Are security concerns for mobile devices, like smartphones and tablets, real? Or, are claims of exponential growth in malware simply FUD? We will explore the major mobile operating systems and security concerns with each. This session will provide tips that can be shared to help your users protect their personal info and data when viewed from a mobile device. Information on mobile security programs will be shared, as well, including a look at whether free or commercial offerings provide better protection.
1. Are our mobile devices too ‘smart’ for their own good?
MOBILE SECURITY FOR
SMARTPHONES AND TABLETS
2. One Ring to Rule Them All
• Smartphones and Tablets are the most
intimate pieces of IT that we've ever had:
– Personal digital assistant, High resolution cameras
– GPS navigation, Wi-Fi, Enhanced web browsers
– Apps to do almost anything
• Users (from healthcare, police, military)
store/manage personal data & sensitive info
– View slides at http://www.slideshare.net/vcv1
One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the
darkness bind them. J. R. R. Tolkien
3. Mobile (via @LukeW)
• Think Mobile First
• 3 Trends in Mobile Devices
– Processing Power
– Network Access
– Data in the Cloud
• 1.4 Million devices are activated each day
4. BYOD
• Bring Your Own Disk
• Bathe Your Own Dog
• Be Your Own Detective
• Bring Your Own Dessert
• Bring Your Own Deck (a.k.a John Dorner)
• Bring Your Own Drink
• Bring Your Own Disaster
5. Bring Your Own Device
“Consumerization of IT,” refers to employees
who bring their own computing devices –
such as laptops, smartphones, and tablets to
the workplace for use, using a corporate
network for connectivity
7. Forrsights Workforce Employee Survey
• Q4 2011, asked 9,900 information workers in
17 countries about devices they use, personal
devices they use for work purposes 1
• Typical information worker has manage their
information from more than one device
• Interested in work systems and personal cloud
services that enable easy multidevice access,
such as Dropbox, Box, SugarSync, Google
Docs/Apps, Windows Live, and Apple iCloud
12. Forrsights Workforce Employee Survey
• Shipping PCs still > 90% Win OS
• Share of PCs in companies is even higher
• Info workers, not IT, are voting with $$$,
Microsoft is down to about two-thirds of the
devices they use to get work done
• Report concludes that
– “mobile devices will become majority of devices
used for work, surpassing PCs” and “Windows’
device share will fall below 50 % by 2016.”
13. Security Quotes
“Against the growing, unstoppable
backdrop of consumerisation and
BYOD [bring your own device], every
mobile device is a risk to business.”
Raimund Genes, Trend Micro CTO 2
14. Security Quotes
“Security becomes a critical requirement
(in mobile banking) and all parties
involved in a financial transaction need
to consider security. Mobility and
freedom to transact anywhere, anytime
is no longer negotiable - it is the nature
of the lives we live today.”
Schalk Nolte, Entersekt 3
15. Security Quotes
“I'm sure you've seen this scenario.
Halfway through [a] flight, a user
switches from super-critical pieces of
corporate work to checking out the app
they downloaded while waiting in the
airport terminal.”
Cameron Camp, ESET 4
16. Security Quotes
“Today what we’re seeing are malicious Android
applications that have bundled legitimate apps such
as Rovio ’s Angry Birds Space. First the malicious
“wrapper” tricks and manipulates the user into
granting permissions that allow the malware to
subscribe to premium rate services. But then… the
malware actually does install a working copy of the
promised game. At this point, there is little to be
suspicious of and nothing to troubleshoot. The user
gets the game that he was promised.”
Sean Sullivan F-Secure Labs 5
17. MDM vs. Mobile Security
• What is Mobile Device Management (MDM)?
• By controlling and protecting the data and
configuration settings for all mobile devices in
the network, MDM can greatly reduce support
costs and business risks. Gartner Aug 2011
• Software allows you to:
– Remote lock/wipe, Password enforcement
– Remote Configuration and Provisioning
– Logging and Reporting, Decommissioning
18. Why Do Criminals Want Access?
• Smartphones are the new credit cards!
– This is where our "wallets" are
– This is where our information is
• Criminals will take any info for Identity Theft
• They can sell (make money) on online forums
• Targeted emails designed to be read on
Smartphone/Tablets are just a matter of time
19. Security and Data Protection
• Focus Four
– Apple iOS
– Blackberry
– Google Android
– MS Windows Phone 7
• Discussion will be Smartphone focused but
will discuss tablets at the end
21. Which BOYD is most secure?
Answer:
1. Blackberry
2. iPhone and Windows Phone 7.x
3. Android
That said, if you have poorly educated user, they can
download malicious app on any Smartphone or
Tablet and it can be compromised!
22. Which BOYD is most UN-secure?
Answer:
1. Android
2. iPhone and Windows Phone 7.x
3. Blackberry
That said, this can change quickly.. Could have a
Vulnerability that is quickly accessed on iPhone by
attackers
23. Blackberry
• Long history of being Enterprise Ready
• RIM's upcoming BlackBerry 10 (B10) OS is
intended to be even more secure
• BB10 security will have multiple integrated
layers, with tight relationship between
hardware and software
• There will be a permissions-based security
model for apps, coupled with a various OS-
level security and safety features
24. B10 New Protections
• Blocking root access, which enables a user or
hacker to gain administrative access to the OS
• Memory randomization, "scrambles" where in
memory routines may run, making it harder
for these to be leveraged by attackers
• Adding security management, including
auditing, to the kernel
Source: Network World “BlackBerry 10 OS will have multi-
layered security model” May 8, 2012
25. Apple iOS
• Will growing popularity in iOS mean criminals
will target?
• Apple doesn’t allow 3rd party companies to
develop antivirus software for iOS-based
devices, such as the iPhone and iPad
• Enterprise iPhone security issues and how to
address them (Dec 2011)
26. Apple iOS
• iOS threats are largely satisfied by tweaking
native security settings
• VirusBarrier for iOS by Intego, $2.99
• “Flashback” Java Vulnerability Exploit
– 2 month delay for Apple’s Response
– 600,000 Mac users infected
• Can you jailbreak iOS? Yup!
– Absinthe 2.0 Untethered Jailbreak Released for
iOS 5.1.1 (May 25 2012)
27. Apple iOS
• Kaspersky CEO Eugene Kaspersky is very vocal
in his criticism of Apple
– Criminals “are happy with Windows computers.
Now they are happy with Mac. They are happy
with Android. It is much more difficult to infect
iOS but it is possible and when it happens it will
be the worst-case scenario because there will be
no protection. The Apple SDK won’t let us do it.” 7
– Eugene Kaspersky frustrated by Apple’s iOS AV
ban (May 22 2012)
28. Windows Phone 7 History 8,9
• Released in late 2010, 7 updates since then
– Microsoft shut down the Marketplace app store
for older Windows Mobile 6.x phone platform on
May 9, 2012
• Apps only from Windows Phone Marketplace
• Aimed at the Consumer market not Enterprise
• Smartphone OS market share 2011
– MS has only 1.9% market share
– IDC predicts a 20% share by 2015 (likely high)
29. Windows Phone 7 Platform Security
• Chambers concept to enforce app isolation
and least privilege, 4 chambers, apps in LPC
• The fourth chambers is capabilities based
– Least Privileged Chamber (LPC)
• Three higher chambers have fixed permissions
– Standard Rights Chamber (SRC)
– Elevated Rights Chamber (ERC)
– Trusted Computing Base (TCB)
30. Windows Phone 7 App Security
• Capability checks are enforced at runtime
• Requests for other resources ==
UnauthorizedAccessException
• Apps must have a valid MS signature to be
installed & run in LPC sandbox
• Apps use their own “Isolated Storage”
• WP7 allows developers to encrypt data and
databases
31. Windows Phone 7 - What’s Missing
• Lack of native disk encryption
• No support for client side SSL certificates
• Lack of in built VPN functionality
– Source: Windows Phone 7 'not fit for big biz ...
unlike Android, iOS'
32. Windows Phone 7 Tips
• Only install apps from Marketplace. This
ensures that any app you install has been
digitally signed, which reduces your risk and
increases phone safety
• Windows Phone 7 includes a "Find My Phone"
feature that allows you to find a lost phone,
lock it remotely, and also wipe it remotely
• Best-windows-phone-7-apps#security
33. Android
• Popularity makes Android a lucrative target for
malware authors
• New families and variants of malware keep
cropping up each quarter, trend shows no sign
of slowing down
• In Q1 2012, malware authors are focusing on
improving their malware’s techniques in
evading detection, as well as exploring new
infection methods
34. F-SECURE Mobile Threat Report
• In Q1 2011, 10 new families and variants were
discovered; In Q1 2012, 37 new families and
variants were discovered
• Malicious Android application package files
(APKs) received in Q1 2011 and in Q1 2012
reveals a more staggering find — an increase
from 139 to 3063 counts.
F-SECURE Mobile Threat Report, Q4 2011 (.pdf)
36. That Said... Perspective
• Mobile malware numbers remain low -- about
1% or less of all malware globally
• Android threats now reach almost 7,000, with
more than 8,000 total mobile malware in our
database
• To put it in perspective, there are 83 million
malware samples in McAfee’s database
McAfee Threats Report for First Quarter of 2012 (.pdf)
37. Android – Reducing Risk
• Practice safe mobile computing, Be vigilant
and avoid risky behavior
• Don’t install apps that are new to the market
– Yahoo’s Axis Browser Security Slip-Up (May 23 2012)
• Research apps before downloading, Check the
publisher and app reviews, Use the official
Android Market
• Avoid side-loading apps, unless software and
its developer are familiar to you.
38. Android – Reducing Risk
• Turn off the ability to install apps from
unknown sources in by going to Settings and
then to the Security menu (in Android 4.0 or
later) or the Applications menu (in earlier
versions of Android)
• When installing an app, pay close attention to
the permissions it requires, Use your phone’s
app-management tools to make sure it’s using
only the resources it promised to use
39. Android – Reducing Risk
• Be wary of phishing scams and malware via
the Web browser or SMS messages
• Be cautious if you root a device, Keep an eye
out for Superuse prompts displayed when an
app requests root permissions
• Rooting allows you to use some powerful apps
and even enhanced security functionality, but
at the same time increases potential damage
from infections
40. Android – Reducing Risk
• Install an antivirus/security app
• Block or disable ability to send premium SMS
subscriptions (prevent malware from sending
messages that will automatically charge your
account)
– AT&T (Manage Mobile Purchases & Downloads)
– Verizon FAQ
– More from c|net
41. Android – Mobile Security Apps
• PC Mag Review (May 24 2012)
• Apps reviewed on 5 Stars
– Bitdefender Mobile Security
– F-Secure Mobile Security 7.6
– Lookout for Android
– McAfee Mobile Security 2.0
– TrustGo Antivirus and Mobile Security 1.0.6
– ESET Mobile Security 1.1
42. Infographic: Grand Theft Mobile
Source: http://blog.mylookout.com/blog/2012/05/04/infographic-grand-theft-mobile/
43.
44.
45.
46.
47.
48.
49.
50.
51.
52. Security Checklist
• Attevo is a global business and information
technology consulting firm based in Cleveland,
OH
• Here is their 13-point checklist for addressing
mobile technology threats 10
• Keep in mind security around Windows
laptops from mid to late 1990s
53. Security Checklist
1. Where is My Device Again?
Always maintain physical control over your smartphone to
prevent outright theft, unauthorized usage or the
installation of malware (apps with malicious code) by
seemingly mild-mannered co-workers or by ruthless digital
predators; treat a smartphone like a wallet, never leave it
unattended in public spaces.
vcv_note: @LukeW listed Near Field communication
(NFC) as a positive, it is, I guess
54. Security Checklist
2. Yes, You Need to Use a Passcode
Enable the smartphone's password/passcode
protection; a recent study reveals that only 38% of
smartphone users enable this security feature.
vcv_note: SIM-locks can be by-passed, but
BlackBerrys 'a challenge' (May 17, 2012)
Tip: Open Excel. In cell A1, enter =RAND() and press
Enter. Fill Down to A10. Pick 5 random codes.
55. Security Checklist
3. You Still Need to Do Updates
Install operating system updates whenever they
become available to reduce the number of system
vulnerabilities; a 2011 report indicated that 90% of
Android users were running outdated operating
system versions with serious security vulnerabilities.
vcv_note: Reinforce basics with your staff
56. Security Checklist
4. Use a Security App
Install an anti-malware protection app (if available
for the device) to thwart infection from malicious
apps and websites; all major platforms have been
hacked and are susceptible.
vcv_note: Free apps are good (better than nothing),
but pay for apps give more features. Go ahead and
spend 4.99 or 9.99
57. Security Checklist
5. Be Careful Where You Browse
When using the smartphone's or tablet’s web
browser, avoid suspicious/questionable websites
that can be the source of malicious code.
vcv_note: Few security apps are available for iOS,
but you can find secure Web browsers that offer
extra features to lower risk of stumbling upon a
malicious website, ex: Webroot SecureWeb Browser
58. Security Checklist
6. Download/Install with Care & Caution
Be selective when buying or installing apps; wait for
app reviews, download only from trusted sources
(known app stores) and be cautious/suspicious of
free apps, because they are free for a reason (the
reason could be access to your data).
vcv_note: Google Android Market, Windows Phone Marketplace, RIM
BlackBerry App World and Appstore for Android all disclose the
permissions of apps. Apple iTunes App Store doesn’t (Apple vets apps)
59. Security Checklist
7. Review What You “Agree To”
Understand and control each downloaded apps
"access" to smartphone data and personal
information; game apps do not need access to
phonebook contacts, photos, e-mails, location,
browsing history, texting history and other phone
features (avoid allowing automatic app updates).
vcv_note: Double check, then go back AGAIN
60. Security Checklist
8. Credentials Management
Do not save passwords, PINs or other account
information as Contacts or in Notes.
vcv_note: In other words, don’t put your password
on a sticky and attach it to the tablet
61. Security Checklist
9. Wild Wild Free Wi-Fi
Avoid using open Wi-Fi, especially for shopping and
banking activities; Wi-Fi sniffing is a common
occurrence that can have significant consequences
like lost credit card numbers.
vcv_note: Do not, I repeat, DO NOT do this at all
62. Security Checklist
10.Phishing is More Than Nigerian Spam
Avoid opening suspicious e-mail or SMS text
messages, especially from unknown sources.
Unwary readers may be unwillingly tricked into
phishing by entering sensitive information from
online prompts.
vcv_note: If you are not certain, email your IT
Specialist and ask, ;-)
63. Security Checklist
11.Shields Up! Go to Red Alert!
Turn the Bluetooth access feature off when not
needed and avoid Bluetooth use in busy public
areas.
vcv_note: Commander Riker Audio
64. Security Checklist
12.PIN Use “Good”; PIN Default “Bad”
Utilize a PIN to access voice-mail and avoid using
the carrier's default PIN setting.
vcv_note: Beyond the default...
Top ten iPhone passcodes: [1234, 0000, 2580, 1111,
5555, 5683, 0852, 2222, 1212, 1998] 11
65. Security Checklist
13.Locked and Loaded
Insure that smartphone or tablet e-mail account
access is through either a SSL or HTTPS connection
so that transmitted data is encrypted.
vcv_note: Quick web search should provide this
answer. Example: Gmail
66. Encrypting Email Traffic
• Android
– TouchDown for Smartphones by NitroDesk
includes support for S/MIME keys from EchoWorx
• Blackberry
– BlackBerry devices provide encryption and policy
from the BlackBerry Enterprise Server (BES); The
implementation is trusted and validated by many
government organizations
67. Encrypting Email Traffic
• iPhone
– 3GS has hardware encryption (also enabled via
ActiveSync option); AES256 employed by default;
Pre-3GS devices do not provide encryption
– Encryption bypass vulnerabilities all require the
iPhone to be already jail-broken
• Windows Phone
– Good for Enterprise by Good Technologies
providing security at the application layer (in
addition to device security)
68. Tablet Security Products
• Pay-for Android tablet security, similar
features, protect 1 device for 1 year, $19.99
– Norton Mobile Security Lite
– Kaspersky Tablet Security
– Webroot Mobile Security
• Norton 360 Everywhere (May 4 2012)
– protects up to 5 devices, including PC, Mac, and
Android smartphones and tablets, $99
69. Jumpstarting Your BYOD Policy 12
• Basic BYOD employee training include:
– Training on physical security
– Training on Wi-Fi security
– Information about social engineering attacks and
how to avoid them
– A requirement to password-protect personal
devices and education on strong passwords
– Clearly stated rules on what work-related data can
be accessed from personal devices (Ohio State)
70. Intel’s Mobile Policy 13
• Policies and security expectations are same for
corporate and personally owned devices
• Communicated to employees...
– When employees sign up for particular services
– When staff connect a new device to the Intel
network
– On a regular basis through security awareness
articles and notices
– In an annual security refresher for the entire staff
71. Future for People
• One Constant ... Human Nature
• People will look to do both good and bad
things with technology
• Consumers will continue to drive new devices
and technology
• Lack of Security Skills with today’s devices
(and future devices) will haunt us going
forward
72. Future for Technology
• Advances in materials science will continue to
make devices smaller and faster
• Embedded devices
– iDermal, Strapless iPod Nano Watch
• Tokenless Two-Factor authentication
– PhoneFactor (Commercial) Video, White Paper
• Improved Security Built-In to devices (hope)
– ZTE Android Backdoor Vulnerability
73. Future Threats
• Social Networks will continue to evolve and
change
• Transition to a more secure 3G/4G may take
some time
• Those with bad intent (e.g. criminals) will
always find way to outwit or outlast any
security measures put into place
– One Constant ... Human Nature
74. Future Actions (by YOU)
• BYOD is a done deal (mostly)
• Devices with very little effort can be made
reasonably secure
• Mobile Device Management (MDM) still
young – implement but review in 1 year
75. Final Thoughts
• We come back to USER EDUCATION,
TRAINING, and RE-TRAINING
• Encourage the use of “Common Sense”
• Discourage the attitude of “No one would
want my data” and “this can’t happen to me”
• Security - It's not your fault. It's your
responsibility.
76.
77. Sources
1. Employees Use Multiple Gadgets For Work — And Choose Much Of The Tech Themselves
2. BlackBerry still trumps Android for security, analysis finds
3. 41% of people believe online banking and shopping is akin to playing Russian Roulette
4. BYOD Smartphones, PCs and Tablets Raise Big Security Risks, Experts Say
5. Mobile Threat Report Q1 2012, F-Secure Labs
6. Android, Apple iOS run away from pack: Can Windows Phone challenge at all?
7. Apple iOS Needs Antivirus Protection: Kaspersky
8. SecurityBSides London - windows phone 7
9. Bsides London 2012 David Rook: Windows Phone 7 platform and application security overview
10. Attevo Offers A 13-Point Security Checklist For Smartphone Users
11. Most Common iPhone Passcodes
12. Jumpstarting Your BYOD Policy
13. How to Enforce Your Mobile Policy