Post on 08-Jun-2015
Security around BYOD & Consumerization: Act now to have comfort!
Heliview Consumerization of IT
December 11 2012
Feijenoord Stadion
Marc Smeets
1 © 2012 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and
‘cutting through complexity’ are registered trademarks of KPMG International.
Who am I
Marc Smeets:
■ Loves IT security
■ Loves fast cars
■ Loves champagne
IT security advisor / ethical hacker @ KPMG IT Advisory
■ Team of over 40 IT security advisors, 25 penetration testers
■ Combining strong technical skills with IT auditing skills
■ Hacking and testing mobile since 2009
What are the challenges with current security of mobile devices?
What to do now in order to have comfort?
The challenges
Mobile security
New platforms and new terms
Bring Your Own Device
Select Your Own Device
Apps & AppStore
Cloud integration & online ID
New vendors on the market
Mobile Device Management
Question: Are we more secure than before?
Mobile Security
Are we becoming more secure?
Yes, new mobile platforms are more secure in several aspects
■ Disk encryption built-in
■ New core security features
■ Tied-down platforms with an eco-system
No, new platforms still fail at basic security
■ Size and complexity of the eco-system
■ Basic security checks ineffective
■ Remote wipe
■ Easy installation of Apps
■ Security update cycle
■ Apps Apps Apps | Insecure Insecure Insecure
Challenge: remote wipe
Challenge: encryption
iOS Disk encryption:
■ Technically it is hard disk encryption
■ But, it decrypts itself without user input
■ Main reason: fast wiping via crypto-shredding
Android Disk encryption:
■ Better implementation
■ But depending on version
Challenge: the mobile eco-system
[Diagram: the mobile eco-system, basic view. Labels: Internet; Corporate Exchange services; Devices; WiFi / UMTS / GPRS; Mobile Device Management]
Challenge: the mobile eco-system
[Diagram: the mobile eco-system, extended view. Labels: Internet; Corporate Exchange services; Mobile Device Management; Internet services; Devices; WiFi / UMTS / GPRS; WiFi / USB; USB; Web; Cloud services; Bluetooth; Local services; Corporate / private network; Peripherals; Legacy ActiveSync connection]
Challenge: basic management of security checks
Two major security issues with Exchange ActiveSync
■ 1. Security checks are device-local security checks
■ 2. It relies on communication over HTTP(S)
Challenge: Apps Apps Apps | Insecure Insecure Insecure
Change in usage
■ Email & Contacts → External Apps → Line-of-Business Apps
Not all App developers are at the desired maturity level
Main issues we encounter when security testing Mobile Apps:
■ Insecure local storage of data
■ Data in transit not secured
■ Insecure server side controls
■ Weak identification and authentication
What to do?
Quick and easy fixes for mobile:
■ Implement MDM with proper policy
■ Educate and train your users
■ Have your Apps tested for security issues
■ Be aware of residual risks
But, more important: be ready for cybercrime
■ “Online banking two-factor authentication compromised by a hybrid trojan (PC + mobile), 36M EUR stolen: ”
■ “3,325% increase in malware targeting the Android OS”
NCSC – Beveiligingsrichtlijnen voor mobiele apparaten (Security guidelines for mobile devices):
■ “Vulnerabilities through which malware can be installed”
■ “An attacker steals money from the user by means of malware that in the background makes use of premium-rate SMS services or phone numbers.”
Cybercrime
What is cybercrime?
Cybercrime concerns performing illegal activities towards an organization, using digital means.
The term cybercrime covers a proliferation of purposes and methods of attack.
Purpose of attack: fun, financial gain, activism, espionage, terrorism, digital warfare.
Method of attack: hacking, phishing, identity theft, denial of service, advanced persistent threat.
Breaking the chain
Shifting viewpoint in InfoSec
Traditional InfoSec: value of info to the organization (confidentiality, integrity, availability); focus on crown jewels.
New InfoSec: value of info to the attacker; security awareness and understanding of risks is crucial.
Attackers understand the risks of technology, so should you. Think like a hacker!
Examples of cybercrime attack
Examples of a cybercrime attack
Non-default attacks
Cybercrime defence
What should you do in the short term?
Short-term actions (Prevent, Detect, Respond):
■ Prevention: perform a risk analysis from the perspective of the attacker
■ Detection: identify and monitor critical assets
■ Response: implement a standby incident response organisation
It is not about technology alone
People + Process + Technology!
Cybercrime defence
What should you do in the long term?
CYBERCRIME DEFENSE FRAMEWORK (each row lists measures in the order Prevent, Detect, Respond)
People / Organisation: security awareness training; appoint cybercrime defence as a responsibility; security operations centre 24/7; crisis organisation; communications
Processes: compliance monitoring; vulnerability monitoring; security testing; patch management; incident preparedness training; procedures for follow-up on security events; cybercrime response plan; high-value asset isolation procedures
Technology: segmentation; endpoint and perimeter protection; logging and alarming; incident dashboards; forensic analysis
Cybercrime defence
Main message
■ ‘Everything mobile’ changes your security posture.
■ The cybercrime threat is real and here to stay.
■ Take a look at your company from an attacker’s perspective.
■ Prevention is insufficient. Invest in detection and response.
■ 100% security is not possible. And undesirable!
Marc Smeets
smeets.marc@kpmg.nl
+31 6 51 36 66 80
@MRAMSMEETS