Cloud, social networking and BYOD collide!
Transcript of Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!
Peter Wood, Chief Executive Officer
First Base Technologies
Slide 2 © First Base Technologies 2012
Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First Base in 1989 (one of the first ethical hacking firms)
CEO, First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Member of ISACA Security Advisory Group
Vice Chair of BCS Information Risk Management and Audit Group
UK Chair, Corporate Executive Programme
FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa
Cloud
What's Different in Cloud
IaaS (Infrastructure as a Service)
PaaS (Platform as a Service)
SaaS (Software as a Service)
Security ownership shifts along this spectrum: with IaaS security is mostly YOU; with SaaS it is mostly THEM. Whatever the model, the customer still owns the decision about which data goes there and which accounts can reach it.
Just a little brainstorm
Social Networking
Yada yada yada
• People have always talked about work to their friends
• What has changed is the nature of how we interact
• We talk about our lives on our blogs, on social networking sites such as Facebook and Twitter, and on message boards pertaining to the work we're doing
• What was once intimate and ephemeral is now available to the whole world, indexed by Google, and archived for posterity
• A good open-source intelligence gatherer can learn a lot about what a company is doing by monitoring its employees’ online activities
Bruce Schneier
Social networks vulnerabilities
Why APT works
BYOD
Data loss
• Unencrypted storage and backup
• Poor or missing passwords and PINs
• No automatic screen lock
• Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords
Network spoofing
• Mobile devices use wireless communications exclusively, and often public WiFi
• SSL/TLS can fall victim to a downgrade attack if the app allows HTTPS to be degraded to HTTP (for example by following a redirect to a plain-HTTP URL)
• SSL/TLS is also defeated if the app does not fail on an invalid certificate, which lets a rogue access point mount a MITM attack with a certificate of its own
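The two client-side mistakes above, shown side by side in Python with the standard library only. This is an added example, not code from the talk or from First Base Technologies: the hostnames and the table of redirect responses are constructed stand-ins (the `bank.example` 302 plays the part of a rogue access point injecting a redirect to plain HTTP), and `allow_redirect` is a policy written for this illustration.

```python
import ssl
from urllib.parse import urljoin, urlsplit


class DowngradeError(Exception):
    """Raised when a redirect would move an HTTPS request onto plain HTTP."""


def weak_tls_context() -> ssl.SSLContext:
    # The mistake the slide describes: the app accepts any certificate, so a
    # rogue access point can present its own and read or alter the traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_tls_context() -> ssl.SSLContext:
    # Verify the chain against the platform trust store, match the hostname,
    # and refuse anything older than TLS 1.2. create_default_context() already
    # sets CERT_REQUIRED and check_hostname; we only pin the minimum version.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_fails_closed(ctx: ssl.SSLContext) -> bool:
    """True only if an invalid certificate will abort the handshake."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def allow_redirect(current_url: str, location: str) -> bool:
    """Redirect policy: once on HTTPS, never follow a Location to plain HTTP."""
    cur, nxt = urlsplit(current_url), urlsplit(location)
    if not nxt.scheme:                  # relative target keeps the current scheme
        return True
    if cur.scheme == "https" and nxt.scheme != "https":
        return False
    return nxt.scheme in ("http", "https")


# Constructed responses standing in for a server (and, for bank.example, for a
# rogue access point injecting a 302 to plain HTTP). These are not real hosts.
CONSTRUCTED_RESPONSES = {
    "https://bank.example/": (302, "http://bank.example/login"),
    "http://bank.example/login": (200, None),
    "https://api.example/v1": (302, "/v1/auth"),
    "https://api.example/v1/auth": (200, None),
}


def resolve(start_url: str, responses=CONSTRUCTED_RESPONSES, max_hops: int = 5) -> str:
    """Walk the redirect chain under the policy and return the final URL."""
    url = start_url
    for _ in range(max_hops):
        status, location = responses[url]
        if status != 302:
            return url
        if not allow_redirect(url, location):
            raise DowngradeError(f"refusing {url} -> {location}")
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")


def downgrade_is_blocked(start_url: str) -> bool:
    """Convenience check: does the policy stop this chain from reaching HTTP?"""
    try:
        resolve(start_url)
    except DowngradeError:
        return True
    return False


if __name__ == "__main__":
    print("weak context fails closed:", context_fails_closed(weak_tls_context()))
    print("hardened context fails closed:", context_fails_closed(hardened_tls_context()))
    print("same-scheme redirect ends at:", resolve("https://api.example/v1"))
    print("downgrade blocked:", downgrade_is_blocked("https://bank.example/"))
```

A quick review heuristic for a mobile app's network layer follows from the two checks: look for any code path that clears hostname checking or sets `CERT_NONE` (or the platform equivalent), and confirm that the HTTP client's redirect handling refuses a scheme change from HTTPS to HTTP.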
Spyware
http://www.f-secure.com/en/web/labs_global/whitepapers/reports
UI impersonation
• Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application
• Victim is asked to authenticate and ends up sending their credentials to an attacker
http://blogs.mcafee.com/mcafee-labs/android-malware-pairs-man-in-the-middle-with-remote-controlled-banking-trojan
BYOD risks
• Data loss: a stolen or lost phone with unprotected memory allows an attacker to access the data on it
• Unintentional data disclosure: most apps have privacy settings but many users are unaware that data is being transmitted, let alone know of the existence of the settings to prevent this
• Network spoofing attacks: an attacker deploys a rogue network access point and intercepts user’s data or conducts MITM attacks
• Phishing: an attacker collects user credentials using fake apps or messages that seem genuine.
• Spyware: the smartphone has spyware installed allowing an attacker to access or infer personal data
• Surveillance: spying using open microphone and/or camera
• Diallerware: an attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers
• Financial malware: malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions
The Collision
How Security sees Management?
How Management sees Security?
The Solution?
Make it real!
Identify real threats
Identify real impact
Demonstrate the risk
Now for the science bit …
Business Impact Level
A successful exploit will result in compromise of Confidentiality, Integrity or Availability of an asset
• Level 1: negligible impact
• Level 2: limited consequences
• Level 3: significant impact
• Level 4: very high impact, requiring external assistance and possible financial support
• Level 5: major risk which seriously endangers business processes and prevents continuity
Threat Actors
• System and Service Users: regular users, admins, end users, shared service users
• Direct Connections: service providers, other business units
• Indirect Connections: network users, internet users
• Supply Chain: developers, hardware support
• Physically Present: regular users, admins, visitors, war drivers, intruders
Threat Actor Capability
1. Very little: almost no capabilities or resources
2. Little: an average untrained computer user
3. Limited: a trained computer user
4. Significant: a full-time well-educated computer expert using publicly available tools
5. Formidable: a full-time well-educated computer expert using bespoke attacks
Threat Actor Motivation
1. Very low: Indifferent
2. Low: Curious
3. Medium: Interested
4. High: Committed
5. Very high: Focused
Threat = Capability x Motivation (each scored 1 to 5, so Threat ranges from 1 to 25)
Example Threat Actor Analysis
Risk = Impact x Threat (Business Impact Level 1 to 5, so Risk ranges from 1 to 125)
Example Risk for Impact Level of 3
Example Prioritised Risk List
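The scoring method of the last few slides (Business Impact Level, Threat Actor Capability and Motivation, Threat = Capability x Motivation, Risk = Impact x Threat, then a prioritised list) carried through in Python. This is an added example, not the speaker's own worksheet or tool: the scale names come from the slides, but the actors, assets and scores in `EXAMPLE_ACTORS` and `EXAMPLE_ASSETS` are constructed for illustration, and `risk_matrix` builds the "risk for impact level N" grid for any level, not only the level 3 shown in the deck.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Scales from the slides (Business Impact Level, Threat Actor Capability,
# Threat Actor Motivation); every score is an integer 1..5.
IMPACT = {1: "negligible", 2: "limited", 3: "significant", 4: "very high", 5: "major"}
CAPABILITY = {1: "very little", 2: "little", 3: "limited", 4: "significant", 5: "formidable"}
MOTIVATION = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}


def _check(score: int, scale: Dict[int, str], what: str) -> int:
    """Reject anything outside the 1..5 scale so a typo cannot skew the list."""
    if score not in scale:
        raise ValueError(f"{what} must be 1..5, got {score!r}")
    return score


@dataclass(frozen=True)
class ThreatActor:
    name: str
    capability: int
    motivation: int

    def threat(self) -> int:
        """Threat = Capability x Motivation (1..25)."""
        return (_check(self.capability, CAPABILITY, "capability")
                * _check(self.motivation, MOTIVATION, "motivation"))


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int   # Business Impact Level 1..5


@dataclass(frozen=True)
class Risk:
    score: int
    asset: str
    actor: str


def risk(asset: Asset, actor: ThreatActor) -> int:
    """Risk = Impact x Threat (1..125)."""
    return _check(asset.impact, IMPACT, "impact") * actor.threat()


def risk_matrix(impact: int) -> Dict[Tuple[int, int], int]:
    """The 'risk for impact level N' grid: (capability, motivation) -> risk."""
    _check(impact, IMPACT, "impact")
    return {(c, m): impact * c * m for c in CAPABILITY for m in MOTIVATION}


def prioritised_risks(assets: List[Asset], actors: List[ThreatActor]) -> List[Risk]:
    """Every asset/actor pair, highest risk first; ties broken by name for a stable list."""
    rows = [Risk(risk(a, t), a.name, t.name) for a in assets for t in actors]
    return sorted(rows, key=lambda r: (-r.score, r.asset, r.actor))


# Constructed example inputs (hypothetical scores, not taken from the slides).
EXAMPLE_ACTORS = [
    ThreatActor("organised crime using financial malware", 5, 5),
    ThreatActor("disgruntled administrator", 4, 4),
    ThreatActor("contract developer (supply chain)", 4, 2),
    ThreatActor("curious visitor on guest WiFi", 2, 2),
]
EXAMPLE_ASSETS = [
    Asset("payment processing in SaaS platform", 5),
    Asset("staff BYOD phone with cached corporate email", 3),
    Asset("corporate Twitter account", 2),
]

if __name__ == "__main__":
    for row in prioritised_risks(EXAMPLE_ASSETS, EXAMPLE_ACTORS):
        print(f"{row.score:4d}  {row.asset:45s} {row.actor}")
```

The ranking is what goes into the workshop: each row names a concrete actor and asset, so the discussion with management is about whether the scores are right, not about whether security matters.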
Run a Workshop
Now you’ve added value!
Or …
Management Security
Which results in …
Need more information?
Peter Wood, Chief Executive Officer
First Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Twitter: peterwoodx