mobile & security? - telenet...owasp top 10 mobile risks 1. weak server side controls 2....
TRANSCRIPT
![Page 1: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/1.jpg)
Telenet for BusinessTelenet for Business
Mobile & Security?Brice Mees
Security Services Operations Manager
![Page 2: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/2.jpg)
Agenda
�Mobile Trends
�Where to start?
� Risks and Threats
� Risk mitigation
� Conclusion
![Page 3: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/3.jpg)
Agenda
�Mobile Trends
�Where to start?
� Risks and Threats
� Risk mitigation
� Conclusion
![Page 4: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/4.jpg)
The mobile era
The PC/Web Era The Post-PC EraThe Mobile-First Era
![Page 5: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/5.jpg)
"Apps Storm" VS "Security"
![Page 6: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/6.jpg)
Looks suspicious?
Ready to accept unmanaged deviceson your network?
![Page 7: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/7.jpg)
BYOD Trend
� Devices become cheaper and more powerful
� The Generation “Y”
� Company owned devices are sometimes old-fashioned
� Will you allow personal devices on your network ?
� What are the risks ?
![Page 8: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/8.jpg)
Agenda
�Mobile Trends
�Where to start?
� Risks and Threats
� Risk mitigation
� Conclusion
![Page 9: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/9.jpg)
Understand Enterprise Objectives
“If you don’t know where you are going, any road will get you there”
– Lewis Caroll
![Page 10: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/10.jpg)
Start from your requirements
Your Business
YourManagement
InformationTechnology
![Page 11: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/11.jpg)
Create a Mobile Security Policy
![Page 12: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/12.jpg)
Agenda
�Mobile Trends
�Where to start?
� Risks and Threats
� Risk mitigation
� Conclusion
![Page 13: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/13.jpg)
BYOD: Risks related to costs
� Brand disrepute by uncontrolled use of services/devices
� Increased variety and complexity
� Device loss
� Enabling infrastructure
Source: ENISA
![Page 14: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/14.jpg)
Physical Risks
![Page 15: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/15.jpg)
Increased variety and complexity
![Page 16: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/16.jpg)
There is an app for that...
� To steal your data
� To steal your money (premium SMS services)
� To spy on you
� To evade regular controls
![Page 17: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/17.jpg)
Accept or Decline?
![Page 18: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/18.jpg)
Apps are programs
� Apps act like normal programs:
� They may have bugs
� They may be badly designed
� They may be altered (backdoors)
OutputInput Processing
![Page 19: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/19.jpg)
Apps are programs
� Apps must be developed using best practices with more focus on mobile devices specs like small keyboard not ideal to input passwords
� OWASP has a top-10 mobile risks(1)
that must be reviewed
(1) https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
![Page 20: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/20.jpg)
Malicious Marketplace – Social
Engineering
![Page 21: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/21.jpg)
BYOD: Risks related to
Legal and Regulatory
� Governance & compliance controls of employee-owned devices
� Difficult enforcement of controls dueto constantly changing context
� e-discovery limitation due to ownership & personal data
Source: ENISA
![Page 22: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/22.jpg)
Privacy risks
![Page 23: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/23.jpg)
BYOD: Risks related to data
� Device sharing can lead to unauthorized release of corporate info
� Enterprise network access by unknownusers & unmanaged devices
� Application rich devices difficult to control
� Devices as targets of attacksSource: ENISA
![Page 24: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/24.jpg)
Risks related to data
![Page 25: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/25.jpg)
OWASP Top 10 Mobile Risks
1. Weak Server Side Controls
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorization and Authentication
6. Broken Cryptography
7. Client Side Injection
8. Security Decisions Via Untrusted Inputs
9. Improper Session Handling
10.Lack of Binary Protections
![Page 26: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/26.jpg)
Threats related to device
![Page 27: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/27.jpg)
Agenda
�Mobile Trends
�Where to start?
� Risks and Threats
� Risk Mitigation
� Conclusion
![Page 28: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/28.jpg)
Risk Mitigation
Governance Management
Legal and HR Mana-gement
Technical Management
Device Management
Application Management
User & Data Management
![Page 29: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/29.jpg)
General Policy and Organisation
� Define appropriate usage (physical, data, application)
� Create “Awareness”
�Monitor, detect, report
� Collaborate with HR/ Legal
![Page 30: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/30.jpg)
MDM?
“Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.”
![Page 31: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/31.jpg)
Mobile Device Management
� Do you need MDM?
�Microsoft Exchange includes ActiveSync for free
� Security Vendors propose some tools to handle and manage Mobile devices
![Page 32: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/32.jpg)
Mobile Device Management
� Enforce policy compliance
� Inventory Management
� Software/ Application Management
� Authentication
� Encrypted data
� Encrypted communication
![Page 33: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/33.jpg)
Mobile Device Management
� Remote wipe
� Physical protection
� Password enforcement
� Audit and Reporting
� Cost control (Geolocalization)
� Access Control
![Page 34: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/34.jpg)
Mobile Device Management
Enterprise Appstore
![Page 35: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/35.jpg)
Mobile Device Management
� Data segmentation
� Containerization
� Privacy protection
� Backup management
� Data Loss Prevention
![Page 36: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/36.jpg)
MDS?
“Mobile Device Security(MDS) concentrates on the security of personal and business information stored on smartphones.”
![Page 37: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/37.jpg)
Mobile Device Security
� Focus on identity, data and availability protection using:
• URL Filtering
• Web Application Filtering
• Malware detection: Check Traffic, Apps & SMS
• Antivirus
![Page 38: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/38.jpg)
Unity Makes Strength
� Combine multiple technologies to efficiently protect mobile devices
� Use solutions which are “open” (API, logs)
� Think about “Lego” blocks
� Telenet might help you to build your solution
![Page 39: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/39.jpg)
Unity Makes Strength
![Page 40: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/40.jpg)
Solutions delivered by Telenet
![Page 41: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/41.jpg)
Conclusion
� Combination of MDM & MDS is ideal solution to cover most of mobile security related aspects
� Invite us to discuss your requirements and define together the best solution for your business
![Page 42: Mobile & Security? - Telenet...OWASP Top 10 Mobile Risks 1. Weak Server Side Controls 2. Insecure Data Storage 3. Insufficient Transport Layer Protection 4. Unintended Data Leakage](https://reader030.vdocuments.mx/reader030/viewer/2022041021/5ed07658cb98f31e1f3341a3/html5/thumbnails/42.jpg)
Let’s have a drink!