20120418 Ward Solutions Mobility - Securing your Applications, Pat Larkin
Date posted: 19-Oct-2014
Category: Technology
Description: Transcript of 20120418 Ward Solutions Mobility - Securing your Applications, Pat Larkin
Mobility – Securing for Applications
Ward Solutions
1
CONFIDENTIAL
www.ward.ie
Pat Larkin
Business Development Director
087-2446093
Agenda
• Introductions
• Outline security issues for Mobility and Mobile Apps in the Cloud for Enterprises
• Outline Security Strategies to enable Mobile and Mobile Apps
• Share our experiences as a Security Consultancy, Auditor/Tester as well as a Security Integrator
• Q&A
Introductions
What we do
Ward Solutions
• Ireland's largest dedicated Information Security provider – 45 staff – growing to 60 by 2014
• Established 1999 - offices in Dublin, Belfast, Limerick and London
• Debt free – organic growth – profitable – strong reserves, growing 20% per annum
• A Complete Security Service and Solution provider
• Broadest set of Information Security services and Solutions in Ireland
• A reputation for excellence and broad experience in Government & Private Sector (all verticals) - blue chip client base
Partnerships
Mobility - Some Context
Mobility Statistics
• 35% of tablet sales by 2015 will be Enterprise (Gartner 2012)
• 17.7m mobile apps downloaded in 2011 (Cylabs 2011)
• 118.9M tablets forecast sales - 2012 (Gartner 2012)
• Enterprises now reliant on mobile devices (Cylabs 2011)
  ◦ 31% – “heavily reliant”
  ◦ 18% – “extremely reliant”
  ◦ 7 in 10 more reliant than 12 months ago
Lost Smartphone Protection
Employees/Enterprise consistently fail to protect their mobile devices (share of respondents using each protection):
• No protection: 57%
• Anti-theft device: 31%
• Encryption: 19%
• Password or keypad lock: 17%
• Client firewall: 11%
• Anti-virus/anti-malware: 5%
• Other: 4%
3 Types of data loss of concern
+ Data Loss from the Device – e.g. inadvertent or deliberate emailing or posting - bypassing normal corporate gateways etc.
Traditional Attack Vectors Shifting Trend: PC Malware Growth Slows
New PC Malware Samples
Growth of PC-based malware continued to decline but don’t get complacent. The cumulative number of unique malware samples still exceeds the 75 million mark. (McAfee Q4 threat report 2011)
[Chart: New PC Malware Samples per quarter, Q1 09 to Q4 11; y-axis 0 to 7,000,000]
Mobile Devices is the new Malware growth segment
Mobile malware has now established itself as the fastest growing category as attackers continue to experiment with new attacks aimed primarily at the Android platform.
[Chart: new mobile malware samples per quarter, Q1 10 to Q4 11; y-axis 0 to 1,800]
Reported Data Breaches continue to rise / accelerate
The number of reports of data breaches via hacking, malware, fraud, and insiders has more than doubled since 2009. In Q4 2011 alone we saw more than 40 breaches publicly reported. (McAfee Q4 threat report)
[Chart: Reported Data Breaches per year, 2005 to 2011; y-axis 0 to 250]
Cost per data breach €96 (Ponemon Inst. 2012)
Where we see the threats - server side
• Application Layer: > 80% – this is where Ward mobile app pen tests still find >75% of critical and high vulnerabilities!
• Services Layer: < 10%
• Network Layer: < 5%
• Host/OS Layer: < 1%
Enabling Mobility Brings Risk
• There is a policy disconnect between IT and end users (HR, IT, Finance, Sales)
• More than half of all users don’t lock their devices
• Almost 1 in 5 devices are lost each year
• Mobile devices predicted to be New Malware Frontier
The benefits are “unstoppable”
• Employees with mobile devices
  ◦ work 20% longer (Forrester 2011)
  ◦ respond 30% faster (Motorola 2011)
• 73% of CIOs - improved employee productivity (CIO magazine 2011)
• 70% of Consumers using mobile as their primary device (BusinessWeek 2011)
• Lower operating costs
Mobile Application Security
Strategy
Regulatory Sources
Policies
Risk Assessment
Mobile, non-mobile – principles are the same
Management Controls / Organizational Controls / Technical Controls
Activity – Processes – Procedures
• Risk management
• Contingency planning
• Incident response
• Physical security
• Personnel security
• Certification/verification
• Access control
• ID & authentication
• Auditing
• Encryption
• Incident detection
• Networking
• Information classification
• Communications
• Acceptable use
• Perimeter security
Mobile Threats are similar & different
Mobility’s Unique Challenges Call for Different Approaches to Security
(Legend: = + means similar and more; ≠ means divergent)

THREAT MODELS (= +)
• PC: Malware, Virus, Phishing, Lost, Stolen Data, Trojans, DoS, Social Engineering
• Mobile: Similar to PC + Immaturity, policy gap, ownership, device/data loss, eavesdropping, premium SMS fraud

ATTACK CHANNELS (= +)
• PC: Browser, Bluetooth, Wi-Fi, Cellular Network, Cross Channel, Email
• Mobile: Similar to PC + Malware, trojans, client side attacks, theft, SMS, MMS, App downloads

COMPUTING ENVIRONMENT (≠)
• PC: Homogenous OS environment; largely local computing centric
• Mobile: Fragmented OS environment; cloud-centric, tethered to OS provider
Approach
• Risk Assessment – end to end
• Risk Treatment on a prioritised basis – end to end
• Develop organisational, management and technical:
  ◦ Policies
  ◦ Procedures
  ◦ Controls
• Implement
• Validate
• Improve
Regulatory Sources
Policies
Organisational & Management Controls
Risk Assessment
Controls - Technical remediation
• Limited remediation in existing Mobile platforms
  ◦ AD, ActiveSync
  ◦ Native encryption, authentication, app control
  ◦ Virtualisation
• Strong mature remediation on existing Server side
  ◦ Secure development practices
  ◦ Hardening, patching, encryption, RBAC
  ◦ Firewalls, WAFs, IPS, IDS, VPNs etc.
Protecting the client side
PROTECT MOBILE DEVICES
• Device Management (MDM)
• Anti-Malware
• Web Protection
PROTECT MOBILE APPS
• Enterprise App Store
• Application black list, white list, reputations
PROTECT MOBILE DATA
• Data Protection (Locate, Lock, Wipe, Delete)
• Jailbroken and Rooted Device Exclusion
• Encryption
MDM or MDP Lifecycle
Provisioning
Define security policies, network connectivity, and resources; user self-service provisioning for automatic device personalization.
Security and Authentication
Enable devices to strongly authenticate against Microsoft CA. Supports two-factor authentication.
Policy Management
Remotely perform helpdesk tasks and push security policies and configuration updates over-the-air.
Compliance
Automatically check devices prior to network access.
IT Operations Support
Visualize and manage devices centrally through Mobile Device Management.
Enterprise Application Management
Make apps available in a secure, role-based way. Offer apps for download, links to third-party app stores, and web links.
[Lifecycle diagram centred on ePO: Provisioning, Security and Authentication, Policy Management, Compliance, IT Operations Support, Enterprise Application Management]
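The "Compliance" stage above (check devices before they are allowed onto the network) and the client-side controls on the previous slide (passcode lock, encryption, anti-malware, exclusion of jailbroken and rooted devices) can be expressed as one policy evaluation. The following is an added example for this transcript, not Ward Solutions' code and not the API of any MDM product; it assumes a hypothetical inventory feed that reports each device as a dict, and the OS version floors and sample device records are constructed for the demo.

```python
"""Pre-network-access device compliance check (added example; not Ward Solutions'
code or any MDM product's API). The inventory format, policy values and sample
devices are assumptions constructed for this demo."""
from dataclasses import dataclass, field

# Baseline drawn from the deck's client-side controls. The OS version floors are
# hypothetical values chosen for the example.
POLICY = {
    "require_passcode": True,
    "require_encryption": True,
    "require_anti_malware": True,
    "block_jailbroken_rooted": True,
    "min_os_version": {"ios": (5, 1), "android": (4, 0)},
    "max_days_since_checkin": 7,   # a silent device may be lost: locate/lock before allowing it back
}


@dataclass
class Verdict:
    device_id: str
    compliant: bool
    action: str                     # "allow", "quarantine" or "block"
    reasons: list = field(default_factory=list)


def parse_version(s):
    """'4.0.3' -> (4, 0, 3); non-numeric components count as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in s.split("."))


def evaluate(device, policy=POLICY):
    """Apply the policy to one inventory record and explain every failure."""
    reasons = []
    # A rooted or jailbroken device undermines every other control (encryption keys,
    # app control, MDM agent), so it is blocked outright rather than quarantined.
    if policy["block_jailbroken_rooted"] and device.get("jailbroken_or_rooted"):
        return Verdict(device["id"], False, "block", ["device is jailbroken/rooted"])
    if policy["require_passcode"] and not device.get("passcode_set"):
        reasons.append("no passcode/keypad lock")
    if policy["require_encryption"] and not device.get("storage_encrypted"):
        reasons.append("storage not encrypted")
    if policy["require_anti_malware"] and not device.get("anti_malware_installed"):
        reasons.append("no anti-malware")
    platform = device.get("platform", "").lower()
    floor = policy["min_os_version"].get(platform)
    if floor is None:
        reasons.append(f"unsupported platform {platform!r}")
    elif parse_version(device.get("os_version", "0")) < floor:
        reasons.append(f"OS {device.get('os_version')} below minimum {'.'.join(map(str, floor))}")
    if device.get("days_since_checkin", 0) > policy["max_days_since_checkin"]:
        reasons.append("stale check-in; device may be lost")
    if not reasons:
        return Verdict(device["id"], True, "allow")
    # Quarantine keeps the device off corporate resources but reachable by MDM so the
    # missing controls can be pushed over-the-air.
    return Verdict(device["id"], False, "quarantine", reasons)


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "dev-001", "platform": "iOS", "os_version": "5.1.1", "passcode_set": True,
     "storage_encrypted": True, "anti_malware_installed": True,
     "jailbroken_or_rooted": False, "days_since_checkin": 1},
    {"id": "dev-002", "platform": "Android", "os_version": "2.3.6", "passcode_set": False,
     "storage_encrypted": False, "anti_malware_installed": True,
     "jailbroken_or_rooted": False, "days_since_checkin": 2},
    {"id": "dev-003", "platform": "Android", "os_version": "4.0.3", "passcode_set": True,
     "storage_encrypted": True, "anti_malware_installed": True,
     "jailbroken_or_rooted": True, "days_since_checkin": 0},
    {"id": "dev-004", "platform": "iOS", "os_version": "5.0", "passcode_set": True,
     "storage_encrypted": True, "anti_malware_installed": False,
     "jailbroken_or_rooted": False, "days_since_checkin": 30},
]


def gate_network_access(inventory, policy=POLICY):
    """Map each device id to the action the network access control should enforce."""
    return {v.device_id: v.action for v in (evaluate(d, policy) for d in inventory)}


if __name__ == "__main__":
    for d in SAMPLE_INVENTORY:
        v = evaluate(d)
        print(f"{v.device_id}: {v.action:10s} {'; '.join(v.reasons) or 'compliant'}")
```

Running it against the constructed inventory allows dev-001, quarantines dev-002 and dev-004 with the list of missing controls, and blocks dev-003 for being rooted. Separating "block" from "quarantine" matters in practice: a quarantined device can still receive the policy push that fixes it, whereas a rooted device cannot be trusted to report its own state.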
Use vendors with capabilities, vision & deep pockets
Questions & Answers