(PDF) Yury Chemerkin Ita 2013

Transcript of (PDF) Yury Chemerkin Ita 2013

  • 8/13/2019 (PDF) Yury Chemerkin Ita 2013

    1/45

    SECURITY COMPLIANCE CHALLENGES ON

    YU

    2/45

    EXPERIENCED IN:
    REVERSE ENGINEERING & AV
    SOFTWARE PROGRAMMING & DOCUMENTATION
    MOBILE SECURITY AND MDM
    CYBER SECURITY & CLOUD SECURITY
    COMPLIANCE & TRANSPARENCY
    FORENSICS AND SECURITY WRITING (HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA)

    PARTICIPATION AT CONFERENCES:
    INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCON MOSCOW, HACKTIVITY, HACKFEST,
    CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE / INTELLIGENCE-SEC, ICITST, CTICON (CYBERTIMES), DEEPINTEL / DEEPSEC, I-SOCIETY

    [ YURY CHEMERKIN ]

    www.linkedin.com/in/yurychemerkin
    http://sto-strategy.com
    yury.s@che
    3/45

    I. Opinions & Facts

    4/45

    Cloud Issues

    Known Issues:
    Threats
    Privacy
    Compliance
    Legal
    Vendor lock-in
    Open source / Open standards
    Security
    Abuse
    IT governance

    Known Solutions / Opinions:
    Ambiguity of terminology
    Customization, security solu
    Crypto anarchism
    CSA, ISO, PCI, SAS 70
    Typically US location
    Platform, Data, Tools lock-in
    Top clouds are not open-source
    Physical clouds more secure
    Botnets and malware infect
    Depends on organization ne
    Reference to wide services,

    5/45

    What is about Public Clouds
    Some known facts about AWS & Azure in order to issues mentioned

    Top clouds are not open source: OpenStack is API-compatible with Amazon EC2 and Amazon S3, and thus client applications written for AWS can be used with OpenStack with minimal porting effort, while Azure is not.

    Platform lock-in: there are import/export tools to migrate from/to VMware, while Azure doesn't have them.

    Data lock-in: native AWS solutions linked with Cisco routers for upload, download and tunneling, as well as 3rd-party storage like SMEStorage (AWS, Azure, Dropbox, Google, etc.).

    Tools lock-in: longing for an inter-cloud ma
    industrial and built with comp

    APIs lock-in: longing for inter-cloud APIs, h
    known inter-OS APIs for PC, M

    No transparency: weak compliance and transpa
    and NDA relationships betwee
    third party auditors and exper

    Abuse: abusing is not a new issue and
    AWS Vulnerability Bulletins as
    response and stay tuned

    6/45

    Clouds: Public vs. Private
    Known security issues of Public Clouds and significant researches on

    "All Your Clouds are Belong to us - Security Analysis of Cloud Management Interfaces", 3rd ACM Cloud Computing Security Workshop (CCSW), October 2011
    A black-box analysis methodology of AWS control interfaces, compromised via XSS techniques, HTML injection and MITM
    [AWS] :: Reported SOAP Request Parsing Vulnerabilities
    Mitigations:
    Use SSL/HTTPS only, with certificate validation, and use API access mechanisms like REST/Query instead of SOAP
    Activate access via MFA and create IAM accounts limited in access; rotate AWS credentials, enhanced with key pairs and X.509 certificates
    Limit IP access, enhanced with API/SDK & IAM

    "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software", ACM Conference on Computer and Communications Security (CCS), October 2012
    Incorrect behavior in the SSL (certificate validation) mechanisms of AWS SDK for
    [AWS] :: Reported SSL Certificate Validation ... Tools and SDKs
    Despite that, AWS has updated
    services) to redress it
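    The certificate-validation defect the two papers above describe is easy to reproduce in any non-browser client. The block below is an added example, not code from this deck or from any AWS SDK: it builds the weak client context such software shipped with, a "legacy" context that validates but still accepts old protocol versions, the hardened context the first mitigation above calls for, and a small audit function that tells them apart. All function names are this example's own.

```python
"""Client-side TLS settings audit for the defect class the two papers above
describe: non-browser software that reaches a cloud API with certificate or
hostname validation switched off. Added example; not code from the deck or
from any AWS SDK. Function names are this example's own.
"""
import ssl


def weak_client_context():
    """The anti-pattern: any certificate is accepted and the hostname is never
    compared with it, so an on-path attacker holding a self-signed certificate
    can read and rewrite every API call (the CCS 2012 paper's finding)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def legacy_client_context():
    """Validates chain and hostname but still negotiates old protocol versions:
    a common 'it works now' state after the original bug was patched."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """What 'SSL/HTTPS only with certificate validation' means in practice:
    chain validation against the platform trust store, hostname check,
    and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the list of findings for a client SSLContext; an empty list
    means the context is acceptable for talking to an API endpoint."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, factory in [("weak", weak_client_context),
                          ("legacy", legacy_client_context),
                          ("hardened", hardened_client_context)]:
        print(name, audit_context(factory()) or ["ok"])
```

    The same three checks can be run against any SSLContext an SDK hands back before it is used for a request; a context that fails the first two is the exact condition the 2012 paper measured.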

    7/45

    Clouds: Public vs. Private
    It is generally known that private clouds are the most secure. There is no PoC to prove the statement.

    [AWS] :: Xen Security Advisories
    There are known Xen attacks (Blue Pill, etc.)
    No Xen vulnerability has been applied to AWS, Azure or SaaS/PaaS services
    Very customized clouds

    [CSA] :: CSA "The Notorious Nine: Cloud Computing Top Threats in 2013"
    Replaced a document published in 2009
    Such best practices provide only a minimum level of security
    No significant changes since 2009, even in the examples

    Top Threats Examples
    1.0 Threat: Data Breaches // "Cross-VM Side Channels and Their Use to Extract Private Keys"
    7.0 Threat: Abuse of Cloud Services // the same "Cross-VM Side Channels and Their Use to Extract Private Keys"
    4.0 Threat: Insecure Interfaces and APIs

    Besides the Reality of CSA Threats
    1.0 & 7.0 cases highlight how
    e.g. AWS EC2 are vulnerable
    1.0 & 7.0 cases are totally foc
    cloud case (VMware and Xen
    known way to adopt it to AW
    4.0 case presents issues raise
    not related to public clouds (e
    SkyDrive) and addressed to in

    8/45

    II. CSA Framework

    9/45

    Diagram: Compliance Model = Basic Security Model + Enhanced Security Model + Cloud Model; Cloud: CSA CAIQ; Mapping: CSA CCM

    10/45

    11/45

    12/45

    II. NIST Framework

    13/45

    14/45

    15/45

    NIST Framework

    Complementarity
    NIST enhanced controls
    Your own security controls

    Interchangeability
    Replacing basic controls by enhanced controls

    Expansibility
    impact or support the implementation of a particular security control or control enhancement
    Your own way to improve a framework

    Mapping (NIST, ISO only)
    NIST -> ISO
    ISO -> NIST
    NIST -> Common Criteria (rev4 only)

    16/45

    NIST Framework
    Interchangeability

    Basic controls aren't applicable in case of:
    Information systems that need to communicate with other systems across different policy
    APT
    Insider threats
    Mobility (mobile location, non-fixed)
    Single-user operations

    17/45

    III. Clouds

    18/45

    Clouds

    Amazon Web Services: generally IaaS, + SaaS, PaaS
    Microsoft Azure: generally PaaS; recent changes: IaaS
    BlackBerry Enterprise Service: separated; integrated with Office 365; SaaS as an MDM solution

    19/45

    20/45

    BlackBerry

    21/45

    Diagram (BES 5 vs. BES 10): BES 5 manages BlackBerry OS 4, 5, 6, 7 devices; BES 10 (Unified Device Platform, Unified Management) manages BlackBerry Z10/Q10, PlayBook, Android and iOS, with Office / Office 365 integration and Cisco/Vo

    22/45

    IV. Cloud & Compliance Specific

    23/45

    Cloud & Compliance Specific

    There is no one cloud
    There is no one standard
    What vision is adopted by cloud vendors?
    What vision is adopted by cloud operators (3rd party)?
    What is your way to use and manage the cloud?
    All of that is reflected in the
    There are many models and architectures
    There are many ways to build alignment to
    Virtualizing of anything able t
    Data distribution, service distribution, management
    Clear
    compliance requirements

    24/45

    Cloud & Compliance Specific

    The goal is bringing transparency to cloud controls and features, especially security controls and features
    Such documents claim to be up to date with expert-level understanding of significant threats and vulnerabilities
    Unifying recommendations for all clouds
    Up to now, it is the 3rd revision
    All recommendations are linked with other standards: PCI DSS, ISO, COBIT, NIST, FedRAMP
    CSA's own vision of how it must be referred to
    Top known cloud vendors announce compliance with it
    Some of the reports are getting old by now
    Customers have to control their e
    needs
    Customers want to know whether it
    especially local regulations and how f
    Customers want to know whether i
    transparency to let to build an approp

    There is no one cloud
    There is no one standard
    There are many models and architectures
    There are many ways to build a cloud in a

    25/45

    Cloud & Compliance Specific
    Compliance, Transparency, Elabo

    CAIQ/CCM provide an equivalent of recommendations over several standards; CAIQ provides more details on security and privacy, but NIST is more specific
    CSA recommendations are poor in technical details
    It helps vendors not to have their solutions worked out in detail and/or badly documented
    It helps them to put a lot of references to 3rd-party reviews under NDA (SOC 1 or SAS 70)
    Bad idea to let vendors fill such documents:
    They provide fewer public details
    They take it to NDA reports
    Vendors' general explanations mu
    standards recommendations are extr
    transparency
    Clouds call for specific levels of a
    reporting, security controlling and data
    It is often not a part of the SLA offe
    It is outside recommendations
    AWS often falls in details with their arc
    AWS solutions are very well to be in
    standards and specific local regulations
    NIST 800-53, or even Russian s
    (however the Russian framew
    framework)

    Description / DIFFERENCE (AWS vs. AZURE)
    Third Party Audits: as opposed to AWS, Azure does not have a clearly defined statement whether their custo

    26/45

    Compliance: from Cloud Vendors' viewpoint
    Compliance, Transparency, Elabo

    (Third Party Audits, continued) vulnerability test
    Information System Regulatory Mapping: AWS goes into detail to comply with it, which results in differences between CAIQ and CCM
    Handling / Labeling / Security Policy: AWS details what customers are allowed to do and how exactly, while Azure does not
    Retention Policy: AWS points to the customers' responsibility to manage data, excludes moving between Availabil
    ensures on validation and processing with it, and indicates data historical auto-backup
    Secure Disposal: no serious difference; AWS additionally relies on DoD 5220.22, while Azure relies on NIST 800-88 only
    Information Leakage: AWS relies on AMI and EBS services, while Azure relies on data integrity
    Policy, User Access, MFA: no difference; both have it
    Baseline Requirements: AWS provides more highly detailed how-to docs than Azure, allows importing a trusted VM from VMw
    Encryption, Encryption Key Management: AWS offers encryption features for VM, storage, DB, networks, while Azure does for XStore (Azure
    Vulnerability / Patch Management: AWS allows their customers to ask for their own pentest, while Azure does not
    Nondisclosure Agreements, Third Party Agreements: AWS highlights that they do not leverage any 3rd-party cloud providers to deliver AWS services; the procedures, NDA undergone with ISO
    User ID Credentials: besides AD (Active Directory), the AWS IAM solution is in alignment with both CAIQ and CCM requi
    the AD to perform these actions
    (Non)Production environments, Network Security: AWS provides more detailed how-to documents to having a compliance
    Segmentation: besides vendor features, AWS provides quite similar mechanisms in alignment with CAIQ & CCM, whi
    infrastructure on a vendor side
    Mobile Code: AWS points their clients to be responsible to meet such requirements, while Azure points to build

    27/45

    Compliance: from CSA's viewpoint
    Examination of CSA

    Consumer Relationship only: everything except SA-13 ("Location-aware technologies may be used to validate authentication integrity based on known equipment location")
    Vendor Relationship only: requirements include technical and management solutions
    Consumer Relationship shared with Vendor: includes non-technical solutions only, such as policies, roles, procedures, training
    All requirements cover SaaS, PaaS, IaaS cloud types
    General requirements only
    Missing details (like DoD)

    28/45

    Compliance: from CSA's viewpoint
    Examination of CSA References: NIST

    Data Governance - Information Leakage (DG-07): "Security mechanisms shall be implemented to prevent data leakage" refers to
    AC-2 Account Management
    AC-3 Access Enforcement
    AC-4 Information Flow Enforcement
    AC-6 Least Privilege (the most correct reference)
    AC-11 Session Lock
    General requirements only

    "Security mechanisms shall be implemented to prevent data leakage" misses in turn (no reference):
    AC-7 Unsuccessful Login Attempts
    AC-8 System Use Notification
    AC-9 Previous Logon (Access) Notification
    AC-10 Concurrent Session Control

    29/45

    Compliance: from CSA's viewpoint
    Examination of CSA References: ISO

    Data Governance - Information Leakage (DG-07): "Security mechanisms shall be implemented to prevent data leakage" also refers to ISO A.10.6.2 Security of network services
    A.10.6.2 refers to NIST in turn:
    CA-3 Information System Connections
    SA-9 External Information System Services
    SC-8 Transmission Integrity
    SC-9 Transmission Confidentiality
    DG-07 should in fact refer to PE-19 Information Leakage
    It could include the NIST requirement AC-6 Least Privilege too
    A few of them are applicable in the case of Cloud MDM and should be extended by different to

    30/45

    Cloud & Compliance Specifics. Examp
    CSA Cloud :: Azure

    Data Governance (NIST :: access control, media, management, etc.)
    Ownership / Stewardship
    Classification
    Handling / Labeling / Security Policy
    Retention Policy
    Secure Disposal
    Non-Production Data
    Information Leakage
    Risk Assessments

    Azure's vision - distribution of inform
    CSA, ISO is better applicable t
    NIST is applicable as a custom
    Best way is to adopt NIST enhanc
    Need to remap CSA -> NIST rev4

    Technical / Access Contr
    Attributes
    Attribute Configuration
    Permitted Attributes for InfoSystems
    Permitted Values and Ra

    31/45

    Cloud & Compliance Specifics. Examp
    NIST Cloud :: AWS

    Access Control
    Account, Session Management
    Access / Information Flow Enforcement
    Least Privilege, Security Attributes
    Remote / Wireless Access

    AWS's vision is not data distributio
    NIST is better applicable than
    NIST is applicable as a custom
    There are many enhancements (AC-2 control enhancements in SP 800-53 rev4):
    Dynamic Account Creation
    Restrictions on Use of Shared/Group Accounts
    Group Account Request Approvals/Renewals
    Account Monitoring / Atypical Usage
    e.g. :: log-delivery-write

    32/45

    Cloud & Compliance Specifics. Examp
    CSA / NIST Cloud :: AWS

    AWS's vision is not data distribution; however, CSA :: Data Governance is applicable from the resource-based viewpoint
    Resource-based policy: attached to a resource
    AWS's vision is not data distribution; however, NIST :: Access Control is applicable from the user-based viewpoint
    Account-based policy: attached to users
    Define that policy for MDM users to access internal network resources
    Combine with a mobile policy
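    As an added example for the two policy types this slide distinguishes, and for the mitigations listed on the "Clouds: Public vs. Private" slide (MFA, IAM accounts limited in access, IP restriction), here is a small evaluator that is not AWS code and not part of the deck: it combines an identity-based policy attached to the MDM users with a resource-based policy attached to the bucket, under IAM's explicit-deny-wins rule. Only a subset of IAM semantics is modelled (Allow/Deny, '*' wildcards, the IpAddress and Bool operators with the aws:SourceIp, aws:MultiFactorAuthPresent and aws:SecureTransport keys); the bucket name, address ranges and request contexts are constructed sample data, and the function names are this example's own.

```python
"""Minimal model of IAM policy evaluation for the two policy types on the slide.
Added example; not AWS code and not part of the original deck. Only a subset of
IAM semantics is modelled: Allow/Deny statements, '*' wildcards in Action and
Resource, the IpAddress and Bool condition operators, and the combining rule
"any explicit Deny wins, otherwise any Allow, otherwise deny". Bucket name,
address ranges and request contexts below are constructed sample data.
"""
import fnmatch
import ipaddress

# Identity-based policy attached to the MDM users (the slide's "account based
# policy"): read the device-config bucket, but only from the corporate ranges
# and only when the caller authenticated with MFA.
MDM_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-mdm-config",
                     "arn:aws:s3:::example-mdm-config/*"],
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/25"]},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
}

# Resource-based policy attached to the bucket itself: an explicit Deny for any
# access that does not arrive over TLS, whatever the user policy allows.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-mdm-config/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True only if every operator/key pair in the Condition block is satisfied.
    A key missing from the request context never satisfies a condition, and an
    operator this model does not know fails closed."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(cidr) for cidr in _as_list(wanted)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(_as_list(wanted)[0]).lower():
                    return False
            else:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    """Does this statement cover the action and resource, with conditions met?"""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """Return 'allow' or 'deny' for one request against all applicable policies."""
    decision = "deny"                       # implicit deny is the default
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "deny"           # an explicit Deny is final
                decision = "allow"
    return decision


# Constructed request contexts: the same read by the same user under the
# conditions the slide's mitigations are meant to distinguish.
OBJECT = "arn:aws:s3:::example-mdm-config/policy.json"
POLICIES = [MDM_USER_POLICY, BUCKET_POLICY]
CONTEXT_OK = {"aws:SourceIp": "203.0.113.25",
              "aws:MultiFactorAuthPresent": "true",
              "aws:SecureTransport": "true"}


def demo():
    """Decisions for: compliant read, no MFA, foreign address, plain HTTP, write."""
    return {
        "ok": evaluate(POLICIES, "s3:GetObject", OBJECT, CONTEXT_OK),
        "no_mfa": evaluate(POLICIES, "s3:GetObject", OBJECT,
                           dict(CONTEXT_OK, **{"aws:MultiFactorAuthPresent": "false"})),
        "outside": evaluate(POLICIES, "s3:GetObject", OBJECT,
                            dict(CONTEXT_OK, **{"aws:SourceIp": "192.0.2.9"})),
        "plaintext": evaluate(POLICIES, "s3:GetObject", OBJECT,
                              dict(CONTEXT_OK, **{"aws:SecureTransport": "false"})),
        "write": evaluate(POLICIES, "s3:PutObject", OBJECT, CONTEXT_OK),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:10s} -> {decision}")
```

    The point of putting the TLS requirement in the bucket policy rather than the user policy is the combining rule: a resource-based Deny cannot be undone by any later grant to a user or group, which is what "combine with a mobile policy" needs to rely on.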

    33/45

    COMPLIANCE AND MDM
    CSA Mobile Device Management: Key Components / NIST SP 800-124

    CSA MDM key components:
    Device diversity
    Configuration management
    Software distribution
    Device policy compliance & enforcement
    Enterprise activation
    Logging
    Security settings
    Security wipe, lock
    IAM
    Make sure you start managing security under uncertain terms without AI

    NIST SP 800-124:
    Refers to NIST SP 800-53 and other
    Sometimes missed requirem
    locking device, however it i
    A bit more detail than CSA
    No statements on permission man
    Make sure you start managing uncertain terms without AI

    34/45

    = , , ,

    set of OS permissions, set of device permissions, set

    of MDM permissions, set of missed permissions (lack of

    controls), set of rules are explicitly should be applied to gain

    a compliance

    = + ,

    set of APIs , set of APIs that interact with sensitive data,

    set of APIs that do not interact with sensitive data

    To get a mobile security designed with full granularity the set

    should be empty set to get instead of , so

    the matter how is it closer to empty. On another hand it should

    find out whether assumptions , are true and if it is

    possible to get .

    Set of permissions < Set of activities ef
    typical case < 100%,
    ability to control each API = 100%
    More than 1 permission per API > 10
    lack of knowledge about possi
    improper granularity

    [ DEVICE MANAGEMENT ]
    Concurrency over native & additional security features
    The situation is very serio
    MDM features

    35/45

    [ DEVICE MANAGEMENT ]
    APPLICATION LEVEL ATTACK VECTOR

    GOALS - MOBILE RESOURCES / AIM OF ATTACK: DEVICE RESOURCES; OUTSIDE-OF-DEVICE RESOURCES
    ATTACKS - SET OF ACTIONS UNDER THE THREAT
    APIs - RESOURCES WIDELY AVAILABLE TO CODERS
    SECURITY FEATURES - KERNEL PROTECTION, NON-APP FEATURES; PERMISSIONS - EXPLICITLY CONFIGURED; 3RD PARTY - AV, FIREWALL, VPN, MDM
    COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO

    Diagram: Attacks -> APIs -> MDM feature (AV, MDM, DLP, VPN)

    36/45

    [ BLACKBERRY. PERMISSIONS ]
    Columns: BB 10 Cascades SDK | BB 10 AIR SDK | PB (ND...); marks are listed in that column order as extracted

    Background processing: + +
    BlackBerry Messenger: -
    Calendar, Contacts: + via invo
    Camera: + +
    Device identifying information: + +
    Email and PIN messages: + via invo
    GPS location: + +
    Internet: + +
    Location: +
    Microphone: + +
    Narrow swipe up: - +
    Notebooks: +
    Notifications: + +
    Player: - +
    Phone: +
    Push: +
    Shared files: + +
    Text messages: +
    Volume: - +

    37/45

    [ iOS. Settings ]
    Component / Unit

    Restrictions :: Native applications: Safari; Camera, FaceTime; iTunes Store, iBookstore, Siri; Manage applications*
    Restrictions :: 3rd-party applications: Manage applications*; Explicit Language (Siri); Privacy*, Accounts*; Content Type Restrictions*

    Unit subcomponents
    Privacy :: Location: per each 3rd-party app; for system services
    Privacy :: Private Info: Contacts, Calendar, Reminders, P; Bluetooth Sharing; Twitter, Facebook
    Accounts: disables changes to Mail, Contacts, Calendars, iClou; Find My Friends; Volume limit
    Content Type Restrictions: ratings per country and regio; Music and podcasts; Movies, Books, Apps, TV show; In-app purchases; Require Passwords (in-app purch; Game Center Multiplayer Games; Adding Friends (Game Center
    Manage applications: Installing Apps; Removing Apps

    38/45

    [ Android. Permissions ]
    List contains ~150 permissions. I have seen that on old BlackBerry

    ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS,
    SET_ACTIVITY_WATCHER, SE
    SET_ANIMATION_SCALE, SET
    SET_POINTER_SPEED, SET_P
    ROCESS_LIMIT, SET_TIME, SET
    ET_WALLPAPER_HINTS, SIGN
    TUS_BAR, SUBSCRIBED_FEED
    ITE, SYSTEM_ALERT_WINDOW
    REDENTIALS, USE_SIP, VIBRAT
    TINGS, WRITE_CALENDAR, W
    TS, WRITE_EXTERNAL_STORA
    STORY_BOOKMARKS, WRITE_
    GS, WRITE_SETTINGS, WRITE_
    RITE_SYNC_SETTINGS, WRITE

    39/45

    [ Android. Permission Groups ]
    But there are only 30 permission groups. I have seen that on old BlackBerry

    ACCOUNTS, AFFECTS_BATTERY, APP_INFO, AUDIO_SETTINGS, BLUETOOTH_NETWORK, BOOKMARKS, CALENDAR, CAMERA, COST_MONEY, DEVELOPMENT_TOOLS, DEVICE_ALARMS, DISPLAY, HARDWARE_CONTROLS, LOCATION, MESSAGES, MICROPHONE, NETWORK, PERSONAL_INFO, PHONE_CALLS, SCREENLOCK, SOCIAL_INFO, STATUS_BAR, STORAGE, SYNC_SETTINGS, SYSTEM_CLOCK, SYSTEM_TOOLS, USER_DICTIONA, VOICEMAIL, WALLPAPER, WRITE_USER_D

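    As an added example, not from the deck, of the set reasoning on the "[ DEVICE MANAGEMENT ]" slide applied to the Android permission model shown on the last two slides: parse the permissions an app requests, intersect them with the permissions that touch sensitive data, and report which of those an MDM profile has no switch for (the slide's "missed permissions, lack of controls"). The manifest fragment, the sensitive-permission list and the MDM-controllable list are constructed sample data, not the real lists for any OS release or MDM product, and the function names are this example's own.

```python
"""Permission-coverage check in the spirit of the '[ DEVICE MANAGEMENT ]'
slide, applied to the Android permission model on the previous two slides.
Added example, not from the deck. The manifest fragment, the 'sensitive' list
and the 'MDM-controllable' list are constructed sample data; real lists depend
on the OS release and the MDM product, and all names here are this example's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment standing in for an app submitted for enrollment.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fieldapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Constructed: permissions whose APIs touch data the deck treats as sensitive
# (the slide's "set of APIs that interact with sensitive data").
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
}

# Constructed: permissions a hypothetical MDM profile can switch off
# device-wide (the slide's "set of MDM permissions").
MDM_CONTROLLABLE = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}


def requested_permissions(manifest_xml):
    """Set of <uses-permission> names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def coverage_report(requested, sensitive=SENSITIVE, controllable=MDM_CONTROLLABLE):
    """Split the requested set the way the slide reasons about it."""
    sensitive_requested = requested & sensitive
    controlled = sensitive_requested & controllable
    uncontrolled = sensitive_requested - controllable   # "missed permissions"
    coverage = len(controlled) / len(sensitive_requested) if sensitive_requested else 1.0
    return {
        "sensitive": sorted(sensitive_requested),
        "controlled": sorted(controlled),
        "uncontrolled": sorted(uncontrolled),
        "coverage": coverage,
    }


def is_compliant(report):
    """Full granularity in the slide's terms: nothing sensitive is uncontrolled."""
    return not report["uncontrolled"]


if __name__ == "__main__":
    report = coverage_report(requested_permissions(SAMPLE_MANIFEST))
    print(f"MDM covers {report['coverage']:.0%} of the sensitive permissions requested")
    for name in report["uncontrolled"]:
        print("  no MDM control for", name)
    print("compliant:", is_compliant(report))
```

    Run against a real manifest (e.g. one extracted with aapt), the uncontrolled list is the part of an app's sensitive-data access that has to be handled by something other than the MDM: app vetting, a DLP agent, or not enrolling the app at all.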

    40/45

    MDM. Extend your device security capa
    Android: controlled, four groups

    CAMERA AND VIDEO: hide the default camera application
    PASSWORD: define password properties: require letters (incl. case), require numbers, require special characters; delete data and applications from the device after a set number of incorrect password attempts; device password; enable auto-lock; limit password age; limit password history; restrict password leng; minimum length for the password that is allow
    ENCRYPTION: apply encryption rules; encrypt internal devic
    TOUCHDOWN SUPPORT: Microsoft Exchange sy; email profiles; ActiveSync

    41/45

    MDM. Extend your device security capa
    iOS: controlled, 16 groups

    BROWSER: default app; autofill, cookies, JavaScript, popups
    CAMERA, VIDEO, VIDEO CONF: output, screen capture, default app
    CERTIFICATES (untrusted certs)
    CLOUD SERVICES: backup / document / picture / sharing
    CONNECTIVITY: network, wireless, roaming; data, voice when roaming
    CONTENT: content (incl. explicit); rating for apps / movies / TV shows / regions
    DIAGNOSTICS AND USAGE (submission logs)
    MESSAGING (default app)
    ONLINE STORE: online stores, purchases, passw; default store / book / music app
    PASSWORD (the same as with Android, new Bla
    PHONE AND MESSAGING (voice dialing)
    PROFILE & CERTs (interactive installation)
    SOCIAL (default app): social apps / gaming / adding fri; default social-gaming / social-v
    STORAGE AND BACKUP: device backup and encryption
    VOICE ASSISTANT (default app)

    42/45

    MDM. Extend your device security capa
    BlackBerry (new, 10, QNX): controlled, 7 groups only

    GENERAL: mobile hotspot and tethering; Plans app, AppWorld; password (the same as with Android, iOS); BES management (smartphones, tablets)
    SOFTWARE: open work email message links in the personal browser; transfer through work perimeter to same/another device; BBM Video access to work network; video chat app uses organization's Wi-Fi/VPN network
    SECURITY: wipe work space without network, restrict dev. mode; voice control & dictation in work & user apps; backup and restore (work) & desktop software; PC access to work & personal space (USB, BT); personal space data encryption; network access control for wo; personal apps access to work co; share work data during BBM vid; work domains, work network u
    EMAIL PROFILES: certificates & ciphers & S/MIME; hash & encryption algs and key p; task/memo/calendar/contact/d
    WI-FI PROFILES: access point, default gateway, D; proxy password/port/server/su
    VPN PROFILES: proxy, SCEP, auth profile params; tokens, IKE, IPsec, other params; proxy ports, username, other pa

    43/45

    MDM. Extend your device security capa
    BlackBerry (old): huge amount of permissions are MD

    THERE ARE 55 GROUPS CONTROLLED IN ALL
    EACH GROUP CONTAINS FROM 10 TO 30 UNITS
    ARE CONTROLLED TOO
    EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMS INSTEAD OF A PLAIN DISABLE/ENABLE & HIDE/UNHIDE
    EACH EVENT IS CONTROLLED BY A CERTAIN PERMISSION, AND IS ALLOWED TO BE CONTROLLED BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE
    DESCRIBED IN 360 PAGES IN ALL, THAT IS FOUR TIMES MORE THAN OTHER DOCUMENTS
    EACH UNIT CAN'T CONTROL ACT
    ITSELF
    CREATE, READ, WRITE/S
    DELETE ACTIONS IN REG
    MESSAGES LEAD TO SPO
    REQUESTING A MESSAG
    ONLY SOME PERMISSIONS ARE
    DELETE ANY OTHER APP
    SOME PERMISSIONS ARE
    WHICH 3RD PARTY PLUGI
    IN, INSTEAD OF THAT PLU

    44/45

    CONCLUSION

    The best security & permissions are those ruled by AWS
    Most cases are not clear according to the roles and responsibilities of cloud vendors & customers
    Swapping of responsibilities may happen, shifting the vendor's job onto the customer's shoulders
    Referring to independent audit reports under NDA as many times as they can
    CSA puts cross-references to other standards, which adds to complexity & lack of clarity more than NIST SP 800-53 does

    Diagram: Select Security Controls -> Check Scope (CSA) -> Define Granularity -> Apply CSA as common -> Remap to NIST -> Improve basic CSA (N enh)

    http://scribd.com/ychemerkin
    45/45

    Q & A

    https://plus.google.com/108216608239392698703
    https://twitter.com/sto_blog
    https://twitter.com/yury.chemerkin
    http://scribd.com/ychemerkin
    https://www.facebook.com/yury.chemerkin
    http://www.slideshare.net/YuryChemerkin/
    http://www.linkedin.com/in/yurychemerkin
    http://sto-strategy.com/
    http://eforensicsmag.com/
    http://pentestmag.com/
    http://hakin9.org/