A1cNow For Iphone by Bayer - NYMISSA

idleheadedcelery, Mobile – Wireless Technologies

10 Dec 2013

The Truth About Smartphone Security: Separating Fact from Fiction

Eric Green - M@D Partners

Advisory board member at Mobile Application Development
(MAD) Partners who have an industry leading smartphone
security product - Mobile Active Defense.


In that role I’ve been consulting as a subject matter expert with
primarily the FORTUNE 1000 and Federal Agencies on the
subject of mobile security and management.


Outside of that role, I have been involved in the security industry
for over a decade.


Past experience also includes running a technology book
division publishing 12 books with a wide variety of industry
luminaries, primarily in security.


I am also program director for SC Magazine's SC World
Congress events and for the last 6 years have also produced,
hosted and syndicated the SecureIT Live podcast show,
available online at www.secureitlive.com.


Smartphone security should be treated differently than tablet security on enterprise networks

Fact or Fiction?

Fiction




The biggest threats to these devices are apps and the
threat associated with personal email and browser
vulnerabilities


Apps are the greatest malware delivery mechanism
created by mankind


Personal email loaded with spam and phishing as well as
malware exploit browser vulnerabilities on devices


iOS is iOS and in general Android is Android. So
smartphone or tablet - the risk is the same


If you are only protecting corporate data and not controlling
personal email, apps and the browser, you are not addressing
the true risk to either of these devices


iPhone and iPad hardware encryption has been broken

Fact or Fiction?

Fiction




Many confuse jailbreak with breaking encryption


Rooting the phone simply removes access
control; hardware encryption is still in place


iPhone and iPad encryption is currently in for FIPS 140-2 Validation
(http://csrc.nist.gov/groups/STM/cmvp/inprocess.html)


There is word of a hack to the profile file wherein
the perpetrator can get to the encryption key


however, no one has cracked the AES 256-bit
encryption

It is possible for administrators to remove blacklisted apps from smartphones

Fact or Fiction?

Fact and Fiction




Enterprise administrators' ability to remove blacklisted
apps varies by operating system


Android, Windows Mobile and Symbian operating
systems can allow for administrator removal of
blacklisted - or any - apps


iOS does not permit administrators to remove app store
installed apps


iOS does, however, now permit administrators using Apple’s MDM
to do a selective remote wipe, removing an
enterprise's own apps and corporate data

Apple’s Mobile Device Management (MDM) offers a good way to secure your iPhones and iPads

Fact or Fiction?

Fiction




To begin with, people should be careful not to confuse
the industry term MDM with Apple’s MDM


Apple’s MDM does provide certain useful functionality
like app cataloging and whitelisting and blacklisting of
apps... BUT...


Apple’s MDM can be removed by the user at any time


thus if you stage profile files using MDM, they get removed as well


Does this remove corporate data? Perhaps.

However, as a security pro, if a device falls off your network,
are you willing to simply assume it was due to MDM being removed?

Apple MDM Removal Demo

iOS, Android, Windows Mobile and Symbian operating systems all have encryption for both data at rest (hardware) and in motion (VPN)

Fact or Fiction?

Fiction



Hardware encryption:


Yes for iOS, Windows Mobile and Symbian


No for Android


Data in motion (VPN):


Yes for iOS, Android, Symbian and Windows Mobile up to 6.5


No for Windows Mobile 7

You cannot prevent a user from jailbreaking an iPhone or iPad

Fact or Fiction?

Fact



Each iOS release has been shortly followed by a
jailbreak or rooting of that release


To date there is no way to prevent iOS
jailbreaking


If you chose to jailbreak all of your enterprise
devices, you could then both prevent
jailbreaking and lock them down far more
rigorously - this obviously has its cons

Summary and Recommendations

A smartphone security solution should

a) Treat smartphones and tablets the same

b) Provide blacklisting and remediation for bad apps

c) Have the ability to either clean personal email or prevent it

d) Ensure user cannot remove or disrupt

e) Offer jailbreak and rogue behavior detection & remediation

f) Support multiple platforms via single console

g) Encrypt and force all traffic to VPN

h) Offer both cloud and appliance based solution

i) Offer same level of security as that of laptops or BlackBerrys
including content filtering for any and all browsers, stateful
inspection firewall, email scanning, etc.

Questions?


Eric Green

egreen@mobileactivedefense.com


914.244.0160


www.MobileActiveDefense.Com

12/10/2013

M@D Partners LLC 2010-2011 Confidential