(PDF) Yury Chemerkin Deepintel 2013
8/13/2019 (PDF) Yury Chemerkin Deepintel 2013
1/45
COMPLIANCE AND TRANSPARENCY FEATURES vs. SECURITY
STA
YU
EXPERIENCED IN:
REVERSE ENGINEERING & AV
SOFTWARE PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY WRITING
HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES:
INFOSECURITY RUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCON MOSCOW, HACTIVITY, HACKFEST, CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE / INTELLIGENCE-SEC, ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com
yury.s@che
I. Opinions & Facts
What is about Public Clouds
Some known facts about AWS & Azure in order to issues men
Top clouds are not OpenSource: OpenStack is API-compatible with Amazon EC2 and Amazon S3, and thus client applications written for AWS can be used with OpenStack with minimal porting effort, while Azure is not.
Platform lock-in: There are Import/Export tools to migrate from/to VMware, while Azure doesn't have them.
Data lock-in: Native AWS solutions are linked with Cisco routers for upload, download and tunneling, as well as 3rd party storage like SMEStorage (AWS, Azure, Dropbox, Google, etc.).
Tools lock-in: Longing for an inter-cloud mana
industrial and built with complian
APIs lock-in: Longing for inter-cloud APIs, how
known inter-OS APIs for PC, MD
No Transparency: Weak compliance and transparenc
and NDA relationships between c
third party auditors and experts
Abuse: Abusing is not a new issue and is e
AWS Vulnerability Bulletins as a k
response and stay tuned
[AWS] :: Xen Security Advisories
There are known XEN attacks (Blue Pills, etc.).
No XEN vulnerability has been applied to AWS, Azure or SaaS/PaaS services.
Very customized clouds.
[CSA] :: CSA The Notorious Nine: Cloud Computing Top Threats in 2013
Replaced a document published in 2009.
Such best practices provide the least security.
No significant changes since 2009, even the examples.
Top Threats Examples
1.0. Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract Private Keys
7.0. Threat: Abuse of Cloud Ser
Side Channels and Their Use to E
Keys
4.0. Threat: Insecurity Interface
Beside the Reality of CSA Threats
1.0 & 7.0 cases highlight how the
e.g. AWS EC2 are vulnerable
1.0 & 7.0 cases are totally focuse
cloud case (VMware and XEN),
known way to adopt it to AWS.
4.0 case presents issues raised by
not related to public clouds (exce
SkyDrive) and addressed to insec
Clouds: Public vs. Private
It is generally known that private clouds are the most secure.
There is no POC to prove that statemen
II. CSA Framework
[Diagram: CSA framework layers: Compliance Model, Enhanced Security Model, Basic Security Model, Cloud Model; Cloud CSA CAIQ; Mapping CSA CMM]
II. NIST Framework
NIST Framework
The consolidated framework over all NIST documents.
Logically clearly defined documents, e.g.: Categorization systems, Selecting control, FIPS, Forensics, Logging (SCAP), etc.
Complementarity, Interchangeability, Expansibility, Dependence, Mapping (NIST, ISO only).
NIST Framework
Complementarity: NIST Enhance Control; Your own security control.
Interchangeability: Replacing basic controls by enhanced controls.
Expansibility: impact or support the implementation of a particular security control or control enhancement; Your own way to improve a framework.
Mapping (NIST, ISO only): NIST->ISO; ISO->NIST; NIST->Common Criteria (rev4 only).
NIST Framework: Interchangeability
Basic controls aren't applicable in case of:
Information systems that need to communicate with other systems across different policy
APT
Insider Threats
Mobility (mobile location, non-fixed)
Single-User operations
Interchangeability: Replacing basic controls by enhanced controls.
III. Clouds
Clouds
Amazon Web Services: Generally IaaS + SaaS, PaaS
Microsoft Azure: Generally PaaS; recent changes: IaaS
BlackBerry Enterprise Service: Separated or Integrated with Office365; SaaS as a MDM solution
[Diagram: BlackBerry Enterprise Service: BES 5 (BlackBerry 4, 5, 6, 7) and BES 10 (BlackBerry Z10/Q10, PlayBook, Android, iOS) under a Unified Device Platform with Unified Management; Office365 integration; Cisco/VoI]
IV. Cloud & Compliance Specific
Cloud & Compliance Specific
There is no one cloud.
There is no one standard.
What vision is adopted by cloud vendors?
What vision is adopted by cloud operators (3rd party)?
What is your way to use and manage cloud?
All of that is reflected in the
There are many models and archi
There are many ways to build clou
alignment to
Virtualizing of anything able to b
Data distribution, service distribu
management
Clear compliance requirements
Cloud & Compliance Specific
The goal is bringing transparency of cloud controls and features, especially security controls and features.
Such documents have a claim to be up-to-date with expert-level understanding of significant threats and vulnerabilities.
Unifying recommendations for all clouds.
Up to now, it is the 3rd revision.
All recommendations are linked with other standards: PCI DSS, ISO, COBIT, NIST, FedRAMP; CSA's own vision of how it must be referred.
Top known cloud vendors announce compliance with it.
Some of the reports are getting old by now.
Customers have to control their environ
needs
Customers want to know whether it is in
especially local regulations and how far
Customers want to know whether it mak
transparency to let them build an appropriate
Cloud & Compliance Specific: Compliance, Transparency, Elab
CAIQ/CCM provides the equivalent of recommendations over several standards; CAIQ provides more details on security and privacy, but NIST is more specific.
CSA recommendations are poor in technical details:
It helps vendors not to have their solutions worked out in detail and/or badly documented.
It helps them to put a lot of references on 3rd party reviewers under NDA (SOC 1 or SAS 70).
Bad idea to let vendors fill such documents:
They provide fewer public details.
They take it to NDA reports.
Vendors' general explanations multipl
standards recommendations are extremely
transparency
Clouds call for specific levels of aud
reporting, security controlling and data reten
It is often not a part of the SLA offere
It is outside recommendations.
AWS often falls in details with their architec
AWS solutions are very well to be in co
standards and specific local regulations:
NIST 800-53, or even Russian sec
(however the Russian framework i
framework)
Compliance: from Cloud Vendors' view (Compliance, Transparency, Elab)
Description: DIFFERENCE (AWS vs. AZURE)
Third Party Audits: As opposed to AWS, Azure does not have a clearly defined statement whether their customers are able to p
vulnerability test
Information System Regulatory Mapping: AWS falls in details to comply with it, which results in differences between CAIQ and CMM.
Handling / Labeling / Security Policy: AWS falls in details on what customers are allowed to do and how exactly, while Azure does not.
Retention Policy: AWS points to the customer's responsibility to manage data, excludes moving between Availability Zones, ensures validation and processing with it, and indicates historical auto-backup of data.
Secure Disposal: Not seriously; AWS relies on DoD 5220.22 additionally, while Azure does NIST 800-88 only.
Information Leakage: AWS relies on AMI and EBS services, while Azure relies on data integrity.
Policy, User Access, MFA: No; both have.
Baseline Requirements: AWS provides more highly detailed how-to docs than Azure, allows importing a trusted VM from VMware; Azure
Encryption, Encryption Key Management: AWS offers encryption features for VM, storage, DB, networks, while Azure does for XStore (Azure Storage).
Vulnerability / Patch Management: AWS allows their customers to ask for their own pentest, while Azure does not.
Nondisclosure Agreements, Third Party Agreements: AWS highlights that they do not leverage any 3rd party cloud providers to deliver AWS services to the
the procedures, NDA undergone with ISO
User ID Credentials: Besides the AD (Active Directory), the AWS IAM solution is in alignment with both CAIQ and CMM requirements, wh
the AD to perform these actions
(Non)Production environments, Network Security: AWS provides more detailed how-to documents for having a compliance.
Segmentation: Besides vendor features, AWS provides a quite similar mechanism in alignment with CAIQ & CMM, while Azure poin
infrastructure on a vendor side
Mobile Code: AWS points their clients to be responsible to meet such requirements, while Azure points to build solutions track
Compliance: from CSA's viewpo
Examination of CSA
Consumer Relationship only: Everything except SA-13; Location-aware technologies may be used to validate con
authentication integrity based on known equipment location
Vendor Relationship only: Requirements include technical and management solutions.
Consumer Relationship shared with Vendor: Include non-technical solutions only, such as policies, roles, procedures, training.
All requirements cover SaaS, PaaS, IaaS cloud types.
General requirements only.
Missing details (like DoD).
Compliance: from CSA's viewpo
Examination of CSA References NIS
Data Governance - Information Leakage (DG-07): "Security mechanisms shall be implemented to prevent data leakage" refer
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-6 Least Privilege (the most correct reference)
AC-11 Session Lock (general requirements only)
"Security mechanisms shall be implemented to prevent data leakage" missed in turn (no ref
AC-7 Unsuccessful Login Attempts
AC-8 System Use Notification
AC-9 Previous Logon (Access) Notification
AC-10 Concurrent Session Control
Compliance: from CSA's viewpo
Examination of CSA References ISO
Data Governance - Information Leakage (DG-07): "Security mechanisms shall be implemented to prevent data leakage" also refers to ISO A.10.6.2 Security of network services.
A.10.6.2 refers to NIST in turn:
CA-3 Information System Connections
SA-9 External Information System Services
SC-8 Transmission Integrity
SC-9 Transmission Confidentiality
DG-07 should refer to PE-19 Information Leakage in fact.
It could include the NIST requirement AC-6 Least Privilege too.
A few of them are applicable in case of Cloud MDM and should be extended by a different toolkit.
Cloud & Compliance Specifics. Ex
CSA Cloud :: Azure
Data Governance (NIST :: access control, media management, etc.):
Ownership / Stewardship
Classification
Handling / Labeling / Security Policy
Retention Policy
Secure Disposal
Non-Production Data
Information Leakage
Risk Assessments
Azure's vision - Distribution of informat
CSA, ISO is better applicable tha
NIST is applicable as a custom con
Best way is to adopt NIST enhancem
Need to remap CSA->NIST rev4:
Technical / Access Control
Attributes
Attribute Configuration
Permitted Attributes for Sp
InfoSystems
Permitted Values and Rang
Cloud & Compliance Specifics. Ex
NIST Cloud :: AWS
Access Control:
Account, Session Management
Access / Information Flow Enforcement
Least Privilege, Security Attributes
Remote / Wireless Access
AWS's Vision is not Data Distribution.
NIST is better applicable than CS
NIST is applicable as a custom con
There are many enhancements to i
Dynamic Account Creation
Restrictions on Use of Sha
Accounts
Group Account Requests
Approvals/Renewals
Account Monitoring - Atyp
e.g. :: log-delivery-write fo
Cloud & Compliance Specifics. Ex
CSA / NIST Cloud :: AWS
AWS's Vision is not Data Distribution; however, CSA :: Data Governance is applicable from the resource-based viewpoint:
Resource-based policy, attached to a resource.
AWS's Vision is not Data Distribution; however, NIST :: Access Control is applicable from the user-based viewpoint:
Account-based policy, attached to users; define that policy for MDM users to access internal network resources.
Combine with a mobile policy.
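The two viewpoints on this slide (a resource-based policy attached to the resource, an identity-based policy attached to the MDM users, combined with a mobile condition) can be exercised with a small Python model. This is an added illustration, not code from the deck or from AWS: the account id, user names, bucket and policy documents are constructed, and the evaluation is a deliberately simplified same-account subset of AWS's real logic (an explicit Deny in any applicable statement wins; otherwise an Allow from either the identity-based or the resource-based policy grants; otherwise the request is implicitly denied). The MFA Bool condition stands in for the "mobile policy" the slide mentions; only that one condition operator is modelled.

```python
import fnmatch

# Constructed sample values (not from the slides): one account, two users, one bucket.
ACCOUNT = "111122223333"
MDM_USER = f"arn:aws:iam::{ACCOUNT}:user/mdm-alice"
AUDITOR = f"arn:aws:iam::{ACCOUNT}:user/auditor"
BUCKET = "arn:aws:s3:::mdm-config"

# Identity-based (user-attached) policy: the "user-based viewpoint" of NIST Access Control.
# The MFA condition stands in for "combine with a mobile policy" (assumption for this example).
MDM_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
    ],
}

# Resource-based (bucket-attached) policy: the "resource-based viewpoint" of CSA Data Governance.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": AUDITOR},
            "Action": "s3:GetObject",
            "Resource": BUCKET + "/*",
        }
    ],
}


def _match(patterns, value):
    """IAM-style wildcard match; a statement element may be a string or a list."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(stmt, context):
    """Only the Bool condition operator is modelled (enough for the MFA check)."""
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != expected.lower():
            return False
    return True


def _applies(stmt, principal, action, resource, context):
    # Resource-based statements name a Principal; identity-based ones do not.
    if "Principal" in stmt and not _match(stmt["Principal"].get("AWS", []), principal):
        return False
    return (_match(stmt["Action"], action)
            and _match(stmt["Resource"], resource)
            and _condition_met(stmt, context))


def evaluate(identity_policies, resource_policies, principal, action, resource, context=None):
    """Simplified same-account decision: explicit Deny wins, any Allow grants, else implicit Deny."""
    context = context or {}
    allowed = False
    for policy in list(identity_policies) + list(resource_policies):
        for stmt in policy["Statement"]:
            if not _applies(stmt, principal, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def sample_decisions():
    """Decisions for the constructed users against the constructed bucket."""
    obj = BUCKET + "/ios-restrictions.plist"
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    return {
        # user-based policy grants, but only when the mobile/MFA condition holds
        "mdm_get_with_mfa": evaluate([MDM_USER_POLICY], [BUCKET_POLICY], MDM_USER, "s3:GetObject", obj, mfa),
        "mdm_get_without_mfa": evaluate([MDM_USER_POLICY], [BUCKET_POLICY], MDM_USER, "s3:GetObject", obj),
        # explicit Deny in the user-based policy overrides any Allow
        "mdm_delete_with_mfa": evaluate([MDM_USER_POLICY], [BUCKET_POLICY], MDM_USER, "s3:DeleteObject", obj, mfa),
        # the auditor has no identity policy at all; the resource-based policy alone grants read
        "auditor_get": evaluate([], [BUCKET_POLICY], AUDITOR, "s3:GetObject", obj),
        "auditor_put": evaluate([], [BUCKET_POLICY], AUDITOR, "s3:PutObject", obj),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:22s} {decision}")
```

The point of the model is the slide's own one: the same bucket is governed from two directions at once, so a review of "who can reach MDM configuration data" has to read both the policies attached to the MDM users (and the mobile condition on them) and the policy attached to the resource, because either one can grant access on its own.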
COMPLIANCE AND MDM
CSA Mobile Device Management: Key Components; NIST-124
Device diversity
Configuration management
Software Distribution
Device policy compliance & enforcement
Enterprise Activation
Logging
Security Settings
Security Wipe, Lock
IAM
Make sure to start managing security under uncertain terms without AI.
Refers to NIST-800-53 and other
Sometimes missed requiremen
locking device, however it is in
A bit more details than CSA.
No statements on permission managem
= , , , set of OS permissions, set of device permissions, set
of MDM permissions, set of missed permissions (lack ofcontrols), set of rules are explicitly should be applied to gaina compliance
= + , set of APIs , set of APIs that interact with sensitive data, set of APIs that do not interact with sensitive data
To get a mobile security designed with full granularity the setshould be empty set to get instead of , sothe matter how is it closer to empty. On another hand it shouldfind out whether assumptions , are true and if it ispossible to get .
Set of permissions < Set of activities eff
typical case < 100%, ability to control each API = 100%
More than 1 permission per APIs > 10
lack of knowledge about possible improper granularity
[ DEVICE MANAGEMENT: MDM features ]
Concurrency over native & additional security features. The situation is very seri
[ DEVICE MANAGEMENT: APPLICATION LEVEL ATTACKS VECTOR ]
GOALS - MOBILE RESOURCES / AIM OF ATTACK: DEVICE RESOURCES; OUTSIDE-OF-DEVICE RESOURCES
ATTACKS - SET OF ACTIONS UNDER THE THREAT
APIs - RESOURCES WIDELY AVAILABLE TO CODERS
SECURITY FEATURES: KERNEL PROTECTION, NON-APP FEATURES; PERMISSIONS - EXPLICITLY CONFIGURED; 3RD PARTY - AV, FIREWALL, VPN, MDM
COMPLIANCE - RULES TO DESIGN A MOBILE SECURITY IN ALIGNMENT WITH COMPLIANCE TO
[Diagram layers: Attacks; APIs; MDM features; AV, MDM, DLP, VPN]
[ BLACKBERRY. PERMISSIO
Permission                      BB 10 Cascades SDK   BB 10 AIR SDK   PB (ND
Background processing           +                    +
BlackBerry Messenger            -                    -
Calendar, Contacts              +                    via invoke
Camera                          +                    +
Device identifying information  +                    +
Email and PIN messages          +                    via invoke
GPS location                    +                    +
Internet                        +                    +
Location                        +                    -
Microphone                      +                    +
Narrow swipe up                 -                    +
Notebooks                       +                    -
Notifications                   +                    +
Player                          -                    +
Phone                           +                    -
Push                            +                    -
Shared files                    +                    +
Text messages                   +                    -
Volume                          -                    +
[ iOS. Settings ]
Component / Unit
Restrictions :: Native application: Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri; Manage applications*
Restrictions :: 3rd party application: Manage applications*; Explicit Language (Siri); Privacy*, Accounts*; Content Type Restrictions*
Unit subcomponents:
Privacy :: Location: Per each 3rd party app; For system services
Privacy :: Private Info: Contacts, Calendar, Reminders, Photo; Bluetooth Sharing; Twitter, Facebook
Accounts: Disables changes to Mail, Contacts, Calendars, iCloud, and Find My Friends; Volume limit
Content Type Restrictions: Ratings per country and region; Music and podcasts; Movies, Books, Apps, TV shows; In-app purchases; Require Passwords (in-app purchases); Game Center: Multiplayer Games, Adding Friends (Game Center)
Manage applications: Installing Apps; Removing Apps
[ Android. Permissions ]
ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASK
(second column, partially cut off in the source): ,SET_ACTIVITY_WATCHER,S / SET_ANIMATION_SCALE,SE / ,SET_POINTER_SPEED,SET_ / ROCESS_LIMIT,SET_TIME,SE / ET_WALLPAPER_HINTS,SIG / TUS_BAR,SUBSCRIBED_FEE / ITE,SYSTEM_ALERT_WINDO / REDENTIALS,USE_SIP,VIBRA / TINGS,WRITE_CALENDAR,W / TS,WRITE_EXTERNAL_STOR / STORY_BOOKMARKS,WRIT / GS,WRITE_SETTINGS,WRITE / RITE_SYNC_SETTINGS,WRIT
List contains ~150 permissions. I have ever seen that on old BlackBe
[ Android. Permission Groups ]
ACCOUNTS, AFFECTS_BATTERY, APP_INFO, AUDIO_SETTINGS, BLUETOOTH_NETWORK, BOOKMARKS, CALENDAR, CAMERA, COST_MONEY, DEVELOPMENT_TOOLS, DEVICE_ALARMS, DISPLAY, HARDWARE_CONTROLS, LOCATION, MESSAGES, MICROPHONE, NETWORK, PERSONAL_INFO, PHONE_CALLS, SCREENLOCK, SOCIAL_INFO, STATUS_BAR, STORAGE, SYNC_SETTINGS, SYSTEM_CLOCK, SYSTEM_TOOLS, USER_DICTION, VOICEMAIL, WALLPAPER, WRITE_USER_D
But there are only 30 permission groups. I have ever seen that on old BlackBerr
MDM. Extend your device security cap
Android CONTROLLED: FOUR GRO
CAMERA AND VIDEO: HIDE THE DEFAULT CAMERA APPLICATION
PASSWORD: DEFINE PASSWORD PROPERTIES; REQUIRE LETTERS (incl. case); REQUIRE NUMBERS; REQUIRE SPECIAL CHARACTERS; DELETE DATA AND APPLICATIONS FROM THE DEVICE AFTER INCORRECT PASSWORD ATTEMPTS; DEVICE PASSWORD; ENABLE AUTO-LOCK; LIMIT PASSWORD AGE; LIMIT PASSWORD HISTOR; RESTRICT PASSWORD LEN; MINIMUM LENGTH FOR T PASSWORD THAT IS ALLO
ENCRYPTION: APPLY ENCRYPTION RUL; ENCRYPT INTERNAL DEV
TOUCHDOWN SUPPORT: MICROSOFT EXCHANGE EMAIL PROFILES; ACTIVESYNC
MDM. Extend your device security c
iOS CONTROLLED: 16 GROU
BROWSER: DEFAULT APP, AUTOFILL, COOKIES, JAVASCRIPT, POPUPS
CAMERA, VIDEO, VIDEO CONF: OUTPUT, SCREEN CAPTURE, DEFAULT APP
CERTIFICATES (UNTRUSTED CERTs)
CLOUD SERVICES: BACKUP / DOCUMENT / PICTURE / SHARING
CONNECTIVITY: NETWORK, WIRELESS, ROAMING; DATA, VOICE WHEN ROAMING
CONTENT: CONTENT (incl. EXPLICIT); RATING FOR APPS / MOVIES / TV SHOWS / REGIONS
DIAGNOSTICS AND USAGE (SUBMISSION LOGS)
MESSAGING (DEFAULT APP)
ONLINE STORE: ONLINE STORES, PURCHASES, PASSW; DEFAULT STORE / BOOK / MUSIC APP
PASSWORD (THE SAME WITH ANDROID, NEW BL
PHONE AND MESSAGING (VOICE DIALING)
PROFILE & CERTs (INTERACTIVE INSTALLATION)
SOCIAL (DEFAULT APP): SOCIAL APPS / GAMING / ADDING FR; DEFAULT SOCIAL-GAMING / SOCIAL
STORAGE AND BACKUP: DEVICE BACKUP AND ENCRYPTION
VOICE ASSISTANT (DEFAULT APP)
MDM. Extend your device security c
BlackBerry (old): Huge amount of permissions are MD
THERE ARE 55 GROUPS CONTROLLED IN ALL.
EACH GROUP CONTAINS FROM 10 TO 30 UNITS, WHICH ARE CONTROLLED TOO.
EACH UNIT IS UNDER A LOT OF FLEXIBLE PARAMs INSTEAD OF A WAY DISABLE/ENABLED & HIDE/UNHIDE.
EACH EVENT IS CONTROLLED BY A CERTAIN PERMISSION, ALLOWED TO CONTROL BY SIMILAR PERMISSIONS TO BE MORE FLEXIBLE.
DESCRIBED IN 360 PAGES IN ALL, THAT IS FOUR TIMES MORE THAN OTHER DOCUMENTS.
EACH UNIT CAN'T CONTROL A
ITSELF
CREATE, READ, WRITE/DELETE ACTIONS IN RE
MESSAGES LEAD TO SP
REQUESTING A MESSA
ONLY SOME PERMISSIONS AR
DELETE ANY OTHER AP
SOME PERMISSIONS AR
WHICH 3RD PARTY PLUGIN, INSTEAD OF THAT PL
CONCLUSION
CONCLUSION
The best Security & Permissions are ruled by AWS.
Most cases are not clear according to the roles and responsibilities of cloud vendors & customers.
Swapping responsibilities and shifting the vendor's job onto the customer's shoulders may happen.
Referring to independent audit reports under NDA as many times as they can.
CSA put the cross references to other standards that impact complexity & lack of clarity more than NIST SP800-53.
[Diagram: Select Security Controls; Check Scope CSA; Def Granu; Apply CSA as common; Remap to NIST; Improve basic CSA; N enha]
http://scribd.com/ychemerkin
Q & A