SECURING SMART PHONES AND OTHER PORTABLE ELECTRONIC DEVICES Effective Compliance Systems in Higher Education Paul J. Millis 06/13/2011 - Austin, TX


‘Enterprises must now support more devices than ever before, in effect extending their corporate firewalls and services to places they may not be prepared for.’ -- McAfee Q4 2010 Report

IS THERE A POINT?

The objective of this discussion is to encourage the best controlled implementation of smart phone technology possible in a business context given that smart phones are a valid business tool that will become a normal part of the business landscape.

HIGHLIGHTS

• Crafting Proper Use Policy for Portable Electronic Devices
• Configuring Portable Electronic Devices for Security
• Examining device encryption and other tools

WHY DO YOU ROB BANKS, WILLY?

“CAUSE THAT'S WHERE THE MONEY IS”. WILLY SUTTON

• Over 4.5 billion people use a cell phone every day, creating an attractive target for cyber criminals
  ◦ 3 times as many people as use the Internet on a daily basis
• “… hackers will be where people are, and as more …it is not surprising to find the number of malware soaring …” -- AVG Community Powered Threat Report - Q1 2011

INTRODUCTION

• As smart phones become more ubiquitous, attackers are beginning to target them both:
  ◦ As a means to access data stored on the phones themselves
  ◦ As a vector for gaining access to the business network and/or introducing viruses and malware onto it.
• The phones must be protected from both over-the-network intrusion (which can include over the 3G/4G network, over wi-fi networks, and even over short range Bluetooth connections) and from direct access to data on the device if it is lost or stolen or otherwise falls into the wrong hands.

-- Windows Security.com; ‘Windows Phone7 Security Implications’

SECURING SMART PHONES: SOME ISSUES

• Mobile devices are:
  ◦ Constantly connected
  ◦ Substantially less protected than a personal computer
    ◦ USERS IGNORE MOBILE SECURITY solutions and broadcast both sensitive and personal data (such as their exact location while on the go)
    ◦ One third of smart phone USERS ARE NOT AWARE OF THE INCREASING SECURITY RISKS associated with using their phones for financial purposes and to store personal data (AVG and Ponemon Institute)
  ◦ Vulnerable to multiple attack vectors
    ◦ Email, Internet applications, Internet surfing, and text messaging

SECURING A SMART PHONE: SOME SECURITY CONCEPTS

• The SANDBOX CONCEPT is used to provide an environment where applications have limited privileges and don’t have access to the file system, other applications and system resources that could be exploited.
• DATA ISOLATION occurs when each app also has its very own local storage area on the phone that’s fully isolated from the data stored by other apps.
• Another way to implement DATA PROTECTION is to store information not on the phone itself but on a secure server that you can access from the phone. However, this exposes the data to security threats while it’s in transit. Thus it’s also important to secure data while it’s in transit.

SPENDING A $1,000 TO SAFEGUARD $100

The trick is knowing what your company needs—and doesn’t—on the security front

• Response depends upon your organization’s need for security

SECURITY ESSENTIALS

• email message encryption
• Passcode locks
• Autolock
• Device wipes
• Automatic autowipes
• Protected configuration profiles
• Continuous refresh
• Hardware encryption

DEVICES OF CONCERN

• Blackberry
• iOS devices¹
• Android
• Windows Phone 7

¹ Includes iPhone, iPod Touch and iPad

SECURITY PROFILE: BLACKBERRY

RIM’s BlackBerry platform allows more fine-grained application controls for enterprises and remains the go-to choice for many companies

SECURITY PROFILE: IOS DEVICES¹

The iPhone (and iPad) gives enterprises enough security options to enable them to say "yes" instead of "no" to Apple in a business context

• Apple chief operating officer Tim Cook said almost 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones apiece; multiple corporations and government organizations have purchased 25,000 iPhones each; and the iPhone has been approved in more than 300 higher education institutions. -- Brian X. Chen

¹ Includes iPhone, iPod Touch and iPad

SECURITY PROFILE: ANDROID

The Android operating system allows for broader multitasking than other popular smart phone OS’s:

• Android devices are able to support a wide range of mobile security functionality that runs in the background on an ongoing basis, such as automated backups and virus scanning.

SECURITY PROFILE: WINDOWS PHONE 7

Windows Phone 7 is targeted at businesses:

• WP7 needs to mature and allow time for the development of a third party security ecosystem for the platform

THREATS

• Malware
• Hackers
• Thieves
• Industrial espionage
• Untrained users
• Careless users

VULNERABILITIES

• Loss of physical control
• Phone Hacks
• Weak encryption
• Weak authorization
• Insecure configuration
• Unprotected system data
• Shoulder Surfing
• Social Engineering
• Mobile Malware

LOSS OF PHYSICAL CONTROL

Losing the phone is the top concern about any mobile device

• Smartphones are small and that makes them easy to lose or steal. Many mobile devices are left on tables in restaurants and cafes, in taxis and on aircraft, or are stolen from busy places. Each of these devices may store sensitive corporate emails, customer contact details and financial reports and analyses, as well as personal data like mobile banking details and more. -- Kaspersky Lab

PHONE HACKS

• Hacking the apps
  ◦ Forrester sees application control as the next "battleground" for enterprises adopting iOS and Android devices -- How to Secure the iPhone and iPad for the Enterprise by Klint Finley / August 2, 2010
• Hacking the system
  ◦ iPhone encryption hack

WEAK ENCRYPTION

• “It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones.
• “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.” -- Brian X. Chen

WEAK AUTHORIZATION

• The first thing you should do with a smartphone is enable password-protection. This is the most important aspect of smartphone security.
  ◦ Employing a password that's easy to guess defeats the purpose of password-protecting the device; use a passphrase or pick a random password that isn't the word "password" or something readily identifiable to the user like a birthday or a spouse’s name
  ◦ Don't store that password anywhere on the phone, unless it's in a secure password keeper app
• PINs vs. Passwords vs. Patterns
  ◦ Are 4 numeric digits enough?

INSECURE CONFIGURATION

Relying upon user configuration is always risky; you may also want to consider basic processes that let administrators enable smart phone PINs and passwords.

• Where possible, enforce compliance by blocking devices that you didn't configure

WHAT MAKES AN INSECURE CONFIGURATION?

• No security software
• Passwords not in use
  ◦ Power-up
• No timeout configured
• Lack of anti-malware
• Inability to wipe remotely

UNPROTECTED SYSTEM DATA

• Keystroke cache
  ◦ Passwords, PINs, SSN’s and Credit Card numbers
• They are all typed sometime

SHOULDER SURFING

• Wikipedia defines shoulder surfing as ‘using direct observation techniques, such as looking over someone’s shoulder, to get information’. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
  ◦ fill out a form
  ◦ enter their PIN at an automated teller machine or a POS terminal
  ◦ use a calling card at a public pay phone
  ◦ enter passwords at a cybercafe, public and university libraries, or airport kiosks
  ◦ enter a code in a public place

SOCIAL ENGINEERING

• The key to getting sensitive information, passwords, etc. is to sound authoritative and to ask them nicely

MOBILE MALWARE

• An increase of mobile malware by 46% from 2009 to 2010:
  ◦ Only recently Google removed applications from the Android market and remotely uninstalled malicious applications from infected Smart Phones. Some of these applications tend to steal financial information
  ◦ During the first quarter of 2011 we have seen a major increase in malware targeting Android smart phones.
• As the number of Internet-enabled handheld mobile devices continues to grow (including smartphones and tablets), web-based threats will continue to grow in number and sophistication. Not just viruses and botnets, but also phishing from malicious domains and social networks, identity theft and spam

MALWARE -- WHAT IS OUT THERE

• Some of this malware consists of legitimate pieces of software that were reverse engineered and had malicious code injected prior to a re-publishing of the binary on non-Google markets around the globe.

MALWARE – WHY IT WORKS

• Malware takes advantage of users’ interest in popular applications for distribution
• Hackers prey on user emotions like fear – don't assume that security apps are legitimate. Check out sellers and read reviews

RISKS

• Lack of adequate policy
• Lack of security training
• Degradation of security through personalization of settings
• Not physically securing devices
• Insecure configuration
• Rights not consistent with user job requirements
• Inappropriate data stored on the device
• Failure to encrypt sensitive data
• Users connecting to the network in insecure ways
• Other risks

LACK OF SECURITY POLICY

• A baseline is needed to ensure users know what your expectations are and what standard their conduct will be judged against

LACK OF SECURITY TRAINING

• If you don’t tell your users what you want them to do they aren’t going to do it
  ◦ E.g., just what types of organizational data can I store on this smartphone?
• Personal use of smartphones may be ‘learn as you go’ but can you afford that approach in a business context?

DEGRADATION OF SECURITY THROUGH PERSONALIZATION OF SETTINGS

• Can the user change security settings?
  ◦ Just how cumbersome is that password?
• Who controls what apps are downloaded?

FAILURE TO PHYSICALLY SECURE THE DEVICE

• You probably can’t bolt it down, but you do need to get it back (or get it reset) when someone transfers or terminates.
  ◦ What does your policy say about this?

INSECURE CONFIGURATION

• Without security software
• Lack of passwords
• Power-up
• No timeout configured
• Lack of anti-malware
• Inability to wipe remotely

RIGHTS NOT CONSISTENT WITH USER JOB REQUIREMENTS

• Use of business devices, in this case smartphones, needs to be consistent with capabilities a user needs to do their job

INAPPROPRIATE DATA STORED ON THE DEVICE

• For now, however, most organizations are more worried about protecting the data on their devices than about the devices themselves, says Derek Brink, vice president and research fellow in the IT security practice at market research firm Aberdeen.
• The risks associated with leaving corporate smartphones unprotected include:
  ◦ Corporate data leakage if the smartphone is lost or stolen
  ◦ Corporate data misuse in the event of unauthorized smartphone access -- Kaspersky Lab

FAILURE TO ENCRYPT SENSITIVE DATA

• Encrypting messages is something every organization relies on, in case the mobile equipment accidentally falls into the wrong hands, to prevent trade secrets from being stolen
  ◦ Use of weak encryption is security through obscurity and may not be adequate when what is being encrypted is sensitive data

USERS CONNECTING TO THE NETWORK IN INSECURE WAYS

• Insecure synch
• Unsecured wireless access

INSECURE APPLICATIONS

• ‘Contrary to popular belief, smartphones are no better protected against denial-of-service attacks or malware infections than an unprotected PC. In fact, the applications that run on smartphones are subject to all of the same vulnerabilities. Consider Web applications, which have been used to spread malware, spyware, phishing attempts, etc., via PCs. Users are downloading similar applications to their smartphones, the difference being that smartphones typically do not have antivirus protection, so these infected files can propagate onto an IP network.’

-- Smartphone security: Risks and protection measures by Shon Harris, November 8, 2010

BASIC SECURITY

1. Require encryption.
2. Wipe devices if they are lost or stolen.
3. Protect devices with a passcode lock.
4. Autolock devices after periods of inactivity.
5. Autowipe devices after a specific number of failed unlock attempts.
6. Use protected configuration profiles
7. Implement Continuous Refresh policies

Encryption.

• Encryption "scrambles" the information so it can't be transferred and interpreted if your device falls into the wrong hands or gets hacked.
  ◦ You can encrypt data stored on your device and/or your media card.
  ◦ ‘Think of e-mail encryption as protecting data on the move and secure it as you would a portable device in a data loss prevention strategy.’ -- Don’t ignore smart phone e-mail encryption, itWorldCanada.com

Wipe devices if they are lost or stolen

• Device locks
  ◦ Lost or stolen smart phones pose serious security risks to data, but remote device lock technology and GPS tracking can help mitigate those risks.

Protect devices with a passcode lock.

• Whenever a device's display locks, whether due to Auto-Lock or other actions, the device requires a four-digit code (or similar) to be entered before the device can be used again.
• Access control is the simplest safeguard you can apply to any mobile device. All contemporary mobile operating systems support power-on PINs or passwords -- but many users just don't bother to enable them. Yes, entering a PIN before checking email means taking an extra step, several times a day. But doing so could inhibit unauthorized use of a lost or stolen smartphone without major productivity drain for many workers.

Autolock devices after periods of inactivity.

• One of the most basic mobile security functions is the Auto-Lock feature. Auto-Lock locks the device after a preset time period of inactivity.
• Users can usually choose to set their devices to lock after not being used for anywhere from one to five minutes.
• Though Auto-Lock is not a total security solution on its own, it goes a long way to provide some essential security to a mobile device and the data currently displayed in it

Autowipe devices after failed unlock attempts.

• Second easiest measure to deploy is often a "kill pill" -- that is, the ability to invoke a hard reset or data wipe on a lost or stolen mobile device, thereby turning it into a high-tech brick
• On some devices, data wipe can be triggered asynchronously by authentication failure policies ("three strikes and you're out") or long periods of inactivity
• In some cases, you can use server synchronization after loss to invoke a remote wipe.

Protected configuration profiles

• A protected configuration is a collection of safety measures or checks that guard the connection and client system against various kinds of attacks or threats.

IMPLEMENT CONTINUOUS REFRESH POLICIES

• Updates and bug fixes
  ◦ System software
  ◦ Applications
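The seven BASIC SECURITY controls, and the slides that expand on each of them, can be checked against a device inventory before a device is allowed to connect. The Python below is an added example, not part of the original presentation: the inventory field names, the limits of 10 failed unlocks and 30 days without updates, and the three device records are assumptions constructed for illustration (the four-digit passcode and five-minute Auto-Lock bounds come from the slides). It also answers "Are 4 numeric digits enough?" by estimating the chance that someone holding the device guesses the PIN before an autowipe fires.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits. The first two follow the slides; the last two are assumed values.
MIN_PIN_DIGITS = 4          # "four-digit code (or similar)"
MAX_AUTOLOCK_MINUTES = 5    # "anywhere from one to five minutes"
MAX_FAILED_UNLOCKS = 10     # assumption; the slides cite "three strikes" as one policy
MAX_PATCH_AGE_DAYS = 30     # assumption for "continuous refresh"


@dataclass
class Device:
    """One inventory record. Field names are hypothetical."""
    name: str
    it_configured: bool              # carries a protected configuration profile
    encrypted: bool
    remote_wipe: bool
    pin_digits: int                  # 0 means no passcode is set
    autolock_minutes: Optional[int]  # None means the display never locks
    autowipe_after: Optional[int]    # failed unlocks before wipe; None = disabled
    days_since_update: int


def audit(dev: Device) -> List[Tuple[int, str]]:
    """Return (control number, finding) for every BASIC SECURITY control that fails."""
    findings = []
    if not dev.encrypted:
        findings.append((1, "encryption is not enabled"))
    if not dev.remote_wipe:
        findings.append((2, "device cannot be wiped if lost or stolen"))
    if dev.pin_digits < MIN_PIN_DIGITS:
        findings.append((3, "no passcode lock, or passcode too short"))
    if dev.autolock_minutes is None or dev.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        findings.append((4, "auto-lock is off or too slow"))
    if dev.autowipe_after is None or dev.autowipe_after > MAX_FAILED_UNLOCKS:
        findings.append((5, "no autowipe after failed unlock attempts"))
    if not dev.it_configured:
        findings.append((6, "no protected configuration profile"))
    if dev.days_since_update > MAX_PATCH_AGE_DAYS:
        findings.append((7, "system software or applications are out of date"))
    return findings


def guess_probability(dev: Device) -> float:
    """Chance of guessing a uniformly random numeric PIN before the device wipes.

    Without a passcode, or without autowipe, the holder of the device has
    unlimited attempts, so the PIN is eventually found: probability 1.0.
    """
    if dev.pin_digits == 0 or dev.autowipe_after is None:
        return 1.0
    return min(1.0, dev.autowipe_after / 10 ** dev.pin_digits)


def decision(dev: Device) -> str:
    """Block devices IT did not configure; send the rest to remediation if they fail."""
    if not dev.it_configured:
        return "block"
    return "remediate" if audit(dev) else "allow"


# Constructed sample inventory (not real devices).
FLEET = [
    Device("staff-phone-01", True, True, True, 4, 5, 3, 12),
    Device("dean-tablet", True, True, True, 4, 15, None, 45),
    Device("personal-droid", False, False, False, 0, None, None, 200),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(f"{dev.name}: {decision(dev)}, "
              f"PIN guess chance before wipe = {guess_probability(dev):.4f}")
        for number, text in audit(dev):
            print(f"    control {number}: {text}")
```

A four-digit PIN with a three-attempt autowipe leaves a 3 in 10,000 chance of a successful guess; the same PIN without autowipe gives no lasting protection against someone who keeps the device.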

OTHER SECURITY TIPS

• Other Security Tips:
  ◦ Don't Auto-Save Usernames/Passwords
  ◦ Use Wi-Fi Safely on Mobile Devices
  ◦ Manage Pop-ups and Cookies
  ◦ Take Action Quickly When Mobile Devices are Lost

COMPLICATIONS

• Personally Supplied Devices
• High-Profile Users
• Policy
• Configuration
• Security Technology
• Security Implementation

PERSONALLY SUPPLIED DEVICES

• Who controls the device?
  ◦ Who has administrator rights?
• What happens if the device is lost
• What happens when the owner gets another job?

IS ROOTING YOUR DROID LIKE JAILBREAKING YOUR IPHONE?

• At its core, jailbreaking a device gives access to its root file system, allowing modification and installing third-party software components. This gives the user more control over the device and may allow features that were previously unavailable without jailbreaking which will make the user of this device liable for a void of warranty for their Apple product. (Wikipedia)
• Jailbreaking is different from SIM unlocking, which, once completed, means that the mobile phone will accept any SIM card without restriction, thus allowing the user access to alternative phone companies. (Wikipedia)
• As far as what you can do when your phone is rooted, rooting (and jailbreaking) DO NOT let you make free calls or free texts - those capabilities still go through your phone company (Verizon, AT&T, etc.) and it makes no difference if your phone is rooted or not, you still have to pay for those things. (Yahoo Answers)
• In Droid-land, the word is "rooting", not "jailbreaking", but it's basically the same thing - in either case you get the ability to install apps that do more than the usual ones. -- Yahoo Answers
• About the only thing rooting an Android phone does is let some apps get access to lower-level parts of the system - but none of those apps will give you totally free calling or free Internet

Jailbreaking: Legal Issues:

• Under the DMCA of 2010, jailbreaking is legal in the United States, although Apple has announced that the practice "can violate the warranty." It is also legal in many other countries including those of the EU. However, the jailbreaking process does not include any modification to the hardware, so it can be quickly and easily reversed simply by restoring the operating system. -- Wikipedia
• The U.S. Copyright Office explicitly recognized an exemption to the DMCA to permit jailbreaking in order to allow iPhone owners to use their phones with applications that are not available from Apple's store, and to unlock their iPhones for use with unapproved carriers. -- Wikipedia
• These exemptions also allow phone users to unlock their phone in order to switch carriers. -- Wikipedia

OPERATIONAL ISSUES:

• Another issue is the lack of a means to separate private and business use. For example, sensitive information could be copied from a business e-mail account into a personal account, and users could have all their personal data remote-wiped as well.

PAINTING A BULL’S EYE

• High-Profile Users
  ◦ Make sure enterprise security extends to those people with the most to lose

POLICY

• Proper Use Policy
  ◦ Address personally supplied hardware
• Security Policy
  ◦ Address wiping at termination or transfer
  ◦ Reinitializing and reissuing

SPECIFIC PORTABLE ELECTRONIC DEVICE POLICY

• Portable Electronic Device Policy requires appropriate protection of sensitive information when it is stored, transferred to, or accessed from portable electronic devices or removable media. This policy requires:
  ◦ Password, biometric, or similar protection, is necessary in all settings.
  ◦ Sensitive information stored on portable electronic devices or removable media shall be encrypted with the strongest encryption method practicable.
  ◦ Approval is required to store unencrypted sensitive information on portable electronic devices or removable media.
  ◦ Where encryption is not practicable, measures shall be taken to physically secure the device or media.
  ◦ Loss or theft of portable electronic devices or removable media containing sensitive information shall be reported immediately as an information security incident.
  ◦ Exceptions for systems or devices not meeting the standards of this policy require approval by management.


CONFIGURATION

• Protecting user identity
  • To protect users, trust and confidence in the mobile platform, it is essential to protect user privacy and security of applications. -- Mobile cloud computing and smartphone security by Olafur Ingthorsson on April 18, 2011 in Cloud Computing and Mobile Cloud Computing.


SECURITY TECHNOLOGY

• Encryption
  • Encrypting credentials
  • Full disk encryption
• Remote Wiping
• LoJack (for laptops)
  • Where’s My iPhone?
• New Technologies


SECURITY IMPLEMENTATION

• Not allowing connections from SmartPhones to sensitive data repositories
• How do you allow people to connect to the network?
  • Remote access
• Security Access is not an all-or-nothing proposition


CONTROLLING APPLICATIONS

• Of particular note is the lack of the ability to control applications on smartphones, tablets and other portable electronic devices.
• IT managers can either turn off the ability to install apps, or leave it on - there's no means for creating white lists.


SECURING THE DEVICES

• View smartphones like unsecured PCs
• When downloading applications, check that they are coming from a trustworthy source
  • If unsure about the validity of an application, don’t install it.
• Protect smart phones with security software


SMART PHONES AND TAXES

• Personally supplied devices can be an issue
  • Stipends for business use


SUMMARY AND NEXT STEPS:

• Summary:
  • … smart phone security levels are in its infancy, people's attitude to mobile security has to change.
  • In 2011, tablet computers and smart phones will become a prime target for hackers/cyber criminals since they do follow the same rule of targeting the most popular platform used by the majority of the people.
• Next Steps:
  • Proper policy
  • Proper training
  • Secure configuration
  • Making technology your friend


BIBLIOGRAPHY

• Smartphone Security: How to Keep Your Handset Safe
  • http://www.pcworld.com/businesscenter/article/216420/smartphone_security_how_to_keep_your_handset_safe.html
• McAfee Threats Report: Fourth Quarter 2010, by McAfee® Labs™
  • http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2010.pdf
• Google yanks over 50 infected apps from Android Market
  • http://www.computerworld.com/s/article/9212598/Google_yanks_over_50_infected_apps_from_Android_Market?taxonomyId=85
• Windows Phone 7 Security Implications, Windows Security.com, Jan 12, 2011
  • http://www.windowsecurity.com/articles/Windows-Phone-7-Security-Implications.html


BIBLIOGRAPHY

• Top 20 Android Security Apps, by Jeff Goldman, September 3, 2010
  • http://www.esecurityplanet.com/features/article.php/3901686/Top-20-Android-Security-Apps.htm
• Mobile cloud computing and smartphone security, by Olafur Ingthorsson on April 18, 2011 in Cloud Computing and Mobile Cloud Computing
  • http://cloudcomputingtopics.com/2011/04/mobile-cloud-computing-and-smartphone-security/
• BlackBerry Security Basics: Five Tips to Keep Your Smartphone Safe, by Al Sacco, Tue, March 02, 2010
  • http://www.cio.com/article/561313/BlackBerry_Security_Basics_Five_Tips_to_Keep_Your_Smartphone_Safe