cis13: don't let mobile be the achilles heel for your enterprise security
DESCRIPTION
Michael Sutton, Vice President of Security Research, Zscaler
Nothing will more dramatically alter the enterprise security landscape than mobile devices, especially those that are employee owned (BYOD). While mobile devices can greatly improve employee productivity, they don't play nice with legacy enterprise security controls. Are you stuck choosing between the lesser of two evils—lowering security by permitting mobile access or maintaining the status quo by banishing mobile access altogether? Despite the many hurdles that today's mobile OSs pose for enterprise security, with the right policies and technologies it's possible to ensure that mobile employees are just as secure as those sitting at their desks.
TRANSCRIPT
Secure. Everywhere. ©2013 Zscaler, Inc. All rights reserved.
©2012 Zscaler, Inc. All rights reserved.
Don't Let Mobile be the Achilles Heel for Your Enterprise Security
Michael Sutton, VP, Security Research, July 12, 2013
whois
§ Zscaler
– VP, Security Research
– SaaS based solution for end user web security
– ThreatLabZ – security research arm of the company
§ Background
– Founding Member – Cloud Security Alliance
– SPI Dynamics – acquired by HP
– iDefense – acquired by VeriSign
§ Research
– Web security
– Client-side vulnerabilities
– Book – Fuzzing: Brute Force Vulnerability Discovery
Three Mega Trends in IT
This turns traditional security & networking upside down
§ Businesses adopt Mobile
§ Cloud goes mainstream
§ Social meets Enterprise
(In)visibility
§ HQ – Consolidate data from disparate systems (IDS, IPS, Firewall, AV, etc.)
– Internal/external view
§ Regional offices – Consolidate data to obtain comprehensive threatscape
§ Acquisition – Incompatible technologies
§ Remote Employees – Poor user experience (forced VPN) vs weak security (split tunnel)
§ Cloud – Losing control of data
[Diagram labels: HQ, Regional Office, Acquisition, Remote Employees, Cloud]
Threat Mitigation
[Chart: Threat Complexity (vertical axis) against Resource Complexity, measured in appliances and man hours (horizontal axis). Controls plotted: Black/White Listing, Antivirus, IDS, IPS, Behavioral Analysis. Threats plotted: APTs, Targeted Attacks.]
Global Threat Mitigation
[Chart: the same Threat Complexity against Resource Complexity (appliances, man hours) plot, with the control stack (BW List, AV, IDS/IPS, BA) repeated six times, once per site. Threats plotted: APTs, Targeted Attacks.]
Why enterprise security is failing to keep pace
§ Security Threats – Continually evolving attacks defeat security
– Dynamic attacks – Malware only delivered when effective
– Legitimate Resources – Popular sites/results deliver attacks
– Targeted Attacks – Well funded, skilled attackers leverage custom attacks to exfiltrate sensitive data and often go undetected for months
– Mobile – Custom attacks target always-on, mobile devices
§ Endpoint Security – Host based security (Anti-virus, HIPS, etc.)
– Threats – AV struggles with dynamic, web based threats
– Signatures – Static signatures cannot keep pace with the volume of attacks seen in the wild
– Support – Different solutions from different vendors
– Mobile – Degrades device performance and is not an option on iOS devices
§ Gateway Security – Appliance based Secure Web Gateway solutions
– URL filtering – Static blacklists cannot protect against threats on legitimate sites
– Visibility – Batch reporting from individual appliances
– Support – Enterprise remains responsible for patching and maint.
– Mobile – Appliances cannot see traffic for remote employees
§ Security Needs – How do we close the gap?
– In-line, real-time – Block/allow decision based on actual content
– Full content inspection – Complete bi-directional inspection of all traffic
– Encrypted traffic – Malware cannot hide in SSL encrypted channels
– Dynamic reputation – Real-time reputation scoring
– Big data – Continual cloud mining
– Any device/location – Consistent policy enforcement
[Diagram labels: Current Enterprise Security (Endpoint Security, Gateway Security) vs Security Gap (Security Needs)]
How iOS is Forcing Enterprises to Rethink Security
§ Malware – Yesterday: Host based AV – Tomorrow: Background apps/services prohibited
§ Network – Yesterday: Controlled while on-premises – Tomorrow: 3G connectivity bypasses network controls
§ Traffic – Yesterday: Most HTTP(S) traffic browser based – Tomorrow: Most HTTP(S) traffic app driven
§ Data leakage – Yesterday: Appliance based DLP – Tomorrow: Device regularly off-premises
§ Ownership – Yesterday: Corporate owned asset – Tomorrow: Personal asset
Is this the Year?
"To date, mobile devices such as smartphones and tablets have been pretty safe from malware. This era may well have come to an end. The reason mobile devices have been immune is arguably because in many ways the opportunities to capitalize on weaknesses and flaws in the relatively young operating systems of these new products have been scarce in comparison to the millions of machines running, for example, Windows."
2013: The Year Android Users Get Pwned. Mark Gibbs, Contributor, CIO NETWORK, 4/24/2013 @ 10:43PM
Is Mobile Malware on the Rise?
[Chart: Mobile vs PC. Source: Lookout Mobile Security]
All Devices Are Not Created Equal
§ PCs often run numerous server side services such as RDP, RPC, HTTP, FTP, etc.
§ Mobile app stores provide a validation layer
§ Mobile fragmentation (among both vendors and O/S versions) limits total exposure
§ PC browser plugin framework is a significant malware entry point
§ Malicious apps can be revoked via official app stores
Rapid Growth
§ Rapid adoption of web development at the turn of the century ensured that security was an afterthought…
§ …history is repeating itself in the mobile space
§ Many apps are outsourced to 3rd parties and not properly tested for vulnerabilities and data leakage
Mobile Challenges
§ Ownership – BYOD, cloud and social are forcing CISOs to lose control of the devices and data that they are tasked with managing
§ Visibility – Enterprises have significant blind spots and are no longer able to understand total risk and exposure
» Remote users bypass appliances
» Reporting not consolidated
§ Hyper-growth – Lack of security tools and skills to fully understand security/privacy – Blind trust of App Store gatekeepers
§ Traditional endpoint security is dead
– Host based – Resource constraints and restrictive O/S ecosystem
– Appliance based – Can't protect what it can't see
Mobile Identity
[Diagram: three layers (Person, Device, Application) mapped to three concerns]
§ Privacy – Passwords, Pers. Ident. Info., Device ID (IMEI), No SSL, Contacts, …
§ Security – XSS, Command injection, Insecure permissions, Data theft, Race condition, …
§ Productivity – Games, Social Networking, Entertainment, …
ZAP – Zscaler Application Analyzer
http://zap.zscaler.com
ZAP Process
1 Identify official app URL from iTunes/Google Play, enter into ZAP
2 Install mitmproxy SSL certificate (optional)
3 Enter fake personally identifiable information (PII) (optional)
4 Enter ZAP proxy settings in iOS/Android device (2 minute timeout)
5 Start ZAP proxy, launch app and use all functionality (2 minute timeout)
6 Stop proxy, download MiTM file (optional) and analyze traffic
[Diagram: Mobile Device, ZAP, App Vendor, Advertisers, 3rd Parties]
Device Info Leakage – UDID
App Name: Hangman | Version: 2.2.6 (July 20, 2012) | Category: Games | Ratings: 22,356 | Platform: iOS
[+]http://ads.mopub.com/m/open?v=8&udid=sha:C6D279823C0BBEDC6E1751CEF09B2BD673FBBD41&id=366248637
[+]https://ws.tapjoyads.com/connect?mobile_network_code=&country_code=US&device_type=iPod%20touch&app_id=02aa9e96-7734-47b9-a199-187e294ca557&os_version=5.1.1&library_version=8.1.6&language_code=en&lad=0&timestamp=1346830292&platform=iOS&allows_voip=yes&carrier_country_code=&mobile_country_code=&mac_address=00c610c03723&display_multiplier=1.000000&udid=c5a53500780d25743c08f079184903a2d246baad&app_version=1.20&carrier_name=&verifier=37d48f9d34a996dfcda2fd5bb8ee21229afa6f4bfd26d3b2f4edbcd70af81411
[-]https://www.chartboost.com/api/install.json
Method: POST
Host: www.chartboost.com
User-Agent: HangmanFree/1.20 CFNetwork/548.1.4 Darwin/11.0.0
Request Body:
sdk=2.5.11&os=5.1.1&uuid=c5a53500780d25743c08f079184903a2d246baad&app=4ed32026cb6015bd11000000&ui=0&signature=ecf69ddb296fe193d8963e8a12795707&country=US&bundle=1.20&language=en&model=iPod%20touch&
Weak Authentication – Password Hash
App Name: Twitxr | Version: 0.13 (September 5, 2012) | Category: Social Networking | Ratings: 484 | Platform: iOS
[-]http://www.twitxr.com/api/rest/registerNewUser?username=unzscaler&password=42ef56a0090b7b29ab5ee54fc57dc156&[email protected]
Method: GET
Host: www.twitxr.com
User-Agent: Twitxr/1.3 CFNetwork/548.1.4 Darwin/11.0.0
Server Response: EwNay , 6PvJ
[+]http://www.twitxr.com/api/rest/checkUserData
[+]http://m.twitxr.com/?user=unzscaler&md5pass=42ef56a0090b7b29ab5ee54fc57dc156
[+]http://m.twitxr.com/unzscaler/with_friends
[+]http://m.twitxr.com/unzscaler/with_friends/
[+]http://m.twitxr.com/style_mobile_v1.0.css
Michael$ md5 -s Zscal3r!
MD5 ("Zscal3r!") = 42ef56a0090b7b29ab5ee54fc57dc156
Weak Authentication – Clear Text Password
App Name: Eventful | Version: 1.0.4 (Oct 27, 2011) | Category: Social Networking | Ratings: 9,415 | Platform: iOS
[+]http://eventful.com/json/apps/klaxon/start?stsess=(null)
[-]http://eventful.com/json/apps/klaxon/users/validate
Method: POST
Host: eventful.com
User-Agent: Eventful/1.0.4 CFNetwork/548.1.4 Darwin/11.0.0
Request Body:
password1=Zscal3r!&yob=1980&password2=Zscal3r!&location_id=&gender=M&email=apps%40zscaler.com&opt_partners=1&location_type=&username=unzscaler
Server Response: {"errors":null,"is_default_eventful_site":"1","home_url":"http://eventful.com/sanjose/events"}
[+]http://eventful.com/json/apps/klaxon/locations/search?location=38.951549,-77.333655&stsess=(null)
[+]http://eventful.com/json/apps/klaxon/users/join
[+]http://eventful.com/json/apps/klaxon/users/edit
Weak Authentication – Shared Libraries
App Names: Zip Cloud, JustCloud, MyPCBackup, Novatech Cloud | Version: 1.1.2 (September 22, 2012) | Category: Productivity | Vendor: JDI Backup Ltd | Platform: iOS
[+]http://data.flurry.com/aas.do
[-]http://flow.backupgrid.net/account/create
Method: POST
Host: flow.backupgrid.net
User-Agent: ZipCloud 1.0.2 (iPod touch; iPhone OS 5.1.1; en_US)
Request Body:
credentials={"app_time":"100","app":"jdi_ios","app_version":"1.0.2","secret":"","token":""}&payload={"name":"Fnzscaler","password":"Zscal3r!","verify":"1cac4c9b84b77738cb1ede06054ed664","email":"[email protected]","partner_id":"2"}&version=1.0.0
Server Response: ;;v# , r , '+4f , %eG}
[+]http://flow.backupgrid.net/auth/request
[+]http://flow.backupgrid.net/account/devices
[+]http://flow.backupgrid.net/device/licence
[+]http://flow.backupgrid.net/device/roots
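The ZAP workflow (seed fake PII, proxy the app, inspect the capture) and the three finding slides above can be turned into a repeatable audit. The script below is an added example, not ZAP's code and not part of the original deck: it takes request records in the (method, URL, body) shape the slides print, with every host, identifier and hash a constructed placeholder, and flags the same classes of problem the slides call out: device identifiers sent to hosts other than the app vendor, the seeded test password appearing in the clear or as an unsalted MD5/SHA digest, a password carried in a GET query string, and any of those over plain HTTP. The SEEDED values, the FIRST_PARTY host set and the sample requests are assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical seeded test identity: the fake PII typed into the app during the
# ZAP "enter fake PII" step. The audit searches the capture for these values.
SEEDED = {
    "password": "Test-Pa55!",
    "email": "tester@example.invalid",
    "username": "ztester",
}
# Hypothetical app vendor host; any other host receiving device IDs is a third party.
FIRST_PARTY = {"api.example-app.invalid"}

DEVICE_ID_KEYS = {"udid", "uuid", "imei", "mac_address", "device_id", "idfa"}
JSON_PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')  # "key":"value" pairs in a JSON body

# Constructed request records in the (method, url, body) shape ZAP prints.
# Hosts, IDs and hashes are placeholders, not captures from any real app.
SAMPLE_REQUESTS = [
    ("GET", "http://ads.example-adnet.invalid/m/open?v=8&udid=sha:" + "c6d2" * 10 + "&id=366", ""),
    ("GET", "http://api.example-app.invalid/api/rest/registerNewUser?username=ztester&password="
            + hashlib.md5(b"Test-Pa55!").hexdigest() + "&email=tester%40example.invalid", ""),
    ("POST", "http://api.example-app.invalid/json/users/validate",
             "password1=Test-Pa55!&yob=1980&password2=Test-Pa55!&email=tester%40example.invalid&username=ztester"),
    ("POST", "https://flow.example-backup.invalid/account/create",
             'credentials={"app":"demo"}&payload={"name":"ztester","password":"Test-Pa55!","email":"tester@example.invalid"}'),
    ("GET", "https://api.example-app.invalid/profile?session=abc123", ""),
]


def seeded_lookup():
    """Map each seeded value, plain and as common unsalted digests, back to (label, form)."""
    table = {}
    for label, value in SEEDED.items():
        data = value.encode()
        forms = {
            "plain": value,
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
        for form, rendered in forms.items():
            table[rendered.lower()] = (label, form)
    return table


def analyze(url, body):
    """Return the set of finding labels for one captured request."""
    findings = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    lookup = seeded_lookup()
    # Query-string pairs are tracked separately: a secret in a GET URL also lands in
    # server and proxy logs. Body pairs cover form fields and quoted JSON pairs.
    pairs = [(True, kv) for kv in parse_qsl(parts.query, keep_blank_values=True)]
    pairs += [(False, kv) for kv in parse_qsl(body, keep_blank_values=True)]
    pairs += [(False, kv) for kv in JSON_PAIR.findall(body)]
    sensitive = False
    for in_url, (key, value) in pairs:
        k, v = key.lower(), value.lower()
        if v.startswith("sha:"):  # "udid=sha:<hex>" style prefix seen on the slides
            v = v[4:]
        if k in DEVICE_ID_KEYS:
            sensitive = True
            findings.add("device-id" if host in FIRST_PARTY else "device-id-to-third-party")
        hit = lookup.get(v)
        if hit is None:
            continue
        sensitive = True
        label, form = hit
        if label == "password":
            findings.add("password-plaintext" if form == "plain" else "password-unsalted-" + form)
            if in_url:
                findings.add("password-in-url")
        else:
            findings.add("pii-" + label)
    if sensitive and parts.scheme == "http":
        findings.add("cleartext-transport")
    return findings


def audit(requests):
    """Map each request URL that has findings to its sorted finding list."""
    report = {}
    for _method, url, body in requests:
        found = analyze(url, body)
        if found:
            report[url] = sorted(found)
    return report


if __name__ == "__main__":
    for url, found in audit(SAMPLE_REQUESTS).items():
        print(url.split("?")[0], "->", ", ".join(found))
```

Matching on digests of the seeded value is what makes the Twitxr-style finding visible without guessing: the tester already knows the password they typed, so an unsalted MD5 of it in the query string is recognised immediately, while a properly salted or server-side-only hash produces no hit.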
Mobile Application Privacy
[Chart, left panel: Android Application Permissions, bars from 60.78% down to 1.72% (60.78%, 54.99%, 44.04%, 42.49%, 31.19%, 9.52%, 3.50%, 3.33%, 2.75%, 1.72%); permission labels not recoverable.]
[Chart, right panel: iOS Application Behaviors, grouped as Device Info., 3rd Parties, Authentication, bars from 79.08% down to 9.40% (79.08%, 61.61%, 59.69%, 41.65%, 35.51%, 25.72%, 13.82%, 9.40%); behavior labels not recoverable.]
Securing Mobile – How enterprises must adapt in a mobile world
How Mobility turns Enterprise Security Upside Down
Yesterday
§ Devices, applications & Data at Corp HQ or DC – Owned and controlled by the enterprise
§ Traffic backhaul – Branch offices – MPLS – Road warriors – VPN
§ Protect users with appliances – On-prem gateway proxies (URL, AV, DLP) enforce policies for users accessing Internet
Today
§ Mobility – Users go direct – Data, networks and devices no longer owned/controlled by the enterprise
[Diagram labels: Regional Gateway, Branch, HQ, Home / Hotspot, On the Road/Mobile; MPLS Backhaul, VPN Backhaul; No policy or protection. Caption: Ltd. protection and visibility for the mobile workforce]
Zscaler Secure Cloud Gateway
"Zscaler was the only one that truly delivered an ultra-low latency experience along with exceptional protection from threats. And best of all, it works exactly as advertised."
[Diagram labels: Mobile & Distributed Workforce (Home or Hotspot, HQ, Regional Office, On-the-go); Business Applications (Mobile Apps, Cloud Apps, Email Services, Web 2.0 and Social)]
Securely Enable Direct to Internet
Nothing good leaks out, nothing bad comes in
Enforce Business Policy
NO HARDWARE | NO SOFTWARE
Consider Three Users…
§ We must seek security solutions that ensure consistent policy, protection and visibility, regardless of device or location.
§ Cloud provides the opportunity to level the playing field.
Office – Device: PC – Protection: IDS, IPS, FW, SWG, DLP, etc. – Visibility: Location based reporting
Coffee Shop – Device: Laptop – Protection: Host based AV and firewall – Visibility: Nothing
Airport – Device: Tablet/smartphone – Protection: Nothing – Visibility: Nothing
zscaler.com threatlabz.com
Michael Sutton, VP, Security Research