
How Healthcare CISOs Can Secure Mobile Devices


© 2016 Skycure Inc.

HOW HEALTHCARE CISOs CAN SECURE MOBILE DEVICES

Jim Routh, CSO, Aetna
Adi Sharabani, CEO, Skycure


Meet Your Speakers

Jim Routh, CSO, Aetna

Adi Sharabani, Co-founder and CEO, Skycure


Quick Housekeeping

• Q&A panel is available if you have any questions
• There will be time for Q&A at the end
• We are recording this webinar for future viewing
• All attendees will receive a copy of the slides/recording

Join the discussion #MobileThreatDefense

Aetna Inc.

The Mobile Device is Our New Appendage


There are now more cell phones on the planet than there are people

90% of 19-29 year-olds in the U.S. sleep with their cell phones

65% of survey respondents said mobile phones make them better parents

75% of survey respondents bring their phones to the bathroom

Apple Siri captures everything you say to her for 6 months and aggregates it for 18 months

Social media apps have the ability to use your phone’s microphone to listen to your dialog

What is the most commonly used mobile app?

Source: Qualcomm, Slick Text Surveys

The mobile phone is the best surveillance device in history

Aetna Inc.

Mobile Security Landscape

Factors driving changes in mobile security (each factor brings Security Changes and New Interaction Opportunities):

• New Interaction Style
  - Frequent and shorter log-ins instead of long on-line sessions
  - Barriers to task completion
  - Improved customer experience using native features users are familiar with; information presented in a format using native features

• Native Applications
  - No browser: the application needs hardening
  - Additive controls feasible

• Security Sensitivity
  - Mobile customers want more security to have confidence in the channel; customer adoption is slower due to security concerns

• App Stores
  - Software distribution is a factor in the security profile
  - Security vetting varies greatly
  - Fraudsters can scan mobile apps for vulnerabilities in app stores more easily

• New Capabilities
  - Mobile channel offers geo-location and enhanced authentication capabilities (voice recognition, image and device attributes)
  - Mobile can potentially offer a better customer experience (location of ATMs, identification in a branch, authentication to a CSR, voice commands, etc.)

• Proximity with user
  - 90% of 18-29 year olds sleep with their phone
  - 113 smartphones are lost or stolen every minute
  - The theft of cell phones makes up 30-40% of all robberies nationwide

• Consolidated Channels
  - Email, phone, browser used to be separate channels; now consolidating


Mobile Threats on the Rise



Dimensions of Mobile Application Risk (the fourth dimension: Privacy)

1. Application Development
   - Threat Models / Security features
   - Education & Developer Checklist
   - Application "wrapper" options
   - Root detection
   - Authentication
   - Security Test Selection Matrix
   - Static analysis
   - Dynamic scanning
   - Pen testing

2. Software Distribution (the mobile ecosystem)
   - Different stores have different security vetting procedures
   - The probability of "application collision" needs to be managed
   - Vetting mobile apps used by enterprise users for security and privacy
   - Does the app need to be tamper resistant?

3. Device Configuration
   - Consumer: Code protection; Root/malware detection; Authentication; Channel verification
   - Enterprise: Mobile device configuration standard (MDM); Authentication controls; VPN channel


Aetna Mobile App Security SDLC

Phases: Requirements, Design, Development, Test, Release (with the cost to fix tracked across the phases)

Technical Design Patterns
• Key management
• Encryption (data in transit, data at rest)
• Authentication
• Version updates

ENABLE (preventive): Threat Modeling, Design Patterns, Risk Classification, Mobile Mavens, Mobile Security Software Training (Role-Based Curriculum), Security Reqs, Process Guides, Behavioral Auth SDK, Code Protection

VERIFY (detective): Static Analysis, Dynamic Scanning, Ethical Hacking, Open Source

DISTRIBUTE: App Signing


Threat Modeling / App Risk Assessment

Key questions when threat modeling:
• What are we building?
• What information can be abused?
• Are there flaws in the design?
• How will the customer information captured be handled, and on which platforms?

Benefits of threat modeling:
• Early identification of security defects (lower cost to fix)
• Increased product quality
• Identify and understand security requirements


Static Source Code Analysis
• Performed during the development cycle
• Includes exhaustive review of code quality (e.g. Objective-C, Java or C#), security and privacy issues
• Goal: decrease defects during the development lifecycle, which results in longer-term savings
• Benefits
  - Immediate feedback and learnings for developers
  - Explicit references to areas needing attention
  - Developer oversights
  - Increased product quality

(Figure: Scan Results)


Next Generation Authentication

• Binary authentication is obsolete
• A behavioral-based model is key
• Innovation applied to the interface

(Diagram: authentication roadmap)
Authentication Hub; LOA; Advanced Analytics Risk Score API; Dynamic LOA API; Backend Analytics & Risk Engine; Prevent @ Inception; RT Push + TouchID; iWatch & Sign Out; Wearables + T/Haptic; Spatiotemporal + Real-Time (RT) Authorization; SWIPE + Contextual; SWIPE + TAP Advanced Contextual; Cognitive & Device Biometrics; FIDO UAF 1.0; FIDO 2.0 when available; Decentralized Authentication

The mobile device provides an opportunity to improve authentication


Brand Protection – Tamper Resistance


• Reduce the ability to perform app store scans for security vulnerabilities
• Increase the difficulty for attackers to create malware attacking our applications
• Reduce the ability to create clone applications
• Provide brand protection


Brand Protection – App Store Monitoring



The 2 Most Widely Exploited Mobile Vulnerabilities


Apps for Android: 314,000,000 hits

TLS is broken: any credentials shared are exposed


Mobile Attack Vectors


Mobile Security Trends in Healthcare: Exclusive Preview

Source: Skycure Mobile Threat Report

(Chart: TREND, risk distribution)
• High Risk: 2.39%
• Medium-Risk: 41.40%
• Low Risk: 24.43%
• Minimal-Risk: 31.78%

Report is available here: goo.gl/DJc5IF


Mobile Threat Landscape

(Diagram labels: Physical, Network, Vulnerabilities, Malware, ?)



Physical Threats: Addressed by our partners


Network Threats: Mobile devices connect to 100x more networks

(Charts: % of doctors accessing patient data and exposed to network threats; number of doctors sharing data through…)


• Man in the Middle: WiFiGate, Pineapple, arpspoof, dnsspoof
• SSL stripping
• SSL decryption
• Content manipulation

https://www.youtube.com/watch?v=F9qIgSRD5vs


Malware: Now affects iOS as well


Sources and examples: Android (Google Play Store), Apple App Store, "Chinese" stores, XcodeGhost, YiSpecter, repackaged apps, malicious profiles (iOS)

(Charts: number of Android devices with malicious apps installed; number of Android devices with at least one medical app and high-risk malware)


Vulnerabilities: Organized & directed effort from hackers

(Charts: Number of CVEs and Number of CVEs Trajectory (Apr '15), by year 2007-2015, y-axis 0-400)


iOS Vulnerabilities

Source: Skycure analysis based on CVEdetails.com

(Chart: percentage of mobile devices running an OS with high-severity vulnerabilities and stored patient data)

Named vulnerabilities: Accessibility Clickjacking, No iOS Zone, Cookie Stealer, HRH, WiFiGate, LinkedOut


Skycure Solution Overview: Mobile Threat Intelligence Platform


Management (outcomes: Security, Visibility, IT Satisfaction)
• Policy enforcement
• Risk-based management
• Enterprise integrations
• Visibility

End-User App
• 24x7 detection and protection
• Network, device and app analysis
• Multi platform
• Seamless experience
• Privacy
• Minimal footprint

Real-Time Threat Intelligence
• 1 Million+ Global Threats Identified: https://maps.skycure.com
• Crowd Wisdom: millions of monthly tests of apps & networks
• Skycure Research: No iOS Zone, Malicious Profiles, WiFiGate, LinkedOut
• Threat Aggregator: dozens of threat feeds from 3rd parties

(Diagram labels: Legitimate Services; Attackers & Threats)


Assess Your Mobile Risk

Request a Free Trial: http://skycure.com/trial