2011-07-13                          Vladimir Jirasek: Top 10 Mobile Risks   1




  TOP 10 MOBILE RISKS
  Vladimir Jirasek
  CISSP-ISSAP & ISSMP, CISM, CISA

  Senior Enterprise Security Architect, Nokia
  Steering Group, Common Assurance Maturity Model
  Non-executive director, CSA UK & Ireland




I am going to talk about ….
• Risks associated with mobile devices
• Mobile Applications threat model
• Mobile risks in an Enterprise
• Mobile device as a Trusted device
• Mobile security models
• Mobile Top 10
• Not all doom and gloom: What to look for




Mobile devices are ubiquitous for most people

• Mobile devices with power of average computer
• Used by people around the globe in personal and business life
• To access services they want, communicate with other people, shop and play, either online or via mobile apps




And the risks associated with the use cases are

• Mobile devices with power of average computer: power (CPU) and storage with seamless and always-on connectivity
• Used by people around the globe in personal and business life: traveling with people all the time; millions lost every day
• To access services they want, communicate with other people, shop and play, either online or via mobile apps: accessing potentially private and sensitive data, managing critical transactions

Mobile phone is your most personal computer and it needs to be well protected to become a trusted device.




Mobile device use cases threat model

• Mobile device is compromised with malware: malicious activity, loss of data, monitoring of activity, botnet
• Mobile device is lost or stolen: loss of data, potential malicious activity
• Mobile device is used to conduct malicious activity: unauthorised transactions, botnets, attack on web services




Mobile device risk in an Enterprise

[Diagram: the enterprise control boundary, with an un-managed mobile device and an un-managed personal device outside it; the risks labelled are "Un-controlled data sync" and "Un-controlled data access"]




Mobile threats summary [2]
• Web-based and network-based attacks – mobile device is connected,
  browsing websites with malicious content, malicious proxy servers

• Malware – traditional viruses, worms, and Trojan horses

• Social engineering attacks – phishing. Also used to install malware.

• Resource and service availability abuse – botnet, spamming,
  overcharging (SMS and calls)

• Malicious and unintentional data loss – exfiltration of information from
  phone

• Attacks on the integrity of the device’s data – malicious encryption with
  ransom, modification of data (address book)



Mobile device as a trusted device: [4,5]
How does mobile HW and OS hold up?

[Diagram: trust chain from the hardware up]
• Hardware: typically contains System on Chip (SoC)
• Load Kernel and mobile OS: OS security capabilities are crucial
• Load mobile applications: application segregation, security reviews
• Enterprise apps accessed from mobile devices

If Trust is not assured from HW up then there is no trust at all!




Mobile Security Models [2]
• Traditional Access Control: passwords and idle-time screen locking.
• Application Provenance: Application signing and Application review in App store
• Encryption: Encryption of device data and application data
• Isolation: traditional Sandboxing and Storage separation
• Permissions-based access control: Limiting application to needed functionality only

All must be supported by Trust from HW up. Jailbreaking breaks the security model!
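As an added illustration of the "Permissions-based access control" bullet (example code written for this page, not the speaker's or any platform's own tooling): the audit below parses the uses-permission entries of an Android manifest and reports every permission that falls outside an allow-list the reviewer derived from the app's stated purpose. The manifest, the allow-list for a hypothetical note-taking app and the high-risk mapping are constructed assumptions; the permission names themselves are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical note-taking app (assumption).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# What the reviewer judged a notes app actually needs (assumption for this example).
NOTES_APP_ALLOWLIST = {
    "android.permission.INTERNET",                # sync notes to the backend
    "android.permission.WRITE_EXTERNAL_STORAGE",  # export notes to a file
}

# Excess permissions that map onto the deck's risk categories; the mapping is
# this example's own judgement, the permission names are standard Android ones.
HIGH_RISK = {
    "android.permission.SEND_SMS": "unauthorised SMS and premium-rate charges",
    "android.permission.READ_CONTACTS": "address book retrieval",
    "android.permission.ACCESS_FINE_LOCATION": "location / activity monitoring",
    "android.permission.RECORD_AUDIO": "activity monitoring",
    "android.permission.READ_SMS": "interception of one-time codes sent by SMS",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml, allowlist):
    """Split requested permissions into allowed, excess, and high-risk excess."""
    requested = requested_permissions(manifest_xml)
    excess = [p for p in requested if p not in allowlist]
    return {
        "requested": requested,
        "allowed": [p for p in requested if p in allowlist],
        "excess": excess,
        "high_risk": {p: HIGH_RISK[p] for p in excess if p in HIGH_RISK},
    }


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, NOTES_APP_ALLOWLIST)
    for perm in report["excess"]:
        reason = report["high_risk"].get(perm, "not in allow-list")
        print("REVIEW %s: %s" % (perm, reason))
```

The allow-list is the key design decision: it is written per application from what the app is for, not from what it asks for, so the audit answers the question the slide poses (is the application limited to needed functionality?) rather than merely listing permissions.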




Veracode Mobile Top 10 [1]

Malicious Functionality
1. Activity monitoring and data retrieval
2. Unauthorized dialing, SMS, and payments
3. Unauthorized network connectivity (exfiltration or command & control)
4. UI Impersonation
5. System modification (rootkit, APN proxy config)
6. Logic or Time bomb

Vulnerabilities
7. Sensitive data leakage (inadvertent or side channel)
8. Unsafe sensitive data storage
9. Unsafe sensitive data transmission
10. Hardcoded password/keys




Summary: What to look for

Device and applications
• Do not jail-break the device
• Utilise mobile OS security features (access control, encryption)
• Follow data classification policies – what data can be on mobile devices and what protection is required
• Follow best practices for mobile application development

Enterprise Network
• Configure VPN for mobile devices
• Provision VPN profiles for seamless connectivity
• Monitor traffic for data exfiltration
• Enable processes to wipe devices
• Data security policy includes device capabilities and position
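"Monitor traffic for data exfiltration" is the one item on the Enterprise Network list that turns directly into detection logic once mobile devices come in over a VPN. The script below is an added example (not from the slides) that reads VPN egress records, sums uploaded bytes per device and hour, flags an hour that exceeds a device's median hourly volume by a factor, and separately flags a single large upload to a host outside the corporate allow-list. The record format, the log lines, the corporate host list and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed VPN concentrator log: ISO timestamp, device id, destination host, bytes uploaded.
SAMPLE_LOG = """\
2011-07-13T08:01:10Z dev-0017 mail.corp.example 18200
2011-07-13T08:05:42Z dev-0017 crm.corp.example 9400
2011-07-13T09:02:05Z dev-0017 mail.corp.example 21000
2011-07-13T10:03:00Z dev-0017 mail.corp.example 16500
2011-07-13T11:07:30Z dev-0017 share.dropzone.invalid 48000000
2011-07-13T08:02:00Z dev-0042 crm.corp.example 12000
2011-07-13T09:15:00Z dev-0042 crm.corp.example 11000
2011-07-13T10:20:00Z dev-0042 mail.corp.example 13000
2011-07-13T11:30:00Z dev-0042 crm.corp.example 12500
"""

CORPORATE_HOSTS = {"mail.corp.example", "crm.corp.example"}  # assumption for this example


def parse_log(text):
    """Yield (timestamp, device, host, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, device, host, size = parts
        try:
            yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, host, int(size))
        except ValueError:
            continue


def window_start(ts):
    """Floor a timestamp to the start of its one-hour bucket."""
    return ts.replace(minute=0, second=0, microsecond=0)


def upload_totals(records):
    """Bytes uploaded per (device, hour window)."""
    totals = defaultdict(int)
    for ts, device, _host, size in records:
        totals[(device, window_start(ts))] += size
    return totals


def detect_exfiltration(log_text, spike_factor=10, external_threshold=1_000_000):
    """Alert on hourly volume spikes per device and on large uploads to non-corporate hosts."""
    records = list(parse_log(log_text))
    per_device = defaultdict(list)
    for (device, start), total in upload_totals(records).items():
        per_device[device].append((start, total))

    alerts = []
    for device, windows in per_device.items():
        # Median, not mean: one huge hour would drag a mean up and hide itself.
        baseline = median(total for _, total in windows)
        for start, total in sorted(windows):
            if total > spike_factor * baseline:
                alerts.append({"device": device, "type": "volume-spike",
                               "window": start.isoformat(), "bytes": total,
                               "baseline": baseline})
    for ts, device, host, size in records:
        if host not in CORPORATE_HOSTS and size > external_threshold:
            alerts.append({"device": device, "type": "large-external-upload",
                           "host": host, "bytes": size, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_LOG):
        print(alert)
```

In production the baseline would come from days of history rather than the same file, and the alert would carry the device's owner and data classification so the wipe process on the same slide can be triggered with some confidence; the structure (per-device baseline plus destination allow-list) stays the same.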




Resources
1. Veracode Mobile app Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/
2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02
3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile
4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones
5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf
6. Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92).aspx

Mobile security summit - 10 mobile risks
