Modern Security Risks for Big Data and Mobile Applications (slide transcript)
2014 © Trivadis
BASEL BERN BRUGG LAUSANNE ZUERICH DUESSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MUNICH STUTTGART VIENNA
Modern Security Risks for
Big Data and Mobile Applications
Florian van Keulen
Senior Consultant Information Security
IT Security Officer - Trivadis Group
12.09.2014
Trivadis TechEvent Sep. 2014
1
Florian van Keulen
Senior Consultant Information Security
IT Security Officer Trivadis
"Telematics" with focus on Security
University of Twente, The Netherlands
Since 2000 working in IT
Since 2009 specialized in IT-Security
Since 2014 at Trivadis AG, Zürich (BDS)
"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece."
Tim Cook, CEO Apple Inc., Wall Street Journal, 9/5/14*
*Interview on iCloud Nude Celebrity Photos Leak
Agenda

1. Past Incidents
   - Data Breaches
2. Big Data
   - Privacy and Data Protection
   - Mosaic effect (de-anonymization / re-identification)
   - Lack of well-known Security Controls
3. Mobile applications
   - Application decomposition
   - Badly defined permissions
   - Data-at-Rest / Data-in-Transit
Past Incidents

iCloud Celebrity Photo Leak

145 million customer records
- by compromising employee credentials
- attack lasted 2 months

93.4% of Home Depot Stores Affected by Card Data Breach
- US largest home-improvement chain
- scope of the hack is not yet known
- could be the biggest in US retail history

152 million customer records
- hack possible due to weak password requirements
Data Breach types in 2004 - 2013
Data Breach types in 2014
Data Breach Report 2014 by: Risk Based Security
Privacy and Data Protection

Who owns the data?
- Multiple sources
- Usage of publicly available data

Privacy policies
- Are users reading them?
- New regulations?

Deletion of data
- Impossible due to the many redundant copies

Anonymization
- Private data must be anonymized

Legal compliance
- National / international
- Country borders
Mosaic Effect

Combining large datasets
- Privacy policies?
- Ownership?
- Data is reassembled in unforeseen ways, in good or bad ways

De-anonymization
- By combining data sets
- Profiling: misuse / valuable target

Unanticipated uses of Big Data
- Data collected now, used later in an unwanted way
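The mosaic effect on the slide above, worked through as an added example (not part of the original deck): an "anonymized" dataset that still carries quasi-identifiers (ZIP code, birth year, sex) is joined against a public dataset carrying names. The records and the generalization rule are constructed for the demo; the k-anonymity measure shows how a defender can estimate the re-identification risk before publishing, and how coarsening the quasi-identifiers lowers it.

```python
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "anonymized" dataset: names removed, quasi-identifiers kept.
ANON_RECORDS = [
    {"id": 1, "zip": "8001", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"id": 2, "zip": "8001", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"id": 3, "zip": "8002", "birth_year": 1980, "sex": "M", "diagnosis": "diabetes"},
    {"id": 4, "zip": "8002", "birth_year": 1980, "sex": "M", "diagnosis": "none"},
]

# Constructed public dataset (think: a voter roll) with names and the same quasi-identifiers.
PUBLIC_RECORDS = [
    {"name": "Anna Muster", "zip": "8001", "birth_year": 1975, "sex": "F"},
    {"name": "Beat Beispiel", "zip": "8001", "birth_year": 1975, "sex": "M"},
    {"name": "Carl Test", "zip": "8002", "birth_year": 1980, "sex": "M"},
    {"name": "Dani Probe", "zip": "8002", "birth_year": 1980, "sex": "M"},
]


def qi_key(record, keys=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values used to link records across datasets."""
    return tuple(record[k] for k in keys)


def reidentify(anon, public, keys=QUASI_IDENTIFIERS):
    """Link records whose quasi-identifiers are unique on both sides.

    Returns {anonymized record id: name}. This is the "mosaic" join: neither
    dataset alone identifies anyone, the combination does.
    """
    public_index = defaultdict(list)
    for rec in public:
        public_index[qi_key(rec, keys)].append(rec["name"])
    anon_counts = Counter(qi_key(r, keys) for r in anon)
    linked = {}
    for rec in anon:
        key = qi_key(rec, keys)
        if anon_counts[key] == 1 and len(public_index.get(key, [])) == 1:
            linked[rec["id"]] = public_index[key][0]
    return linked


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing one quasi-identifier combination.

    k == 1 means at least one record is unique and therefore linkable.
    """
    counts = Counter(qi_key(r, keys) for r in records)
    return min(counts.values())


def generalize(records, keys=QUASI_IDENTIFIERS):
    """Coarsen the quasi-identifiers (ZIP prefix, 10-year age bucket, drop sex).

    This is one simple generalization rule chosen for the demo; real releases
    pick the rule that reaches the required k with the least information loss.
    """
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "*"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(ANON_RECORDS))
    print("re-identified:", reidentify(ANON_RECORDS, PUBLIC_RECORDS))
    anon_g, public_g = generalize(ANON_RECORDS), generalize(PUBLIC_RECORDS)
    print("k after generalization:", k_anonymity(anon_g))
    print("re-identified after generalization:", reidentify(anon_g, public_g))
```

Records 1 and 2 are unique on (zip, birth_year, sex) and get linked to names; records 3 and 4 share a combination and survive the join. After generalization every group has k = 2 and nothing links.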
Lack of well-known Security Controls

Security controls not applied
- Focus on the 3 V's (Volume, Velocity, Variety), not on security
- What about the 3 A's of security:
  - Authorization
  - Access Control
  - Audit

NoSQL DBs lack security features
- Transactional integrity
- Authentication
- Consistency
- Injection attacks (like SQL has)

Monitoring & Logging
- SIEM

Infrastructure
- Availability
- Backup / Recovery
- Disaster
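The "injection attacks (like SQL has)" bullet for NoSQL stores, as an added example that is not part of the original deck. Document databases accept query operators inside the query document itself, so an application that passes a parsed JSON request body straight into the query lets the caller supply an operator where a string was expected. The in-memory `find_one` below implements a small subset of MongoDB-style matching (equality, `$ne`, `$gt`) purely to make the demo self-contained; the user records are constructed, and `login_vulnerable` / `login_hardened` are hypothetical handlers.

```python
import json

# Constructed user collection. Plaintext passwords keep the demo short; a real
# system stores salted password hashes.
USERS = [
    {"user": "alice", "password": "correct horse"},
    {"user": "bob", "password": "battery staple"},
]

# Minimal subset of document-database query operators, enough to show the problem.
OPERATORS = {
    "$ne": lambda value, operand: value != operand,
    "$gt": lambda value, operand: value > operand,
}


def _matches(value, condition):
    """Match one field: a dict condition is interpreted as operators, anything else as equality."""
    if isinstance(condition, dict):
        return all(OPERATORS[op](value, operand) for op, operand in condition.items())
    return value == condition


def find_one(collection, query):
    """Return the first document matching every field of the query document."""
    for doc in collection:
        if all(_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body: str):
    """Builds the query directly from the request body.

    If the body carries {"password": {"$ne": ""}}, the query becomes
    "password not equal to empty string", which every real account satisfies.
    """
    data = json.loads(body)
    return find_one(USERS, {"user": data["user"], "password": data["password"]})


def login_hardened(body: str):
    """Accepts only plain strings for credentials, so operator objects never reach the query."""
    data = json.loads(body)
    user, password = data.get("user"), data.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"user": user, "password": password})


# Constructed request bodies.
LEGIT_BODY = '{"user": "alice", "password": "correct horse"}'
INJECTED_BODY = '{"user": "alice", "password": {"$ne": ""}}'

if __name__ == "__main__":
    print("vulnerable, injected body:", login_vulnerable(INJECTED_BODY))
    print("hardened,   injected body:", login_hardened(INJECTED_BODY))
    print("hardened,   legit body:   ", login_hardened(LEGIT_BODY))
```

The type check is the essential control: credentials and other user-supplied values must be scalars of the expected type before they are placed into a query document, and keys beginning with `$` should never be accepted from the client. Logging rejected bodies gives the SIEM on the slide a concrete signal to alert on.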
Mobile Application Risks
Application decomposition

Identification / manipulation of client-side logic
- Static analysis
- File system analysis
- Dynamic analysis
- Reverse engineering

Obfuscation
- No code obfuscation makes it easier for the bad guys

Own client for attacking
- One of the best ways to attack a client-server application

Logical flaws
- Implementing business logic in the application which should be done on the server side
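The "logical flaws" bullet, as an added example that is not from the original deck: because the client can be decomposed and replaced by the attacker's own client, any price, discount or total it sends is untrusted. The catalog, discount table and order bodies below are constructed; `accept_order` is a hypothetical server-side handler that recomputes the total from server-held data instead of believing the client.

```python
from decimal import Decimal

# Constructed server-side catalog and discount table; prices never come from the client.
CATALOG = {"sku-100": Decimal("19.90"), "sku-200": Decimal("5.00")}
DISCOUNT_CODES = {"WELCOME10": Decimal("0.10")}


def client_trusting_total(order):
    """The flaw: business logic ran in the app, the server just stores what it is told."""
    return Decimal(order["total"])


def server_computed_total(order):
    """Recompute the order total from server data only; reject unknown SKUs and bad quantities."""
    total = Decimal("0")
    for item in order["items"]:
        sku, qty = item["sku"], int(item["qty"])
        if sku not in CATALOG or qty <= 0:
            raise ValueError(f"rejected item {sku!r} x{qty}")
        total += CATALOG[sku] * qty
    rate = DISCOUNT_CODES.get(order.get("discount_code"), Decimal("0"))
    return (total * (1 - rate)).quantize(Decimal("0.01"))


def accept_order(order):
    """Return ("accepted", total) only when the client's total matches the server's own."""
    try:
        expected = server_computed_total(order)
    except ValueError:
        return ("rejected", None)
    if Decimal(order["total"]) != expected:
        return ("rejected", expected)
    return ("accepted", expected)


# Constructed order bodies: an honest one, one with tampered client-side prices, one with a
# negative quantity (a classic client-side-only validation gap).
HONEST_ORDER = {"items": [{"sku": "sku-100", "qty": 2}], "discount_code": "WELCOME10", "total": "35.82"}
TAMPERED_ORDER = {"items": [{"sku": "sku-100", "qty": 2, "price": "0.01"}], "discount_code": "WELCOME10", "total": "0.02"}
NEGATIVE_ORDER = {"items": [{"sku": "sku-100", "qty": -1}], "total": "-19.90"}

if __name__ == "__main__":
    for name, order in [("honest", HONEST_ORDER), ("tampered", TAMPERED_ORDER), ("negative", NEGATIVE_ORDER)]:
        print(name, "client says", client_trusting_total(order), "-> server:", accept_order(order))
```

Two times 19.90 with a 10% discount is 35.82, so the honest order is accepted; the tampered order is rejected with the real total attached, and the negative quantity never reaches pricing at all.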
Badly defined permissions

App isolation is not secure enough
- Communication between components is a critical area:
  - Activities
  - Services
  - Content Providers
  - Broadcast Receivers

Permissions granted to components
- If not properly secured / set, malicious or other rogue programs can interact with them

3rd-party libraries
- Potential threat, as they might get full access to your application
Data-at-Rest / Data-in-Transit

Data on device not secured
- Files or SQLite DB
- Rooted / jailbroken device
- Stolen device
- Encryption?
  - Algorithms
  - Wrapper / container

Communication
- Weak authentication / no 2FA
- No verification of endpoints
- Bad session management
- Harvesting user information
- Encryption
  - SSL
  - VPN
  - App VPN
  - Wrapper
Mobile Application Assessment
Awareness

Security: Florian van Keulen
BI / Big Data: Gregor Zeiler, Solution Manager; Peter Welker, Principal Consultant
Mobile: Martin Lukow, Senior Solution Manager

Consult / Advice / Plan Together
Questions and answers ...
Florian van Keulen
IT Security Officer