2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not
25
Mobile Security – The impending apocalypse… or maybe not ISF Summer Chapter
-
Upload
ncc-group -
Category
Technology
-
view
447 -
download
2
description
Transcript of 2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not
Mobile Security – The impending apocalypse… or maybe not ISF Summer Chapter
Before we begin…
Hopefully not a lesson in sucking eggs
Agenda
•What the press would have you believe
•The reality
Before we begin… Who is this guy?
• Information Cyber Security for > 15 years • Consultancy – 1997 – 2005 • Research – 2005 – 2011
• Symantec / BlackBerry • Research / Consultancy – 2012
• Recx / NCC Group
What you are led to believe
•Mobile is as insecure the desktop •BYOD is insecure •Malware is rampant •Mobile security needs augmenting
Motivations
• .… something to sell
•…. exposure
Mobile is as insecure as the desktop
• Incentivised •Defence in depth •App stores •Ubiquitous sandboxes •Security policy APIs •Vendors adopting SDLs
BYOD is insecure
•BYOD is CHALLENGING
•Extending your security perimeter •Loosening your control (potentially) •Mixed domain devices •Policies
Malware is rampant
•Malware is present NOT rampant
•Trojans (re-packaged apps) •Trojans (unique appealing apps)
•App store revocation •People using third party app stores
Malware is rampant
Mobile security needs augmenting
•Platforms have rich security stories •Samsung KNOX •BlackBerry Balance •MDM APIs / Policies ..
•Some augmentation may be needed
•on iOS •On device AV is not one of them
But it is no utopia
SDLs cost
•Vendors don’t have • limitless funds • limitless people • limitless time
•Market driven by features •not secure code
•Skills in short demand •Not evenly deployed
Vulnerability v patching frequency
•No monthly patch Tuesday •Carrier certification
•desire • capacity
•Vendors •desire • capacity
Vulnerability v patching frequency
•Handset cycle 12 to 36 months •HTC 10 Android models •ZTE 18 Android models •Samsung 12 Android models •Apple 1 iPhone model •BlackBerry 3 BB10 models
•Sustainment costs huge..
Vulnerabilities can be exploited
But… criminals are lazy …
But… there are motivated enablers..
Devices are complex
•Peripherals •Radio •OS •Apps = a large and complex attack surface
Rapid change
Use cases are different
•Physical interaction •Usage patterns
Mobile security – the future
Thanks? Questions?
UK Offices Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices San Francisco
Atlanta
New York
Seattle
Australian Offices Sydney
European Offices Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland
Ollie Whitehouse [email protected]
