Cesare Garlati
VP Consumerization & Mobile Security – Trend Micro
Co-Chair Mobile Group – Cloud Security Alliance
APPNATION – December, 2012
The State of Security in The Mobile Enterprise
Cloud Security Alliance: Mobile Guidance V1
Security Guidance for Critical Areas of Mobile Computing
Mobile Computing Definition
Threats to Mobile Computing
Maturity of the Mobile Landscape
BYOD Policies
Mobile Authentication
App Stores
Mobile Device Management
https://cloudsecurityalliance.org/research/mobile/
CSA Top Mobile Threats – Evil 8
1. Data loss from lost, stolen or decommissioned devices.
2. Information-stealing mobile malware.
3. Data loss and data leakage through poorly written third-party apps.
4. Vulnerabilities within devices, OS, design and third-party applications.
5. Unsecured Wi-Fi, network access and rogue access points.
6. Unsecured or rogue marketplaces.
7. Insufficient management tools, capabilities and access to APIs.
8. NFC and proximity-based hacking.
Raimund Genes – Chief Technology Officer, Trend Micro – http://trendmicro.com/our-contributors/raimund-genes
Chris Silva – Industry Analyst, Altimeter Group – http://www.altimetergroup.com/about/team/chris-silva
Nigel Stanley – Practice Leader, Bloor Research – http://www.bloorresearch.com/about/people/nigel-stanley.html
Philippe Winthrop – Managing Director, Enterprise Mobility Foundation – http://www.enterprisemobilitymatters.com/about.html
How Secure and Manageable?
http://trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_enterprise_readiness_consumerization_mobile_platforms.pdf
Security and Management Criteria
Ratings By Category (chart: Mobile Technology Gap)
Ratings By Mobile Platform (chart: Consumer Technology Gap)
Mobile vulnerabilities are real
Apple iOS
CVE-2012-0643 – Malicious code allows remote attackers to bypass sandbox restrictions and execute arbitrary code.
CVE-2012-0646 – Format string vulnerability in VPN allows remote attackers to execute arbitrary code via a crafted racoon configuration file.
CVE-2012-0642 – Integer underflow allows remote attackers to execute arbitrary code via a crafted catalog file in an HFS disk image.
Android
CVE-2012-3979 – Vulnerability in the log_print function allows remote attackers to execute arbitrary code via a crafted web page that calls the JavaScript dump function.
CVE-2011-3874 – Stack-based buffer overflow in libsysutils allows user-assisted remote attackers to execute arbitrary code via an application call.
CVE-2011-4276 – Bluetooth service allows remote attackers within range to obtain contact data via an AT phonebook transfer.
Source: National Vulnerability Database via CVEDetails.com – as of October 4, 2012
No Platform is immune: Apple iOS Detail
Source: National Vulnerability Database via CVEDetails.com – as of October 4, 2012
Apple iOS Jailbreaking Trends
June 2007 – iPhone
July 2008 – iPhone 3G
July 2009 – iPhone 3GS
June 2010 – iPhone 4
Oct 2011 – iPhone 4S
Sept 2012 – iPhone 5
Source: Google Trends – as of October 4, 2012
Android is the most exploited
Source: Trend Labs, Trend Micro Inc. – as of Q2 2012
Malicious Apps on Legit Marketplace
March 2011 – 58 malicious apps (approx 250,000 victims)
May 2011 – 24 malicious apps (up to 120,000 victims)
December 2011 – 27 malicious apps (approx 14,000 victims)
February 2012 – 37 “Fan Apps” stealing handset information and aggressive advertising
August 2012 – many, many more …
Android Versions Distribution
Source: Google http://developer.android.com/resources/dashboard/platform-versions – as of August 1, 2012
Chart callout: 73% – Fragmentation – Vulnerable Devices
Mobility is not the problem
“Consumerization will be the most significant trend affecting IT during the next 10 years” Gartner
New technology emerges first in the consumer market and then spreads into business organizations brought in by the employees
IT and consumer electronics converge as individuals rely on the same devices and applications for personal use and work-related activities
Overwhelmed by the wave of consumer technology flooding the enterprise, IT managers lose control and struggle to enforce policies
Source: Trend Micro Global Survey IT Managers, 500+ Employees, February 2012
Consumerization Report©
"What mobile platforms are allowed by your BYOD policy?" (chart)
Platforms: BlackBerry, Android, Windows Ph, Apple iOS, Other
Values: 71%, 68%, 53%, 51%, 25%
"Rank security and manageability of each mobile operating system" (chart)
Platforms: Apple iOS, BlackBerry, Android, Windows Ph, Other
Values: 20%, 19%, 18%, 14%, 15%
BYOD Top 5 concerns (chart)
Concerns: Security, Data Loss, Compliance, Personal Data, Privacy
Values: 64%, 59%, 43%, 41%, 40%
"Has your company ever experienced a security breach as a result of BYOD?" (chart)
Answers: Yes, Don't Know, No
Values: 49%, 5%, 47%
• Consumer mobile technology is invading the enterprise and you won’t be able to resist it
• Consumer technology is not as secure or as manageable as the enterprise requires
• No platform is immune from attack, although some are safer than others
1. Embrace Consumerization
2. Understand the risk profile of the various platforms
3. Deploy new security and management tools
You are not ready for this
Thank You!
Cesare Garlati
http://BringYourOwnIT.com
Cesare Garlati
As VP of Mobile Security at Trend Micro, Cesare Garlati serves as the evangelist for the enterprise mobility product line. Cesare is responsible for raising awareness of Trend Micro’s vision for security solutions in an increasingly consumerized IT world.
Prior to Trend Micro, Mr. Garlati held director positions within leading mobility companies such as iPass, Smith Micro Software and WaveMarket – now LocationLabs. Prior to this, he was senior manager of product development at Oracle, where he led the development of Oracle’s first cloud application and many other modules of the Oracle E-Business Suite.
Cesare holds an MBA from U.C. Berkeley, a BS in Computer Science and professional certifications from Microsoft, Cisco and Sun. Cesare is Chair of Trend Micro Advisory Board for Consumerization and Mobile and Co-Chair of the CSA Mobile Working Group.
Blog: http://BringYourOwnIT.com
Cesare Garlati | Vice President, Consumerization & Mobile Security
Blog: BringYourOwnIT.com
linkedin/in/CesareGarlati
twitter/CesareGarlati
[email protected]
Skype: Cesare.Garlati
Mobile: +1 408.667.3320
http://consumerization.com
http://consumerization.trendmicro.com
http://BringYourOwnIT.com
http://youtube.com/user/BringYourOwnIT
Consumerization Report©
Installed Base % (chart data; series values shown as percentages)
Platform   4Q11   2015*
Android    38%    52%
iOS        17%    19%
Win Ph      3%    21%
RIM        12%     6%
Symbian    26%     0%
Other       3%     2%
Android + iOS + Win Ph combined: 59% (4Q11), 92% (2015*)
Android and iOS will account for over 70% of smartphone sales by the end of 2012. Microsoft will rise to third place in the global OS rankings by 2013, ahead of Research In Motion.
Source: Trend Micro internal analysis based on Gartner, Forrester and IDC market data – February 28, 2012
How To: Jailbreak iOS (5.1.1)
Xxxxx 2.0 supports the following devices on 5.1.1: iPad 1, iPad 2, iPad 3 (iPad2,4 is now supported as of Xxxxx 2.0.4), iPhone 3GS, iPhone 4, iPhone 4S, iPod touch 3rd generation, iPod touch 4th generation
How To Use Xxxxx 2.0:
1. Make a backup of your device in iTunes by right clicking on your device name under the ‘Devices’ menu and click ‘Back Up’.
2. Open Xxxxx and be sure you are still connected via USB cable to your computer.
3. Click ‘Jailbreak’ and wait…. just be patient and do not disconnect your device.
4. Once jailbroken return to iTunes and restore your backup from earlier.
Download Links: Xxxx v2.0.4 MacOSX (10.5, 10.6, 10.7); Xxxx v2.0.4 Windows (XP/Vista/Win7); Xxxx v2.0.4 Linux (x86/x86_64)
Taller screens like Cydia too. :)
@saurik – Jay Freeman
Cydia: 1.5M Apps per day
5% to 10% of Apple iOS devices
$8M rev 2011 (to developers)
Apple iOS Jailbreaking Trends – U.S.
Source: Google Trends – as of October 4, 2012
June 2007 – iPhone
July 2008 – iPhone 3G
July 2009 – iPhone 3GS
June 2010 – iPhone 4
Oct 2011 – iPhone 4S
Sept 2012 – iPhone 5
Malicious Apps on Legit Marketplace
Android Commercial Spy Apps
3D Porsche Sports Car HD Live Wallpapers
VScan:AndroidOS_ADWLeadbolt.HRY
Source: Federal Bureau Of Investigation – New E-Scams & Warnings – 10/12/2012
FBI Warns of Mobile Malware Risks