Transcript
Page 1: Securing BYOD in Three Easy Steps

Securing BYOD

Giri Sreenivas

VP and GM, Mobile

Dirk Sigurdson

Director of Engineering

Page 2: Securing BYOD in Three Easy Steps

Presenters

Giri Sreenivas, VP and GM, Mobile, Rapid7

Dirk Sigurdson, Director of Engineering, Rapid7

Page 3: Securing BYOD in Three Easy Steps

BYOD Is Here To Stay

Big, pervasive trend

• 80+% of companies experience it today

Fewer than half of all companies have begun to manage it

• Do nothing, ActiveSync or MDM

What can you be doing to secure BYOD?

Page 4: Securing BYOD in Three Easy Steps

Roles of IT and Security for BYOD

IT – Enforcer

Security – Advisor

Page 5: Securing BYOD in Three Easy Steps

Going With What You Know To Enable BYOD

Rest of IT Resources

• Written, legally vetted acceptable use policies

• Dedicated operations staff

• Controls, tools

• Risk assessment

• Remediation / mitigation plans

BYOD + Mobile

• Acceptable use policy is under revision for end user acceptance

• Yet another “system” for existing staff

• MDM, MAM, EMM, MCM, …

• ?

• ?

Page 6: Securing BYOD in Three Easy Steps

Top Mobile Threats

Lost/Stolen Devices and Terminated Employees

Jailbroken Devices / Custom ROMs

Malware / Trojans

User Behavior with apps

Promiscuous apps

Phishing

Sniffing / MITM

Page 7: Securing BYOD in Three Easy Steps

“But We Have Policies And Controls?!”

Numerous examples where policies and controls fail to protect data

• DroidDream

• PDF exploits

• Web site exploits

• iOS Lockscreen Bypass

Today’s focus: DroidDream and iOS Lockscreen Bypass Attacks

Know your vulnerability risk

Page 8: Securing BYOD in Three Easy Steps

iOS Lockscreen Bypass

Initially showed up in iOS 4.1

• Took approximately 1 month for an OS update to patch the vulnerability

Regressed in iOS 6.1 with one bypass attack

• http://www.youtube.com/watch?v=MP-w436CfvQ

A second bypass attack was discovered shortly after the initial attack

No assurances on policies and controls for lost/stolen devices

Page 9: Securing BYOD in Three Easy Steps


Page 10: Securing BYOD in Three Easy Steps

DroidDream Malware: Breaking It Down

Approximately 60 apps and games in the Google Play Market were pirated and had DroidDream embedded in them in 2011

These pirated/infected copies were downloaded by approx. 250,000 phones

The malware looked to exploit two vulnerabilities to gain root access

Upon gaining root access, the malware package downloaded and installed another malicious application from a C&C server

From there, information was exfiltrated off devices

Page 11: Securing BYOD in Three Easy Steps


Page 12: Securing BYOD in Three Easy Steps

Manage Your Mobile Risks

Get visibility into all devices and users accessing corporate resources

Assess the vulnerability risk these devices present

• 49% of Android and 18% of iOS devices have at least one high severity vulnerability

Take mitigation and remediation steps to reduce or eliminate risks to your data

• Only 6% of devices with latest firmware version have a high severity vulnerability

Page 13: Securing BYOD in Three Easy Steps

Mobilisafe: Mobile Risk Management

Available for on premise Exchange and starting last week, available for Office365

Demo to follow

Page 14: Securing BYOD in Three Easy Steps

Q&A

Mobilisafe available for on premise Exchange and starting last week, available for Office365

Take Mobilisafe for a test drive! Try our online demo:

http://information.rapid7.com/mobilisafe-demo.html

