modern security risks for big data and mobile applications


Trivadis - modern security risks for big data and mobile applications by Florian van Keulen

Transcript of modern security risks for big data and mobile applications

Page 1: modern security risks for big data and mobile applications

2014 © Trivadis

BASEL BERN BRUGG LAUSANNE ZUERICH DUESSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MUNICH STUTTGART VIENNA

Modern Security Risks for Big Data and Mobile Applications

Florian van Keulen

Senior Consultant Information Security

IT Security Officer - Trivadis Group

12.09.2014

Trivadis TechEvent Sep. 2014

1

Page 2: modern security risks for big data and mobile applications

Florian van Keulen

Senior Consultant Information Security

IT Security Officer Trivadis

- "Telematics" with focus on Security, University of Twente, The Netherlands
- Since 2000 working in IT
- Since 2009 specialized in IT-Security
- Since 2014 at Trivadis AG, Zürich (BDS)

Page 3: modern security risks for big data and mobile applications

"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece."

Tim Cook, CEO Apple Inc., 9/5/14 Wall Street Journal*

*Interview on iCloud Nude Celebrity Photos Leak

Page 4: modern security risks for big data and mobile applications

Agenda

1. Past Incidents
   - Data Breaches
2. Big Data
   - Privacy and Data Protection
   - Mosaic effect (de-anonymization / re-identification)
   - Lack of well-known Security Controls
3. Mobile applications
   - Application decomposition
   - Badly defined permissions
   - Data-at-Rest / Data-in-Transit

Page 5: modern security risks for big data and mobile applications

Past Incidents

iCloud Celebrity Photo Leak

145 million customer records
- by compromising employee credentials
- attack lasted 2 months

93.4% of Home Depot Stores Affected by Card Data Breach
- US largest home-improvement chain
- scope of the hack is not yet known
- could be the biggest in US retail history

152 million customer records
- hack possible by weak password requirements

Page 6: modern security risks for big data and mobile applications


Past Incidents


Page 7: modern security risks for big data and mobile applications


Data Breach types in 2004 - 2013


Page 8: modern security risks for big data and mobile applications


Data Breach types in 2014

Source: Data Breach Report 2014 by Risk Based Security

Page 9: modern security risks for big data and mobile applications


Page 10: modern security risks for big data and mobile applications

Privacy and Data Protection

Who owns the Data?
- Multiple sources
- Use of publicly available data

Privacy Policies
- Are users reading them?
- New regulations?

Deletion of Data
- Impossible due to the many redundant copies

Anonymization
- Private data must be anonymized

Legal Compliance
- National / International
- Country borders

Page 11: modern security risks for big data and mobile applications

Mosaic Effect

Combining large datasets
- Privacy policies?
- Ownership?
- Data gets reassembled in unforeseen ways, in good and in bad ways

De-Anonymization
- By combining data sets
- Profiling
- Misuse / valuable target

Unanticipated Uses of Big Data
- Data collected now, used later in an unwanted way
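The re-identification risk this slide describes can be measured before a data set is released. The following Python is an added example, not part of the original slides: it joins a constructed "anonymized" release to a constructed public register on the shared quasi-identifiers (zip, birth year, sex), counts how many records become uniquely linkable, and computes the k-anonymity of the release. It goes one step beyond the slide by also showing a generalization step (a constructed policy, not a recommendation for any particular data set) that lowers that risk. All table contents, names and the generalization policy are assumptions.

```python
"""Re-identification risk from combining data sets (mosaic effect).

Added example, not from the original slides. RELEASED and PUBLIC are
constructed sample tables. The point: dropping names is not anonymization;
once a release is joined to a second data set on shared quasi-identifiers,
records become linkable to people. Checking k-anonymity before release
makes that risk visible, and generalizing the quasi-identifiers lowers it.
"""
from collections import Counter

# Constructed "anonymized" release: names removed, quasi-identifiers kept.
RELEASED = [
    {"zip": "8001", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"zip": "8001", "birth_year": 1975, "sex": "F", "diagnosis": "flu"},
    {"zip": "8002", "birth_year": 1980, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "8003", "birth_year": 1962, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "8004", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
]

# Constructed public register (names plus the same quasi-identifiers).
PUBLIC = [
    {"name": "Person A", "zip": "8001", "birth_year": 1975, "sex": "F"},
    {"name": "Person B", "zip": "8001", "birth_year": 1975, "sex": "F"},
    {"name": "Person C", "zip": "8002", "birth_year": 1980, "sex": "M"},
    {"name": "Person D", "zip": "8003", "birth_year": 1962, "sex": "M"},
    {"name": "Person E", "zip": "8004", "birth_year": 1990, "sex": "F"},
    {"name": "Person F", "zip": "8004", "birth_year": 1990, "sex": "M"},
]

QUASI_IDS = ("zip", "birth_year", "sex")


def qid(row, generalize=None):
    """Quasi-identifier tuple of a row, after optional generalization."""
    if generalize is not None:
        row = generalize(row)
    return tuple(row[k] for k in QUASI_IDS)


def linkable_records(released, public, generalize=None):
    """Number of released records whose quasi-identifiers match exactly one
    person in the public register, i.e. records re-identified by a plain join."""
    index = Counter(qid(p, generalize) for p in public)
    return sum(1 for r in released if index[qid(r, generalize)] == 1)


def k_anonymity(released, generalize=None):
    """Size of the smallest group of released records sharing the same
    quasi-identifiers. k == 1 means at least one record is unique."""
    groups = Counter(qid(r, generalize) for r in released)
    return min(groups.values())


def coarsen(row):
    """Constructed generalization policy: 3-digit zip prefix, 20-year birth
    band, sex suppressed. Real policies are chosen per data set."""
    g = dict(row)
    g["zip"] = row["zip"][:3]
    g["birth_year"] = row["birth_year"] // 20 * 20
    g["sex"] = "*"
    return g


def risk_report(released, public, generalize=None):
    """Both metrics side by side, for a pre-release check."""
    return {
        "linkable": linkable_records(released, public, generalize),
        "k": k_anonymity(released, generalize),
    }


if __name__ == "__main__":
    print("as released:", risk_report(RELEASED, PUBLIC))
    print("generalized:", risk_report(RELEASED, PUBLIC, coarsen))
```

On the constructed tables, three of the five released records are uniquely linkable and the release is only 1-anonymous; after the coarsening policy no record links to a single person and every quasi-identifier group has at least two members. The trade-off is that the generalized data is less precise, which is exactly the decision the "Anonymization" point on the previous slide asks data owners to make deliberately.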

Page 12: modern security risks for big data and mobile applications

Lack of well-known Security Controls

Security controls not applied
- Focus on the 3 V's (Volume, Velocity, Variety), not on security
- What about the 3 A's of security?
  - Authorization
  - Access Control
  - Audit

NoSQL DBs lack security
- Transactional integrity
- Authentication
- Consistency
- Injection attacks (like SQL has)

Monitoring & Logging
- SIEM

Infrastructure
- Availability
- Backup / Recovery
- Disaster
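The "injection attacks (like SQL has)" point applies to document stores whose filter is built directly from a parsed request body. The following Python is an added example, not from the original slides and not tied to any product: a tiny in-memory matcher stands in for a document store and understands a constructed subset of MongoDB-style operators (`$ne`, `$in`), so nothing talks to a real database. It shows a lookup that copies the JSON value into the filter as-is next to one that enforces the expected scalar type first. The collection contents and both handlers are assumptions.

```python
"""NoSQL injection: the injection class the slide notes "like SQL has".

Added example, not from the original slides and not tied to any product.
A tiny in-memory matcher stands in for a document store and understands
a constructed subset of MongoDB-style operators ($ne, $in). Because JSON
request bodies are typed, a client can send an object where the server
expected a string; if that value is placed into the query as-is, it is
interpreted as an operator and changes the meaning of the filter.
"""
import json

# Constructed user collection.
USERS = [
    {"username": "alice", "email": "alice@example.invalid"},
    {"username": "bob", "email": "bob@example.invalid"},
]


def _field_matches(value, condition):
    """Equality, or a small operator subset when the condition is an object."""
    if isinstance(condition, dict):
        for op, arg in condition.items():
            if op == "$ne":
                if value == arg:
                    return False
            elif op == "$in":
                if value not in arg:
                    return False
            else:
                raise ValueError(f"unsupported operator: {op}")
        return True
    return value == condition


def find(collection, query):
    """Return documents matching every field condition in the query."""
    return [doc for doc in collection
            if all(_field_matches(doc.get(k), v) for k, v in query.items())]


def vulnerable_lookup(collection, body):
    """Profile lookup that copies the parsed JSON value straight into the
    filter. A string body behaves as intended; an object body does not,
    because the object is evaluated as an operator expression."""
    data = json.loads(body)
    return find(collection, {"username": data["username"]})


def hardened_lookup(collection, body):
    """Same lookup with the expected scalar type enforced before the value
    reaches the query. Allow-listing the type closes the operator path;
    the same check belongs in front of every field taken from the body."""
    data = json.loads(body)
    username = data.get("username")
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    return find(collection, {"username": username})


if __name__ == "__main__":
    body = '{"username": "alice"}'
    print(vulnerable_lookup(USERS, body))
    print(hardened_lookup(USERS, body))
```

The defensive check is the type allow-list in `hardened_lookup`: with it, a body whose `username` is a JSON object is rejected with a `TypeError` before any query is built, whereas `vulnerable_lookup` would evaluate that object as a filter expression and can return every document in the collection. Logging those rejections gives the monitoring layer on this slide something concrete to alert on.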

Page 13: modern security risks for big data and mobile applications


Page 14: modern security risks for big data and mobile applications


Mobile Application Risks


Page 15: modern security risks for big data and mobile applications

Application decomposition

Identification / manipulation of client-side logic
- Static Analysis
- File System Analysis
- Dynamic Analysis
- Reverse Engineering

Obfuscation
- No code obfuscation makes it easier for the bad guys

Own client for attacking
- One of the best ways to attack a client-server application

Logical Flaws
- Implementing business logic in the application that should be done on the server side
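The "Logical Flaws" point is that anything computed on the client can be recomputed by a client the attacker wrote. The following Python is an added example, not from the original slides: a checkout request assembled by a mobile client is handled twice, once by a server that trusts the total and discount the client computed and once by a server that derives the amount from its own catalog and discount table and validates every field it does accept. The catalog, discount codes, request and handler names are constructed.

```python
"""Business logic that belongs on the server.

Added example, not from the original slides. A checkout request built by
a mobile client is handled by two servers: one trusts the total and the
discount the client computed, the other derives everything from
server-side data and treats the client's numbers as untrusted input.
Catalog prices, discount codes and the request are constructed sample
data. Amounts are integer cents to avoid float rounding.
"""

# Constructed server-side catalog and discount table.
CATALOG_CENTS = {"sku-001": 1999, "sku-002": 4000}
DISCOUNT_PERCENT = {"WELCOME10": 10}
MAX_QTY_PER_LINE = 100


def vulnerable_checkout(order):
    """Charges whatever the client says the order costs. The price lookup,
    the discount and the arithmetic all ran on a device the user controls."""
    return order["total_cents"]


def hardened_checkout(order):
    """Recomputes the amount from server-side data. Client-supplied totals
    and percentages are ignored; only SKUs, quantities and a discount code
    are accepted, and each is validated before use."""
    subtotal = 0
    for line in order.get("lines", []):
        sku = line.get("sku")
        qty = line.get("qty")
        if sku not in CATALOG_CENTS:
            raise ValueError(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if (not isinstance(qty, int) or isinstance(qty, bool)
                or not 0 < qty <= MAX_QTY_PER_LINE):
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        subtotal += CATALOG_CENTS[sku] * qty
    if subtotal == 0:
        raise ValueError("empty order")
    # Discount resolved by code on the server; unknown codes give nothing.
    percent = DISCOUNT_PERCENT.get(order.get("discount_code"), 0)
    return subtotal - subtotal * percent // 100


# Constructed request as a tampered client would send it: valid lines,
# but a total of 1 cent "computed" on the client.
TAMPERED_ORDER = {
    "lines": [{"sku": "sku-001", "qty": 2}, {"sku": "sku-002", "qty": 1}],
    "discount_code": "WELCOME10",
    "total_cents": 1,
}

if __name__ == "__main__":
    print("vulnerable server charges:", vulnerable_checkout(TAMPERED_ORDER))
    print("hardened server charges:  ", hardened_checkout(TAMPERED_ORDER))
```

The hardened handler never reads `total_cents`; the only client-supplied values it uses are SKUs, quantities and a discount code, each checked against server-side data. Obfuscating the client (the slide's previous point) raises the effort of reading the app, but it does not change which party is trusted; only moving the decision to the server does that.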

Page 16: modern security risks for big data and mobile applications

Badly defined permissions

App isolation is not secure enough
- Communication between components is a critical area:
  - Activities
  - Services
  - Content Providers
  - Broadcast Receivers

Permissions granted to components
- If not properly secured / set, malicious or other rogue programs can interact with them

3rd-party libraries
- Potential threat, as they might get full access to your application

Page 17: modern security risks for big data and mobile applications

Data-at-Rest / Data-in-Transit

Data on device not secured
- Files or SQLite DB
- Rooted / jailbroken device
- Stolen device
- Encryption? Algorithms, wrapper / container

Communication
- Weak authentication / no 2FA
- No verification of endpoints
- Bad session management
- Harvesting user information
- Encryption: SSL, VPN, App VPN, wrapper
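"No verification of endpoints" usually means a TLS client that was configured to accept any certificate, which gives encryption without authentication of the server. The following Python is an added example, not from the original slides: using only the standard library `ssl` module, it builds that weak client configuration next to one that verifies the certificate chain and host name, and adds a small audit helper that reports the weak settings. No connection is opened; the contexts are only built and inspected. The CA bundle parameter and the helper names are assumptions.

```python
"""Endpoint verification for data in transit.

Added example, not from the original slides. Builds, with the Python
standard library only, the client TLS configuration that "no verification
of endpoints" amounts to, next to a configuration that verifies the
certificate chain and the host name, plus an audit helper that reports
weak settings. No connection is opened. The CA bundle path is an
assumption; None means the platform trust store.
"""
import ssl


def weak_client_context():
    """Accepts any certificate from any host: the traffic is encrypted, but
    the app cannot tell the real server from an interposed one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_client_context(ca_bundle=None):
    """Verifies the chain against the given CA bundle (or the platform
    store when None), checks the host name, and refuses legacy TLS."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the list of weak settings found in a client context; an
    empty list means chain and host name are verified on TLS 1.2+."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("verified:", audit_context(verified_client_context()))
```

The weak context is what an app ends up with when certificate errors during development are "fixed" by turning verification off and the change ships. In a code review, `CERT_NONE`, `check_hostname = False` and their equivalents in the mobile platform's networking APIs are the strings to look for; `audit_context` is the same check expressed against a built context.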

Page 18: modern security risks for big data and mobile applications


Mobile Application Assessment


Page 19: modern security risks for big data and mobile applications

Awareness

Security: Florian van Keulen

BI / Big Data: Gregor Zeiler, Solution Manager; Peter Welker, Principal Consultant

Mobile: Martin Lukow, Senior Solution Manager

Consult / Advice / Plan Together

Page 20: modern security risks for big data and mobile applications

Questions and answers ...

Florian van Keulen

IT Security Officer

[email protected]