mobile security for smartphones and tablets
DESCRIPTION
Are security concerns for mobile devices, like smartphones and tablets, real? Or, are claims of exponential growth in malware simply FUD? We will explore the major mobile operating systems and security concerns with each. This session will provide tips that can be shared to help your users protect their personal info and data when viewed from a mobile device. Information on mobile security programs will be shared, as well, including a look at whether free or commercial offerings provide better protection.TRANSCRIPT
MOBILE SECURITY FOR SMARTPHONES AND TABLETS
Are our mobile devices too ‘smart’ for their own good?
One Ring to Rule Them All • Smartphones and Tablets are the most
intimate pieces of IT that we've ever had:
– Personal digital assistant, High resolution cameras
– GPS navigation, Wi-Fi, Enhanced web browsers
– Apps to do almost anything
• Users (from healthcare, police, military) store/manage personal data & sensitive info
– View slides at http://www.slideshare.net/vcv1 One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them. J. R. R. Tolkien
Mobile (via @LukeW) • Think Mobile First
• 3 Trends in Mobile Devices
– Processing Power
– Network Access
– Data in the Cloud
• 1.4 Million devices are activated each day
BYOD • Bring Your Own Disk
• Bathe Your Own Dog
• Be Your Own Detective
• Bring Your Own Dessert
• Bring Your Own Deck (a.k.a John Dorner)
• Bring Your Own Drink
• Bring Your Own Disaster
Bring Your Own Device
“Consumerization of IT,” refers to employees who bring their own computing devices – such as laptops, smartphones, and tablets to the workplace for use, using a corporate network for connectivity
How Are Smartphones Being Used? (9/20/2011)
Forrsights Workforce Employee Survey
• Q4 2011, asked 9,900 information workers in 17 countries about devices they use, personal devices they use for work purposes 1
• Typical information worker has manage their information from more than one device
• Interested in work systems and personal cloud services that enable easy multidevice access, such as Dropbox, Box, SugarSync, Google Docs/Apps, Windows Live, and Apple iCloud
Combination of Devices
Combination of Devices
Global Device Usage
• 33% use operating systems other than MS
Global Device Usage
• 25% are mobile devices, not PCs
Forrsights Workforce Employee Survey
• Shipping PCs still > 90% Win OS
• Share of PCs in companies is even higher
• Info workers, not IT, are voting with $$$, Microsoft is down to about two-thirds of the devices they use to get work done
• Report concludes that
– “mobile devices will become majority of devices used for work, surpassing PCs” and “Windows’ device share will fall below 50 % by 2016.”
Security Quotes
“Against the growing, unstoppable backdrop of consumerisation and BYOD [bring your own device], every mobile device is a risk to business.” Raimund Genes, Trend Micro CTO 2
Security Quotes “Security becomes a critical requirement (in mobile banking) and all parties involved in a financial transaction need to consider security. Mobility and freedom to transact anywhere, anytime is no longer negotiable - it is the nature of the lives we live today.” Schalk Nolte, Entersekt 3
Security Quotes “I'm sure you've seen this scenario. Halfway through [a] flight, a user switches from super-critical pieces of corporate work to checking out the app they downloaded while waiting in the airport terminal.” Cameron Camp, ESET 4
Security Quotes “Today what we’re seeing are malicious Android applications that have bundled legitimate apps such as Rovio ’s Angry Birds Space. First the malicious “wrapper” tricks and manipulates the user into granting permissions that allow the malware to subscribe to premium rate services. But then… the malware actually does install a working copy of the promised game. At this point, there is little to be suspicious of and nothing to troubleshoot. The user gets the game that he was promised.” Sean Sullivan F-Secure Labs 5
MDM vs. Mobile Security • What is Mobile Device Management (MDM)?
• By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can greatly reduce support costs and business risks. Gartner Aug 2011
• Software allows you to:
– Remote lock/wipe, Password enforcement
– Remote Configuration and Provisioning
– Logging and Reporting, Decommissioning
Why Do Criminals Want Access? • Smartphones are the new credit cards!
– This is where our "wallets" are
– This is where our information is
• Criminals will take any info for Identity Theft
• They can sell (make money) on online forums
• Targeted emails designed to be read on Smartphone/Tablets are just a matter of time
Security and Data Protection • Focus Four
– Apple iOS
– Blackberry
– Google Android
– MS Windows Phone 7
• Discussion will be Smartphone focused but will discuss tablets at the end
Smartphone Market Share 6
Which BOYD is most secure? Answer:
1. Blackberry
2. iPhone and Windows Phone 7.x
3. Android
That said, if you have poorly educated user, they can download malicious app on any Smartphone or Tablet and it can be compromised!
Which BOYD is most UN-secure? Answer:
1. Android
2. iPhone and Windows Phone 7.x
3. Blackberry
That said, this can change quickly.. Could have a Vulnerability that is quickly accessed on iPhone by attackers
Blackberry • Long history of being Enterprise Ready
• RIM's upcoming BlackBerry 10 (B10) OS is intended to be even more secure
• BB10 security will have multiple integrated layers, with tight relationship between hardware and software
• There will be a permissions-based security model for apps, coupled with a various OS-level security and safety features
B10 New Protections • Blocking root access, which enables a user or
hacker to gain administrative access to the OS
• Memory randomization, "scrambles" where in memory routines may run, making it harder for these to be leveraged by attackers
• Adding security management, including auditing, to the kernel
Source: Network World “BlackBerry 10 OS will have multi-layered security model” May 8, 2012
Apple iOS • Will growing popularity in iOS mean criminals
will target?
• Apple doesn’t allow 3rd party companies to develop antivirus software for iOS-based devices, such as the iPhone and iPad
• Enterprise iPhone security issues and how to address them (Dec 2011)
Apple iOS • iOS threats are largely satisfied by tweaking
native security settings
• VirusBarrier for iOS by Intego, $2.99
• “Flashback” Java Vulnerability Exploit
– 2 month delay for Apple’s Response
– 600,000 Mac users infected
• Can you jailbreak iOS? Yup!
– Absinthe 2.0 Untethered Jailbreak Released for iOS 5.1.1 (May 25 2012)
Apple iOS • Kaspersky CEO Eugene Kaspersky is very vocal
in his criticism of Apple
– Criminals “are happy with Windows computers. Now they are happy with Mac. They are happy with Android. It is much more difficult to infect iOS but it is possible and when it happens it will be the worst-case scenario because there will be no protection. The Apple SDK won’t let us do it.” 7
– Eugene Kaspersky frustrated by Apple’s iOS AV ban (May 22 2012)
Windows Phone 7 History 8,9
• Released in late 2010, 7 updates since then
– Microsoft shut down the Marketplace app store for older Windows Mobile 6.x phone platform on May 9, 2012
• Apps only from Windows Phone Marketplace
• Aimed at the Consumer market not Enterprise
• Smartphone OS market share 2011
– MS has only 1.9% market share
– IDC predicts a 20% share by 2015 (likely high)
Windows Phone 7 Platform Security • Chambers concept to enforce app isolation
and least privilege, 4 chambers, apps in LPC
• The fourth chambers is capabilities based
– Least Privileged Chamber (LPC)
• Three higher chambers have fixed permissions
– Standard Rights Chamber (SRC)
– Elevated Rights Chamber (ERC)
– Trusted Computing Base (TCB)
Windows Phone 7 App Security • Capability checks are enforced at runtime
• Requests for other resources == UnauthorizedAccessException
• Apps must have a valid MS signature to be installed & run in LPC sandbox
• Apps use their own “Isolated Storage”
• WP7 allows developers to encrypt data and databases
Windows Phone 7 - What’s Missing • Lack of native disk encryption
• No support for client side SSL certificates
• Lack of in built VPN functionality
– Source: Windows Phone 7 'not fit for big biz ... unlike Android, iOS'
Windows Phone 7 Tips • Only install apps from Marketplace. This
ensures that any app you install has been digitally signed, which reduces your risk and increases phone safety
• Windows Phone 7 includes a "Find My Phone" feature that allows you to find a lost phone, lock it remotely, and also wipe it remotely
• Best-windows-phone-7-apps#security
Android • Popularity makes Android a lucrative target for
malware authors
• New families and variants of malware keep cropping up each quarter, trend shows no sign of slowing down
• In Q1 2012, malware authors are focusing on improving their malware’s techniques in evading detection, as well as exploring new infection methods
F-SECURE Mobile Threat Report • In Q1 2011, 10 new families and variants were
discovered; In Q1 2012, 37 new families and variants were discovered
• Malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts. F-SECURE Mobile Threat Report, Q4 2011 (.pdf)
Kaspersky - # of Signatures
That Said... Perspective • Mobile malware numbers remain low -- about
1% or less of all malware globally
• Android threats now reach almost 7,000, with more than 8,000 total mobile malware in our database
• To put it in perspective, there are 83 million malware samples in McAfee’s database
McAfee Threats Report for First Quarter of 2012 (.pdf)
Android – Reducing Risk • Practice safe mobile computing, Be vigilant
and avoid risky behavior
• Don’t install apps that are new to the market – Yahoo’s Axis Browser Security Slip-Up (May 23 2012)
• Research apps before downloading, Check the publisher and app reviews, Use the official Android Market
• Avoid side-loading apps, unless software and its developer are familiar to you.
Android – Reducing Risk • Turn off the ability to install apps from
unknown sources in by going to Settings and then to the Security menu (in Android 4.0 or later) or the Applications menu (in earlier versions of Android)
• When installing an app, pay close attention to the permissions it requires, Use your phone’s app-management tools to make sure it’s using only the resources it promised to use
Android – Reducing Risk • Be wary of phishing scams and malware via
the Web browser or SMS messages
• Be cautious if you root a device, Keep an eye out for Superuse prompts displayed when an app requests root permissions
• Rooting allows you to use some powerful apps and even enhanced security functionality, but at the same time increases potential damage from infections
Android – Reducing Risk • Install an antivirus/security app
• Block or disable ability to send premium SMS subscriptions (prevent malware from sending messages that will automatically charge your account)
– AT&T (Manage Mobile Purchases & Downloads)
– Verizon FAQ
– More from c|net
Android – Mobile Security Apps • PC Mag Review (May 24 2012)
• Apps reviewed on 5 Stars
– Bitdefender Mobile Security
– F-Secure Mobile Security 7.6
– Lookout for Android
– McAfee Mobile Security 2.0
– TrustGo Antivirus and Mobile Security 1.0.6
– ESET Mobile Security 1.1
Infographic: Grand Theft Mobile
Source: http://blog.mylookout.com/blog/2012/05/04/infographic-grand-theft-mobile/
Security Checklist • Attevo is a global business and information
technology consulting firm based in Cleveland, OH
• Here is their 13-point checklist for addressing mobile technology threats 10
• Keep in mind security around Windows laptops from mid to late 1990s
Security Checklist 1. Where is My Device Again?
Always maintain physical control over your smartphone to prevent outright theft, unauthorized usage or the installation of malware (apps with malicious code) by seemingly mild-mannered co-workers or by ruthless digital predators; treat a smartphone like a wallet, never leave it unattended in public spaces.
vcv_note: @LukeW listed Near Field communication (NFC) as a positive, it is, I guess
Security Checklist 2. Yes, You Need to Use a Passcode
Enable the smartphone's password/passcode protection; a recent study reveals that only 38% of smartphone users enable this security feature. vcv_note: SIM-locks can be by-passed, but BlackBerrys 'a challenge' (May 17, 2012) Tip: Open Excel. In cell A1, enter =RAND() and press Enter. Fill Down to A10. Pick 5 random codes.
Security Checklist 3. You Still Need to Do Updates
Install operating system updates whenever they become available to reduce the number of system vulnerabilities; a 2011 report indicated that 90% of Android users were running outdated operating system versions with serious security vulnerabilities. vcv_note: Reinforce basics with your staff
Security Checklist 4. Use a Security App
Install an anti-malware protection app (if available for the device) to thwart infection from malicious apps and websites; all major platforms have been hacked and are susceptible. vcv_note: Free apps are good (better than nothing), but pay for apps give more features. Go ahead and spend 4.99 or 9.99
Security Checklist 5. Be Careful Where You Browse
When using the smartphone's or tablet’s web browser, avoid suspicious/questionable websites that can be the source of malicious code. vcv_note: Few security apps are available for iOS, but you can find secure Web browsers that offer extra features to lower risk of stumbling upon a malicious website, ex: Webroot SecureWeb Browser
Security Checklist 6. Download/Install with Care & Caution
Be selective when buying or installing apps; wait for app reviews, download only from trusted sources (known app stores) and be cautious/suspicious of free apps, because they are free for a reason (the reason could be access to your data). vcv_note: Google Android Market, Windows Phone Marketplace, RIM BlackBerry App World and Appstore for Android all disclose the permissions of apps. Apple iTunes App Store doesn’t (Apple vets apps)
Security Checklist 7. Review What You “Agree To”
Understand and control each downloaded apps "access" to smartphone data and personal information; game apps do not need access to phonebook contacts, photos, e-mails, location, browsing history, texting history and other phone features (avoid allowing automatic app updates). vcv_note: Double check, then go back AGAIN
Security Checklist 8. Credentials Management
Do not save passwords, PINs or other account information as Contacts or in Notes. vcv_note: In other words, don’t put your password on a sticky and attach it to the tablet
Security Checklist 9. Wild Wild Free Wi-Fi
Avoid using open Wi-Fi, especially for shopping and banking activities; Wi-Fi sniffing is a common occurrence that can have significant consequences like lost credit card numbers. vcv_note: Do not, I repeat, DO NOT do this at all
Security Checklist 10.Phishing is More Than Nigerian Spam
Avoid opening suspicious e-mail or SMS text messages, especially from unknown sources. Unwary readers may be unwillingly tricked into phishing by entering sensitive information from online prompts. vcv_note: If you are not certain, email your IT Specialist and ask, ;-)
Security Checklist 11.Shields Up! Go to Red Alert!
Turn the Bluetooth access feature off when not needed and avoid Bluetooth use in busy public areas. vcv_note: Commander Riker Audio
Security Checklist 12.PIN Use “Good”; PIN Default “Bad”
Utilize a PIN to access voice-mail and avoid using the carrier's default PIN setting. vcv_note: Beyond the default... Top ten iPhone passcodes: [1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998] 11
Security Checklist 13.Locked and Loaded
Insure that smartphone or tablet e-mail account access is through either a SSL or HTTPS connection so that transmitted data is encrypted. vcv_note: Quick web search should provide this answer. Example: Gmail
Encrypting Email Traffic • Android
– TouchDown for Smartphones by NitroDesk includes support for S/MIME keys from EchoWorx
• Blackberry
– BlackBerry devices provide encryption and policy from the BlackBerry Enterprise Server (BES); The implementation is trusted and validated by many government organizations
Encrypting Email Traffic • iPhone
– 3GS has hardware encryption (also enabled via ActiveSync option); AES256 employed by default; Pre-3GS devices do not provide encryption
– Encryption bypass vulnerabilities all require the iPhone to be already jail-broken
• Windows Phone
– Good for Enterprise by Good Technologies providing security at the application layer (in addition to device security)
Tablet Security Products • Pay-for Android tablet security, similar
features, protect 1 device for 1 year, $19.99
– Norton Mobile Security Lite
– Kaspersky Tablet Security
– Webroot Mobile Security
• Norton 360 Everywhere (May 4 2012)
– protects up to 5 devices, including PC, Mac, and Android smartphones and tablets, $99
Jumpstarting Your BYOD Policy 12 • Basic BYOD employee training include:
– Training on physical security
– Training on Wi-Fi security
– Information about social engineering attacks and how to avoid them
– A requirement to password-protect personal devices and education on strong passwords
– Clearly stated rules on what work-related data can be accessed from personal devices (Ohio State)
Intel’s Mobile Policy 13 • Policies and security expectations are same for
corporate and personally owned devices
• Communicated to employees...
– When employees sign up for particular services
– When staff connect a new device to the Intel network
– On a regular basis through security awareness articles and notices
– In an annual security refresher for the entire staff
Future for People • One Constant ... Human Nature
• People will look to do both good and bad things with technology
• Consumers will continue to drive new devices and technology
• Lack of Security Skills with today’s devices (and future devices) will haunt us going forward
Future for Technology • Advances in materials science will continue to
make devices smaller and faster
• Embedded devices
– iDermal, Strapless iPod Nano Watch
• Tokenless Two-Factor authentication
– PhoneFactor (Commercial) Video, White Paper
• Improved Security Built-In to devices (hope)
– ZTE Android Backdoor Vulnerability
Future Threats • Social Networks will continue to evolve and
change
• Transition to a more secure 3G/4G may take some time
• Those with bad intent (e.g. criminals) will always find way to outwit or outlast any security measures put into place
– One Constant ... Human Nature
Future Actions (by YOU) • BYOD is a done deal (mostly)
• Devices with very little effort can be made reasonably secure
• Mobile Device Management (MDM) still young – implement but review in 1 year
Final Thoughts • We come back to USER EDUCATION,
TRAINING, and RE-TRAINING
• Encourage the use of “Common Sense”
• Discourage the attitude of “No one would want my data” and “this can’t happen to me”
• Security - It's not your fault. It's your responsibility.
Sources 1. Employees Use Multiple Gadgets For Work — And Choose Much Of The Tech Themselves
2. BlackBerry still trumps Android for security, analysis finds
3. 41% of people believe online banking and shopping is akin to playing Russian Roulette
4. BYOD Smartphones, PCs and Tablets Raise Big Security Risks, Experts Say
5. Mobile Threat Report Q1 2012, F-Secure Labs
6. Android, Apple iOS run away from pack: Can Windows Phone challenge at all?
7. Apple iOS Needs Antivirus Protection: Kaspersky
8. SecurityBSides London - windows phone 7
9. Bsides London 2012 David Rook: Windows Phone 7 platform and application security overview
10. Attevo Offers A 13-Point Security Checklist For Smartphone Users
11. Most Common iPhone Passcodes
12. Jumpstarting Your BYOD Policy
13. How to Enforce Your Mobile Policy