
Mobile Device Security -...

Date post: 08-Jul-2020
1 Mobile Device Security Shayne Champion, CISSP, CISA, GSEC, ABCP Program Manager, TVA GO Cyber Security “There is no question that mobile security will eventually equal – if not surpass – PC security as a threat to IT departments.” Denise Culver, Heavy Reading Mobile Networks Insider
Transcript
Page 1: Mobile Device Security - chattanooga.issa.orgchattanooga.issa.org/.../uploads/2015/04/Mobile_Device_Security-CE… · Mobile Device Security. Shayne Champion, CISSP, CISA, GSEC, ABCP


Mobile Device Security

Shayne Champion, CISSP, CISA, GSEC, ABCP Program Manager, TVA GO Cyber Security

“There is no question that mobile security will eventually equal – if not surpass – PC security as a threat to IT departments.”
Denise Culver, Heavy Reading Mobile Networks Insider

Page 2

Agenda

Define Mobile Device Security

o Similarities

o Differences

Things you Should be Doing

Page 3

Mobile Device vs. Computers: SIMILARITIES

Page 4

Electronic device

Accept data

Perform prescribed mathematical and logical operations

High speed

Display the results

Page 5

NEWS FLASH:

Mobile Devices

ARE Computers!!!

Sources:
http://nordhaus.econ.yale.edu/prog_030402_all.pdf
http://www.anandtech.com/show/4215/apple-ipad-2-benchmarked-dualcore-cortex-a9-powervr-sgx-543mp2/2
http://www.slashgear.com/ipad-2-benchmarks-blast-competition-show-less-than-1ghz-processor-speed-13139678/

…and we can do something about that, can’t we?

Page 6

Same Kind of Different…

Same kind of security controls you *should* use anyway:

Encryption

Network Access Control (NAC)

Data Loss Protection (DLP)

Anti-Virus (AV) / Malware

Inventory Management

Controlled Admin Privileges

Port & Service Management

Page 7

Similarity: Order of Magnitude

Risk from an Open Systems Interconnection (OSI) perspective:

Most risk shifting to applications

Lower-level layers becoming relatively more ‘tame’

Source: http://www.sans.org/top-cyber-security-risks/trends.php

Network

OS Transport

OS Libraries

Applications

Page 8

Application Vulnerabilities

Native to many mobile OS (smart phone & tablet)

Mobile Device Management (MDM)

Default Permissions may be invasive

e.g., Apple log file stores all visited geo-locations

Open Web Application Security Consortium (OWASP): https://www.owasp.org/index.php/Mobile

Source: http://en.wikipedia.org/wiki/Mobile_device_management

“Application security is the next big trend in penetration testing… which means it’s already the big trend for hackers.”
Joe McCray, Strategic Security LLC

Page 9

Define: Metadata

Metadata : Data that defines or describes another piece of data.

Some examples of metadata include:

o File creation date and time

o The address or geographic location where the file was created

o Your name, organization’s name, and computer’s name / Internet Protocol (IP) address

o The names of any contributors to the document or their comments

o Type of camera & its settings when the photo was taken

o Make, model, and service provider of your smart phone

Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf

Presentation Notes

Metadata may reveal more about you, your organization, or your devices than you realize. Many devices, such as your computer, camera, or smart phone, automatically embed metadata in any digital files they create.

Page 10

Metadata Solutions

Metadata Tools:

Document Inspector : http://preview.tinyurl.com/3996c2a

EXIF Metadata Explanation: http://preview.tinyurl.com/775mbxc

Free Metadata Extraction Tool: http://meta-extractor.sourceforge.net or http://preview.tinyurl.com/aueb4

Disabling Geo-location for Smartphone Cameras: http://preview.tinyurl.com/3v4xznm

Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf

Page 11

Mobile Device vs. Computers: DIFFERENCES

Page 12

Risk Remediation

Mobile Device risks are the same as many of the risks we already face every day. For example…

Source: http://www.youtube.com/watch?v=I4_qg22Onak&feature=related

Page 13

Difference 1 : Platform(s) Support

Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012

Presentation Notes

SANS Survey

Page 14

Difference 2 : Bring Your Own Device (BYOD)

Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012 http://www.networkworld.com/news/2012/041712-byod-258264.html?page=3

How do you handle user-owned devices?

Applications

Data Ownership

Encryption

NetworkWorld BYOD Survey:

65.3% necessary tools not in place

46.2% increased end user productivity

5.7% said it led to a breach, while 66.7% said no

47.2% increased end users' ability to work from home

SANS Survey:

Page 15

Difference 3 : Short Messaging Service (SMS)

SMS: Also known as text messages

Common Vulnerabilities:

1) SMS of Death

2) Midnight Raid Business Card Attack

3) SMS Tokens

4) Smishing Attacks

Source:
http://www.infosecisland.com/blogview/12656-The-SMS-of-Death-Mobile-Phone-Attack-Explained.html
http://www.csoonline.com/article/491200/3-simple-steps-to-hack-a-smartphone-includes-video-

Presentation Notes

SMS of Death attacks: Use special binary characters and overflowed headers to temporarily crash most older models made by manufacturers including Nokia, Samsung, Sony Ericsson, LG, Motorola, and Micromax.

Midnight Raid: Often pulled off during the night when the phone's user is asleep and the device is still turned on as it is charged, or simply left on the nightstand. A simple SMS invokes Internet Explorer on the attacked device and runs an application on the attacked phone that can retrieve data after loading an exe from the Internet. The SMS reports back to the attacker's phone with the attacked phone's INSI number (the phone's unique ID), a contact list, or other file. It is also possible in this scenario to push viruses to the device or even initiate a denial of service attack.

Smishing Attack: SMS-based phishing attack.

Page 16

Difference 4 : Hardware / Carrier

Each platform – even within the same Operating System (OS) – has unique characteristics, default settings, and/or vulnerabilities:

Personal Identification Number (PIN) settings

– Service Carrier

– Like default passwords on routers or admin accounts

iPhone / iPad batteries

Scope: Android Fragmentation

281+ different products

850,000 daily activations

300,000,000+ total devices

Sources:
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
http://en.wikipedia.org/wiki/Comparison_of_Android_devices

Page 17

Difference 5 : New Vectors

Wireless File Management – A cell phone based application that sets up a web server on a Dynamic Host Configuration Protocol (DHCP) connection. The web-based file sharing allows the circumvention of many DLP controls.

Source:
http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012
http://searchnetworking.techtarget.com/answer/Be-aware-of-Wi-Fi-security-to-deal-with-Firesheep-at-public-hotspots

Page 18

Hardware / Carrier: PIN Codes

Ten numbers represent 15% of all cell phone pass codes:

1) 1234

2) 0000

3) 2580

4) 1111

5) 5555

6) 5683 (spells 'LOVE')

7) 0852

8) 2222

9) 1212

10) 1998

Sources: Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/. Retrieved 8 July 2011.

http://www.phonearena.com/news/Do-you-use-one-of-the-most-common-lock-PINs_id19533

Other popular choices include Year of birth & Year of graduation (social triangulation!).
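
One way a PIN-setting policy could act on this list, added here as an example that is not part of the original slides. The ten PINs come from the slide; the structural rules (repeated digit, repeated pair, constant-step sequence) and the 1900-to-current-year range are assumptions that extend it.

```python
from datetime import date

# The ten PINs listed on the slide above.
COMMON_PINS = {"1234", "0000", "2580", "1111", "5555",
               "5683", "0852", "2222", "1212", "1998"}

def pin_weakness(pin, this_year=None):
    """Return the reason a 4-digit PIN should be refused, or None if it passes."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return "not four digits"
    if pin in COMMON_PINS:
        return "on the common-PIN list"
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return "single repeated digit"
    if pin[:2] == pin[2:]:
        return "repeated pair"
    # 4321 or 2468: every digit differs from the previous one by the same step.
    if len({b - a for a, b in zip(digits, digits[1:])}) == 1:
        return "constant-step sequence"
    # Assumed range for birth and graduation years: 1900 up to the current year.
    if 1900 <= int(pin) <= (this_year or date.today().year):
        return "looks like a birth or graduation year"
    return None

def refuse(pins, this_year=None):
    """Map each refused PIN to its reason; accepted PINs are left out."""
    refused = {}
    for pin in pins:
        reason = pin_weakness(pin, this_year)
        if reason:
            refused[pin] = reason
    return refused

if __name__ == "__main__":
    # Constructed sample input.
    for pin, why in refuse(["2580", "1987", "4321", "7391"]).items():
        print(pin, "->", why)
```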

Page 19

Things You Should Be Doing

“For many professionals, the mobile phone has become a mobile office.”

Mike Jones, Symantec

Page 20

Control Starts at the Policy

Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012

Page 21

Mobile Policy Best Practices

Think from a threat controls perspective:

o Consider capabilities of mobile devices and apps in your environment

o Identify threat vectors & mitigate

o Identify non-technically enforceable controls and address with administrative policies & awareness

Assess how mobile devices are already managed

Use existing policies as a guideline

Consider how to test successful control implementation

Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012

Page 22

Mobile Risk Management Tools

Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012

Page 23

Protecting the Mobile Executive

Considerations for your Mobile Policy / Best Practices:

USER EDUCATION

Physical Security

Leave it at Home

– Clean Loaner Devices

– Prepaid Cellular devices

– Blank SIM cards

– * + Google Voice

Source: http://threatpost.com/en_us/slideshow/How%20to%20Avoid%20Getting%20Hacked%20While%20Traveling?page=0

Fear Public Wireless

– Use Conference WAPs

– Corporate VPNs

2G = No E!

Don’t Blab

Presentation Notes

Researchers have already demonstrated, publicly, that the A5/1 algorithm that protects 2G communications can be broken and communications decrypted in real time.

Page 24

It's About the Basics

Verizon Business 2011 Data Breach Investigations Report (DBIR)

Analysis of 2011 attacks determined that:

83% were targets of opportunity

92% were not highly difficult

95% were avoidable through simple or intermediate controls

Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

Presentation Notes

Basics:

- SANS Top 20

- FISMA

- COSO

Page 25

THREAT CONTROLS: 2012 SANS Mobile Device Security Summit

1) Jailbreaking & Rooting is BAD for mobile device security

2) The OWASP Mobile Top 10 is going to be just as important

3) Mobile Threats are an evolving, moving target; security teams have to be quick to adapt to new mobile technology

4) MDM solutions are a requirement for any deployment

5) Apple iOS devices are preferred over Android in the enterprise

Source: http://www.infosecisland.com/blogview/20752-Top-5-Things-Learned-at-the-SANS-Mobile-Device-Security-Conference

Page 26

THREAT CONTROLS: 2012 Top 5 Mobile Security Threats

1) Geolocation exploits

2) Excessive Permissions

3) Mobile Application Vulnerabilities

4) Unsecure Wi-Fi

5) Lost and Stolen Devices

Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012

Page 27

Summary

Mobile Devices vs. Computers

o Similarities (yes Virginia, they are computers)

o Differences

– Multiple Platforms

– BYOD

– SMS

– Hardware / Carrier Issues (PINs, etc)

– Vectors: Wireless File Transfers

Things you Should be Doing

o Policies

o User Education

o Protect the Execs

o SANS Top 20 <-> Top 5 Mobile

Page 28

Questions

