Working with a variety of multi-national organisations has shown Peter Wood that conventional security thinking has failed to address the challenge that the product of these areas has presented us - so how do we deal with this brave new world?

1. Cloud, social networking
and BYOD collide!
Peter Wood
Chief Executive Officer
First•Base Technologies

2. Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First Base in 1989 (one of the first ethical hacking firms)
CEO First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Member of ISACA Security Advisory Group
Vice Chair of BCS Information Risk Management and Audit Group
UK Chair, Corporate Executive Programme
FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa
Slide 2 © First Base Technologies 2012

3. Cloud
Slide 3 © First Base Technologies 2012

4. What's Different in Cloud
Security ~
THEM
Security ~
YOU SaaS
Software as a Service
IaaS PaaS
Platform as a Service
Infrastructure as a
Service
Slide 4 © First Base Technologies 2012

5. What's Different in Cloud
Slide 5 © First Base Technologies 2012

6. What's Different in Cloud
Slide 6 © First Base Technologies 2012

7. Just a little brainstorm
Slide 7 © First Base Technologies 2012

8. Social Networking
Slide 8 © First Base Technologies 2012

9. Yada yada yada
• People have always talked about work to their friends
• What has changed is the nature of how we interact
• We talk about our lives on our blogs, on social networking sites such
as Facebook and Twitter, and on message boards pertaining to the
work we're doing
• What was once intimate and ephemeral is now available to the whole
world, indexed by Google, and archived for posterity
• A good open-source intelligence gatherer can learn a lot about what a
company is doing by monitoring its employees’ online activities
Bruce Schneier
Slide 9 © First Base Technologies 2012

10. Social networks vulnerabilities
Slide 10 © First Base Technologies 2012

11. Social networks vulnerabilities
Slide 11 © First Base Technologies 2012

12. Why APT works
Slide 12 © First Base Technologies 2012

13. BYOD
Slide 13 © First Base Technologies 2012

14. Data loss
• Unencrypted storage and backup
• Poor or missing passwords and PINs
• No automatic screen lock
• Mobile apps often store sensitive data such
as banking and payment system PIN
numbers, credit card numbers, or online
service passwords
Slide 14 © First Base Technologies 2012

15. Network spoofing
• Mobile devices use wireless
communications exclusively and
often public WiFi
• SSL can fall victim to a downgrade
attack if app allows degrading
HTTPS to HTTP
• SSL could also be compromised if
app does not fail on invalid
certificates, enabling MITM attacks
Slide 15 © First Base Technologies 2012

16. Spyware
http://www.f-secure.com/en/web/labs_global/whitepapers/reports
Slide 16 © First Base Technologies 2012

17. UI impersonation
• Malicious app creates UI that impersonates that of the
phone’s native UI or the UI of a legitimate application
• Victim is asked to authenticate and ends up sending
their credentials to an attacker
http://blogs.mcafee.com/mcafee-labs/android-malware-pairs-man-in-the-middle-with-remote-controlled-banking-trojan
Slide 17 © First Base Technologies 2012

18. BYOD risks
• Data loss: a stolen or lost phone with unprotected memory allows an
attacker to access the data on it
• Unintentional data disclosure: most apps have privacy settings but
many users are unaware that data is being transmitted, let alone know of
the existence of the settings to prevent this
• Network spoofing attacks: an attacker deploys a rogue network access
point and intercepts user’s data or conducts MITM attacks
• Phishing: an attacker collects user credentials using fake apps or
messages that seem genuine.
• Spyware: the smartphone has spyware installed allowing an attacker to
access or infer personal data
• Surveillance: spying using open microphone and/or camera
• Diallerware: an attacker steals money from the user by means of
malware that makes hidden use of premium SMS services or numbers.
• Financial malware: malware specifically designed for stealing credit card
numbers, online banking credentials or subverting online banking or
ecommerce transactions.
Slide 18 © First Base Technologies 2012

19. The Collision
Slide 19 © First Base Technologies 2012

20. How Security sees Management?
Slide 20 © First Base Technologies 2012

21. How Management sees Security?
Slide 21 © First Base Technologies 2012

22. The Solution?
Slide 22 © First Base Technologies 2012

23. Make it real!
Identify real threats
Identify real impact
Demonstrate the risk
Slide 23 © First Base Technologies 2012

24. Now for the science bit …
Slide 24 © First Base Technologies 2012

25. Business Impact Level
A successful exploit will result in compromise of
Confidentiality, Integrity or Availability of an asset
• Level 1: negligible impact
• Level 2: limited consequences
• Level 3: significant impact
• Level 4: very high impact, requiring external
assistance and possible financial support
• Level 5: major risk which seriously endangers
business processes and prevents continuity
Slide 25 © First Base Technologies 2012

26. Threat Actors
• System and Service Users
- Regular users, admins, end users, shared service users
• Direct Connections
- Service providers, other business units
• Indirect Connections
- Network users, internet users
• Supply Chain
- Developers, hardware support
• Physically Present
- Regular users, admins, visitors, war drivers, intruders
Slide 26 © First Base Technologies 2012

27. Threat Actor Capability
1. Very little: almost no capabilities or
resources
2. Little: an average untrained computer user
3. Limited: a trained computer user
4. Significant: a full-time well-educated
computer expert using publicly available
tools
5. Formidable: a full-time well-educated
computer expert using bespoke attacks
Slide 27 © First Base Technologies 2012

28. Threat Actor Motivation
1. Very low: Indifferent
2. Low: Curious
3. Medium: Interested
4. High: Committed
5. Very high: Focused
Slide 28 © First Base Technologies 2012

29. Threat = Capability x Motivation
Slide 29 © First Base Technologies 2012

30. Example Threat Actor Analysis
Slide 30 © First Base Technologies 2012

31. Risk = Impact x Threat
Slide 31 © First Base Technologies 2012

32. Example Risk for Impact Level of 3
Slide 32 © First Base Technologies 2012

33. Example Prioritised Risk List
Slide 33 © First Base Technologies 2012

34. Run a Workshop
Slide 34 © First Base Technologies 2012

35. Now you’ve added value!
Slide 35 © First Base Technologies 2012

36. Or …
Management Security
Slide 36 © First Base Technologies 2012

37. Which results in …
Slide 37 © First Base Technologies 2012

38. Need more information?
Peter Wood
Chief Executive Officer
First Base Technologies LLP
peterw@firstbase.co.uk
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Twitter: peterwoodx
Slide 38 © First Base Technologies 2012