SECURING MOBILE POPULATION, Vladimir Jirasek, About.me/jirasek, 2nd Dec 2011

Securing mobile population for White Hats


Peter Wood invited me to present mobile to White Hats in December 2011.


Page 1: Securing mobile population for White Hats

SECURING MOBILE POPULATION
Vladimir Jirasek
About.me/jirasek
2nd Dec 2011

Page 2

About me
• Security professional (11 years), current work at WorldPay as Head of Security Solutions
• Director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
• Apple fan

Page 3

I will cover three topics today
• Consumerisation opportunities and challenges
• Threats related to mobile devices
• Smart devices security architecture
• How to fit mobile devices to company security architecture

Page 4

Consumerisation
“I want to use one device for both personal and work stuff.”
“Hmm, might be tricky but here is what we can do…”
Say yes and give clear policies!
Access to data and systems based on risk
Agree forensic policy and investigations rules for personal devices.

Page 5

How to manage access – not binary
Access decisions based on the accuracy of the following:
• Identity – Google Apps ID vs. Active Directory ID, one-factor auth vs. two-factor auth
• Role – FTE, contractor, cleaner, executive
• Device – trusted, non-trusted
• Location – inside the firewall or outside, US vs. China, IPv6 vs. IPv4, changes in location over time
• Time – inside working hours or outside
• Data/Application – business impact, approved apps vs. consumer apps
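The slide argues that an access decision should weigh several signals rather than flip on a single yes/no. The following is an added example, not code from the presentation or from any product it cites: it scores the six signals the slide lists (identity source and factor count, role, device trust, location including an implausible change of country within a short time, time of day, and the approved-app/business-impact pairing) and returns a three-way outcome, so a risky request to low-impact data can still get limited access instead of a hard deny. The weights, thresholds, country list and field labels are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Countries from which access is considered expected; constructed for this example.
EXPECTED_COUNTRIES = {"GB", "US"}

# Per business impact of the data/app: (max score for full access, max score for
# limited access). Above the second value the request is denied. Constructed values.
IMPACT_THRESHOLDS = {"low": (8, 12), "medium": (5, 9), "high": (2, 6)}


@dataclass
class AccessContext:
    identity_source: str                  # "active_directory" or "google_apps" (assumed labels)
    two_factor: bool                      # second factor presented for this session
    role: str                             # "fte", "contractor", "cleaner", "executive"
    device_trusted: bool                  # managed and compliant device
    inside_firewall: bool                 # request originates on the corporate network
    country: str                          # ISO country code of the request
    previous_country: Optional[str]       # country of the previous session, if known
    minutes_since_previous: Optional[int]
    within_working_hours: bool
    data_impact: str                      # "low", "medium" or "high"
    app_approved: bool                    # approved business app vs. consumer app


def risk_score(ctx: AccessContext) -> int:
    """Sum weighted risk signals; a higher score means less confidence in the request."""
    score = 0
    if ctx.identity_source != "active_directory":
        score += 2      # weaker identity assurance than the corporate directory
    if not ctx.two_factor:
        score += 3
    if ctx.role in ("contractor", "cleaner"):
        score += 2
    if not ctx.device_trusted:
        score += 3
    if not ctx.inside_firewall:
        score += 1
    if ctx.country not in EXPECTED_COUNTRIES:
        score += 3
    # Change of location over time: two countries within two hours is implausible travel.
    if (ctx.previous_country is not None
            and ctx.previous_country != ctx.country
            and ctx.minutes_since_previous is not None
            and ctx.minutes_since_previous < 120):
        score += 4
    if not ctx.within_working_hours:
        score += 1
    if not ctx.app_approved:
        score += 2
    return score


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'allow_limited' or 'deny' for the request."""
    full, limited = IMPACT_THRESHOLDS[ctx.data_impact]
    score = risk_score(ctx)
    if score <= full:
        return "allow"
    if score <= limited:
        return "allow_limited"   # e.g. read-only web view, or prompt for step-up auth
    return "deny"


if __name__ == "__main__":
    # Constructed sample request: employee, strong auth, managed device, but
    # appearing in the US half an hour after a session from the UK.
    ctx = AccessContext("active_directory", True, "fte", True, False, "US", "GB", 30,
                        True, "high", True)
    print(risk_score(ctx), decide(ctx))   # 5 allow_limited
```

The score is deliberately additive so that no single signal (except an extreme combination) decides the outcome; the impact of the data being requested sets how much accumulated risk is tolerable, which is what makes the decision "not binary".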

Page 6

Classifications of systems

Page 7

Evolution of connected world

[Chart: number of devices (log scale, 1M to 100B) from 1960 to 2010, across the eras Mainframe, Minicomputer, PC, Connected PC, Mobile/Cloud…]

Source: McAfee

Page 8

Revolution in mobile device capabilities

[Timeline by quarter, Q1 2007 to Q1 2009]
• Apple iPhone launches
• Gartner says never ready for enterprise
• iOS App Store
• iOS ActiveSync email
• Gartner approves iPhone for the enterprise
• Android G1
• Microsoft Windows Vista
• Blackberry & Palm

Source: McAfee

Page 9

And its acceleration

[Timeline by quarter, Q1 2009 to Q1 2012]
• Android tablets
• Microsoft Windows 7
• iOS 3GS w/ encryption
• RIM Playbook
• iPad launches
• iPad 2
• Android Honeycomb with encryption
• Windows Phone 7
• webOS
• Next gen Blackberry
• iCloud
• iPhone 4s

Page 10

Mobile devices threats
• Web-based and network-based attacks
• Malware
• Social engineering attacks
• Resource and service availability abuse
• Malicious and unintentional data loss
• Attacks on the integrity of the device’s data

Page 11

Mobile platforms – security architecture

• Traditional Access Control: Traditional access control seeks to protect devices using techniques such as passwords and idle-time screen locking.

• Application Provenance: Provenance is an approach where each application is stamped with the identity of its author and then made tamper resistant (using a digital signature).

• Encryption: Encryption seeks to conceal data at rest on the device to address device loss or theft.

• Isolation: Isolation techniques attempt to limit an application’s ability to access the sensitive data or systems on a device.

• Permissions-based access control: Permission-based access control grants a set of permissions to each application and then limits each application to accessing device data/systems that are within the scope of those permissions, blocking the applications if they attempt to perform actions that exceed these permissions.

Source: Symantec
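The last two bullets (isolation and permission-based access control) describe a reference monitor that sits between an app and the device: each app is granted a fixed permission set at install time and is blocked, and the attempt recorded, when it asks for anything outside that set or outside its own data directory. The following is an added example written for this page, not Symantec's or any platform's code; the action names, permission labels and directory layout are assumptions. It normalises file paths before the sandbox check so that a `..` segment cannot walk out of the app's directory, and keeps a per-app count of blocked attempts, which is the raw material for the "monitor installed apps" point made later in the deck.

```python
import posixpath
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Permission each sensitive action requires. Constructed for this example; these
# are not any real platform's permission identifiers.
ACTION_PERMISSION = {
    "read_contacts": "CONTACTS",
    "read_location": "LOCATION",
    "send_sms": "SMS",
    "open_network": "NETWORK",
}


@dataclass
class App:
    name: str
    permissions: Set[str]   # granted at install time, fixed afterwards
    data_dir: str           # the only directory the app may read or write (isolation)


@dataclass
class PermissionMonitor:
    audit_log: List[str] = field(default_factory=list)

    def _deny(self, app: App, action: str, reason: str) -> bool:
        self.audit_log.append(f"DENY app={app.name} action={action} reason={reason}")
        return False

    def request(self, app: App, action: str, target: Optional[str] = None) -> bool:
        """Mediate one action: True if allowed, False (and logged) if blocked."""
        if action in ("read_file", "write_file"):
            if target is None:
                return self._deny(app, action, "no target path")
            # Normalise first so '..' segments cannot escape the app's own directory.
            path = posixpath.normpath(target)
            root = app.data_dir.rstrip("/")
            if path != root and not path.startswith(root + "/"):
                return self._deny(app, action, f"outside sandbox: {target}")
            return True
        needed = ACTION_PERMISSION.get(action)
        if needed is None:
            return self._deny(app, action, "unknown action")
        if needed not in app.permissions:
            return self._deny(app, action, f"missing permission {needed}")
        return True

    def violations(self, app: App) -> int:
        """Number of blocked attempts by an app; a high count flags it for review."""
        return sum(1 for line in self.audit_log if f"app={app.name} " in line)


if __name__ == "__main__":
    # Constructed sample apps: a flashlight with no permissions and a messenger.
    monitor = PermissionMonitor()
    flashlight = App("flashlight", set(), "/data/flashlight")
    messenger = App("messenger", {"SMS", "CONTACTS"}, "/data/messenger")
    monitor.request(messenger, "send_sms")
    monitor.request(flashlight, "read_contacts")
    monitor.request(flashlight, "read_file", "/data/flashlight/../messenger/inbox.db")
    for line in monitor.audit_log:
        print(line)
    print("flashlight violations:", monitor.violations(flashlight))   # 2
```

Denials are returned as a plain `False` rather than raised, so the calling layer can fail the single operation while the app keeps running; the audit log, not the return value, is what a security team would collect.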

Page 12

iOS
• iOS is based on Mac OS X
• The number of vulnerabilities and attacks on iOS is very small, and they usually occur in 3rd party applications installed on iOS
• The OS offers very good security: data protection, encryption, access control
• Lack of anonymity in the application developer community; it is far more risky to develop malware for iOS
• Certified for the Microsoft ActiveSync program

Page 13

Android
Android is based on Linux and uses the best security features Linux can offer, such as robust access control and application isolation. However, the main security problems with Android are that:
• It is very easy to jailbreak
• Users can install any application from any marketplace
• Confusing application access permission confirmations
• Many devices do not implement strong device encryption
• Google does not control final deployment – vendors and operators may add “features”

Page 14

Updating of old devices is an issue for Android…

[Chart by Michael DeGusta, TheUnderstatement.com]

Page 15

Windows Phone (Mango release)
• Robust security model
• Mandatory access control – 4 privilege chambers, similar to Windows 7 (trusted, elevated, standard, least privileged)
• Application isolation
• Application code-signing
• Data isolation
• Controlled developer environment
• Lack of enterprise VPN features
• Immature certificate and key support
• Capability notifications and enforcement

Page 16

Correct approach to mobile security
• Secure device, applications and data
• Use a risk-based approach for access control decisions
• Less emphasis on whether the device is procured by the company or the user
• Extend DLP to mobile
• Extend security event and forensic services
• Monitor installed apps, jail-breaking and configuration compliance

Source: McAfee
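The final bullet, monitoring installed apps, jail-breaking and configuration compliance, is what turns "device – trusted or non-trusted" from an assumption into a measured fact. The following is an added example, not code from the presentation or from McAfee: it evaluates inventory records of the kind an MDM agent reports (jailbreak flag, encryption, passcode, idle-lock timeout, OS version, installed package ids) against a policy and returns the findings per device, so the compliant/non-compliant verdict can feed an access decision. The policy values, package ids and record fields are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed policy: approved app ids, minimum OS versions and lock settings.
POLICY = {
    "approved_apps": {"com.example.mail", "com.example.vpn", "com.example.docs"},
    "min_os_version": {"ios": "5.0", "android": "4.0"},
    "max_idle_lock_minutes": 5,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.0.3' into (4, 0, 3) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate_device(device: Dict, policy: Dict = POLICY) -> Dict:
    """Return the device id, a compliance verdict and the list of findings."""
    findings: List[str] = []
    if device.get("jailbroken"):
        findings.append("device is jailbroken/rooted")
    if not device.get("encryption_enabled"):
        findings.append("storage encryption disabled")
    if not device.get("passcode_set"):
        findings.append("no passcode configured")
    if device.get("idle_lock_minutes", 0) > policy["max_idle_lock_minutes"]:
        findings.append(f"idle lock {device['idle_lock_minutes']} min exceeds "
                        f"{policy['max_idle_lock_minutes']} min")
    min_os = policy["min_os_version"].get(device.get("platform", ""))
    if min_os and parse_version(device.get("os_version", "0")) < parse_version(min_os):
        findings.append(f"OS {device['os_version']} below minimum {min_os}")
    unapproved = sorted(set(device.get("installed_apps", [])) - policy["approved_apps"])
    for app_id in unapproved:
        findings.append(f"unapproved app installed: {app_id}")
    return {"device_id": device["device_id"], "compliant": not findings, "findings": findings}


def summarize(devices: List[Dict], policy: Dict = POLICY) -> Dict[str, bool]:
    """Map each device id to its compliance verdict, for the access-control layer."""
    return {r["device_id"]: r["compliant"] for r in (evaluate_device(d, policy) for d in devices)}


# Constructed sample inventory, as an MDM agent might report it.
SAMPLE_INVENTORY = [
    {"device_id": "ios-001", "platform": "ios", "os_version": "5.0.1", "jailbroken": False,
     "encryption_enabled": True, "passcode_set": True, "idle_lock_minutes": 2,
     "installed_apps": ["com.example.mail", "com.example.vpn"]},
    {"device_id": "android-002", "platform": "android", "os_version": "2.3.6", "jailbroken": True,
     "encryption_enabled": True, "passcode_set": True, "idle_lock_minutes": 5,
     "installed_apps": ["com.example.mail", "com.example.game"]},
]

if __name__ == "__main__":
    for record in SAMPLE_INVENTORY:
        result = evaluate_device(record)
        print(result["device_id"], "compliant" if result["compliant"] else "NON-COMPLIANT")
        for finding in result["findings"]:
            print("   -", finding)
```

Findings are reported as a list rather than a single flag so that the response can be proportionate: an old OS version might only downgrade the device to limited access, while a jailbroken device with unapproved apps would be excluded from corporate data entirely.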

Page 17

References
• “A Window Into Mobile Device Security”, Carey Nachenberg, Symantec, 2011
• McAfee EMM site
• “Mobile Security: Looking Back, Looking Forward”, David Goldschlag, McAfee, 2011
• Microsoft ActiveSync certification program, http://technet.microsoft.com/en-us/exchange/gg187968.aspx
• Microsoft Consumerization site, http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx
• “CISO Perspective: Consumerization of IT” @ RSA Europe 2011, Bret Arsenault, CISO Microsoft
• “Magic Quadrant for Mobile Device Management Software”, Document ID G00211101, Gartner, 2011
• “Your Apps Are Watching You”, The Wall Street Journal, December 17, 2010
• “Windows Phone 7.5 (Mango) Security model explained”, http://j4ni.com/blog/?p=59, Jani Nevalainen
• “Windows Phone Platform Security”, http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security, Nokia
• Windows Phone Security page, http://msdn.microsoft.com/en-us/library/ff402533(v=vs.92).aspx, Microsoft
• VMware Mobile virtual platform, http://www.vmware.com/products/mobile/overview.html
• “Revolution or Evolution: Information Security 2020”, http://www.pwc.co.uk/eng/publications/revolution_or_evolution_information_security_2020.html, PwC, 2010
• “Consumerisation and Corporate IT Security”, http://www.schneier.com/blog/archives/2010/09/consumerization.html, Bruce Schneier, September 2010
• “Android Orphans: Visualizing a Sad History of Support”, http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support, Michael DeGusta, October 2011