Ascure (c) - www.ascure.com                                                                March 2011




                                Mobile Security
                                From a strategic, tactical and operational
                                point of view

                                Bart De Win
                                March 28, 2011




                         About Ascure & the speaker

                         • Ascure
                           – Ascure is a leading, independent provider of information
                             security services
                           – We combine in-depth knowledge with the necessary
                             experience to meet your organization’s information security
                             challenges and needs.
                           – Multi-disciplinary teams to provide the right strategic,
                             architectural and operational services & technologies
                           – Ascure Academy
                         • Myself
                           – Principal Risk Management Consultant
                           – Leading the competence center on Secure Applications
                           – Ph.D. in CS (topic: application security)
                           – Author of >60 scientific publications




Mobile Security - Mobile in Business                                                               1




                         Mobile Platforms




                         • Your enterprise will be faced with integrating mobile platforms

                         • People will be using their favorite platform in your environment




                         Mobile malware












                             Agenda
                             • Enterprise strategy

                             • Secure platform

                             • Secure application








                        Enterprise Strategy








                         Philosophy

                         • There is no such thing as the best platform

                         • Strategic considerations:
                           – Controlled vs. open platform
                           – Within or beyond enterprise boundaries
                           – Is it considered a trusted part of your network?
                           – Does it make sense to separate business/private or
                             high/low risk







                         Data Protection

                         • Enterprise data will be stored on smartphones
                           – Mail, Office documents, Customer data, ...

                         • Strategic considerations
                           – Which data (public vs. confidential)
                           – Enterprise policy
                           – Full device encryption (including SD!)
                           – Remote wipe & localization











                         Application Management

                         • A Smartphone without applications
                                     is like ...




                         • Do you support trusted vs. arbitrary apps
                           – Who defines and assesses trust?

                         • Think of the difference between the iPhone AppStore
                           and the Android Market





                         Incident Management & Disaster Recovery?












                       Secure Platform Considerations




                         Physical device security

                         • Small & agile devices -> high risk of loss

                         • Real solutions are scarce
                           – Do they really provide benefits?

                         • Consider remote disabling & tracking software












                         System hardening

                         • User authentication

                         • Update & Patch management
                           – Core libraries vs. applications

                         • Virus scanners

                         • Running services

                         • And then there is jailbreaking ...




                         Privilege management

                         • Enforce whether users can:
                           – Install/update software
                           – Use communication technology
                             • WLAN
                             • Bluetooth
                           – Synchronize with arbitrary devices
                           – ...

                         • And then there is jailbreaking ...










                        Secure Application Considerations







                             It’s life Jim, but not (exactly) as we know it …

                             • Many commonalities with regular (web)applications
                               – Computing paradigm
                               – Fully functional platforms
                               – Never trust the client
                               – Insecure programming models

                             • But, also important differences
                               – Different security models
                               – Restricted security mechanisms
                               – Multiple communication mechanisms








                         Common security models

                         • All-or-nothing vs. more fine-grained models
                           – Typically based on code signing
                         • Sometimes apps can access each other ...








                         Rights Management

                         • Typically based on application signatures

                         • Application Rights Management can be complex

                         • Android vs. iPhone approach
                           – Android has 117 different permissions
                         <manifest xmlns:android="http://schemas.android.com/apk/res/android"
                            package="com.android.app.myapp" >
                            <uses-permission android:name="android.permission.RECEIVE_SMS" />
                            ...
                         </manifest>
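As an added example (not from the slides and not Ascure's code), the following Python script performs the kind of static least-privilege check the manifest snippet above invites: it parses an AndroidManifest.xml, lists every requested permission, flags those outside an allowlist the reviewer derives from the app's stated purpose, flags permissions from a sensitivity classification, and lists exported components that no permission guards (the "apps can access each other" case from the previous slide). The sample manifest, the allowlist and the SENSITIVE_PERMISSIONS set are constructed for this example; the permission names themselves are real Android permissions.

```python
"""Static least-privilege audit of an AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Assumed classification for this example: permissions that expose personal
# data or hardware sensors and therefore deserve a justification in review.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample manifest (not from a real app): an expense-tracking app
# that requests more than its stated purpose needs and exports a receiver
# without guarding it with a permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.expenses">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.expenses.SYNC" />
    <receiver android:name=".SmsReceiver" android:exported="true" />
  </application>
</manifest>"""


def android_attr(name):
    """Return the namespaced key ElementTree uses for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def declared_permissions(root):
    """All permissions requested via <uses-permission>, in manifest order."""
    return [el.get(android_attr("name")) for el in root.iter("uses-permission")]


def is_launcher(component):
    """True if the component carries a MAIN action (launcher entry point, must be exported)."""
    for action in component.iter("action"):
        if action.get(android_attr("name")) == "android.intent.action.MAIN":
            return True
    return False


def unprotected_exported_components(root):
    """Exported activities/services/receivers/providers with no android:permission guard."""
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(android_attr("exported")) == "true"
        guarded = comp.get(android_attr("permission")) is not None
        if exported and not guarded and not is_launcher(comp):
            findings.append(comp.get(android_attr("name")))
    return findings


def audit_manifest(xml_text, allowed):
    """Compare requested permissions against an allowlist and report exposure findings."""
    root = ET.fromstring(xml_text)
    declared = declared_permissions(root)
    return {
        "package": root.get("package"),
        "declared": declared,
        "unexpected": sorted(set(declared) - set(allowed)),
        "sensitive": sorted(set(declared) & SENSITIVE_PERMISSIONS),
        "unprotected_exported": unprotected_exported_components(root),
    }


if __name__ == "__main__":
    # Allowlist derived from the app's purpose: network sync plus receipt photos.
    allowed = {"android.permission.INTERNET", "android.permission.CAMERA"}
    report = audit_manifest(SAMPLE_MANIFEST, allowed)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

The allowlist is the review artefact that matters: every permission outside it needs a documented reason or should be removed, and every sensitive permission inside it needs the same justification. The exported-component check only lists candidates; the reviewer still decides whether an exported receiver is intended to be reachable by other apps.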









                         Top 10 mobile risks (OWASP)

                         •   Insecure or unnecessary client-side data storage
                         •   Lack of data protection in transit
                         •   Personal data leakage
                         •   Failure to protect resources with strong authentication
                         •   Failure to implement least privilege authorization policy
                         •   Client-side injection
                         •   Client-side DOS
                         •   Malicious third-party code
                         •   Client-side buffer overflow
                         •   Failure to apply server-side controls







                         Top 10 Security Controls (OWASP)

                         •   Protect data at rest
                         •   Protect data in transport
                         •   Multi-factor authentication
                         •   Session management
                         •   Least privilege access control
                         •   Untrusted data validation
                         •   Output encoding
                         •   Enterprise device management
                         •   Keep business logic on the server
                         •   Platform security











                         Application Testing

                         • Importance of static & dynamic testing
                           – Source code review, disassembly, reverse
                             engineering, patch analysis
                           – Debugging, network traffic analysis, remote service
                             attacking
                           => Tools are available for key platforms

                         • Emulators come in handy to “play” with
                           security/platform assumptions
                         • Communication facilities





                         Conclusion

                         • Mobile security is not a new type of game, although it
                           has its specificities

                         • You’re working with a fully functional platform!

                         • Enterprise roll-out requires careful considerations

                         • Application security is a must and a challenge






