Peter Wood invited me to present mobile to White Hats in December 2011.

1. SECURING MOBILE
POPULATION
Vladimir Jirasek
About.me/jirasek
2nd Dec 2011

2. About me
• Security professional (11 years), current work at WorldPay
as Head of Security Solutions
• Director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cusler) and business
management (Jo Owen)
• Apple fan

3. I will cover three topics today
• Consumerisation opportunities and challenges
• Threats related to mobile devices
• Smart devices security architecture
• How to fit mobile devices to company security architecture

4. Consumerisation Hmm, might
be tricky but
I want to use here is what
one device for we can do….
both personal
and work stuff
Say yes and give clear
policies!
Access to data and systems
based on risk
Agree forensic policy and
investigations rules for
personal devices.

5. How to manage access – not binary
Access decisions based on accuracy of following:
• Identity – Google apps ID vs. Active directory ID, one
factor auth vs. two factor auth
• Role – FTE, contractor, cleaner, executive
• Device – trusted, non-trusted
• Location – inside fw or outside, US vs. China, IPv6 vs
IPv4, changes in locations in time
• Time – inside working hours or outside,
• Data/Application – business impact, approved apps vs
consumer apps.

6. Classifications of systems
M anaged U nmanaged
Domain joined or mobile Non-domain joined
managed
T r usted syst ems I solated syst ems
· Domain joi ned devices · Non domain joined but
· M anaged mobile devices passed t he compliance
Compliant (TPM , Bit locker ,
· Confi gur at ion assessed and checks
confi g and pat ch)
compliant St r at egy: Offer managed pat h t o
St r at egy: K eep incr ease number of apps and dat a
access
Vulner able syst ems Rogue systems
· Domain joi ned devices · Unknown devices
· M anaged mobile devices · Not compliant or
N on-Compliant
· Non-compliant st at us cannot assess
St r at egy: M igr at e t o compliant compliance
St r at egy: Block

7. Evolution of connected world
Source: McAfee
100B
10B
Number of Devices
1B
Mobile, Cloud…
100M Connected
PC
10M PC
Minicomputer
1M
Mainframe
1960 1970 1980 1990 2000 2010

8. Revolution in mobile device capabilities
Source: McAfee
• Microsoft Windows Vista
• Blackberry & Palm
• iOS App Store
• iOS ActiveSync email
Apple iPhone launches • Gartner approves iPhone
• Gartner says never for the enterprise
ready for enterprise • Android G1
Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1
2007 2008 2009

9. And its acceleration
• iPad2 RIM
• Microsoft Windows 7 Playbook
• Android Honeycomb
with Encryption
• iOS 3GS w/ encryption
iPad • iCloud
launches • iPhone 4s
Android
tablets
• Windows Phone 7
• webOS
• Next gen Blackberry
Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1
2009 2010 2011 2012

10. Mobile devices threats
• Web-based and network-based attacks
• Malware
• Social engineering attacks
• Resource and service availability abuse.
• Malicious and unintentional data loss.
• Attacks on the integrity of the device’s data.

11. Mobile platforms – security architecture
• Traditional Access Control: Traditional access
control seeks to protect devices using techniques
such as pass- words and idle-time screen locking.
• Application Provenance: Provenance is an
approach where each application is stamped with
the identity of its author and then made tamper
resistant (using a digital signature).
• Encryption: Encryption seeks to conceal data at
rest on the device to address device loss or theft.
• Isolation: Isolation techniques attempt to limit an
application’s ability to access the sensitive data or
systems on a device.
• Permissions-based access control: Permission-
based access control grants a set of permissions to
each application and then limits each application to Source: Symantec
accessing device data/systems that are within the
scope of those permissions, blocking the
applications if they attempt to perform actions that
exceed these permissions.

12. iOS
• The iOS is based on Mac OS X
• The number of vulnerabilities and attacks on iOS is very
small and usually occurs in 3rd party applications installed
on iOS
• The OS offers very good security, data
protection, encryption, access control
• Lack of anonymity in application developer community. It
is far more risky to develop malware for iOS.
• Certified for Microsoft ActiveSync program

13. Android
Android is based on Linux and uses the best security
features Linux can offer, such as robust access control and
application isolation. However, the main security problem
with Android is that:
• It is very easy to jailbreak
• Users can install any application from any Marketplace
• Confusing application access permission confirmations
• Many devices do not implement strong device encryption
• Google does not control final deployment – vendors and
operators may add “features”

14. Updating of old devices is an an issue for
Android…
By Michael DeGusta
TheUnderstatement.com

15. Windows Phone (Mango release)
• Robust security model
• Mandatory access control – 4 privilege chambers– similar
to Windows 7 (trusted, elevated, standard, least
privileged)
• Application isolation
• Application code-signing
• Data isolation
• Controlled developer environment
• Lack of enterprise VPN features
• Immature certificate and key support
• Capability notifications and enforcement

16. Correct approach to mobile security
• Secure Device, Applications and Data
• Use risk based approach for access control decisions
• Less emphasis on whether device is procured by company or
user
• Extend DLP to mobile
• Extend security event and forensic services
• Monitor installed apps, jail-breaking and configuration
compliance
Source: McAfee

17. References
• “A Window Into Mobile Device Security”, Carey Nachenberg, Symantec, 2011
• McAfee EMM Site
• Mobile Security: Looking Back, Looking Forward, David Goldschlag, McAfee, 2011
• Microsoft ActiveSync certification program, http://technet.microsoft.com/en-us/exchange/gg187968.aspx
• Microsoft Consumerization Site, http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx
• “CISO Perspective: Consumerization of IT” @ RSA Europe 2011, Bret Arsenault, CISO Microsoft,
• “Magic Quadrant for Mobile Device Management Software”, Document ID G00211101, Gartner, 2011
• “Your Apps Are Watching You,” The Wall Street Journal, December 17, 2010
• Windows Phone 7.5 (Mango) Security model explained, http://j4ni.com/blog/?p=59, Jani Nevalainen
• Windows Phone Platform
Security, http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security, Nokia
• Windows Phone Security page, http://msdn.microsoft.com/en-us/library/ff402533(v=vs.92).aspx, Microsoft
• VMware Mobile virtual platform, http://www.vmware.com/products/mobile/overview.html
• Revolution or Evolution: Information Security
2020, http://www.pwc.co.uk/eng/publications/revolution_or_evolution_information_security_2020.html, PWC, 2010
• Consumerisation and Corporate IT
Security, http://www.schneier.com/blog/archives/2010/09/consumerization.html, Bruce Schneier, September 2010
• Android Orphans: Visualizing a Sad History of Support, http://theunderstatement.com/post/11982112928/android-
orphans-visualizing-a-sad-history-of-support, Michael Degusta, October 2011