
modern security risks for big data and mobile applications


Trivadis - modern security risks for big data and mobile applications
by Florian van Keulen


  1. Modern Security Risks for Big Data and Mobile Applications. Florian van Keulen, Senior Consultant Information Security, IT Security Officer, Trivadis Group. Offices: Basel, Bern, Brugg, Lausanne, Zürich, Düsseldorf, Frankfurt a.M., Freiburg i.Br., Hamburg, Munich, Stuttgart, Vienna. 2014 © Trivadis, Trivadis TechEvent Sep. 2014, 12.09.2014.
  2. Florian van Keulen, Senior Consultant Information Security, IT Security Officer Trivadis.
     - "Telematics" with a focus on security, University of Twente, The Netherlands
     - Working in IT since 2000
     - Specialized in IT security since 2009
     - At Trivadis AG, Zürich (BDS) since 2014
  3. "When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece" – Tim Cook, CEO Apple Inc., 9/5/14, Wall Street Journal (interview on the iCloud nude celebrity photo leak).
  4. Agenda
     - 1. Past incidents: data breaches
     - 2. Big Data: privacy and data protection; mosaic effect (de-anonymization / re-identification); lack of well-known security controls
     - 3. Mobile applications: application decomposition; badly defined permissions; data-at-rest / data-in-transit
  5. Past incidents
     - iCloud celebrity photo leak
     - 145 million customer records, obtained by compromising employee credentials; the attack lasted 2 months
     - 93.4% of Home Depot stores affected by card data breach: the largest US home-improvement chain; the scope of the hack is not yet known; it could be the biggest in US retail history
     - 152 million customer records; the hack was made possible by weak password requirements
  6. Past incidents (figure only)
  7. Data breach types in 2004 - 2013 (figure only)
  8. Data breach types in 2014 (figure only). Source: Data Breach Report 2014 by Risk Based Security
  9. (figure only)
  10. Privacy and data protection
     - Who owns the data? Multiple sources; use of publicly available data
     - Privacy policies: are users reading them? New regulations?
     - Deletion of data: impossible due to the many redundant copies
     - Anonymization: private data must be anonymized
     - Legal compliance: national / international, country borders
  11. Mosaic effect
     - Combining large data sets: privacy policies? Ownership? Data gets reassembled in unforeseen ways, for good or bad
     - De-anonymization by combining data sets
     - Profiling: misuse / a valuable target
     - Unanticipated uses of Big Data: data collected now, used later in an unwanted way
  12. Lack of well-known security controls
     - Security controls are not applied: the focus is on the 3 V's (Volume, Velocity, Variety), not on security. What about the 3 A's of security: Authorization, Access Control, Audit?
     - NoSQL databases lack security: transactional integrity, authentication, consistency, injection attacks (as SQL has), monitoring & logging, SIEM
     - Infrastructure: availability, backup / recovery, disaster
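Slide 12 lists injection attacks among the controls NoSQL stores often lack. The following is an added example, not code from the slides or from Trivadis: it shows how a MongoDB-style login filter assembled from untrusted JSON can be turned into an operator injection, and how a type check on the input closes it. The user records, the request body and the tiny in-memory matcher are all constructed so the example runs without a database; the function names are assumptions of this example.

```javascript
// Added example, not from the Trivadis slides: a MongoDB-style login filter
// built from untrusted JSON, the operator injection it allows, and the type
// check that closes the hole. No database driver is used; the functions only
// build the filter document that would be passed to something like
// collection.findOne(), and a tiny in-memory matcher evaluates it so the
// example runs offline.

// Vulnerable builder: request body values are copied into the query document
// unchanged, so a client can submit an object such as { "$gt": "" } instead
// of a string.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened builder: only primitive strings are accepted. Anything else
// (objects carrying $gt, $ne, $regex, ..., arrays, null) is rejected before
// it can reach the driver.
function buildLoginFilterSafe(body) {
  for (const field of ['username', 'password']) {
    if (typeof body[field] !== 'string') {
      throw new TypeError(`${field} must be a string`);
    }
  }
  return { username: body.username, password: body.password };
}

// Minimal imitation of how a document store evaluates a filter: equality for
// primitives, operator semantics for nested objects. Only the two operators
// needed for the demonstration are implemented.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([key, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, val]) => {
        if (op === '$gt') return doc[key] > val;
        if (op === '$ne') return doc[key] !== val;
        throw new Error(`unsupported operator ${op}`);
      });
    }
    return doc[key] === cond;
  });
}

// Constructed sample records. Plaintext passwords are used only to keep the
// matcher trivial; a real store would hold salted password hashes.
const USERS = [
  { username: 'alice', password: 'correct horse' },
  { username: 'bob', password: 'battery staple' },
];

function findUser(filter) {
  return USERS.find((u) => matchesFilter(u, filter)) || null;
}

// Constructed request body as JSON.parse() would deliver it when a client
// sends operator objects instead of credential strings.
const injectedBody = { username: { $gt: '' }, password: { $gt: '' } };

// Unsafe path: { $gt: "" } is true for every non-empty string, so the first
// user is returned without any valid credential.
function demoUnsafe() {
  return findUser(buildLoginFilterUnsafe(injectedBody));
}

// Safe path: the same body is rejected before a query is built.
function demoSafe() {
  try {
    buildLoginFilterSafe(injectedBody);
    return 'accepted';
  } catch (err) {
    return err instanceof TypeError ? 'rejected' : 'error';
  }
}

console.log('unsafe filter matched:', demoUnsafe());
console.log('safe filter result:', demoSafe());
```

The check belongs at the boundary where JSON is parsed, before any query object is built; validating types there (or using a schema validator that rejects objects in string fields) is the NoSQL counterpart of parameterized SQL statements.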
  13. (figure only)
  14. Mobile application risks
  15. Application decomposition
     - Identification / manipulation of client-side logic: static analysis, file system analysis, dynamic analysis, reverse engineering
     - Obfuscation: no code obfuscation makes it easier for the bad guys
     - Own client for attacking: one of the best ways to attack a client-server application
     - Logical flaws: business logic implemented in the application that should be done on the server side
  16. Badly defined permissions
     - App isolation is not secure enough: communication between components is a critical area (Activities, Services, Content Providers, Broadcast Receivers)
     - Permissions granted to components: if not properly secured / set, malicious or other rogue programs can interact with them
     - 3rd-party libraries: a potential threat, as they might get full access to your application
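Slide 16's warning that improperly set component permissions let rogue apps interact with Activities, Services, Content Providers and Broadcast Receivers can be checked mechanically in the Android manifest. The following is an added example, not part of the slides or of any Trivadis tool: a small manifest audit in JavaScript that flags components reachable by other apps without an `android:permission`. The manifest is constructed for the example (the `com.example.demo` package, its component names and the `auditManifest` function are all assumptions), and the parsing is a regex sufficient for this shape of manifest, not a full XML parser.

```javascript
// Added example, not from the Trivadis slides: audit an AndroidManifest.xml
// for components that other apps can reach without holding a permission.
// Rules applied (documented Android behaviour):
//   - android:exported="false"            -> not reachable, fine
//   - android:exported="true"             -> needs android:permission unless it
//                                            is the launcher entry point
//   - exported attribute absent + intent  -> implicitly exported on older
//     filter                                 targets; Android 12+ requires the
//                                            attribute to be declared explicitly
//   - provider without exported attribute -> default depends on
//                                            targetSdkVersion (true before
//                                            API 17), so declare it explicitly

// Constructed sample manifest; package and component names are placeholders.
const SAMPLE_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <permission android:name="com.example.demo.permission.SYNC" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </service>
    <service android:name=".SecureSyncService" android:exported="true" android:permission="com.example.demo.permission.SYNC"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>`;

// Matches one component element, self-closing or with a body.
const COMPONENT_RE = /<(activity|service|receiver|provider)\b([^>]*?)(?:\/>|>([\s\S]*?)<\/\1>)/g;
// Matches android:attr="value" pairs inside a start tag.
const ATTR_RE = /android:([\w-]+)="([^"]*)"/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1]] = m[2];
  return attrs;
}

// Returns an array of { kind, name, issue } findings for the given manifest.
function auditManifest(xml) {
  const findings = [];
  for (const m of xml.matchAll(COMPONENT_RE)) {
    const [, kind, rawAttrs, body = ''] = m;
    const attrs = parseAttrs(rawAttrs);
    const name = attrs.name || '(unnamed)';
    const hasIntentFilter = /<intent-filter\b/.test(body);
    const isLauncher = body.includes('android.intent.category.LAUNCHER');
    const hasPermission = Boolean(attrs.permission);

    if (attrs.exported === 'false') continue;
    if (attrs.exported === 'true') {
      if (!hasPermission && !isLauncher) {
        findings.push({ kind, name, issue: 'exported without android:permission' });
      }
      continue;
    }
    // android:exported not declared
    if (hasIntentFilter) {
      if (!isLauncher) {
        findings.push({ kind, name, issue: 'implicitly exported by intent-filter; declare android:exported and a permission' });
      }
    } else if (kind === 'provider') {
      findings.push({ kind, name, issue: 'provider without explicit android:exported (default depends on targetSdkVersion)' });
    }
  }
  return findings;
}

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.kind} ${f.name}: ${f.issue}`);
}
```

On the sample manifest the audit reports `.AdminActivity`, `.SyncService` and `.DataProvider`; `.SecureSyncService` passes because it is guarded by a signature-level permission, which is the pattern the slide's "properly secured / set" bullet points at. The same check can be run in CI against the merged manifest so that a newly exported component is caught before release.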
  17. Data-at-rest / data-in-transit
     - Data on the device is not secured: files or SQLite DB; rooted / jailbroken device; stolen device
     - Encryption? Algorithms; wrapper / container
     - Communication: weak authentication / no 2FA; no verification of endpoints; bad session management; harvesting of user information
     - Encryption: SSL; VPN; app VPN; wrapper
  18. Mobile application assessment (figure only)
  19. Awareness
     - Security: Florian van Keulen
     - BI / Big Data: Gregor Zeiler, Solution Manager; Peter Welker, Principal Consultant
     - Mobile: Martin Lukow, Senior Solution Manager
     - Consult, advise, plan together
  20. Questions and answers ... Florian van Keulen, IT Security Officer, Florian.vanKeulen@trivadis.com. Offices: Basel, Bern, Brugg, Lausanne, Zürich, Düsseldorf, Frankfurt a.M., Freiburg i.Br., Hamburg, Munich, Stuttgart, Vienna.
