Title of Presentation DD/MM/YYYY© 2016 Skycure Inc. 1
HOW HEALTHCARE CISOs CAN SECURE MOBILE DEVICES
Jim Routh, CSO, Aetna
Adi Sharabani, CEO, Skycure
Meet Your Speakers
• Jim Routh, CSO, Aetna
• Adi Sharabani, Co-founder and CEO, Skycure
Quick Housekeeping
• Q&A panel is available if you have any questions
• There will be time for Q&A at the end
• We are recording this webinar for future viewing
• All attendees will receive a copy of slides/recording
Join the discussion #MobileThreatDefense
Aetna Inc.
The Mobile Device is Our New Appendage
• There are now more cell phones on the planet than there are people
• 90% of 19-29 year-olds in the U.S. sleep with their cell phones
• 65% of survey respondents said mobile phones make them better parents
• 75% of survey respondents bring their phones to the bathroom
• Apple Siri captures everything you say to her for 6 months and aggregates it for 18 months
• Social media apps have the ability to use your phone’s microphone to listen to your dialog
What is the most commonly used mobile app?
Source: Qualcomm, Slick Text Surveys
The mobile phone is the best surveillance device in history
Mobile Security Landscape
Factors driving changes in mobile security, with the security changes and new interaction opportunities each brings:
• Consolidated Channels: Email, phone, browser used to be separate channels…now consolidating
• New Capabilities: Mobile channel offers geo location, enhanced authentication capabilities (voice recognition, image and device attributes); Mobile can potentially offer better customer experience (location of ATMs, identification in a branch, authentication to a CSR, voice commands, etc.)
• App Stores: Software distribution is a factor in security profile; Security vetting varies greatly; Fraudsters can scan mobile apps for vulnerabilities in app stores more easily
• New Interaction Style: Frequent and shorter log-ins instead of long on-line sessions; Barriers to task completion
• Native Applications: Improved customer experience using native features they are familiar with…information presented in a format using native features; No browser - the application needs hardening; Additive controls feasible
• Security Sensitivity: Mobile customers want more security to have confidence in the channel. Customer adoption is slower due to security concerns
• Proximity with user: 90% of 18-29 year olds sleep with their phone; 113 smartphones are lost or stolen every minute; The theft of cell phones makes up 30-40% of all robberies nationwide
Dimensions of Mobile Application Risk
1. Application Development
• Threat Models/Security features
• Education & Developer Checklist
• Application “wrapper” options
• Root detection
• Authentication
• Security Test Selection Matrix
• Static analysis
• Dynamic scanning
• Pen testing
2. Software Distribution (the mobile ecosystem)
• Different stores have different security vetting procedures
• The probability of “application collision” needs to be managed
• Vetting mobile apps used by enterprise users for security and privacy
• Does the app need to be tamper resistant?
3. Device Configuration (Consumer vs. Enterprise user)
• Consumer: Code protection; Root/malware detection; Authentication; Channel verification
• Enterprise: Mobile device configuration standard - MDM; Authentication controls; VPN channel
The fourth dimension - Privacy
Aetna Mobile App Security SDLC
Phases: Requirements, Design, Development, Test, Release (chart annotation: Cost to fix)
Technical Design Patterns:
• Key management
• Encryption (data in transit, data at rest)
• Authentication
• Version updates
Control categories: ENABLE, VERIFY, DISTRIBUTE (App Signing); Preventive and Detective controls
Lifecycle activities: Static Analysis, Dynamic Scanning, Threat Modeling, Design Patterns, Ethical Hacking, Open Source Risk Classification, Mobile Mavens, Mobile Security Software Training (Role-Based Curriculum), Security Reqs, Behavioral Auth SDK, Code Protection, Process Guides
Threat Modeling / App Risk Assessment
Key questions when threat modeling:
• What are we building?
• What information can be abused?
• Are there flaws in the design?
• How will the customer information captured be handled, and on which platforms?
Benefits of threat modeling:
• Early identification of security defects - lower cost
• Increase product quality
• Identify and understand security requirements
Static Source Code Analysis
• Performed during development cycle
• Includes exhaustive review of code quality (e.g. Objective-C, Java or C#), security and privacy issues
• Goal to decrease defects during development lifecycle which results in longer term savings
• Benefits:
  • Immediate feedback and learnings for developers
  • Explicit references to areas needing attention
  • Developer oversights
  • Increase product quality
[Figure: Scan Results]
Next Generation Authentication
• Binary authentication is obsolete
• Behavioral-based model is key
• Innovation applied to the interface
Authentication Hub diagram elements: LOA; Advanced Analytics Risk Score API; Dynamic LOA API; Backend Analytics & Risk Engine; Prevent @ Inception; RT Push + TouchID; iWatch & Sign Out; Wearables + T/Haptic; Spatiotemporal + Real-Time (RT) Authorization; SWIPE + Contextual; SWIPE + TAP Advanced Contextual; Cognitive & Device Biometrics; FIDO UAF 1.0; FIDO 2.0 when available; Decentralized Authentication
The mobile device provides an opportunity to improve authentication
Brand Protection – Tamper Resistance
• Reduce ability to perform app store scan for security vulnerabilities
• Increase difficulty for attackers to create malware attacking our applications
• Reduce ability to create clone applications
• Provide brand protection
The 2 Most Widely Exploited Mobile Vulnerabilities
• Apps for Android: 314,000,000 hits
• TLS is broken: any credentials shared are exposed
Mobile Security Trends in Healthcare (Exclusive Preview)
Source: Skycure Mobile Threat Report
TREND (share of devices by risk level):
• High Risk: 2.39%
• Medium-Risk: 41.40%
• Low Risk: 24.43%
• Minimal-Risk: 31.78%
Report is available here: goo.gl/DJc5IF
Mobile Threat Landscape
Threat categories: Physical, Network, Vulnerabilities, Malware
Physical Threats: addressed by our partners
Network Threats: mobile devices connect to x100 more networks
[Charts: % of doctors accessing patient data and exposed to network threats; Number of doctors sharing data through…]
Man in the Middle techniques listed: Wifigate, Pineapple, arpspoof, dnsspoof, SSL stripping, SSL decryption, Content manipulation
Demo video: https://www.youtube.com/watch?v=F9qIgSRD5vs
Malware: now affects iOS as well
• Android: Google Play Store, ”Chinese” stores, Repackaged Apps
• iOS: Apple App Store, XcodeGhost, YiSpecter, Malicious Profiles
[Charts: Number of Android devices with malicious apps installed; Number of Android devices with at least one medical app and high risk malware]
Vulnerabilities: organized & directed effort from hackers
[Charts: Number of CVEs per year, 2007-2015 (y-axis 0-400); Number of CVEs Trajectory (Apr 15')]
iOS Vulnerabilities
Source: Skycure analysis based on CVEdetails.com
[Chart: Percentage of mobile devices running OS with high-severity vulnerabilities and stored patient data]
Named vulnerabilities: Accessibility Clickjacking, No iOS Zone, Cookie Stealer, HRH, WiFiGate, LinkedOut
Skycure Solution Overview: Mobile Threat Intelligence Platform
Covers Physical, Network, Vulnerabilities and Malware threats; value areas: Security, Visibility, IT Satisfaction
Management:
• Policy enforcement
• Risk-based management
• Enterprise integrations
• Visibility
End-User App:
• 24x7 detection and protection
• Network, device and app analysis
• Multi platform
• Seamless experience
• Privacy
• Minimal footprint
Real-Time Threat Intelligence:
• 1 Million+ Global Threats Identified (https://maps.skycure.com)
• Crowd Wisdom: millions of monthly tests - apps & networks
• Skycure Research: No iOS Zone, Malicious Profiles, WiFiGate, LinkedOut
• Threat Aggregator: dozens of threat feeds from 3rd parties
Diagram labels: Legitimate Services; Attackers & Threats