Widyatama.lecture.applied Networking.iv Week05 Mobile Security 1

8/9/2019 Widyatama.lecture.applied Networking.iv Week05 Mobile Security 1

1/22

Applied Networking-IV (2231114)

Lecture Week-5

Mobile Security-1

1818--MarMar--1010 WidyatamaWidyatama UniversityUniversity--InformaticsInformatics 11

Lecture by:Lecture by: Djadja.SardjanaDjadja.Sardjana, S.T., M.M., S.T., M.M.www.slideshare.net/djadjawww.slideshare.net/djadja

[email protected]@widyatama.ac.id


2/22

Mobile SecurityMobile Security--11

1818--MarMar--1010 Widyatama UniversityWidyatama University--InformaticsInformatics 22

MobileSecurity


3/22

The New Age of RiskThe New Age of Risk

Ubiquitous internet protocolUbiquitous internet protocol--basedbased

(Almost) everything connects to the Net(Almost) everything connects to the Net

Many vulnerabilities awaiting exploitationMany vulnerabilities awaiting exploitation

Mobility of people / information / devicesMobility of people / information / devices

Cyber crime: real and increasingCyber crime: real and increasing

Terrorist threat: physical now.blendedTerrorist threat: physical now.blendedlater?later?

1818--MarMar--1010 33Widyatama UniversityWidyatama University--InformaticsInformatics


4/22

Hostile WorldHostile World

99--11, 311, 3--11, 711, 7--7 and other major terror attacks7 and other major terror attacks

Wars and insurgenciesWars and insurgencies

SARS / Bird fluSARS / Bird flu -- global impact of diseaseglobal impact of disease

SE Asia tsunami disasterSE Asia tsunami disaster

Katrina hurricane disaster in USAKatrina hurricane disaster in USA

Tomorrows headlines?Tomorrows headlines?



5/22

Convergence Of Legal, IT,Convergence Of Legal, IT,

AndAnd BusinessBusinessLaws/Regulations Technologies Stakeholders

Web / Internet

Databases

Collaboration

Wireless

Mobile Devices

Customers

Competitors

GovernmentsSuppliers/Partners

Sarbanes-Oxley

GLB/HIPAA/Patriot

EU DataProtect

U.S. Identity TheftLaw(s)?

Pressure mounting on organizations to prove compliance withan increasing array of laws and regulations. This makes

information security much more challenging.



6/22

Joint Ventures Contract Manufacture

Organization CommunityOrganization Community

Hostile Internet Environment

Dissolution of Perimeter

Parts

Contract Design

Customers

UnUn--trustedtrusted

IntranetIntranet

Point defenses

Servicess

Transportation



7/22

Home/RemoteUsers

Business Systems

Current State of Network Security

HR Systems

Research/Development

Legacy Systems

Users

IntranetIntranet

Manufacturing

Labs

Communication/Messaging Systems

Mobile/Wireless

Hackers

Eroding Firewall Perimeter

Strategic PartnersSuppliersVendors

Etc

Hackers

ro ng rewa er me er



8/22

Mobile Viruses on the riseMobile Viruses on the rise

200406-15-04: Cabir A

06-16-04: Cabir B

07-10-2004: WinCE/Dust0101--1010--2005:2005: LascoLasco AA

2005

08-06-2004: Brador

11-19-04: Skulls A

11-29-04: Skull B

12-09-04: Cabir C

12-09-04: Cabir D

12-09-04: Cabir E

12-21-04: Cabir F

0202--0101--2005:2005: Locknut.ALocknut.A

0303--0707--2005:2005: CommwarriorCommwarrior

0303--0404--2005:2005: Dampig.ADampig.A

0303--1818--2005:2005: DreverDrever0404--0404--2005:2005: Mabir.AMabir.A

- -

12-21-04: Skulls C12-21-04: MGDropper

12-26-04: Cabir H

12-26-04: Cabir I



9/22

Wireless Enabled & MobileWireless Enabled & Mobile

AttacksAttacks BlueBlue--jacking, bugging, snarfing, snipingjacking, bugging, snarfing, sniping

ar r v ngar r v ngMalicious Mobile Code (Malicious Mobile Code (Virus, Worms, TrojansVirus, Worms, Trojans))

RFID SniffingRFID SniffingDenial of ServiceDenial of Service

SpywareSpyware

Social EngineeringSocial Engineering



10/22

Securing the Mobile WorkforceSecuring the Mobile Workforce

As the person responsiblefor an organization you

only have control in thisspace

But mobile employeesmove throughout the



11/22

Effective Security is ComplexEffective Security is Complex Many parts & piecesMany parts & pieces

Complex componentsComplex components

Too few qualified personnelToo few qualified personnel ~.005% of em lo ees~.005% of em lo ees

PKI Manager

Centralized

SecurityPolicy Manager

DigitalSignatureInterface

Other SecurityEntity Manager

Token CardManager

OS SecurityManagement

Tools

CertificateAuthorityInterface

Single Sign-onTools

Lack of standardsLack of standards Protection programs customProtection programs custom

builtbuilt

Failure of weakest link (s)Failure of weakest link (s)

Virus Interception& Correction

VPN Session orTunnel

Manager

Security EventReport

Writer(s)

EncryptionFacilities for

NetworkConnections

Security Policy

Distributor

Cyberwall/Firewall

Rule Base

ConnectionManager and

Logging

Application Proxy

Implementations

Security TrafficEvent Analyzer

ApplicationLogging Facility

VPN IPSec andVPN

ConnectionManager

IntrusionLogging

IntrusionSecurity Event Security IntegrityIntrusion

Network

Host-based

Application-based

Authentication

Cryptography

Anti-Virus

Intrusion Detection

Auditin

Network AccessControl Interceptionand Enforcement

Facility

StatefulInspection

ApplicationInspection

PacketInspection

FrameInspection

SecurityFilter Engine

Real-timeFrame

Management

Detection

Security Management



12/22

Security Must Make Business SenseSecurity Must Make Business Sense

COST OF SECURITYCOUNTERMEASURES

OPTIMAL LEVEL OF SECURITYAT MINIMUM COST

COST ($)SECURITY

LEVEL

TOTAL COST

COST OF SECURITYBREACHES

0% 100%



13/22

Next Generation SecurityNext Generation Security

Zones and compartmentsZones and compartments

Extensive use of cryptographyExtensive use of cryptography Identity and access managementIdentity and access management

Opt in for more protectionOpt in for more protection

Essential to enable seamless security !Essential to enable seamless security !



14/22

Legacy Zonee.g. manufacturing

Internet

CollaborativeSystems

Next Generation Design

Secure Zone

SOX CompliantSystems

Personal RegulatedData Systems

Custom Zone

Intranet ZoneSeamless MobilityMOT ISP

General PurposeSystems

Availability Not CriticalSystems

Not subject toRegulation

Systems

High Sensitivity Zone

Trade Secret, Race, age, ethnicity

an one

DMZZone

QZZone



15/22

Security is a ProcessSecurity is a Process

NotNot a Product!a Product! Security is achieved by the combination ofSecurity is achieved by the combination of

ProcessProcess

TechnologyTechnology Protections Address:Protections Address:

PreventionPrevention

ResponseResponse

RecoveryRecovery



16/22

Traditional security programs align people, processes andTraditional security programs align people, processes andtechnology to protect enterprise networkstechnology to protect enterprise networks

With seamless mobility, security must now expand to encompass theextended enterprise.

People

PoliciesProcessesQuickTime and a

TIFF (LZW) decompressorare needed to see this picture.

TechnologyRFID CHIP



17/22

Securing Seamless Mobility:Securing Seamless Mobility:

Wireless/MobilityWireless/Mobility Risk ManagementRisk Management

us nessus ness-- ocuse un ers an ng anocuse un ers an ng anprioritization of risks, vulnerabilities andprioritization of risks, vulnerabilities andcountermeasurescountermeasures

Include technical vulnerabilities as well asInclude technical vulnerabilities as well asother ke elements of the securit ro ramother ke elements of the securit ro ram

Assures most effective use of limitedAssures most effective use of limitedresourcesresources



18/22

Securing Seamless Mobility:Securing Seamless Mobility:

Network DesignNetwork Design

Build security into wireless network foundationsBuild security into wireless network foundations

Focus on points of connectivity, firewalls, DMZs,Focus on points of connectivity, firewalls, DMZs,

intrusion detection/prevention, VPNs andintrusion detection/prevention, VPNs andencryptionencryption

ax m ze w re ess ne wor ava a y,ax m ze w re ess ne wor ava a y,

operational security and performanceoperational security and performance

Secure devices in a system designed forSecure devices in a system designed for

securitysecurity1818--MarMar--1010 1818Widyatama UniversityWidyatama University--InformaticsInformatics


19/22

ApproachApproach to Information Securityto Information Security

INTERNAL IT

Confidentiality,Integrity, andAvailability ofMotorola I/T

Assets

Wireless Security

Services

Product Security

Support

development ofmore secure

Motorolaproducts

Services includePROTECTING assets,

DETECTING hostileactivities, RESPONDING toincidents, andRECOVERING to limit

Leverage our

expertise toprovide

customerservices



20/22

TugasTugas Mobile SecurityMobile Security

1.1. 06060220606022 -- FIRMANSAYH APNET4FIRMANSAYH APNET4

o e ecur yo e ecur y2.2. GentaGenta GemilangGemilang--Mobile SecurityMobile Security

3.3. HillmanHillman NurrachmanNurrachman--MobileMobileSecurity SoftwareSecurity Software

.. -- --0606P020606P02



21/22

Conclusion & Final WordsConclusion & Final Words


MobileSecurity

Demo


22/22

ConclusionConclusion

Threats to organizations are real andThreats to organizations are real and

ncreas ng, seam ess mo y requ resncreas ng, seam ess mo y requ rescareful security planningcareful security planning

Security incidents involving mobile andSecurity incidents involving mobile andwireless environment are increasingwireless environment are increasing

holistic approach that address people,holistic approach that address people,processprocess andand technologytechnology


Documents

Widyatama.lecture.applied Networking.iv Week05 Mobile Security 1