The enemy in your pocket
1. The enemy in your pocket
Securing smartphones in the enterprise
Vicente Diaz, Senior Security Analyst, GReAT
Gartner Symposium/ITxpo 2012, Barcelona
2. BYOD will come regardless of whether you have a policy or not
Human behavior has shifted; BYOD is a response to that
My CEO heard we can save money through BYOD
21. Abusing Consumerization - Mobile devices
Are they dangerous?
It depends on what you do with it!
Facebook
Twitter
Gmail
Corporate e-mail
Reading corporate documents
Writing confidential e-mails?
30. Conclusions
BYOD: Myth vs Reality
Policies are necessary, but they are not enough
Is the problem in the device or in educating users?
Who is responsible for the security of the device?
We all love chocolates!
31. Thank You
Questions?
Vicente Diaz, Senior Security Researcher, Global Research and Analysis Team
@trompi
vicente.diaz@kaspersky.com
Editor's notes
When preparing my presentation I read a lot of material to see what this BYOD thing was, and this is what I got.
Let's start by analyzing the terms and trying to find out what exactly we mean and what the problem is. To start with, you don't want me to bring my devices to the office? Or to use them on the company's network? Or to use them at all? And what devices are we talking about? Is the device alone the problem? Is it OK to use the corporate phone and then to use Facebook? I know that this is a bit vague, but so is the problem. Let's get to business.
What are we afraid will happen when we bring our own devices? Problem 1: you bring some device and everybody gets infected.
This is a very likely scenario, remember Conficker? However, what devices are involved here? Nothing new here. Is all this new fancy buzzword BYOD really so fashionable these days just because people are bringing laptops and USB sticks to work? Yes, there are some concerns: USB sticks and other devices have an OS, how to update them? Who is responsible? We have been providing solutions for these for years! Antivirus, policies, IDS, IPS, all this has been around for years!
Basically, to someone getting into our organization and stealing our secrets, our data. If we bring a worm into our organization, like Conficker, we may bring it down for a few hours: this is very bad. If we bring a backdoor and they get our secrets: we may lose our research, strategies, products, public image … we can lose everything.
Coca-Cola Co. infiltrated in 2009 by hackers seeking docs on a pending acquisition; deal falls apart three days later.
Smartphones and tablets
Sure they are! I don't want to scare you with the typical mobile stuff, just some simple examples. We are not yet at the big spread (although last year we saw some examples thanks to Google). Elaborate a bit on the topic of mobile malware, last year's cases on Google Play, etc. Devices may be the bridge for these attacks, but are unlikely to be the main door to them. Spear phishing is still the main method used. So again, why do we worry about them?
Would you carry a tracking device? Smartphones are the new gold mine for spies & attackers: tracking, conversations, camera, microphone, email, contacts, GPS, etc.
Big data-gatherers and small spies. What do you think all the 0day researchers are trying to exploit?
Tell the story of FinSpy. What do you think all the 0day researchers are trying to exploit?
What security measures do you have on your mobile? How easy it is to get hold of it while you have a coffee and install whatever, so I get control of the device.
Sysadmins now have devices in their networks that are difficult for them to control. And all the CEOs are around worrying about how people can now steal everything because they bring their smartphones.
Is that a new thing? Is that because of the mobile thing? Bradley Manning did the biggest data leak known to date with a Lady Gaga CD in his hands.
I have some really boring figures for you!
Evolution of social engineering lately – on the rise, as well as remote hacks of all kinds; no more stolen laptops.
Two points of interest where social engineering and/or installation of malware on targets may have led to compromise of the victim's network.
One year ago I was talking about the consumerization of mobile devices, how mixing personal and work life together brings trouble. Comment about information gathering and Facebook reverse lookup for mobile numbers, even for private numbers – feature deactivated today.
The problem here is not the device, but how we use new technologies and tools, how we change our lives, and how we can inadvertently put our employees in danger. And as such, attackers try all kinds of tricks to get their way to what they are looking for. Mobile is not the real problem here, just another tool they can use.
Mr. Barksdale shows how people are people; leaks exist. The same at an enterprise level: do we know who else Google provides access to our data to?
Information divided into levels, with access granted only depending on a risk score, which depends on who, where and how.