Mobile security summit - 10 mobile risks


Transcript of Mobile security summit - 10 mobile risks

Page 1: Mobile security summit - 10 mobile risks

Vladimir Jirasek: Top 10 Mobile Risks 1

TOP 10 MOBILE RISKS

Vladimir Jirasek, CISSP-ISSAP & ISSMP, CISM, CISA

Senior Enterprise Security Architect, Nokia

Steering Group, Common Assurance Maturity Model

Non-executive director, CSA UK & Ireland

2011-07-13

Page 2: Mobile security summit - 10 mobile risks

I am going to talk about …

• Risks associated with mobile devices
• Mobile applications threat model
• Mobile risks in an enterprise
• Mobile device as a trusted device
• Mobile security models
• Mobile Top 10
• Not all doom and gloom: what to look for

Page 3: Mobile security summit - 10 mobile risks

Mobile devices are ubiquitous for most people

• Mobile devices with the power of an average computer
• Used by people around the globe in personal and business life
• To access services they want, communicate with other people, shop and play, either online or via mobile apps

Page 4: Mobile security summit - 10 mobile risks

And the risks associated with the use cases are

• Mobile devices with the power of an average computer – power (CPU) and storage with seamless and always-on connectivity
• Used by people around the globe in personal and business life – travelling with people all the time; millions lost every day
• To access services they want, communicate with other people, shop and play, either online or via mobile apps – accessing potentially private and sensitive data, managing critical transactions

The mobile phone is your most personal computer and it needs to be well protected to become a trusted device.

Page 5: Mobile security summit - 10 mobile risks

Mobile device use cases threat model

• Mobile device is compromised with malware – malicious activity, loss of data, monitoring of activity, botnet
• Mobile device is lost or stolen – loss of data, potential malicious activity
• Mobile device is used to conduct malicious activity – unauthorised transactions, botnets, attack on web services

Page 6: Mobile security summit - 10 mobile risks

Mobile device risk in an enterprise

[Diagram: the boundary of enterprise control. Labels: un-managed mobile device; un-managed personal device; un-controlled data sync; un-controlled data access.]

Page 7: Mobile security summit - 10 mobile risks

Mobile threats summary [2]

• Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content, malicious proxy servers

• Malware – traditional viruses, worms, and Trojan horses

• Social engineering attacks – phishing. Also used to install malware.

• Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls)

• Malicious and unintentional data loss – exfiltration of information from phone

• Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)

Page 8: Mobile security summit - 10 mobile risks

Mobile device as a trusted device [4,5]

How does mobile HW and OS hold up?

Layers, from the hardware up:

• Hardware – typically contains a System on Chip (SoC)
• Load kernel and mobile OS – OS security capabilities are crucial
• Load mobile applications – application segregation, security reviews
• Enterprise apps accessed from mobile devices

If trust is not assured from the HW up then there is no trust at all!
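The "trust from the HW up" point can be made concrete with a toy verified-boot chain. The following is an added example written for this page, not code from the talk or from any real platform: each stage carries the SHA-256 digest it expects of the stage above it, and the lowest digest lives in immutable boot ROM. Real SoCs verify a signature over the next image with a key fused into the chip; the embedded digest stands in for that here. The stage names and image bytes are constructed.

```python
# Added example: a toy model of a hardware-rooted boot chain. It is not code from
# the talk or from any real platform. Real devices verify a signature over the next
# image with a key fused into the SoC; here the previous stage carries the SHA-256
# digest it expects of the next one, which is enough to show where trust comes from.
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Stage:
    name: str
    code: bytes              # the image that gets "executed" at this layer
    expected_next: str = ""  # digest this stage demands of its successor (set by link_chain)

    def image(self) -> bytes:
        # The embedded expectation is part of the image, so it is covered by the
        # measurement the lower layer takes of this stage.
        return self.code + b"|next=" + self.expected_next.encode()


def link_chain(stages):
    """Link stages top-down so each stage embeds the digest of the one above it.
    Returns the digest of the lowest stage: the value a boot ROM / SoC fuse would hold."""
    for lower, upper in reversed(list(zip(stages, stages[1:]))):
        lower.expected_next = sha256(upper.image())
    return sha256(stages[0].image())


def verify_boot(rom_digest, stages):
    """Measure each stage before handing control to it. Returns (booted, status):
    the stages that ran with trust intact, and 'ok' or the point where boot halted."""
    booted, expected = [], rom_digest
    for stage in stages:
        if sha256(stage.image()) != expected:
            return booted, f"halt: {stage.name} failed measurement"
        booted.append(stage.name)
        expected = stage.expected_next
    return booted, "ok"


def make_stages():
    # Constructed layers matching the slide: SoC/ROM -> bootloader -> kernel+OS -> apps.
    return [Stage("bootloader", b"bootloader v1"),
            Stage("kernel+OS", b"kernel + mobile OS"),
            Stage("apps", b"signed application bundle")]


def scenarios():
    """Four boots: clean, app-layer tamper, OS-layer tamper, and a device whose
    hardware root is under attacker control."""
    results = {}

    stages = make_stages()
    rom = link_chain(stages)
    results["clean"] = verify_boot(rom, stages)

    stages = make_stages()
    rom = link_chain(stages)
    stages[2].code = b"signed application bundle + trojan"  # modified after linking
    results["tampered apps"] = verify_boot(rom, stages)      # OS layer refuses it

    stages = make_stages()
    rom = link_chain(stages)
    stages[1].code = b"rootkit kernel"                       # bootloader refuses it
    results["tampered OS"] = verify_boot(rom, stages)

    # No hardware root: if the attacker can also rewrite what the "ROM" expects,
    # a fully malicious chain links and verifies cleanly. Nothing above detects it.
    evil = [Stage("bootloader", b"evil bootloader"),
            Stage("kernel+OS", b"rootkit kernel"),
            Stage("apps", b"spyware")]
    results["no HW root"] = verify_boot(link_chain(evil), evil)
    return results


if __name__ == "__main__":
    for name, (booted, status) in scenarios().items():
        print(f"{name:14s} booted={booted} {status}")
```

Tampering with any layer is caught by the layer below it, because the expectation is sealed inside an image that was itself measured. The last scenario is the slide's warning: once the anchor is writable, every check above it passes and the device reports a clean boot while running an attacker's kernel.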

Page 9: Mobile security summit - 10 mobile risks


Mobile Security Models [2]

• Traditional Access Control: passwords and idle-time screen locking.

• Application Provenance: Application signing and Application review in App store

• Encryption: Encryption of device data and application data

• Isolation: traditional Sandboxing and Storage separation

• Permissions-based access control: Limiting application to needed functionality only


All must be supported by Trust from HW up.

Jailbreaking breaks the security model!

Page 10: Mobile security summit - 10 mobile risks


Veracode Mobile Top 10 [1]

Malicious Functionality

1. Activity monitoring and data retrieval

2. Unauthorized dialing, SMS, and payments

3. Unauthorized network connectivity (exfiltration or command & control)

4. UI Impersonation

5. System modification (rootkit, APN proxy config)

6. Logic or Time bomb

Vulnerabilities

7. Sensitive data leakage (inadvertent or side channel)

8. Unsafe sensitive data storage

9. Unsafe sensitive data transmission

10. Hardcoded password/keys
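Items 7 to 10 are the ones a code review can catch before release. The following is an added example, written for this page and not tooling from Veracode or the talk: a handful of regex checks run over Android-style Java source, with a constructed vulnerable fragment beside its remediated form. The Android and Java identifiers the rules look for (Log.d, MODE_WORLD_READABLE, getExternalStorageDirectory, ALLOW_ALL_HOSTNAME_VERIFIER, X509TrustManager) are real; the surrounding code and the rule names are made up for the demonstration.

```python
# Added example: heuristic source checks for Veracode Top 10 items 7-10, written for
# this page rather than taken from Veracode or the talk. The rules are regexes over
# Android-style Java source and the two snippets are constructed; the API names they
# match (Log.d, MODE_WORLD_READABLE, ALLOW_ALL_HOSTNAME_VERIFIER, X509TrustManager,
# getExternalStorageDirectory) are real Android/Java identifiers, the code around
# them is made up for the demonstration.
import re

RULES = [
    ("M7-sensitive-value-logged",
     re.compile(r"\bLog\.[dviwe]\([^)]*\b(?:password|passwd|token|pin|secret)\b", re.I)),
    ("M8-world-readable-storage", re.compile(r"MODE_WORLD_(?:READABLE|WRITEABLE)")),
    ("M8-external-storage", re.compile(r"getExternalStorageDirectory\(")),
    ("M9-cleartext-http", re.compile(r'"http://[^"]+"')),
    ("M9-tls-validation-disabled",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|new\s+X509TrustManager\b")),
    ("M10-hardcoded-secret",
     re.compile(r'\b(?:password|passwd|secret|api[_-]?key|private[_-]?key)\s*=\s*"[^"]{4,}"', re.I)),
]


def scan(source: str):
    """Return (line_no, rule_id, line) for every rule hit; one line may hit several rules."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((n, rule_id, line.strip()))
    return findings


# Constructed: an app fragment that exhibits items 7, 8, 9 and 10.
VULNERABLE_SOURCE = """\
String API_KEY = "AKIA-EXAMPLE-KEY-1234";
String password = getIntent().getStringExtra("pw");
Log.d(TAG, "login password=" + password);
URL url = new URL("http://api.example.com/v1/login");
SharedPreferences p = getSharedPreferences("auth", MODE_WORLD_READABLE);
p.edit().putString("token", token).commit();
File f = new File(Environment.getExternalStorageDirectory(), "session.txt");
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

# Constructed: the same fragment after remediation (key material in the platform
# keystore, TLS with default validation, private storage, no credential in logs).
HARDENED_SOURCE = """\
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
String password = getIntent().getStringExtra("pw");
Log.d(TAG, "login attempt for user " + userId);
URL url = new URL("https://api.example.com/v1/login");
SharedPreferences p = getSharedPreferences("auth", MODE_PRIVATE);
"""

if __name__ == "__main__":
    for n, rule_id, text in scan(VULNERABLE_SOURCE):
        print(f"line {n}: {rule_id}: {text}")
    print("hardened findings:", scan(HARDENED_SOURCE))
```

These are grep-grade heuristics, not a substitute for a proper static analysis pass: they will miss a secret assembled at runtime or a trust manager declared in a separate class, and the M9 cleartext rule says nothing about whether the https endpoint actually pins or validates the certificate. Their value is that they run in seconds on every commit and catch the four vulnerability items in their most common form.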


Page 11: Mobile security summit - 10 mobile risks


Summary: What to look for

Device and applications

• Do not jail-break the device

• Utilise mobile OS security features (access control, encryption)

• Follow data classification policies – what data can be on mobile devices and what protection is required

• Follow best practices for mobile application development

Enterprise Network

• Configure VPN for mobile devices

• Provision VPN profiles for seamless connectivity

• Monitor traffic for data exfiltration

• Enable processes to wipe devices

• Data security policy includes device capabilities and position
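"Monitor traffic for data exfiltration" is easier to act on with a concrete starting point. The following is an added example written for this page, not tooling from the talk: two detections over flow records as a VPN concentrator or proxy might emit them, one for outbound volume to non-corporate hosts and one for the regular, low-volume check-ins that command-and-control traffic (Top 10 item 3) produces. The record format, the corporate domain suffix ".corp.example", the device names and the thresholds are assumptions, and the ten records are constructed.

```python
# Added example: two detections over VPN/proxy flow records, as a starting point for the
# "monitor traffic for data exfiltration" item. This is not tooling from the talk. The log
# format, the corporate domain suffix ".corp.example" and the thresholds are assumptions
# for the demonstration; the ten records below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

FLOW_LOG = """\
2011-07-13T09:00:00 device=phone-17 dst=mail.corp.example bytes_out=48000
2011-07-13T09:00:10 device=phone-17 dst=drive.corp.example bytes_out=310000
2011-07-13T09:01:00 device=phone-42 dst=img-cdn.example.net bytes_out=2048
2011-07-13T09:02:00 device=phone-42 dst=upload.pastebox.example.org bytes_out=5200000
2011-07-13T09:03:00 device=phone-42 dst=upload.pastebox.example.org bytes_out=4900000
2011-07-13T09:00:00 device=phone-08 dst=c2.badnet.example bytes_out=512
2011-07-13T09:05:00 device=phone-08 dst=c2.badnet.example bytes_out=520
2011-07-13T09:10:00 device=phone-08 dst=c2.badnet.example bytes_out=498
2011-07-13T09:15:00 device=phone-08 dst=c2.badnet.example bytes_out=530
2011-07-13T09:20:00 device=phone-08 dst=c2.badnet.example bytes_out=505
"""

CORP_SUFFIX = ".corp.example"   # assumed: hosts under this suffix are enterprise services


def parse(log: str):
    """Turn 'ts key=value ...' lines into dicts with a datetime and an int byte count."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["bytes_out"] = int(rec["bytes_out"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def volume_alerts(events, threshold=5_000_000):
    """Per device and hour, sum bytes sent to hosts outside the corporate domain.
    Returns (device, hour_iso, bytes) for every bucket over the threshold."""
    totals = defaultdict(int)
    for r in events:
        if r["dst"].endswith(CORP_SUFFIX):
            continue
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        totals[(r["device"], hour.isoformat())] += r["bytes_out"]
    return sorted((dev, hour, b) for (dev, hour), b in totals.items() if b > threshold)


def beacon_alerts(events, min_events=5, max_cv=0.1):
    """Flag (device, dst) pairs contacted at near-constant intervals: a small, regular
    connection pattern is what a command-and-control check-in looks like, regardless
    of volume. Returns (device, dst, mean_interval_seconds)."""
    by_pair = defaultdict(list)
    for r in events:
        if not r["dst"].endswith(CORP_SUFFIX):
            by_pair[(r["device"], r["dst"])].append(r["ts"])
    alerts = []
    for (dev, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:   # coefficient of variation
            alerts.append((dev, dst, m))
    return sorted(alerts)


if __name__ == "__main__":
    ev = parse(FLOW_LOG)
    print("volume:", volume_alerts(ev))
    print("beacon:", beacon_alerts(ev))
```

On the sample, phone-42 trips the volume rule with about 10 MB to an external upload host inside one hour, while phone-08 never exceeds a few hundred bytes per flow and is caught only by the regularity of its five-minute check-ins. In production the thresholds want tuning per device class, and a VPN profile that forces all device traffic through the concentrator (the "provision VPN profiles" item above) is what makes these flows visible in the first place.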


Page 12: Mobile security summit - 10 mobile risks

Resources

1. Veracode Mobile App Top 10 – http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/

2. Symantec, Security Analysis of iOS and Android – http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02

3. Trusted Computing Group, Mobile Trusted Computing Platform – http://www.trustedcomputinggroup.org/developers/mobile

4. Understanding the hardware architecture of smartphones – http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones

5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia – http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf

6. Security in Windows Phone 7 – http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92).aspx