Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences...

7/30/2019 Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012 http://slidepdf.com/reader/full/identifying-and-responding-to-the-evolving-converged-it-telecom-michalis 1/38 Identifying and responding to the evolving converged IT & Telecom Security (ENISA view)  By Michalis Mavis, MSc, MSc f. Chairman of Hellenic Fraud Forum

Transcript of Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences...

Page 1: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Identifying and responding to the evolving converged IT & Telecom Security (ENISA view)

By Michalis Mavis, MSc, MSc

f. Chairman of Hellenic Fraud Forum

Page 2: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Interesting opinions from Ernst & Young

see report ‘Top 10 risks in Telecom 2012’

•  Customers place more trust in Operators than in social networks on security issues across a range of services.

•  They hold Operators responsible for threats from third parties, even for mobile malware attacks and rogue applications (apps).

•  The market expects that they should collaborate with suppliers and partners to tackle privacy and security issues in new service areas such as cloud security and mobile apps.

•  Operators should work closely with governments to clarify their responsibilities in areas such as anti-terrorism and content for children.

Page 3: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


What are the best paid IT jobs ?

1. Mobile applications developer.

2. Wireless network engineer.

3. Network engineer.

4. Data modeler.

5. Portal administrator.

6. Data warehouse manager.

7. Business intelligence analyst.

8. Senior web developer.

9. Web developer.

10. Network architect.

11. Network manager.

12. Data architect.

13. Data security analyst.

14. Software engineer.

15. Network administrator.

Reference : Online Associate News Editor

Page 4: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Mobile applications developers, one of the best paid jobs in 2013…

Page 5: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Agenda

•  Mobility trend in the modern business environment.

•  Benefits and risks when privately owned mobile gadgets are used in the business environment.

•  ENISA, Ernst & Young and Networks Asia Reports views.

•  Security concerns and solutions in the modern business environment.

•  Conclusions

Page 6: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


The ENISA point of view

•  The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the European Union. In its recent report ENISA stated inter alia that:

•  ‘Security controls need to be installed outside the perimeter of an organization in order to protect business assets on the move…’.

Page 7: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Bring your own device, trend…

•  Employee-owned, privately-used devices like smart phones, tablets, ultra-light laptops, etc., are used for business related tasks with permission and support of the employer.

•  Privately-used IT, like Social Networking, Cloud Storage, mail, smart phones, tablets, etc. are becoming part of professional IT life.

Page 8: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Benefits ?

•  Employees using their own devices for business save time and money.

•  They are more mobile and productive due to permanent access to business data, transactions, and communication facilities.

•  Increased staff availability is achieved, since urgent matters can be better co-ordinated and resolved.

Page 9: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Mobile Phone Trends - user aspects

•  Smartphones are becoming a placeholder for your entire life (photos, addresses, phonebook, personal notes, location/presence).

•  Smartphones are used for business applications:

 –  Storage of sensitive information.

 –  Access to internal company networks.

•  Smartphone is easy to carry along and you can always bring it with you.

•  Unintentional/intentional user acts:

 –  Authorizing installation of malicious software.

 –  Forwarding sensitive business information to an unauthorized user.

•  Contacts

•  Emails

•  Photos/videos

•  Applications

•  Attachments

•  Calendar

Page 10: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Variety and complexity of devices, systems and applications

•  Additional IT management resources are needed in order to accommodate the various systems (e.g. different OS).

•  Additional investments are needed to achieve the desired level of protection and compliance when opening up network perimeter security.

Page 11: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


What are the main Risks ?

Page 12: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Loss of confidential data

•  By improper use of such services, users may neglect existing security policies and transfer company information outside the security domain, thus enabling access by non-authorized individuals.

•  Sharing of such devices (with family and friends, for example) may cause significant losses to the organization.

•  On the other hand, high usage of mobile devices is likely to result in more lost devices.

Page 13: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Page 14: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


How to discriminate between user and company data

•  Business data mixed with private info.

•  There is always a risk related to the intervention of businesses in the private life and property of employees.

•  Security controls may allow businesses to access users’ personal data stored on their devices.

Page 15: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Mobile devices targeted by cybercriminals

•  Malicious software aimed at mobile devices has reportedly risen about 185% in less than a year.

•  Mobile devices face an array of threats that take advantage of numerous vulnerabilities commonly found in such devices.

•  In most cases consumers are not aware of the importance of enabling security controls on their mobile devices.

Report by Michael Cooney (Sep 20, 2012)

Page 16: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Security issues on mobile devices

•  Pattern screen locks for authentication, PIN, password and/or use of a biometric reader to scan a fingerprint.

•  Two-factor authentication with non-static passwords should be used when conducting sensitive transactions on mobile devices.

•  Many applications (e.g. Email) do not encrypt the data they transmit and receive over the network, making it easy for the data to be intercepted.

Pattern screen lock

Page 17: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Unauthorized access to sensitive info

•  Consumers may download applications that contain malware.

•  An application could be repackaged with malware and a consumer could inadvertently download it onto a mobile device. The data then may be easily intercepted.

•  When a wireless transmission is not encrypted, data can be easily intercepted by eavesdroppers, who may gain unauthorized access to sensitive information.

Page 18: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Mobile devices normally do not include pre-installed security software.

•  Security software may slow operations and affect battery life on some mobile devices.

•  But without it, the risk may be increased that an attacker could successfully distribute malware such as viruses, Trojans, spyware, and spam to lure users into revealing passwords or other confidential information.

Page 19: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Operating systems may be out-of-date

•  Many manufacturers stop supporting smartphones as soon as 12 to 18 months after their release.

•  Such devices may face increased risk if manufacturers do not develop patches for newly discovered vulnerabilities.

•  Unlike traditional web browsers, mobile browsers rarely get updates.

Page 20: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Firewall on mobile units

•  Without a firewall, a mobile device may be open to intrusion through an unsecured communications port, and an intruder may be able to obtain sensitive information on the device and misuse it.

Page 21: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


NOT

Page 22: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Page 23: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Mobile malware

•  Android devices topped the list of mobile malware targets.

•  When a mobile phone is infected, the malware tries to propagate the infection. This may be done even through SMS.

•  In the case of mobile malware threats, the DNS layer can be analyzed to detect and mitigate suspicious activity. Mobile Operators should take responsibility for that.

•  Social Networks, like FB, propagate malware.
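The slide says the DNS layer can be analyzed to detect infected handsets but does not show what such an analysis looks like. The Go program below is an added example, not code from the presentation or from any operator: it scans a constructed sample of resolver log lines (timestamp, client IP, query type, name) and flags a client that resolves several distinct long, high-entropy domain labels, the pattern left by malware that generates its command-and-control names algorithmically. The log format, the entropy threshold (3.0 bits), the minimum label length (10) and the hit count (5) are assumptions for this example and should be tuned against an operator's real traffic.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"sort"
	"strings"
)

// sampleLog is a constructed resolver log, not real traffic:
// "<timestamp> <client-ip> <qtype> <queried-name>" per line.
// 10.0.0.5 behaves normally; 10.0.0.7 resolves a burst of random-looking names.
const sampleLog = `2012-11-19T10:00:01Z 10.0.0.5 A www.google.com
2012-11-19T10:00:02Z 10.0.0.5 A mail.example.com
2012-11-19T10:00:03Z 10.0.0.5 A cdn.example.net
2012-11-19T10:00:04Z 10.0.0.7 A xk3j9qz7w2pl.info
2012-11-19T10:00:05Z 10.0.0.7 A bq8r4vmt1ynz.info
2012-11-19T10:00:06Z 10.0.0.7 A h6wd0ck5fpja.biz
2012-11-19T10:00:07Z 10.0.0.7 A u2sgl7xe9ntb.info
2012-11-19T10:00:08Z 10.0.0.7 A v3rm8qyo1zkc.biz
2012-11-19T10:00:09Z 10.0.0.7 A www.google.com
2012-11-19T10:00:10Z 10.0.0.9 A p9fn2hwx4dbe.info
`

// shannonEntropy returns the per-character entropy of s in bits.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// registeredLabel returns the label directly left of the TLD:
// "google" for "www.google.com", "xk3j9qz7w2pl" for "xk3j9qz7w2pl.info".
func registeredLabel(name string) string {
	parts := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	if len(parts) < 2 {
		return name
	}
	return parts[len(parts)-2]
}

// looksGenerated flags long, high-entropy labels typical of algorithmically
// generated names. Both thresholds are assumptions for this example.
func looksGenerated(label string) bool {
	return len(label) >= 10 && shannonEntropy(label) >= 3.0
}

// flagClients returns, sorted, the client IPs that resolved at least minHits
// distinct generated-looking domains in the given log text.
func flagClients(text string, minHits int) []string {
	hits := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue // malformed line: skip it rather than abort the whole scan
		}
		client, name := f[1], f[3]
		if !looksGenerated(registeredLabel(name)) {
			continue
		}
		if hits[client] == nil {
			hits[client] = map[string]bool{}
		}
		hits[client][strings.ToLower(name)] = true
	}
	var out []string
	for client, names := range hits {
		if len(names) >= minHits {
			out = append(out, client)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, c := range flagClients(sampleLog, 5) {
		fmt.Println("suspicious client, candidate for notification or sinkholing:", c)
	}
}
```

A single odd-looking name is not evidence (content delivery networks use such labels too), which is why the rule counts distinct hits per client before raising anything; an operator would follow a hit with a customer notification or by resolving the flagged names to a sinkhole, which is the "mitigate" half of the bullet.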

Page 24: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Use of public WiFi networks

•  Using unsecured public wireless Internet networks or WiFi spots could allow an attacker to connect to the device and view sensitive information.

Page 25: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Man-in-the-middle attack

•  Connecting to an unsecured WiFi network could let an attacker access personal information from a device, putting users at risk for data and identity theft.

•  One type of attack that exploits the WiFi network is the man-in-the-middle, where an attacker inserts himself in the middle of the communication stream and steals information.

Page 26: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Is VPN a good solution ?

•  Using non-secured public Wi-Fi hotspots can leave you vulnerable to identity theft, data theft, snooping, impersonation and malware infection.

•  That's why so many people rely on public virtual private network services, but VPNs are no panacea.

Page 27: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Page 28: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Sensitive transactions

•  Enable two-factor authentication for sensitive transactions, e.g. Mobile banking or financial transactions.

•  Verify the authenticity of downloaded applications.

•  Procedures can be implemented for assessing the digital signatures of downloaded applications to ensure that they have not been tampered with.
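The last bullet describes checking an application's digital signature before installing it. The Go program below is an added example, not code from the presentation or from any app store: the publisher signs the SHA-256 digest of the package with an Ed25519 key, and the device verifies the signature under the pinned publisher public key, so a package that was repackaged with malware (slide 17) no longer verifies. The publisher seed is a constructed, fixed value so the example is reproducible; a real signing key would live in an HSM or signing service, never in source.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// publisherSeed is a constructed 32-byte seed for a reproducible example only.
var publisherSeed = []byte("example-publisher-seed-32-bytes!")

// publisherKeys derives the publisher's key pair from the seed. The device
// ships with (or pins) only the public half.
func publisherKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(publisherSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// packageDigest hashes the whole package; signing the digest rather than the
// raw archive keeps the signed message small and fixed-length.
func packageDigest(pkg []byte) []byte {
	d := sha256.Sum256(pkg)
	return d[:]
}

// signPackage is the publisher / store side.
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, packageDigest(pkg))
}

// verifyPackage is the device side: the installer refuses the package unless
// the signature over its digest verifies under the pinned publisher key.
// Any change to the package bytes, or a signature from another key, fails.
func verifyPackage(pub ed25519.PublicKey, pkg, sig []byte) bool {
	return ed25519.Verify(pub, packageDigest(pkg), sig)
}

func main() {
	pub, priv := publisherKeys()
	pkg := []byte("constructed package contents, standing in for an app archive")
	sig := signPackage(priv, pkg)
	fmt.Println("genuine package verifies:", verifyPackage(pub, pkg, sig))

	// Simulate repackaging: flip one byte of the archive after signing.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0x01
	fmt.Println("tampered package verifies:", verifyPackage(pub, tampered, sig))
}
```

The check is only as strong as the trust in the public key: it must come with the platform or be pinned out of band, not downloaded alongside the package it is meant to verify.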

Page 29: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Remotely disable lost or stolen devices

•  The best mobile security applications give you the ability to:

 –  lock your phone and SIM card remotely

 –  wipe important information from your memory card and

 –  activate your phone's built-in GPS chip to locate your lost or stolen device.

Page 30: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Don’t panic when mobile is stolen…

•  Remote disabling is a feature for lost or stolen devices that either locks the device or completely erases its contents remotely.

•  Locked devices can be unlocked subsequently by the user if they are recovered.

•  Enable encryption for data stored on device or memory card.

Page 31: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


How to encrypt my data in SD card ?

•  Smartphone is fingerprint protected but SD card is not.

•  Some Smartphones include built-in encryption capability. Others do not.

•  There are free apps allowing encryption of files and folders of your phone SD card. Check if encryption works.

•  But in order to see the photo gallery you should decrypt first. This may be a bit boring…
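Slides 30 and 31 recommend encrypting data on the device or memory card and advise checking that the encryption actually works. The Go program below is an added example, not code from the presentation or from any of the free apps it mentions: it shows what a file-encryption app on the SD card has to get right, stretching a passphrase into an AES-256 key with PBKDF2-HMAC-SHA256, sealing each file with AES-GCM, and storing salt and nonce alongside the ciphertext so the file can be opened later. The "check that it works" the slide asks for is the last part of the program: the wrong passphrase and any modification of the stored file are both rejected. The iteration count and the layout of the sealed file are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const (
	saltSize   = 16
	iterations = 100000 // assumed PBKDF2 cost; tune to the phone's CPU
)

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output
// block, which is exactly an AES-256 key: U1 = PRF(P, S || INT(1)),
// Uj = PRF(P, Uj-1), T = U1 xor U2 xor ... xor Uc.
func deriveKey(passphrase, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1})
	u := prf.Sum(nil)
	key := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// sealFile encrypts one file's bytes. Output layout (assumed for this example):
// salt || nonce || ciphertext+tag, so the sealed file is self-describing.
func sealFile(passphrase, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltSize)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(passphrase, salt, iterations))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per file: never reuse with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// openFile reverses sealFile. GCM's tag check makes it fail for a wrong
// passphrase and for any modification of the stored bytes.
func openFile(passphrase, blob []byte) ([]byte, error) {
	if len(blob) < saltSize {
		return nil, errors.New("sealed file too short")
	}
	salt, rest := blob[:saltSize], blob[saltSize:]
	block, err := aes.NewCipher(deriveKey(passphrase, salt, iterations))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rest) < ns+gcm.Overhead() {
		return nil, errors.New("sealed file too short")
	}
	return gcm.Open(nil, rest[:ns], rest[ns:], nil)
}

func main() {
	pass := []byte("constructed passphrase")
	photo := []byte("IMG_0001.jpg contents (constructed)")
	sealed, err := sealFile(pass, photo)
	if err != nil {
		panic(err)
	}
	back, err := openFile(pass, sealed)
	fmt.Println("correct passphrase:", err == nil && string(back) == string(photo))
	_, err = openFile([]byte("wrong passphrase"), sealed)
	fmt.Println("wrong passphrase rejected:", err != nil)
	sealed[len(sealed)-1] ^= 0x01
	_, err = openFile(pass, sealed)
	fmt.Println("modified file rejected:", err != nil)
}
```

The decrypt-before-viewing inconvenience the slide mentions is inherent to this design: the plaintext exists only while the gallery is open, and the app should delete the decrypted copy from the card afterwards rather than leave it beside the sealed one.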

Page 32: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


STEALTH SMS

•  A stealth (invisible) SMS is sent to the mobile phone. No need to accept installation of the program. It is automatically installed in the mobile phone memory.

•  The program allows monitoring of calls and incoming – outgoing SMSes.

•  Well known programs of this type are RexSpy and FlexySpy.

•  The attacker may pay by credit card. No need to move from his chair or visit a detective…

Séminaire International RSI'2012, Morocco, 19 & 20 November 2012

Page 33: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Page 34: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Mobile phone including RFID tag

A mobile phone with an RFID tag may be used as an ATM card (technology already present in various countries).

The mobile phone may be used instead of keys to activate the car and open your house door. It will also participate in various financial transactions.

Page 35: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


NFC risks

•  Fraud risks when using NFC for mobile payments and other financial transactions by using your mobile phone.

•  Attacks to steal a person's identity and/or money.

Page 36: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


Pay Fraud (in M-Commerce)

•  Interception of M-Commerce transactions.

•  Credit Card Not Present Transactions.

•  Inexistent paid products or services.

•  Liability for content theft and piracy.

•  Employee internal abuse of customers' Credit Card details.

Page 37: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


CONCLUSIONS

•  There is a clear mobility trend in the modern business environment.

•  Mobile apps, although useful, include many risks. Mobile apps may turn into spying applications.

•  The user should be able to distinguish malware apps before installing them.

•  There are benefits and risks when privately owned mobile gadgets are used in the business environment.

Page 38: Identifying and Responding to the Evolving Converged IT & Telecom - Michalis Mavis - iCompetences RSI2012


THANK YOU

Mr. Michalis Mavis, MSc, MSc //gr.linkedin.com/in/mmavis