Enterprise Mobile Security
•
1 gostou•833 visualizações
Session on enterprise mobile security by Ajay Gabale ( AVP - Technology) and Dwarakanathan LN (Head - TCG) during Endeavour Regional Mobility Conference - India. Also visit: http://www.techendeavour.com/mobility-offerings/security-architecture for more details on how we help our clients in enterprise mobile security.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais de Endeavour Software Technologies
Mais de Endeavour Software Technologies (20)
Último
Último (20)
Enterprise Mobile Security
- 1. Securing Mobile Apps in Enterprise Ajay Gabale AVP Technology and Head Enterprise Mobility Dwarakanathan LN Head – Technology Consulting Group Endeavour Regional Mobility Conference Bangalore, India 31st Oct 2012 Endeavour Software Technologies © 2012
- 2. Agenda 1. Mobile Security Threats 2. Planning for Security 3. Security Multilayered Approach 4. Differentiators in Enterprise Mobile Security 5. Security Updates in Mobile Platform 6. Recommendations for Mobile Security Strategy Endeavour Software Technologies © 2012
- 3. • Mobile Threats Statistics • Top Mobile Threats • Security Predictions Mobile Threats Endeavour Software Technologies © 2012
- 4. 1.0 Mobile Security Threats Mobile Security Threats Statistics Mobile Threats Platform Wise (2004-2011) Platform 2004 2005 2006 2007 2008 2009 2010 2011 Total Android 9 120 129 iOS 2 2 J2ME 2 2 7 2 5 18 PocketPC / Windows 1 1 2 7 8 19 2 40 Mobile Total 1 0 3 2 9 17 30 127 189 * Symbian Platform is ignored from this report Courtesy: F-Secure Trend Micro identified approximately 5,000 new malicious Android apps just this quarter. Endeavour Software Technologies © 2012
- 5. 1.0 Mobile Security Threats Mobile Security Threats Statistics Cont.. Mobile Threats – Profit and Non Profit Motivated Lookout predicts three increasing trends in malware for The New Year. According to its data, ‘mobile pick pocketing’ has already led to an ‘estimated $1 million dollars stolen from Android users in 2011, and will likely grow [during 2012].’ McAFee on Mobile Threats: Attackers have moved on from simple destructive malware to spyware and malware that makes them money. Endeavour Software Technologies © 2012 Courtesy: F-Secure
- 6. 1.0 Mobile Security Threats Top Mobile Security Threats Poor or Lack of a formal Data loss caused by gadget Security Strategy theft Less IT control Mobile Malware Immature security Application Proliferation solutions Network communication Enterprise data on device channels Endeavour Software Technologies © 2012
- 7. 1.0 Mobile Security Threats Security Predictions Mobile Landscape BIG IT Trends Threat Landscape Data Leaks and Breaches Endeavour Software Technologies © 2012
- 8. • Security at various stages of Project Life Cycle • End – to – End Security Implementation Planning for security Endeavour Software Technologies © 2012
- 9. 2.0 Planning for Security Security Assessment at various stages Requirements Architecture Construction Testing Deployment • End to End and Design • Best practices • Conduct Threat • Apply policies Security Elements • Use of API’s and Modeling • Integration • Platform Security Tools • Appstore • Eavesdropping criteria • Infrastructure • Manage guidelines • Data Exfiltration • Identity Security application data • Certificates and Management OTA updates • Sensitive Data Handling Endeavour Software Technologies © 2012
- 10. 2.0 Planning for Security Snapshot of “End to End” Security Implementation Endeavour Software Technologies © 2012
- 11. Security Multilayered Approach Endeavour Software Technologies © 2012
- 12. 3.0 Security Multilayered Approach Multilayered Approach Application Security Data Protection on Device Security 1. Runtime Security and Data Security 1. Password Protection 2. Secure Identity and Authentication Framework 2. Digital Signing 3. Cryptography Standards 3. Policy Enforcement 4. Compliance Management 4. Secure Device Configuration and data encryption 5. Information Obfuscation 5. Device Restriction Secure Mobile Enabled Framework Network Security Application Application Testing Security 1. Use of HTTPS (SSL/TLS) 1. Perform Secure Source Code Reviews 2. Mobile VPN 2. Testing application based on compliance 3. WebService Identity and Content Encryption 3. Performance Testing 4. Security Tokens Endeavour Software Technologies © 2012
- 13. • Differentiators in Enterprise Mobile Security Differentiators in Enterprise • Mobile Device Management – Security and Compliance features Mobile Security Endeavour Software Technologies © 2012
- 14. 4.0 Differentiators in Enterprise Mobile Security Differentiators in Enterprise Mobile Security ENTERPRISE DATA SECURITY - DIFFERENTIATORS Secure Channel a. Mobile VPN Increasing Access to corporate data with enhanced security Capabilities b. Certificate Accessibility a. Strong Authentication procedures ( Secure Confidential Login Credentials) Corporate Data Access b. Multifactor Authentication c. Authorization Manage secure data a. Standard Encryption procedures b. Key Management - Message Level c. Manage network eavesdropping and information disclosure Secure Manage Mobile Device Management a. Policies and Certificates Network Data Remote Data b. Remote Application Management c. Software Management - OTA Update Endeavour Software Technologies © 2012
- 15. 4.0 Differentiators in Enterprise Mobile Security Mobile Device Management – Security and Compliance features Local Data In-House Encryption inside Enterprise App sandbox for Email Distribution Remote Action Firewall and VPN Policies Support Mobile Device Management Rogue App Protection Enrollment & & Certificate based Authentication Antivirus Support Endeavour Software Technologies © 2012
- 16. iPhone Security updates in Mobile Platform Endeavour Software Technologies © 2012
- 17. 5.0 Security Updates in Mobile Platform Security updates in Mobile Platform Security Stack Protect Data with Chain Key Data Protection Application device pin Address Space API (DAPI) Layout Randomization Generic Security Own VPN Service Network Services Wi-FI Direct Framework MDM Policies Device Digital Rights Management Endeavour Software Technologies © 2012
- 18. 6.0 Recommendations for Mobile Security Strategy Recommendations for Mobile Security Strategy Train Developers on Secure Coding Practices Security assessments on mobile devices & infrastructure Perform Threat Modeling on applications Create IT Policies for Mobile Security Avoid Storing Sensitive data on device Best Practices Strategy & Policies Tools New Threats Use monitoring tools for mobile device Continuously evaluate new and connection points and other tools emerging threats Use MDM for password protected sandbox Assess classic threats Endeavour Software Technologies © 2012
- 19. Thank You! Ajay Gabale Dwarakanathan LN (AVP Technology and Head Enterprise (Head – Technology Consulting Group) Mobility) USA: +1 512 464 1218 UK: +44 77 4763 7159 India: +91 80 4288 5500 Singapore: +65 8421 4156 tcg@techendeavour.com info@techendeavour.com www.techendeavour.com Endeavour Software Technologies © 2012
Notas do Editor
- Over the past two decades, we have witnessed significant technology advances in mobile devices, from the personal data assistants (PDAs) of the late 1990s and early 2000s to the ubiquitous and multifunctional smartphones of today. These advances have extended the virtual boundaries of the enterprise, blurring the lines between home and office and coworker and competitor by providing constant access to email, enabling new mobile business applications and allowing the access to, and storing of, sensitive company data.In this presentation, we will outline the risks related to today’s most popular mobile device platforms and technologies, along with methods by which an organization may assess its exposure to these risks. Finally, we will outline means by which many of these risks may be mitigated through technical device controls, third-party software, and organizational policy. These components all contribute to an enterprise-grade mobility management program that will ultimately serve as a guide in the rapidly evolving mobile environmentAs the mobility of today’s workforce continues to grow, the phrase “out of the office” is less and less relevant, and the flow of information in and out of the organization is increasing dramatically and becoming more difficult to control. The mobile workforce’s demand for connectivity is driving change in the way organizations support their employees away from the office and on their personal computers. On the other side, companies are also expected to release and support robust and functional mobile device-friendly applications for their customers.With the increase in mobile device capabilities and subsequent consumer adoption, these devices have become an integral part of how people accomplish tasks, both at work and in their personal lives. Although improvements in hardware and software have enabled more complex tasks to be performed on mobile devices, this functionality has also increased the attractiveness of the platform as a target for attackers. Android’s “open application” model has led to multiple instances of malicious applicationswith hidden functionality that surreptitiously harvest user data.1 Similarly, third-party Android application markets in China have been identified as hosting applications with administrative remote command execution capability.Many organizations are concerned about data integrity, and increased regulation and data protection requirements have placed further obligations on organizations to properly secure data that interacts with mobile devices. As a result, higher levels of security and data protection assurance are required — potentially more than vendors or the platforms themselves are currently able to provide.As companies around the globe look to increase the productivity of their employees or deploy new applications to appeal to an ever- increasing mobile world, corresponding security challenges present themselves. Unfortunately, the benefits and rewards of using mobile devices are sometimes counteracted by fraud and security risks.As an example, security researchers have identified several iPhone security vulnerabilities that allowed users to bypass device restrictions and install their own firmware.2 This may result in the users’ ability to bypass many of the restrictions that prevent malicious software from running on the device. Such vulnerabilities must be considered when choosing which mobile platform(s) to support.
- Mobile device attack surface is narrow but deep The attack surface on mobile devices is small from a traditional network security perspective but very deep - both in terms of services (e.g., applications, messaging, push and web services), and attack vectors targeting the user (e.g., browser based attacks, social engineering attacks, phishing attacks targeting small screens, etc.).Mobile malware Highly standardized, rich, native APIs make mobile malware development and distribution straightforward and more scalable than on PCs. It is easy for malicious software to access device data and functionality, leading to consequences such as data disclosure and unforeseen charges.Application (and subsequently data) proliferation Vendor application stores and end user awareness are heavily relied upon lines of defense. However, vendor application store validation processes have their limitations, not focusing strictly on security, and users install applications with little due diligence.Device and data loss Mobile devices have a highly portable form factor and as a result are easily prone to loss or theft. Loss of a device can lead to the loss of sensitive information including stored credentials, personally identifiable information (PII), corporate data, etc.Device and data ownership When it comes to data stored on mobile devices, both corporate and employee owned, data ownership and liability questions are still not settled. Significant data privacy issues may arise between employees and enterprises as employees use corporate devices for personal activities and personal devices for business purposes.Network communication channels Data in transit between the mobile device and server may be intercepted. Transmission may occur over any supported medium such as Wi-Fi, Bluetooth, GSM, etc. These transmission methods can potentially be exploited in order to gain unauthorized access to sensitive data.Immature security solutions There are multiple dominant mobile operating systems and multiple carrier specific implementations of each. This results in a far more diverse ecosystem than today’s desktop environment and makes it difficult to deploy singular solutions for mobile security.Less IT control The rules of the game have changed – users and executives are driving decisions around devices, platforms and applications while IT teams are scrambling to provide secure, manageable solutions.Lack of a formal strategy Device churn is high, app growth explosive, products remain immature and the threats are evolving – the technical landscape will continue to change. Managing through rapid change without a formal program and strategy invites confusion and costly rework.
- 1. Though many organizations are still uncomfortable with consumerization, security and data breach incidents in 2012 will force them to face BYOD-related challenges.The Bring-Your-Own-Device (BYOD) Era is here to stay. As more and more corporate data is stored or accessed by devices that are not fully controlled by IT administrators, the likelihood of data loss incidents that are directly attributable to the use of improperly secured personal devices will rise. We will definitely see incidents of this nature in 2012.2. The real challenge for data center owners will be dealing with the increasing complexities of securing physical, virtual, and cloud-based systems.While attacks specifically targeting virtual machines (VMs) and cloud computing services remain a possibility, attackers will find no immediate need to resort to these because conventional attacks will remain effective in these new environments. Virtual and cloud platforms are just as easy to attack but more difficult to protect. The burden will thus fall on IT administrators who have to secure their company’s critical data as they adopt these technologies. Patching a big array of virtualized servers is a challenge, allowing hackers to hijack servers, to fork traffic, and/or to steal data from vulnerable systems.3. Smartphone and tablet platforms, especially Android, will suffer from more cybercriminal attacks.As smartphone usage continues to grow worldwide, mobile platforms will become even more tempting cybercriminal targets. The Android platform, in particular, has become a favorite attack target due to its app distribution model, which makes it completely open to all parties. We believe this will continue in 2012 although other platforms will also come under fire.4. Security vulnerabilities will be found in legitimate mobile apps, making data extraction easier for cybercriminals.To date, mobile platform threats come in the form of malicious apps. Moving forward, we expect cybercriminals to go after legitimate apps as well. They will likely find either vulnerabilities or coding errors that can lead to user data theft or exposure. Compounding this further is the fact that very few app developers have a mature vulnerability handling and remediation process, which means the window of exposure for these flaws may be longer.5. Even though botnets will become smaller, they will grow in number, making effective law enforcement takedowns more difficult to realize.Botnets, the traditional cybercrime tool, will evolve in response to actions taken by the security industry. The days of massive botnets may be over. These may be replaced by more, albeit smaller but more manageable, botnets. Smaller botnets will reduce risks to cybercriminals by ensuring that the loss of a single botnet will not be as keenly felt as before.6. Hackers will eye nontraditional targets so flawed Internet-connected equipment, ranging from SCADA-controlled heavy industrial machinery to medical gadgets, will come under attack.Attacks targeting supervisory control and data acquisition (SCADA) systems as well as other equipment accessible via networks will intensify in 2012 as certain threat actors go beyond stealing money and valuable data. STUXNET and other threats in 2011 highlighted how SCADA has become an active target. Proof-of-concept (POC) attacks against network-connected systems, including medical equipment, are expected to ensue.7. Cybercriminals will find more creative ways to hide from law enforcement.Cybercriminals will increasingly try to profit by abusing legitimate online revenue sources such as online advertising. This will help them hide from the eyes of both law enforcement and antifraud watchdogs hired by banks and other financial agencies.8. More hacker groups will pose a bigger threat to organizations that protect highly sensitive data.Online groups such as Anonymous and LulzSec rose to prominence in 2011, targeting companies and individuals for various political reasons. These groups are likely to become even more motivated in 2012. They will become more skilled both at penetrating organizations and at avoiding detection by IT professionals and law enforcement agencies. Organizations will have to deal with this new threat and to increase their efforts to protect vital corporate information.9. The new social networking generation will redefine “privacy.”Confidential user information is ending up online, thanks in large part to users themselves. The new generation of young social networkers have a different attitude toward protecting and sharing information. They are more likely to reveal personal data to other parties such as in social networking sites. They are also unlikely to take steps to keep information restricted to specific groups such as their friends. In a few years, privacy-conscious people will become the minority—an ideal prospect for attackers.10. As social engineering becomes mainstream, SMBs will become easy targets.To date, the craftiest social engineering ploys have been directed against large enterprises. However, cybercriminals are now so adept at social engineering that the effort to target companies individually—big or small—is becoming less costly. This and the greater volume of personal information available online will allow cybercriminals to launch more customized and fine-tuned attacks against small and medium-sized businesses (SMBs). As in previous attacks against SMBs, cybercriminals will continue focusing on gaining access to companies’ online banking accounts.11. New threat actors will use sophisticated cybercrime tools to achieve their own ends.Targeted attacks will continue to grow in number in 2012. Cybercriminals will not be the only ones using these attacks, however. As the effectiveness of advanced persistent threats (APTs) becomes more obvious, other parties such as activist groups, corporations, and governments will find themselves using similar cybercrime tools and tactics to achieve their goals.12. More high-profile data loss incidents via malware infection and hacking will occur in 2012.High-profile attacks will continue to hit major organizations in 2012. Important and critical company data will be extracted through malware infection and hacking. As a result, significant data loss incidents will ensue, potentially affecting thousands of users and their personal information. These incidents can result in significant direct and indirect losses to concerned parties.
- Requirements:End-to-End security requirements3rd Party app integration security requirementsIdentify Requirements for user data access (Offline)Accessing sensitive informationArchitecture and DesignConsider Platform security features (Security API’s)Consider Infrastructure security (VPN, 2 Factor, Multifactor)ConstructionFollow secure codding practicesUse Security Framework, Tools and API’s provided by platformManaging application dataTestingThreat Modeling Network testingApplication Data ExploitationDeploymentUse Deployment Policies as per platform guidelinesFollow App Store GuidelinesUse profiles certificates to avoid unauthorized accessOTA updates
- Devices can be configured remotely and made sure that the device remains IT policy complaint. Configuration policies can be configured manually or pushed over-the-air.The provision process involves installation of certificates on devices and authentication of users into theenterprise domain.In case of a loss of device or any other reason, data can be remotely wiped from the devices.Security policy can be enforced so that the users should not be able to downgrade or change the policies. Hardware features such as camera can be disabled remotely.MDM provides a mechanism to have a custom In-House Store, where enterprise applications can be hosted. The custom application catalogs enable enterprise to distribute and also update applications.