mobile security
play

Mobile Security Information Security Hans Georg Schaathun - PowerPoint PPT Presentation

Aug 11, 2023 •139 likes •508 views

Mobile Security Information Security Hans Georg Schaathun University of Surrey Autumn 2011 Week 10 Hans Georg Schaathun Mobile Security Autumn 2011 Week 10 1 / 1 The session Outline Hans Georg Schaathun Mobile Security Autumn

  1. Mobile Security Information Security Hans Georg Schaathun University of Surrey Autumn 2011 – Week 10 Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 1 / 1

  2. The session Outline Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 2 / 1

  3. The session Session objectives Have the necessary overview to do a risk analysis for mobile computing platforms Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 3 / 1

  4. The session Mobile Equipment Portable computers Smartphones USB sticks Why is mobile equipment used? 1 What are the risks? 2 Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 4 / 1

  5. Mobile Risk Outline Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 5 / 1

  6. Mobile Risk User controlled Typically, the user administrates laptops and smartphones Lacking competence, constency, and policy awareness contrary to dedicated IT support staff Possibly mixing private and organisation data Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 6 / 1

  7. Mobile Risk Easy to lose Equipment left behind in Oslo cabs during six months period 400 PDA-s 1700 mobile phnes 110 portable PC-s according to Pointsec Mobile Technologies USB sticks are even easier to mislay The risk of theft is on top of that ... Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 7 / 1

  8. Mobile Risk Difficult to control A dozen USB sticks used ad hoc to transfer data stored in different pockets and drawers How do you remember what is stored on which stick? Where are all your sticks? Have you lost one? Even as a private user this is difficult how do you deal with 1000 staff each with a dozen sticks? Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 8 / 1

  9. Mobile Risk More exposed Mobile means leaving the safety of company perimeters ... Outside network security perimeter Using public networks Outside physical security perimeters Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 9 / 1

  10. Case Study: Sensitive Data Outline Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 10 / 1

  11. Case Study: Sensitive Data Sensitive Data on Mobile Units Consider sensitive data, e.g. trade secrets personal information Some sensitive data (especially trade secrets) are necessary staff need to do research and development on portable units How do you design a system with controls to protect sensitive information on portable units? Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 11 / 1

  12. Case Study: Sensitive Data Example 1: Encrypted Hard Drive Hard Drive Encryption makes it impossible to read from disk without a secret key What residiual risk remains? Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 12 / 1

  13. Case Study: Sensitive Data Residual Risk Encrypted Hard Drive An attacker who steals an encrypted hard drive cannot read it. What about an encrypted hard drive in a laptop? Is the box running with the drive mounted? Is the secret key protected by a strong password? Is the password cached in memory or swap space? Is it possible for to spy out the password or key? Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 13 / 1

  14. Case Study: Sensitive Data Supplemental Controls Encrypted Hard Drive When the box is suspended or left unattended for even an instant it must be screenlocked Furthermore, wipe memory and swap files containing passwords and keys Preferably, wipe decrypted data Note that data may be retrieved from memory by turning off the computer and quickly taking the memory into another device to read. It is not wiped immediately. Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 14 / 1

  15. Case Study: Sensitive Data Control Example 2 Need to know (need to have) Limit available data. Only data needed for the work should be stored. Delete data no longer needed On a laptop, this may mean only data needed for the next two days/week/month depending on risk analysis This requires good policies (what to have and what to delete) awareness and training (remember to delete) Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 15 / 1

  16. Case Study: Sensitive Data Control Example 3 System Separation A work computer is for work only. Not necessarily efficient easier to work with one system But high-risk activities require high-risk awareness and who can keep up that awareness during private surfing? Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 16 / 1

  17. Case Study: Sensitive Data Control Example 4 Policy, Awareness, and Training Due care from the user’s side is critical Many technical controls require co-operation from user Issues include backup upgrades and patches sensible and careful use avoid people peaking during work Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 17 / 1

  18. Case Study: Sensitive Data Summary of the Case Note. Ignoring controls which do not specifically adress sensitive information. Encrypted Hard Drives is useful 1 but not sufficient supplemental controls to avoid vulnerabilities Limit the risk by strictly limiting assets on the mobile unit 2 Dedicated system for work reduces risk 3 Many vulnerabilities can be reduced by user awareness training 4 Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 18 / 1

  19. Case Study: Sensitive Data Case Study: availability Outline Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 19 / 1

  20. Case Study: Sensitive Data Case Study: availability Question — Availability We have discussed controls to limit sensitivity-related loss Now consider loss of availability of data as a result of a lost box What controls would you propose? Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 20 / 1

  21. Case Study: Sensitive Data Case Study: availability Control 1 Backup Backup is the most obvious control. What challenges are particular for a laptop? Not always connected automated, periodical backup impossible User cooperation is essential run backup manually or at least connect (if backup system detects connection) A professional backup system should sti easy to use as automatic as possible Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 21 / 1

  22. Case Study: Sensitive Data Case Study: availability Control 1 Backup Backup is the most obvious control. What challenges are particular for a laptop? Not always connected automated, periodical backup impossible User cooperation is essential run backup manually or at least connect (if backup system detects connection) A professional backup system should sti easy to use as automatic as possible Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 21 / 1

  23. Case Study: Sensitive Data Case Study: availability Control 2 Markings Marking the box with company contact details cheap and simple control will return most boxen left behind Special secure markings exist detectible by police Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 22 / 1

  24. Case Study: Sensitive Data Case Study: availability Control 3 Due care Mobile units are popular objects of theft. Don’t be an easy target Don’t leave it unattended Don’t leave it visible (e.g. in a locked car) This is – of course – standard advice. Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 23 / 1

  25. Case Study: Sensitive Data Other issues and controls Outline Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 24 / 1

  26. Case Study: Sensitive Data Other issues and controls Mobile and Connected A mobile unit is insufficient. It must connect to. What risks are associated with connecting a mobile unit? Use untrusted networks local WiFi for connection global Internet for transfer End-to-end encryption is required for most or all services Blanket access Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 25 / 1

  27. Case Study: Sensitive Data Other issues and controls Mobile and Connected A mobile unit is insufficient. It must connect to. What risks are associated with connecting a mobile unit? Use untrusted networks local WiFi for connection global Internet for transfer End-to-end encryption is required for most or all services Blanket access Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 25 / 1

  28. Case Study: Sensitive Data Other issues and controls Use of Inhouse Network Services Every network service exposed to outside (mobile) users pose a risk. Don’t expose services unnecessarily Take care with the access control mechanisms both client and server side Encrypted link Two-way identification and authentication Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 26 / 1

  29. Case Study: Sensitive Data Other issues and controls Use of External Network Services All use of external services pose a risk. Mobile units do not benefit from corporate firewalls trusted inhouse DNS servers trafic monitoring intrusion detection Requires local protection Prudent use becomes (even) more critical Hans Georg Schaathun Mobile Security Autumn 2011 – Week 10 27 / 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security & Privacy

1.03k views • 57 slides
Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues. Mobile access is expected to become the main access method. Services and mobile commerce (mCommerce) are expected to become a major business.

818 views • 20 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Announcement Course Evaluations Now online Will be available from Friday, Dec 7 Will also allow students to do

864 views • 50 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Mobile Communications Mobile Communications Confidentiality Security No access to information

Mobile Communications Mobile Communications Confidentiality Security No access to information

Security Requirements Authorization Which objects are accessible by whom? Authentication Reliable identification of users identity . Mobile Communications Mobile Communications Confidentiality Security No access to information for

577 views • 11 slides
Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices Presented by Michael Harris [MS, CISSP, WAPT] Systems Security Analyst University of Missouri Overview What data needs to be protected, what

407 views • 18 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g.

506 views • 34 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

827 views • 54 slides
CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

780 views • 54 slides
Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords

520 views • 38 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami R&D Team Member @ viaForensics I work mainly on Android/iOS The Problem We want to trace the code in mobile applications that we

632 views • 48 slides
Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security

Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security

Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security Access Control Lists Access Control Lists GSM Security GSM Security WEP Authentication WPA/WPA2 Encryption 802.1X/EAP

409 views • 15 slides
Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia University January 18, 2007 1 / 9 What is Routing Security? Bad guys play games with routing protocols. What is Routing Security? How is it

95 views • 9 slides
Managing Greenhouse Gas Emissions in California California Climate Change Center UC Berkeley

Managing Greenhouse Gas Emissions in California California Climate Change Center UC Berkeley

Managing Greenhouse Gas Emissions in California California Climate Change Center UC Berkeley David Roland-Holst Department of Agricultural and Resource Economics UC Berkeley, dwrh@berkeley.edu 10 February 2006 Objectives 1. Improve

870 views • 32 slides
fife minutes for the secretary some informations about the Dr. Niels Wieth-Knudsen Award of

fife minutes for the secretary some informations about the Dr. Niels Wieth-Knudsen Award of

fife minutes for the secretary some informations about the Dr. Niels Wieth-Knudsen Award of IOTA/ES Congratulations BY STANDING OVATIONS THE END

661 views • 7 slides
Cindy Adams Dunn DCNR Secretary www.dcnr.pa.gov Sustainability New Solar Array Laurel Hill

Cindy Adams Dunn DCNR Secretary www.dcnr.pa.gov Sustainability New Solar Array Laurel Hill

Laurel Highlands Climate Change Event Cindy Adams Dunn DCNR Secretary www.dcnr.pa.gov Sustainability New Solar Array Laurel Hill State Park www.dcnr.pa.gov Landscape Scale Conservation www.dcnr.pa.gov Land and Water www.dcnr.pa.gov

436 views • 7 slides
- '.(. Pre- September o 11,2001, 50s and EAs identified specific , " (6')(2) -

- '.(. Pre- September o 11,2001, 50s and EAs identified specific , " (6')(2) -

~ ~.: ;:~.' .~: TSA Watch Lists ' ..... . . ' . . ' .. .. . , ' . ' . December 2002 ", '. ~. '.' " .,' .. ,# .: ..' , ..... . ' ' . " ........ . .' " Transportation Security Intelligenc Seivi

468 views • 8 slides
CSC2412: The Projection Mechanism Sasho Nikolov 1 Motivation Reminder: Query Release qi :D

CSC2412: The Projection Mechanism Sasho Nikolov 1 Motivation Reminder: Query Release qi :D

CSC2412: The Projection Mechanism Sasho Nikolov 1 Motivation Reminder: Query Release qi :D do I } , Recall the query release problem: gilt ) - tu j Yik ;) Workload Q = { q 1 , . . . , q k } of k counting queries 0 q 1 ( X ) 1 . . A

838 views • 16 slides
The Sower, the Seed, and the Soil Part 3 QUICK REVIEW: Possible Responses to the Gospel

The Sower, the Seed, and the Soil Part 3 QUICK REVIEW: Possible Responses to the Gospel

The Sower, the Seed, and the Soil Part 3 QUICK REVIEW: Possible Responses to the Gospel #1 Soil: Path Description: Hard Heart Response: Clear Rejection Problem: Hardened by sin s deception Expect: Rejection QUICK

540 views • 34 slides
Richard C. Brower (speaker), George Fleming and Herbert Neuberger

Richard C. Brower (speaker), George Fleming and Herbert Neuberger

Richard C. Brower (speaker), George Fleming and Herbert Neuberger New Frontiers in Lattice Gauge Theory Galileo Galilei Institute, Firenze, Italy, Sept 27, 2012 2012 (near) Conformal Field

730 views • 24 slides

More recommend