2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not

•

1 j'aime•828 vues

NCC Group

Technologie

Mobile Security – The impending
apocalypse… or maybe not
ISF Summer Chapter

Before we begin…
Hopefully not a lesson
in sucking eggs

Agenda
•What the press would have
you believe
•The reality

Before we begin… Who is this guy?
• Information Cyber Security for > 15 years
• Consultancy – 1997 – 2005
• Research – 2005 – 2011
• Symantec / BlackBerry
• Research / Consultancy – 2012
• Recx / NCC Group

What you are led to believe
•Mobile is as insecure the desktop
•BYOD is insecure
•Malware is rampant
•Mobile security needs augmenting

Motivations
•.… something to sell
•…. exposure

Mobile is as insecure as the desktop
•Incentivised
•Defence in depth
•App stores
•Ubiquitous sandboxes
•Security policy APIs
•Vendors adopting SDLs

BYOD is insecure
•BYOD is CHALLENGING
•Extending your security perimeter
•Loosening your control (potentially)
•Mixed domain devices
•Policies

Malware is rampant
•Malware is present NOT rampant
•Trojans (re-packaged apps)
•Trojans (unique appealing apps)
•App store revocation 
•People using third party app stores 

Mobile security needs augmenting
•Platforms have rich security stories
•Samsung KNOX
•BlackBerry Balance
•MDM APIs / Policies ..
•Some augmentation may be needed
•on iOS
•On device AV is not one of them

SDLs cost
•Vendors don’t have
•limitless funds
•limitless people
•limitless time
•Market driven by features
•not secure code
•Skills in short demand
•Not evenly deployed

Vulnerability v patching frequency
•No monthly patch Tuesday
•Carrier certification
•desire
•capacity
•Vendors
•desire
•capacity

Vulnerability v patching frequency
•Handset cycle 12 to 36 months
•HTC 10 Android models
•ZTE 18 Android models
•Samsung 12 Android models
•Apple 1 iPhone model
•BlackBerry 3 BB10 models
•Sustainment costs huge..

Devices are complex
•Peripherals
•Radio
•OS
•Apps
= a large and complex attack surface

Use cases are different
•Physical interaction
•Usage patterns

UK Offices
Manchester - Head Ofﬁce
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices
San Francisco
Atlanta
New York
Seattle
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland
Ollie Whitehouse
ollie.whitehouse@nccgroup.com

Contenu connexe

En vedette

Practical SME Security on a Shoestring

NCC Group

Pki 202 Architechture Models and CRLs

NCC Group

Mobile App Security: Enterprise Checklist

Jignesh Solanki

Exploiting appliances presentation v1.1-vids-removed

NCC Group

NCC Group 44Con Workshop: How to assess and secure ios apps

NCC Group

Cryptography101

NCC Group

07182013 Hacking Appliances: Ironic exploits in security products

NCC Group

Cryptography - 101

n|u - The Open Security Community

Current & Emerging Cyber Security Threats

NCC Group

USB: Undermining Security Barriers

NCC Group

Real World Application Threat Modelling By Example

NCC Group

单反相机

Jacky Wu

HAPPYWEEK 184 - 2016.09.05.

Jiří Černák

삼색신호등 공청회 발표자료

kimjint

Situación de Aprendizaje basada en la Didáctica Crítica

ADORACION RODRIGUEZ

A decentralized future – the technology of next century

Blockchain Conferences

As part of the sessions at the 2016 California Public Higher Education Collaborative Business Conference, the presentation covers why Shared Services has become such an important part of your toolkit for delivering improved “back office” services to support your institution’s core mission. It explains why the true meaning of the words “shared” and “services” is so important. It also defines and distinguishes between “clients”, “consumers” and “stakeholders”.

Shared Services in Higher Education: conceps, clients, consumers and stakehol...

Chazey Partners

不一樣的台灣

honan4108

En vedette (18)

Practical SME Security on a Shoestring

Pki 202 Architechture Models and CRLs

Mobile App Security: Enterprise Checklist

Exploiting appliances presentation v1.1-vids-removed

NCC Group 44Con Workshop: How to assess and secure ios apps

Cryptography101

07182013 Hacking Appliances: Ironic exploits in security products

Cryptography - 101

Current & Emerging Cyber Security Threats

USB: Undermining Security Barriers

Real World Application Threat Modelling By Example

单反相机

HAPPYWEEK 184 - 2016.09.05.

삼색신호등 공청회 발표자료

Situación de Aprendizaje basada en la Didáctica Crítica

A decentralized future – the technology of next century

Shared Services in Higher Education: conceps, clients, consumers and stakehol...

不一樣的台灣

Dernier

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

DBX First Quarter 2024 Investor Presentation

Dropbox

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Dernier (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

CNIC Information System with Pakdata Cf In Pakistan

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Apidays New York 2024 - The value of a flexible API Management solution for O...

Boost Fertility New Invention Ups Success Rates.pdf

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

How to Troubleshoot Apps for the Modern Connected Worker

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Vector Search -An Introduction in Oracle Database 23ai.pptx

Six Myths about Ontologies: The Basics of Formal Ontology

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Why Teams call analytics are critical to your entire business

DBX First Quarter 2024 Investor Presentation

presentation ICT roal in 21st century education

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Strategies for Landing an Oracle DBA Job as a Fresher

AWS Community Day CPH - Three problems of Terraform

2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not

1. Mobile Security – The impending apocalypse… or maybe not ISF Summer Chapter

2. Before we begin… Hopefully not a lesson in sucking eggs

3. Agenda •What the press would have you believe •The reality

4. Before we begin… Who is this guy? • Information Cyber Security for > 15 years • Consultancy – 1997 – 2005 • Research – 2005 – 2011 • Symantec / BlackBerry • Research / Consultancy – 2012 • Recx / NCC Group

5. What you are led to believe •Mobile is as insecure the desktop •BYOD is insecure •Malware is rampant •Mobile security needs augmenting

6. Motivations •.… something to sell •…. exposure

8. Mobile is as insecure as the desktop •Incentivised •Defence in depth •App stores •Ubiquitous sandboxes •Security policy APIs •Vendors adopting SDLs

9. BYOD is insecure •BYOD is CHALLENGING •Extending your security perimeter •Loosening your control (potentially) •Mixed domain devices •Policies

10. Malware is rampant •Malware is present NOT rampant •Trojans (re-packaged apps) •Trojans (unique appealing apps) •App store revocation  •People using third party app stores 

11. Malware is rampant

12. Mobile security needs augmenting •Platforms have rich security stories •Samsung KNOX •BlackBerry Balance •MDM APIs / Policies .. •Some augmentation may be needed •on iOS •On device AV is not one of them

13. But it is no utopia

14. SDLs cost •Vendors don’t have •limitless funds •limitless people •limitless time •Market driven by features •not secure code •Skills in short demand •Not evenly deployed

15. Vulnerability v patching frequency •No monthly patch Tuesday •Carrier certification •desire •capacity •Vendors •desire •capacity

16. Vulnerability v patching frequency •Handset cycle 12 to 36 months •HTC 10 Android models •ZTE 18 Android models •Samsung 12 Android models •Apple 1 iPhone model •BlackBerry 3 BB10 models •Sustainment costs huge..

17. Vulnerabilities can be exploited

18. But… criminals are lazy …

19. But… there are motivated enablers..

20. Devices are complex •Peripherals •Radio •OS •Apps = a large and complex attack surface

21. Rapid change

22. Use cases are different •Physical interaction •Usage patterns

23. Mobile security – the future

24. Thanks? Questions?

25. UK Offices Manchester - Head Ofﬁce Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Ollie Whitehouse ollie.whitehouse@nccgroup.com

2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (18)

Dernier

Dernier (20)

2013 05-21 --ncc_group_-_mobile security_-_the_impending_apocalypse…_or_maybe_not