MOBILE & WIRELESS THREATS AND BUILDING CAPACITY FOR SECURITY

Mohit Rampal, Shubika Soni (@codenomicon)

© 2014 All Rights Reserved

Upload: miles-atkinson

Post on 16-Jan-2016


Strength in visibility

LANDSCAPE TODAY

Today’s world is filled with complexity
New threats are waiting for cracks to appear
See the cracks
Know the threats
Build a more resilient world

CYBER THREATS: MORE PROFESSIONAL & SOPHISTICATED

• Cyber Attacks: Internet-based incidents involving politically or financially motivated attacks on information and information systems.

• Zero-day Vulnerabilities, or Unknown Vulnerabilities: Software flaws that make exploitation and other illegal activities towards information systems possible.

• Proactive Cyber Defense: Acting in anticipation to oppose an attack against computers and networks.

GLOBAL RISKS FOR 2015

Top 10 risks in terms of Likelihood

1. Interstate conflict
2. Extreme weather events
3. Failure of national governance
4. State collapse or crisis
5. Unemployment or underemployment
6. Natural catastrophes
7. Failure of climate-change adaptation
8. Water crises
9. Data fraud or theft
10. Cyber attacks

Source: Global Risks Perception Survey 2014. 7 representing a risk most likely to occur

GLOBAL RISKS FOR 2015

Top 10 risks in terms of Impact

1. Water crises
2. Spread of infectious diseases
3. Weapons of mass destruction
4. Interstate conflict
5. Energy price shock
6. Critical information infrastructure breakdown
7. Failure of climate-change adaptation
8. Fiscal crises
9. Unemployment or underemployment
10. Biodiversity loss and ecosystem collapse

Source: Global Risks Perception Survey 2014. 7 representing a risk most likely to occur

TECHNOLOGICAL RISKS: BACK TO THE FUTURE

• Large-scale cyber attacks: considered above average on both dimensions of impact and likelihood

• Reflects: growing sophistication of cyber attacks and the rise of hyperconnectivity

• In the United States alone, cybercrime already costs an estimated $100 billion each year

• IoT delivers technology with new risks

Source: Global Risks Perception Survey 2014. 7 representing a risk most likely to occur

TECHNOLOGICAL RISKS: BACK TO THE FUTURE

• Attacks against infrastructure are targeting significant resources across the Internet

• Malicious actors are using trusted applications to exploit gaps in perimeter security

• Evidence of internal compromise in Organisations with suspicious traffic emanating from their networks and attempting to connect to questionable sites

• Trust with greater attack surfaces, sophistication of attacks and the complexity of threats and solutions

• Lack of threat intelligence with malicious actors using trusted applications to exploit gaps

RELOOK AT THREATS AND ATTACKS

HEARTBLEED, SHELLSHOCK, POODLE

Year 2014:…

RELOOK AT THREATS AND ATTACKS

CYBER SUPPLY CHAIN MANAGEMENT AND TRANSPARENCY ACT OF 2014 TL;DR

1. HW/SW/FW sold to any Agency must come with Bill of Materials
2. Cannot use known vulnerable components
   1. Must use less vulnerable version
   2. (or need waiver)
3. Must design software so that it can be patched

CHALLENGES

SOME WIRELESS SECURITY CONCERNS

• Wireless (WiFi)
  • BYOD (Device)
  • Virtual WiFi
  • Accidental associations
  • Rogue APs
  • RF congestion / interference (DoS)

• Mobile (Cellular)
  • BYOD / BYOA (Application)
  • Tethered devices connected to infra.
  • Mobile Malware
  • 3G/4G LTE offload to WiFi (interference / DoS)

• Bluetooth

MITIGATING THE RISKS

• Known Vulnerability Management, which is Grey Box Testing

• Application testing for associated 3rd party library vulnerabilities, which is testing integrated components for known vulnerabilities

• Unknown Vulnerability Management, which is Black Box Testing

• Lastly, a process
  • Requirement gathering => Pre-Tender => Tender => Technical Qualify => Purchase

THE KNOWN AND THE UNKNOWN

Total Vulnerability Management

• Known Vulnerability Management (reactive)
  • 1995-2000: Satan/Saint
  • 1999-: Nessus, ISS
  • 2000-: Qualys, HP, IBM, Symantec ...
  • 2013: Codenomicon AppCheck

• Unknown Vulnerability Management (UVM) (proactive)
  • SAST Approach, 1980-: PC Lint, OSS, Coverity, Fortify, IBM, Microsoft ... (Whitebox testing)
  • DAST Approach, 2000-: Fuzzing: Codenomicon Defensics, Peach, Sulley (Blackbox testing)

Bottom line: All systems have vulnerabilities. Both complementary categories need to be covered.

ATTACK POINTS

• WiFi end points
• Network elements
• Unlicensed and unmanaged applications running on Desktop and Mobiles
• Device firmware
• Lack of threat monitoring and threat intelligence

UNKNOWN VULNERABILITY MANAGEMENT (UVM)

• Process of:
  • Detecting attack vectors
  • Finding zero-day vulnerabilities
  • Building defenses
  • Performing patch verification
  • Deployment in one big security push

UVM - WORKFLOW

Configure fuzzer and target => Test interoperability => Execute tests => Analyze results => Remediate => Repeat

FUZZ TEST EFFECTIVENESS AGAINST WIFI

MODEL BASED FUZZING TECHNIQUES

• Template Based Fuzzing
  • Quality of tests is based on the used seed and modeling technique
  • Very quick to develop, but slow to run
  • Editing requires deep protocol know-how
  • Good for testing around known vulnerabilities

• Specification Based Fuzzing
  • Full test coverage
  • Always repeatable
  • Short test cycle, more optimized tests
  • Easy to edit and add tests
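The contrast between the two techniques, as an added example that is not part of the original slides and not Codenomicon code: test cases are generated offline for one's own parser of a single 802.11-style information element (1-byte ID, 1-byte length, value). The seed bytes, the field model `SPEC` and all function names are assumptions made for the illustration.

```python
import random

# Constructed seed: SSID element (ID 0), declared length 4, value "corp".
SEED = bytes([0x00, 0x04]) + b"corp"

def template_cases(seed, count, rng_seed):
    """Template-based: overwrite random bytes of a captured seed.
    The generator has no notion of fields, so results depend on the seed."""
    rng = random.Random(rng_seed)  # repeatable only if the RNG seed is recorded
    cases = []
    for _ in range(count):
        data = bytearray(seed)
        data[rng.randrange(len(data))] = rng.randrange(256)
        cases.append(bytes(data))
    return cases

# Assumed field model: boundary values per field (32 is the SSID maximum).
SPEC = {
    "id": [0, 1, 221, 255],
    "length": [0, 1, 32, 33, 255],
    "value_len": [0, 1, 32, 33, 255],
}

def spec_cases(spec):
    """Specification-based: one anomaly at a time, enumerated from the model.
    The case list is finite, ordered and identical on every run."""
    valid = {"id": 0, "length": 4, "value_len": 4}
    cases = []
    for field in ("id", "length", "value_len"):
        for value in spec[field]:
            f = dict(valid, **{field: value})
            cases.append(bytes([f["id"], f["length"]]) + b"A" * f["value_len"])
    return cases

def length_mismatches(cases):
    """Cases whose declared length disagrees with the bytes that follow."""
    return [c for c in cases if c[1] != len(c) - 2]

if __name__ == "__main__":
    t = template_cases(SEED, 20, rng_seed=1)
    s = spec_cases(SPEC)
    print("template: %d cases, sizes %s" % (len(t), sorted({len(c) for c in t})))
    print("spec:     %d cases, sizes %s" % (len(s), sorted({len(c) for c in s})))
    print("spec cases with length/value mismatch:", len(length_mismatches(s)))
```

The template cases never change the element's size, so an over-long value is only tested if the captured seed already contained one; the model-driven cases cover that boundary by construction.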

PROACTIVE SECURITY TESTING - DEFENSICS

Unknown Vulnerability Management (UVM)

• Codenomicon Defensics is unsurpassed in finding unknown vulnerabilities.

• No other solution does more to quickly empower organizations to discover unknown vulnerabilities that put business performance and reputation at critical risk.
  • World’s most powerful platform for stress testing
  • Fast, reliable, efficient deployment
  • Support for 270+ protocols, continuously updated
  • Capable of finding subtle security flaws
  • Run at pace of product development lifecycle and process
  • Discovered Heartbleed

WHO WE ARE

• Codenomicon is the industry leader in identifying the threat factors that weaken business trust
• First to report Heartbleed
• Global authorities with vast knowledge of known and unknown vulnerabilities
• Protect customer trust & confidence
• Trusted partner to Verizon, AT&T, Cisco, Alcatel-Lucent, the FDA, Homeland Security, and notable global governments and agencies
• Global advocate for improved software development and responsible network safeguarding

SAMPLE CUSTOMER LIST

Questions