1
Mobile Device Security
Shayne Champion, CISSP, CISA, GSEC, ABCP Program Manager, TVA GO Cyber Security
“There is no question that mobile security will eventually equal – if not surpass – PC security as a threat to IT departments.”
Denise Culver, Heavy Reading Mobile Networks Insider
2
Agenda
Define Mobile Device Security
o Similarities
o Differences
Things you Should be Doing
3
Mobile Device vs. Computers: SIMILARITIES
4
Electronic device
Accept data
Perform prescribed mathematical and logical operations
High speed
Display the results
5
NEWS FLASH:
Mobile Devices
ARE Computers!!!
Sources:
http://nordhaus.econ.yale.edu/prog_030402_all.pdf
http://www.anandtech.com/show/4215/apple-ipad-2-benchmarked-dualcore-cortex-a9-powervr-sgx-543mp2/2
http://www.slashgear.com/ipad-2-benchmarks-blast-competition-show-less-than-1ghz-processor-speed-13139678/
…and we can do something about that, can’t we?
6
Same Kind of Different…
Same kind of security controls you *should* use anyway:
o Encryption
o Network Access Control (NAC)
o Data Loss Protection (DLP)
o Anti-Virus (AV) / Malware
o Inventory Management
o Controlled Admin Privileges
o Port & Service Management
7
Similarity: Order of Magnitude
Risk from an Open Systems Interconnection (OSI) perspective:
Most risk shifting to applications
Lower-level layers becoming relatively more ‘tame’
Source: http://www.sans.org/top-cyber-security-risks/trends.php
Network
OS Transport
OS Libraries
Applications
8
Application Vulnerabilities
Native to many mobile OS (smart phone & tablet)
Mobile Device Management (MDM)
Default Permissions may be invasive
o e.g., Apple log file stores all visited geo-locations
Open Web Application Security Consortium (OWASP)
https://www.owasp.org/index.php/Mobile
Source: http://en.wikipedia.org/wiki/Mobile_device_management
“Application security is the next big trend in penetration testing… which means it’s already the big trend for hackers.”
Joe McCray, Strategic Security LLC
9
Define: Metadata
Metadata : Data that defines or describes another piece of data.
Some examples of metadata include:
o File creation date and time
o The address or geographic location where the file was created
o Your name, organization’s name, and computer’s name / Internet Protocol (IP) address
o The names of any contributors to the document or their comments
o Type of camera & its settings when the photo was taken
o Make, model, and service provider of your smart phone
Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
10
Metadata Solutions
Metadata Tools:
Document Inspector : http://preview.tinyurl.com/3996c2a
EXIF Metadata Explanation: http://preview.tinyurl.com/775mbxc
Free Metadata Extraction Tool: http://meta-extractor.sourceforge.net or http://preview.tinyurl.com/aueb4
Disabling Geo-location for Smartphone Cameras: http://preview.tinyurl.com/3v4xznm
Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
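The geo-location metadata the two slides above describe lives in the Exif APP1 segment of a JPEG, where a GPSInfo pointer in IFD0 (tag 0x8825) tells you a GPS sub-IFD is present. The following is an added example, not part of the original deck or any tool it links to: it parses the JPEG segment structure with the standard library only, reports whether a photo carries a GPS block, and rebuilds the file with the Exif segment removed. The sample file is constructed inline (a minimal TIFF header with one GPSInfo entry), not a real camera image.

```python
import struct

SOI, SOS, EOI = b"\xff\xd8", 0xDA, b"\xff\xd9"
APP1, EXIF_ID = 0xE1, b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # IFD0 tag whose presence means the photo carries a GPS sub-IFD

def split_jpeg(jpeg):
    """Split a JPEG into (list of (marker, payload) header segments, tail from SOS onward)."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos, segments = 2, []
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != SOS:
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length counts its own 2 bytes
        segments.append((jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]

def exif_tags(jpeg):
    """Return the set of IFD0 tag IDs in the first Exif APP1 segment (empty set if none)."""
    for marker, payload in split_jpeg(jpeg)[0]:
        if marker == APP1 and payload.startswith(EXIF_ID):
            tiff = payload[len(EXIF_ID):]
            e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order: "II" little, "MM" big
            ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
            count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
            return {struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
                    for i in range(count)}  # each directory entry is 12 bytes, tag first
    return set()

def has_geolocation(jpeg):
    return GPS_IFD_POINTER in exif_tags(jpeg)

def strip_exif(jpeg):
    """Rebuild the JPEG without any Exif APP1 segment; the image (scan) data is untouched."""
    segments, tail = split_jpeg(jpeg)
    out = bytearray(SOI)
    for marker, payload in segments:
        if marker == APP1 and payload.startswith(EXIF_ID):
            continue
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + tail)

# Constructed sample (not a real camera file): little-endian TIFF header, IFD0 holding one
# GPSInfo pointer entry (tag, type LONG=4, count 1, offset 26), then an empty GPS IFD.
_TIFF = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1)
         + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0) + struct.pack("<H", 0))
_APP1 = EXIF_ID + _TIFF
SAMPLE_JPEG = (SOI + b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\x00"      # APP0 (kept)
               + b"\xff\xe1" + struct.pack(">H", len(_APP1) + 2) + _APP1    # APP1 Exif (stripped)
               + b"\xff" + bytes([SOS]) + b"\x00\x02\x12\x34" + EOI)        # SOS + fake scan data
```

Run `has_geolocation(strip_exif(photo_bytes))` on a real file before it leaves the organisation; the same check doubles as a DLP test for outbound images.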
11
Mobile Device vs. Computers: DIFFERENCES
12
Risk Remediation
Mobile Device risks are the same as many of the risks we already face everyday. For example…
Source: http://www.youtube.com/watch?v=I4_qg22Onak&feature=related
13
Difference 1 : Platform(s) Support
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
14
Difference 2 : Bring Your Own Device (BYOD)
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
http://www.networkworld.com/news/2012/041712-byod-258264.html?page=3
How do you handle user-owned devices?
o Applications
o Data Ownership
o Encryption
NetworkWorld BYOD Survey:
o 65.3% necessary tools not in place
o 46.2% increased end user productivity
o 5.7% said it led to a breach, while 66.7% said no
o 47.2% increased end users' ability to work from home
SANS Survey:
15
Difference 3 : Short Messaging Service (SMS)
SMS: Also known as text messages
Common Vulnerabilities:
1) SMS of Death
2) Midnight Raid Business Card Attack
3) SMS Tokens
4) Smishing Attacks
Source: http://www.infosecisland.com/blogview/12656-The-SMS-of-Death-Mobile-Phone-Attack-Explained.html
http://www.csoonline.com/article/491200/3-simple-steps-to-hack-a-smartphone-includes-video-
16
Difference 4 : Hardware / Carrier
Each platform – even within the same Operating System (OS) – has unique characteristics, default settings, and/or vulnerabilities:
o Personal Identification Number (PIN) settings
o Service Carrier – like default passwords on routers or admin accounts
o iPhone / iPad batteries
Scope: Android Fragmentation
o 281+ different products
o 850,000 daily activations
o 300,000,000+ total devices
Sources: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
http://en.wikipedia.org/wiki/Comparison_of_Android_devices
17
Difference 5 : New Vectors
Wireless File Management – A cell phone based application that sets up a web server on a Dynamic Host Configuration Protocol (DHCP) connection. The web-based file sharing allows the circumvention of many DLP controls.
Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012
http://searchnetworking.techtarget.com/answer/Be-aware-of-Wi-Fi-security-to-deal-with-Firesheep-at-public-hotspots
18
Hardware / Carrier: PIN Codes
Ten numbers represent 15% of all cell phone pass codes:
1) 1234
2) 0000
3) 2580
4) 1111
5) 5555
6) 5683 (spells 'LOVE')
7) 0852
8) 2222
9) 1212
10) 1998
Other popular choices include Year of birth & Year of graduation (social triangulation!).
Sources: Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/. Retrieved 8 July 2011.
http://www.phonearena.com/news/Do-you-use-one-of-the-most-common-lock-PINs_id19533
Mike Jones, Symantec
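A passcode policy only helps if the MDM or enrollment check actually rejects the codes on the slide above, plus the year-shaped ones it warns about. This added example (not from the deck or any product it cites) encodes that slide as a small policy check: the top-ten blocklist, repeated or sequential digits, repeated pairs, and anything that reads as a plausible birth or graduation year. The 1920 lower bound and the 2012 default year are assumptions chosen to match the deck's date.

```python
import re

# The ten most common four-digit lock codes listed on the slide (15% of all pass codes)
COMMON_PINS = {"1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"}

def pin_weaknesses(pin, current_year=2012):
    """Return the reasons a four-digit lock PIN fails a simple policy; [] means it passes.
    current_year (assumed 2012 here) bounds the birth/graduation-year check."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["must be exactly four digits"]
    reasons = []
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}  # differences between neighbours
    if pin in COMMON_PINS:
        reasons.append("in top-ten list")
    if len(set(digits)) == 1:
        reasons.append("single repeated digit")
    elif len(steps) == 1:                                # constant step: 1234, 9876, 2468 ...
        reasons.append("digit sequence")
    if digits[:2] == digits[2:] and len(set(digits)) > 1:
        reasons.append("repeated pair")                  # 1212, 0707 ...
    if 1920 <= int(pin) <= current_year:                 # assumed plausible year range
        reasons.append("looks like a year")
    return reasons

def is_acceptable_pin(pin, current_year=2012):
    """True when the PIN triggers none of the weaknesses above."""
    return not pin_weaknesses(pin, current_year)
```

Where the platform allows it, the stronger control is to require a longer alphanumeric passcode; this check is the floor for devices limited to four digits.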
19
Things You Should Be Doing
“For many professionals, the mobile phone has become a mobile office.”
Mike Jones, Symantec
20
Control Starts at the Policy
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
21
Mobile Policy Best Practices
Think from a threat controls perspective:
o Consider capabilities of mobile devices and apps in your environment
o Identify threat vectors & mitigate
o Identify non-technically enforceable controls and address with administrative policies & awareness
Assess how mobile devices are already managed
Use existing policies as a guideline
Consider how to test successful control implementation
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
22
Mobile Risk Management Tools
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
23
Protecting the Mobile Executive
Considerations for your Mobile Policy / Best Practices:
USER EDUCATION
Physical Security
Leave it at Home
– Clean Loaner Devices
– Prepaid Cellular devices
– Blank SIM cards
– * + Google Voice
Source: http://threatpost.com/en_us/slideshow/How%20to%20Avoid%20Getting%20Hacked%20While%20Traveling?page=0
Fear Public Wireless
– Use Conference WAPs
– Corporate VPNs
2G = No E!
Don’t Blab
24
It’s About the Basics
Verizon Business 2011 Data Breach Investigations Report (DBIR)
Analysis of 2011 attacks determined that:
83% were targets of opportunity
92% were not highly difficult
95% were avoidable through simple or intermediate controls
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
25
THREAT CONTROLS: 2012 SANS Mobile Device Security Summit
1) Jailbreaking & Rooting is BAD for mobile device security
2) The OWASP Mobile Top 10 is going to be just as important
3) Mobile Threats are an evolving, moving target; security teams have to be quick to adapt to new mobile technology
4) MDM solutions are a requirement for any deployment
5) Apple iOS devices are preferred over Android in the enterprise
Source: http://www.infosecisland.com/blogview/20752-Top-5-Things-Learned-at-the-SANS-Mobile-Device-Security-Conference
26
THREAT CONTROLS: 2012 Top 5 Mobile Security Threats
1) Geolocation exploits
2) Excessive Permissions
3) Mobile Application Vulnerabilities
4) Unsecure Wi-Fi
5) Lost and Stolen Devices
Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012
27
Summary
Mobile Devices vs. Computers
o Similarities (yes Virginia, they are computers)
o Differences: Multiple Platforms, BYOD, SMS, Hardware / Carrier Issues (PINs, etc.), Vectors: Wireless File Transfers
Things you Should be Doing
o Policies
o User Education
o Protect the Execs
o SANS Top 20 <-> Top 5 Mobile
28
Questions