… or maybe not ISF Summer Chapter

2. Before we begin… Hopefully not a lesson in sucking eggs

3. Agenda •What the press would have you believe •The reality

4. Before we begin… Who is this guy? • Information Cyber Security for > 15 years • Consultancy – 1997 – 2005 • Research – 2005 – 2011 • Symantec / BlackBerry • Research / Consultancy – 2012 • Recx / NCC Group

5. What you are led to believe •Mobile is as insecure the desktop •BYOD is insecure •Malware is rampant •Mobile security needs augmenting

6. Motivations •.… something to sell •…. exposure

8. Mobile is as insecure as the desktop •Incentivised •Defence in depth •App stores •Ubiquitous sandboxes •Security policy APIs •Vendors adopting SDLs

9. BYOD is insecure •BYOD is CHALLENGING •Extending your security perimeter •Loosening your control (potentially) •Mixed domain devices •Policies

10. Malware is rampant •Malware is present NOT rampant •Trojans (re-packaged apps) •Trojans (unique appealing apps) •App store revocation  •People using third party app stores 

11. Malware is rampant

12. Mobile security needs augmenting •Platforms have rich security stories •Samsung KNOX •BlackBerry Balance •MDM APIs / Policies .. •Some augmentation may be needed •on iOS •On device AV is not one of them

13. But it is no utopia

14. SDLs cost •Vendors don’t have •limitless funds •limitless people •limitless time •Market driven by features •not secure code •Skills in short demand •Not evenly deployed

15. Vulnerability v patching frequency •No monthly patch Tuesday •Carrier certification •desire •capacity •Vendors •desire •capacity

16. Vulnerability v patching frequency •Handset cycle 12 to 36 months •HTC 10 Android models •ZTE 18 Android models •Samsung 12 Android models •Apple 1 iPhone model •BlackBerry 3 BB10 models •Sustainment costs huge..

17. Vulnerabilities can be exploited

18. But… criminals are lazy …

19. But… there are motivated enablers..

20. Devices are complex •Peripherals •Radio •OS •Apps = a large and complex attack surface

21. Rapid change

22. Use cases are different •Physical interaction •Usage patterns

23. Mobile security – the future

24. Thanks? Questions?

25. UK Offices Manchester - Head Ofﬁce Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Ollie Whitehouse ollie.whitehouse@nccgroup.com

2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (18)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not