Top 10 Mobile Risks

Arya Mir, Mobile - Wireless

Jan 9, 2012

Risks associated with mobile devices; Mobile Applications threat model; Mobile risks in an Enterprise; Mobile device as a Trusted device; Mobile security models; Mobile Top 10; Not all doom and gloom: What to look for

TOP 10 MOBILE RISKS

Vladimir Jirasek
CISSP-ISSAP & ISSMP, CISM, CISA
Senior Enterprise Security Architect, Nokia
Steering Group, Common Assurance Maturity Model
Non-executive director, CSA UK & Ireland

1

2011-07-13

Vladimir Jirasek: Top 10 Mobile Risks

I am going to talk about:

- Risks associated with mobile devices
- Mobile Applications threat model
- Mobile risks in an Enterprise
- Mobile device as a Trusted device
- Mobile security models
- Mobile Top 10
- Not all doom and gloom: What to look for

2


Mobile devices are ubiquitous for most people

- Mobile devices with the power of an average computer
- Used by people around the globe in personal and business life
- To access the services they want, communicate with other people, shop and play
- Either online or via mobile apps

3


And the risks associated with the use cases are

- Mobile devices with the power of an average computer: power (CPU) and storage with seamless and always-on connectivity
- Used by people around the globe in personal and business life: traveling with people all the time; millions lost every day
- To access the services they want, communicate with other people, shop and play: accessing potentially private and sensitive data, managing critical transactions
- Either online or via mobile apps

A mobile phone is your most personal computer and it needs to be well protected to become a trusted device.

4


Mobile device use cases threat model

- Mobile device is compromised with malware: malicious activity, loss of data, monitoring of activity, botnet
- Mobile device is lost or stolen: loss of data, potential malicious activity
- Mobile device is used to conduct malicious activity: unauthorised transactions, botnets, attack on web services

5

Mobile device risk in an Enterprise

Diagram: un-managed mobile device and un-managed personal device versus enterprise control; un-controlled data sync; un-controlled data access

6

Mobile threats summary [2]

- Web-based and network-based attacks: mobile device is connected, browsing websites with malicious content, malicious proxy servers
- Malware: traditional viruses, worms, and Trojan horses
- Social engineering attacks: phishing. Also used to install malware.
- Resource and service availability abuse: botnet, spamming, overcharging (SMS and calls)
- Malicious and unintentional data loss: exfiltration of information from the phone
- Attacks on the integrity of the device's data: malicious encryption with ransom, modification of data (address book)

7

Mobile device as a trusted device [4,5]

How does mobile HW and OS hold up?

- Typically contains a System on Chip (SoC)
- Loads the kernel and mobile OS
- Loads mobile applications

If trust is not assured from the HW up then there is no trust at all!

- Enterprise apps accessed from mobile devices
- OS security capabilities are crucial
- Application segregation, security reviews

8
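As an added illustration of the slide's "trust from the HW up" point (example code written for this page, not from the talk or from any real platform), a toy measured-boot chain in Python: the hardware holds only the digest of the first stage, each stage carries the digest of the stage it loads, and tampering with any stage (the jailbreak case) leaves everything below it untrusted. Stage names and payloads are constructed.

```python
import hashlib

# Constructed toy model of the slide's chain (SoC -> kernel/OS -> apps); not from
# the talk or any real platform. A stage image is "payload|<sha256 of next image>".
SEP = b"|"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_chain(images):
    """images: (name, payload) pairs from the HW-nearest stage to the apps.
    Returns (anchor, stages): each stage image embeds the digest of the stage
    it loads, and anchor is the first-stage digest the hardware would hold."""
    stages, next_digest = [], ""
    for name, payload in reversed(images):
        image = payload + SEP + next_digest.encode()
        stages.append((name, image))
        next_digest = sha256_hex(image)
    stages.reverse()
    return next_digest, stages

def verify_chain(anchor: str, stages):
    """Walk the chain from the HW anchor; stop at the first stage whose
    measurement does not match, since everything it loads is then untrusted."""
    trusted, expected = [], anchor
    for name, image in stages:
        if sha256_hex(image) != expected:
            break
        trusted.append(name)
        parts = image.rsplit(SEP, 1)
        expected = parts[1].decode() if len(parts) == 2 else ""
    return trusted

def tamper(stages, target: str, new_payload: bytes):
    """Replace one stage's payload (a jailbreak-style patch) but keep the digest
    it carries for the next stage, so only that stage's own measurement changes."""
    out = []
    for name, image in stages:
        if name == target:
            image = new_payload + SEP + image.rsplit(SEP, 1)[1]
        out.append((name, image))
    return out

# Constructed sample chain (assumed names and payloads).
IMAGES = [("kernel+OS", b"kernel v1"), ("app sandbox", b"sandbox v1"),
          ("banking app", b"app v3")]
ANCHOR, STAGES = build_chain(IMAGES)

if __name__ == "__main__":
    print("intact:         ", verify_chain(ANCHOR, STAGES))
    print("patched sandbox:", verify_chain(ANCHOR, tamper(STAGES, "app sandbox", b"patched")))
    print("patched kernel: ", verify_chain(ANCHOR, tamper(STAGES, "kernel+OS", b"jailbroken")))
    print("no HW anchor:   ", verify_chain("", STAGES))
```

A patched sandbox still leaves the kernel trusted, but a patched kernel or a missing hardware anchor leaves nothing trusted at all.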

Mobile Security Models [2]

- Traditional Access Control: passwords and idle-time screen locking
- Application Provenance: application signing and application review in the App store
- Encryption: encryption of device data and application data
- Isolation: traditional sandboxing and storage separation
- Permissions-based access control: limiting the application to needed functionality only

All must be supported by trust from the HW up.

Jailbreaking breaks the security model!

9

Veracode Mobile Top 10 [1]

Malicious Functionality

1. Activity monitoring and data retrieval
2. Unauthorized dialing, SMS, and payments
3. Unauthorized network connectivity (exfiltration or command & control)
4. UI impersonation
5. System modification (rootkit, APN proxy config)
6. Logic or time bomb

Vulnerabilities

7. Sensitive data leakage (inadvertent or side channel)
8. Unsafe sensitive data storage
9. Unsafe sensitive data transmission
10. Hardcoded password/keys


10

Summary: What to look for

Device and applications

- Do not jail-break the device
- Utilise mobile OS security features (access control, encryption)
- Follow data classification policies: what data can be on mobile devices and what protection is required
- Follow best practices for mobile application development

Enterprise Network

- Configure VPN for mobile devices
- Provision VPN profiles for seamless connectivity
- Monitor traffic for data exfiltration
- Enable processes to wipe devices
- Data security policy includes device capabilities and position


11

Resources

1. Veracode Mobile App Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/
2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02
3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile
4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones
5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf
6. Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92).aspx

12
