© 2014 All Rights Reserved
@codenomicon
Mohit Rampal, Shubika Soni
MOBILE & WIRELESS THREATS AND BUILDING CAPACITY FOR SECURITY
Strength in visibility
LANDSCAPE TODAY
Today’s world is filled with complexity. New threats are waiting for cracks to appear.
See the cracks. Know the threats. Build a more resilient world.
CYBER THREATS: MORE PROFESSIONAL & SOPHISTICATED
• Cyber attacks: Internet-based incidents involving politically or financially motivated attacks on information and information systems.
• Zero-day vulnerabilities, or unknown vulnerabilities: software flaws that make exploitation and other illegal activities against information systems possible.
• Proactive cyber defense: acting in anticipation to oppose an attack against computers and networks.
GLOBAL RISKS FOR 2015
Top 10 risks in terms of likelihood:
1. Interstate conflict
2. Extreme weather events
3. Failure of national governance
4. State collapse or crisis
5. Unemployment or underemployment
6. Natural catastrophes
7. Failure of climate-change adaptation
8. Water crises
9. Data fraud or theft
10. Cyber attacks
Source: Global Risks Perception Survey 2014. 7 representing a risk most likely to occur.
GLOBAL RISKS FOR 2015
Top 10 risks in terms of impact:
1. Water crises
2. Spread of infectious diseases
3. Weapons of mass destruction
4. Interstate conflict
5. Energy price shock
6. Critical information infrastructure breakdown
7. Failure of climate-change adaptation
8. Fiscal crises
9. Unemployment or underemployment
10. Biodiversity loss and ecosystem collapse
Source: Global Risks Perception Survey 2014. 7 representing a risk most likely to occur.
TECHNOLOGICAL RISKS: BACK TO THE FUTURE
• Large-scale cyber attacks are considered above average on both dimensions, impact and likelihood
• This reflects the growing sophistication of cyber attacks and the rise of hyperconnectivity
• In the United States alone, cybercrime already costs an estimated $100 billion each year
• IoT delivers new technology, and new risks with it
Source: Global Risks Perception Survey 2014. 7 representing a risk most likely to occur.
TECHNOLOGICAL RISKS: BACK TO THE FUTURE
• Attacks against infrastructure are targeting significant resources across the Internet
• Malicious actors are using trusted applications to exploit gaps in perimeter security
• Evidence of internal compromise in organisations: suspicious traffic emanating from their networks and attempting to connect to questionable sites
• Trust is harder to sustain with greater attack surfaces, more sophisticated attacks, and more complex threats and solutions
• Lack of threat intelligence, while malicious actors use trusted applications to exploit gaps
RELOOK AT THREATS AND ATTACKS: HEARTBLEED, SHELLSHOCK, POODLE
Year 2014: …
RELOOK AT THREATS AND ATTACKS: CYBER SUPPLY CHAIN MANAGEMENT AND TRANSPARENCY ACT OF 2014, TL;DR
1. HW/SW/FW sold to any Agency must come with a Bill of Materials
2. Cannot use known vulnerable components
   1. Must use a less vulnerable version
   2. (or need a waiver)
3. Must design software so that it can be patched
CHALLENGES
SOME WIRELESS SECURITY CONCERNS
• Wireless (WiFi)
  • BYOD (Device)
  • Virtual WiFi
  • Accidental associations
  • Rogue APs
  • RF congestion / interference (DoS)
• Mobile (Cellular)
  • BYOD / BYOA (Application)
  • Tethered devices connected to infrastructure
  • Mobile malware
  • 3G/4G LTE offload to WiFi (interference / DoS)
• Bluetooth
MITIGATING THE RISKS
• Known Vulnerability Management, which is grey box testing
• Application testing for associated 3rd-party library vulnerabilities, which is testing integrated components for known vulnerabilities
• Unknown Vulnerability Management, which is black box testing
• Lastly, a process: Requirement gathering => Pre-Tender => Tender => Technical Qualify => Purchase
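The known-vulnerability check for integrated components described above, as an added example that is not part of the slides or of any Codenomicon product: it compares a bill of materials against known vulnerable version ranges and, following the supply-chain TL;DR earlier in the deck, marks an affected component as blocked unless a waiver is recorded, naming the first fixed version to move to. All component names, versions, advisory ids and waiver ids are constructed placeholders, and the version parser, data classes and function names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(text: str) -> tuple:
    """Make a dotted version comparable: "1.2.10" > "1.2.9", and a
    pre-release such as "2.0.0-rc1" sorts just below "2.0.0"."""
    core, _, label = text.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))            # pad so "1.2" == "1.2.0.0"
    return nums + ((0, label) if label else (1, ""))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder, not a real CVE id
    component: str
    affected_min: str     # inclusive start of the vulnerable range
    affected_max: str     # exclusive end, i.e. the first fixed version

@dataclass
class Component:
    name: str
    version: str
    waiver: Optional[str] = None   # reference to an approved waiver, if any

def is_affected(adv: Advisory, version: str) -> bool:
    """True when version lies inside the advisory's vulnerable range."""
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.affected_max)

def check_bom(bom, advisories):
    """One finding per (component, matching advisory): 'blocked' unless the
    BOM entry carries a waiver, plus the first fixed version to move to."""
    index = {}
    for adv in advisories:
        index.setdefault(adv.component, []).append(adv)
    findings = []
    for comp in bom:
        for adv in index.get(comp.name, []):
            if is_affected(adv, comp.version):
                findings.append({
                    "component": comp.name, "version": comp.version,
                    "advisory": adv.advisory_id,
                    "status": "waived" if comp.waiver else "blocked",
                    "fixed_version": adv.affected_max,
                })
    return findings

def bom_acceptable(findings) -> bool:
    """The BOM passes only when every finding is covered by a waiver."""
    return all(f["status"] == "waived" for f in findings)

# Constructed sample data (placeholders, not real components or advisories).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "libtls", "1.0.0", "1.0.7"),
    Advisory("ADV-EXAMPLE-0002", "libtls", "1.1.0", "1.1.3"),
    Advisory("ADV-EXAMPLE-0003", "shellutil", "4.0.0", "4.3.1"),
]
BOM = [
    Component("libtls", "1.0.5"),                                # vulnerable
    Component("libtls", "1.1.3"),                                # first fixed version
    Component("shellutil", "4.2.0", waiver="WAIVER-EXAMPLE-7"),  # vulnerable, waived
    Component("netd", "2.0.0-rc1"),                              # no advisory
]
```

Running `check_bom(BOM, ADVISORIES)` yields two findings, one blocked (libtls 1.0.5, fixed in 1.0.7) and one waived (shellutil 4.2.0), so `bom_acceptable` returns False; the exclusive upper bound is what keeps the already-fixed libtls 1.1.3 entry clean.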
THE KNOWN AND THE UNKNOWN
[Diagram: Total Vulnerability Management = Known Vulnerability Management (reactive) + Unknown Vulnerability Management (UVM, proactive), drawn as a timeline of tools]
Known Vulnerability Management (reactive):
• 1995-2000: Satan/Saint
• 1999-: Nessus, ISS
• 2000-: Qualys, HP, IBM, Symantec ...
• 2013: Codenomicon AppCheck
Unknown Vulnerability Management (proactive):
• SAST approach, 1980-: PC Lint, OSS, Coverity, Fortify, IBM, Microsoft ... (whitebox testing)
• DAST approach, 2000-: Fuzzing: Codenomicon Defensics, Peach, Sulley (blackbox testing)
Bottom line: All systems have vulnerabilities. Both complementary categories need to be covered.
ATTACK POINTS
• WiFi end points
• Network elements
• Unlicensed and unmanaged applications running on desktops and mobiles
• Device firmware
• Lack of threat monitoring and threat intelligence
UNKNOWN VULNERABILITY MANAGEMENT (UVM)
• Process of:
  • Detecting attack vectors
  • Finding zero-day vulnerabilities
  • Building defenses
  • Performing patch verification
  • Deployment in one big security push
UVM - WORKFLOW
Configure fuzzer and target => Test interoperability => Execute tests => Analyze results => Remediate => Repeat
FUZZ TEST EFFECTIVENESS AGAINST WIFI
MODEL BASED FUZZING TECHNIQUES
• Template-based fuzzing
  • Quality of tests is based on the seed and modeling technique used
  • Very quick to develop, but slow to run
  • Editing requires deep protocol know-how
  • Good for testing around known vulnerabilities
• Specification-based fuzzing
  • Full test coverage
  • Always repeatable
  • Short test cycle, more optimized tests
  • Easy to edit and add tests
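The UVM workflow (configure fuzzer and target, test interoperability, execute tests, analyze results, remediate, repeat) and the two model-based fuzzing styles just listed, as one added example that is not from the slides and not Codenomicon's Defensics or any other product. The target is a constructed TLV frame parser, not a real WiFi frame format, and all names here (`parse_frame_weak`, `parse_frame_hardened`, `template_cases`, `specification_cases`, `run_campaign`, `uvm_cycle`) are this example's own. Template-based cases mutate a known-good seed at random; specification-based cases are generated field by field from the frame model, so the suite is repeatable and every field is covered. A "finding" is any exception other than the parser's own `ParseError`, the Python stand-in for a crash; the hardened parser is the remediation, and rerunning the cycle against it verifies the fix.

```python
import random
import traceback

class ParseError(Exception):
    """Expected rejection of malformed input; never counted as a finding."""

def build_frame(elems, lying_idx=None, lying_len=None):
    """Encode elems; optionally write a false length byte for one element."""
    body = b"".join(bytes([t, lying_len if i == lying_idx else len(v)]) + v
                    for i, (t, v) in enumerate(elems))
    return bytes([len(elems)]) + body

# Constructed frame (not a real WiFi frame): count(1), then `count` TLVs of
# type(1) length(1) value. Type 0 = ASCII ssid, type 1 = one-byte channel.
SEED_ELEMS = [(0, b"LabNet"), (1, b"\x06"), (2, b"\x02\x04\x0b")]
SEED_DECODED = {"ssid": "LabNet", "channel": 6, "type2": b"\x02\x04\x0b"}
SEED = build_frame(SEED_ELEMS)

def parse_frame_weak(data: bytes) -> dict:
    """'Before' parser: trusts the count and length fields it reads."""
    count, pos, elems = data[0], 1, {}
    for _ in range(count):
        t, n = data[pos], data[pos + 1]            # IndexError when count lies
        value = data[pos + 2:pos + 2 + n]          # silently short when n lies
        pos += 2 + n
        if t == 1:
            elems["channel"] = value[0]            # IndexError when n == 0
        elif t == 0:
            elems["ssid"] = value.decode("ascii")  # UnicodeDecodeError
        else:
            elems[f"type{t}"] = value
    return elems

def parse_frame_hardened(data: bytes) -> dict:
    """Remediated parser: bounds-checked reads; malformed input -> ParseError."""
    if not data:
        raise ParseError("empty frame")
    count, pos, elems = data[0], 1, {}
    for _ in range(count):
        if pos + 2 > len(data) or pos + 2 + data[pos + 1] > len(data):
            raise ParseError("truncated TLV")
        t, n = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        if t == 1:
            if n != 1:
                raise ParseError("channel must be one byte")
            elems["channel"] = value[0]
        elif t == 0:
            if not value.isascii():
                raise ParseError("ssid must be ASCII")
            elems["ssid"] = value.decode("ascii")
        else:
            elems[f"type{t}"] = value
    if pos != len(data):
        raise ParseError("trailing bytes")
    return elems

def template_cases(seed, n, rng):
    """Template-based: random flips, truncations and overwrites of a good seed."""
    for _ in range(n):
        buf, i = bytearray(seed), rng.randrange(len(seed))
        op = rng.choice(("flip", "truncate", "overwrite"))
        if op == "flip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "truncate":
            del buf[i:]
        else:
            buf[i] = rng.choice((0, 1, 127, 255))
        yield bytes(buf)

def specification_cases(elems):
    """Specification-based: one case per field and boundary value of the model."""
    base = build_frame(elems)
    for bad_count in (0, len(elems) + 1, 255):
        yield bytes([bad_count]) + base[1:]
    for idx, (t, v) in enumerate(elems):
        for bad_len in (0, len(v) + 1, 255):
            yield build_frame(elems, lying_idx=idx, lying_len=bad_len)
        bad_value = list(elems)
        bad_value[idx] = (t, b"\xff" * max(1, len(v)))  # non-ASCII value
        yield build_frame(bad_value)

def run_campaign(parser, cases):
    """Execute and analyze: accepted, rejected (ParseError) or finding, the
    crash-equivalent here, deduplicated by exception type and raising line."""
    summary = {"accepted": 0, "rejected": 0, "findings": {}}
    for case in cases:
        try:
            parser(case)
            summary["accepted"] += 1
        except ParseError:
            summary["rejected"] += 1
        except Exception as exc:
            line = traceback.extract_tb(exc.__traceback__)[-1].lineno
            summary["findings"].setdefault((type(exc).__name__, line), case)
    return summary

def uvm_cycle(parser, rng_seed=1, template_runs=200):
    """One UVM iteration; rerun after remediation to confirm findings are gone."""
    if parser(SEED) != SEED_DECODED:   # interoperability: valid traffic first
        raise RuntimeError("target rejects valid frames; fix configuration first")
    rng = random.Random(rng_seed)
    return {"template": run_campaign(parser, template_cases(SEED, template_runs, rng)),
            "specification": run_campaign(parser, specification_cases(SEED_ELEMS))}
```

`uvm_cycle(parse_frame_weak)` reports IndexError and UnicodeDecodeError findings from the 15 specification cases (which cases the 200 random template cases hit depends on the seed, which is the slide's point about template quality); `uvm_cycle(parse_frame_hardened)` reports none in either campaign, only rejections. The findings dict keeps the first input that triggered each (type, line) pair, which is the reproducer a developer needs for remediation.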
PROACTIVE SECURITY TESTING - DEFENSICS
Unknown Vulnerability Management (UVM)
• Codenomicon Defensics is unsurpassed in finding unknown vulnerabilities.
• No other solution does more to quickly empower organizations to discover unknown vulnerabilities that put business performance and reputation at critical risk.
• World’s most powerful platform for stress testing
• Fast, reliable, efficient deployment
• Support for 270+ protocols, continuously updated
• Capable of finding subtle security flaws
• Runs at the pace of the product development lifecycle and process
• Discovered Heartbleed
WHO WE ARE
• Codenomicon is the industry leader in identifying the threat factors that weaken business trust
• First to report Heartbleed
• Global authorities with vast knowledge of known and unknown vulnerabilities
• Protect customer trust & confidence
• Trusted partner to Verizon, AT&T, Cisco, Alcatel-Lucent, the FDA, Homeland Security, and notable global governments and agencies
• Global advocate for improved software development and responsible network safeguarding
SAMPLE CUSTOMER LIST
Questions
Email: