2013-05-21 - NCC Group - Mobile Security - The impending apocalypse… or maybe not
Mobile Security – The impending apocalypse… or maybe not
ISF Summer Chapter
Before we begin…
Hopefully not a lesson in sucking eggs
Agenda
• What the press would have you believe
• The reality
Before we begin… Who is this guy?
• Information Cyber Security for > 15 years
• Consultancy – 1997 – 2005
• Research – 2005 – 2011
  • Symantec / BlackBerry
• Research / Consultancy – 2012
  • Recx / NCC Group
What you are led to believe
• Mobile is as insecure as the desktop
• BYOD is insecure
• Malware is rampant
• Mobile security needs augmenting
Motivations
• … something to sell
• … exposure
Mobile is as insecure as the desktop
• Incentivised
• Defence in depth
• App stores
• Ubiquitous sandboxes
• Security policy APIs
• Vendors adopting SDLs
BYOD is insecure
• BYOD is CHALLENGING
  • Extending your security perimeter
  • Loosening your control (potentially)
  • Mixed domain devices
  • Policies
Malware is rampant
• Malware is present NOT rampant
• Trojans (re-packaged apps)
• Trojans (unique appealing apps)
• App store revocation
• People using third party app stores
Malware is rampant
Mobile security needs augmenting
• Platforms have rich security stories
  • Samsung KNOX
  • BlackBerry Balance
  • MDM APIs / Policies ..
• Some augmentation may be needed
  • on iOS
• On device AV is not one of them
But it is no utopia
SDLs cost
• Vendors don’t have
  • limitless funds
  • limitless people
  • limitless time
• Market driven by features
  • not secure code
• Skills in short demand
• Not evenly deployed
Vulnerability v patching frequency
• No monthly patch Tuesday
• Carrier certification
  • desire
  • capacity
• Vendors
  • desire
  • capacity
Vulnerability v patching frequency
• Handset cycle 12 to 36 months
• HTC 10 Android models
• ZTE 18 Android models
• Samsung 12 Android models
• Apple 1 iPhone model
• BlackBerry 3 BB10 models
• Sustainment costs huge..
Vulnerabilities can be exploited
But… criminals are lazy …
But… there are motivated enablers..
Devices are complex
• Peripherals
• Radio
• OS
• Apps
= a large and complex attack surface
Rapid change
Use cases are different
• Physical interaction
• Usage patterns
Mobile security – the future
Thanks? Questions?
UK Offices
• Manchester - Head Office
• Cheltenham
• Edinburgh
• Leatherhead
• London
• Thame
North American Offices
• San Francisco
• Atlanta
• New York
• Seattle
Australian Offices
• Sydney
European Offices
• Amsterdam - Netherlands
• Munich – Germany
• Zurich - Switzerland
Ollie Whitehouse