Cyber Security and Mobility: “Are we on the edge of the cliff?”
The Secure Software Acquisition Process – C Level
Who am I?
• Chair, Computer Information Systems Department, University of Detroit Mercy
• Director, Center for Cyber Security and Intelligence Studies
• Former Employee, Ford Motor Company, IT Security & Strategy
• Student, University of Michigan Dearborn, PhD Program – Writing dissertation
Thursday September 5th, 2013, IAPP Detroit KnowledgeNet (September Meeting)
Aspirations
At the end of this presentation you will have a better understanding of:
• The cyber risks you face as Mobile Users
• The current state of the mobile payment space
• The steps you can take to protect yourself
Mobile Devices (ubiquitous)
• Smartphone sales are greater than laptop sales.
• Purchases increasing at an annual growth rate of more than 40%
• About 40% of corporate devices are purchased by individuals who then use them in the enterprise.
• Number one mitigation strategy for organizations is limiting operating system diversity
  • “We are going to limit ourselves to ONE risky platform”
* Source: International Data Corporation
Mobile Devices (general worries)
• Gen Y has shown a propensity to accept risk.
• Antivirus/Antispyware tools are available but not as powerful as their laptop counterparts.
• Antivirus/Antispyware tools are often disabled because of performance.
• There is a lack of awareness of the differences between Wi-Fi and cellular technology.
Mobile Devices (Malware History)
• First Symbian malware (2004):
  • Cabir worm (spread via Bluetooth)
  • Skuller (spread via OS vulnerability)
• First iPhone virus (2009): Ikee worm targeted jailbroken iPhones
  • Written by a Dutch hacker who was ripped off by a punk hacker. It targeted jailbroken phones running SSH
• First Android malware (2010): Trojan-SMS.AndroidOS.FakePlayer
  • Distributed via websites, not Android Market. Written by Russian virus writers.
Mobile Devices (breaches)
• 1 in 3 breaches attributed to mobile devices involves lost or stolen devices
• Malware, hacking, and physical compromise were 5 of the top 10 events in the Verizon report
  • Others were malware and hacking of servers
• Breaches are not matching increased usage
  • My speculation is that people don’t report loss of personally owned devices
Mobile Devices (what’s being done?)
• The Federal Trade Commission and the California Attorney General have recently published reports focused on mobile privacy.
• California AG’s “Privacy on the Go” report was issued in January 2013.
• The FTC’s “Mobile Privacy Disclosures” staff report was released on February 1, 2013.
  • Recommendations on mobile privacy disclosures to 3 different audiences: mobile app marketplaces, mobile app developers, and mobile advertising networks.
Mobile Devices (what’s being done?)
• NIST
  • “Guidelines for Managing the Security of Mobile Devices in the Enterprise”
  • DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices
  • DRAFT Guidelines on Mobile Device Forensics
Mobile Devices (compromises)
• Accelerometer
• Confused deputy
• SSL
• NFC
• Charger
• GCM
Cyber Crime
• Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved.
• Annual loss estimates range from billions to nearly $1 trillion.
• Some claim cybercrime rivals the global drug trade in size
  • Estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem
• Cybercrime is actually a relentless, low-profit struggle for the majority.
• You have the power to limit your vulnerability to cyber crime.
* Source: “The Cybercrime Wave That Wasn’t” by Dinei Florêncio and Cormac Herley, published April 14, 2012
What do they want?
• Assets that can be turned into money
  • SSNs
  • Bank accounts
  • Credit card accounts
  • Identities
• Access to physical things
  • Cars
  • Places of business
• Underage candidates for exploitation
Mobile Commerce (what is it?)
• NOT: browser-based payments
• NOT: traditional Visa/Mastercard/Amex/Discover
• IS: “New experience where the technology fades into the background”
• IS: SMS, ACH, email, “trusted third parties”
• IS: Huge across the globe, burgeoning in the U.S.
Mobile Commerce (players?)
• Device Manufacturers
• Banks
• Credit Card Companies
• Merchants
• Mobile Users
• Industry Groups
• Payment Channel Creators
• Corporations
Mobile Commerce (examples)
• Google Wallet (not NFC)
  • Stalled until GoogleCash (email cash)
• ISIS (NFC)
  • AT&T, Verizon and T-Mobile have inked. Visa, MasterCard, Discover and American Express are partners
• Western Union (SMS)
  • ACH transfers
• Square (not NFC, yes GPS)
  • SquareReader, SquareWallet, SquareCash, SquareRegister
• PayPal (eBay, headed to NFC)
  • 20B in mobile payments, PayPal reader, cash cow
Mobile Commerce (Protections)
• Google Wallet
  • Hacked twice, immediately
• ISIS
  • NFC vulnerabilities; uses Secure Element
• Western Union
  • SMS vulnerabilities
• Square
  • GPS vulnerabilities; uses geofencing, uses proprietary
• PayPal
  • Undetermined
Mobile Commerce (What to do)
• Move slowly
• Tie accounts to a low-balance credit card, not a debit card
• Separate your phone and credit cards.
• Don’t put your phone in a “bumpable” place
• For a business, engage an expert for a threat assessment and policy inspection
For more information
Jeff Ingalsbe
Chair - Computer Information Systems
Center for Cyber Security and Intelligence Studies
University of Detroit Mercy