Security Architecture for Mobile
Computing and Internet of Things (IoT)
Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation
Date Created: 10/28/2015
Date last updated: 11/17/2015
Agenda
Objective: Provide an overview of Security Architecture for Mobile Computing and IoT.
Scope:
• Motivation
• Scope of Mobile Computing and Internet of Things (IoT)
• Growth trends
• Factors that Influence Mobile Security Solution
• Mobile Security Reference Architecture
• Mobile Infrastructure Components
• The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI)
• Potential Vulnerabilities for Mobile applications and mitigation strategies
• Security Controls
• Mobile Security Tools & Technologies
• Q&A
Audience Poll
What is your primary role at your company?
• Technologist, CTO
• Finance, CFO
• Audit, CFO
• Security & Compliance, CISO, CCO
• IT Operation, CIO
• Business Services, Executive
• Consultant, Entrepreneur
• Government, Nonprofit Org
What is your level of experience with Mobile Development? With DevOps? With a Cloud environment? With a Big Data environment?
• Evaluating
• 1-3 years
• 3-5 years
• 5+ years
Motivation
“Companies rarely fail because of poor financial controls, but they fail
frequently due to their inability to understand and address disruptive
technologies, market fluctuations, changing customer expectations, and
competitive pressures.”
2014 Forrester report by Chris McClean, Stephanie Balaouras & Jennie Duong
URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
Scope of Mobile Computing and Internet of Things (IoT)
Mobile Computing Definition:
• Human–computer interaction by which a computer
is expected to be transported during normal use.
• Technology that allows collection / transmission of
data, voice and video via a computer or any other
wireless enabled device without having to be
connected to a fixed physical link.
• Scope:
• Hardware / Devices
• Software
• Communication
Internet of Things (IoT) Definition:
• Network of physical objects or "things" embedded
with electronics, software, sensors, and network
connectivity, which enables these objects to collect
and exchange data.
• It allows objects to be sensed and controlled
remotely across existing network infrastructure,
creating opportunities for more direct integration
between the physical world and computer-based
systems, and resulting in improved efficiency,
accuracy and economic benefit.
• Each thing is uniquely identifiable through its
embedded computing system but is able to
interoperate within the existing Internet
infrastructure.
• Scope:
• Hardware / Devices, Software, Communication
Mobile Computing & IoT Trends
• 2000: RFID tags for supply chain and logistics, e.g. smart routing, inventory management, and prevention of supply-chain leakage.
• 2010: Surveillance, security, healthcare, transport, tolls, food safety, document management, e.g. cameras, sensors, tags, wearables, smartphones, smart cards, smart houses.
• 2020: Locating people, vehicles, and everyday objects, e.g. geolocation sensors, GPS, smart houses, consumable sensors.
• 2030+: Teleoperation and telepresence, the ability to monitor and control distant objects, enabled by miniaturization, power-efficient electronics, available spectrum, software agents and advanced sensor fusion, e.g. cognitive and humanized computing, remote-controlled drones.
Scope of Mobile Computing and Internet of Things (IoT)
[Figure: the currently evolving stack (Mobile Computing Networks, Smartphones, Cloud, Internet of Things) and the emerging future (Smartphone technology everywhere, Self-learning Cloud, Internet of Everything, Humanized technology everywhere), labelled along the axis Pervasive Computing, Ubiquitous Computing, Cognitive Computing, Humanized Computing. Example devices: vehicle tracking devices, surveillance cameras, smart house automation, temperature / occupancy / flow / light / humidity / smoke / fire sensors, geolocation sensors.]
The vision of cognitive / humanized computing
Current Medical Computing:
• Electronic Medical Records
• Latest research findings
• Best practice recommendations on treatments
• Personal genomics data
• Multiple observations from the patient
• Observations from personal environment & history
Cognitive Computing:
• Understand medical records content
• Understand research publications
• Able to discern new patterns
• Able to suggest experiments
• Explain hypotheses to humans
• Able to modify theories, and learn
• Human-like machine intelligence
• Software that emulates more of the brain
• Computers transitioning from "dumb machines" to "trusted partners"
• Computers that have common sense
• Systems that understand natural language
• Enabling "hybrid intelligence": humans and computers working better together
Internet of Things (IoT)
Industry sectors, with the types of applications and types of devices in each:
IT
  Applications: CRM, ERP, SCM, HR, Finance
  Devices: Servers, Storage, Network, PCs, Desktops, Laptops, Smartphones, Switches, Routers, PBXs, Embedded Systems
Manufacturing
  Applications: Planning, Scheduling, Distribution, Discrete / Process Engineering
  Devices: Compressors, Conveyors, Pumps, Pipelines, Motors, Turbines, Fabrication Assembly, Packaging
Retail & Hospitality
  Applications: Inventory Management, Order Management, Incident Management, Service Management
  Devices: Receiving, Store, RFID Tags, Point-of-Sales, Cash Register, Workforce Management, Vending Machines
Logistics / Transportation
  Applications: Planning, Scheduling, Loading, Unloading, Bill of Lading, Delivery Tracking
  Devices: Vehicles, Storage, Put Away, Tracking, Maintenance, RFID Tags
Healthcare & Lifesciences
  Applications: Patient Care, Testing, Health Monitoring, Imaging
  Devices: Wearables, MRIs, PDAs, Telemedicine, Surgical equipment, Monitors, Implants, Bio-sensors
Energy
  Applications: Supply & Demand Management, Drilling, Purification, Storage, Transport
  Devices: Turbines, Windmills, UPS, Batteries, Generators, Compressors, Cells, Meters, Drills
Home Care
  Applications: Education, Convenience, Entertainment, Safety
  Devices: Digital Cameras, Appliances, Gaming, Audio / Video Systems, Vehicles, Smart homes, Alarms, Refrigerators, Sprinklers
Construction
  Applications: Commercial / Residential Buildings Management
  Devices: HVAC, Transport, Fire and Safety, Lights / Power / Water Control, Access Control
Public Sector
  Applications: Safety, Security, Emergency Response, Surveillance, Environmental, Weather
  Devices: Tanks, Trucks, Cars, Vans, Fighter Planes, Ambulances, Fire Trucks, Satellites, Spaceships, Ships, Beacons, Weather Sensors
IoT Growth Predictions
Source:
Hewlett Packard Enterprise Community 2015 report http://community.hpe.com
I-Scoop IoT report http://www.i-scoop.eu/internet-of-things/
Predicted IoT value by sector:
• Consumer electronics: $445B
• Automotive: $202B
• Manufacturing: $99B
• Healthcare: $69B
• Utilities: $36B
IoT Security Vulnerabilities Research Findings
Source:
Hewlett Packard Enterprise IoT Research Findings URL: http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
Computer World: http://www.computerworld.com/article/2476543/cybercrime-hacking/researchers-find-about-25-security-vulnerabilities-per-internet-of-things-device.html
• 90% of devices collected at least one piece of personal information via the device, the cloud or its mobile application.
• 80% of devices, together with their cloud and mobile application components, failed to require passwords of sufficient complexity and length.
• Researchers found about 25 security vulnerabilities per IoT device.
• Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials.
• 70% of devices, together with their cloud and mobile application, enable an attacker to identify valid user accounts through account enumeration.
• 70% of devices used unencrypted network services.
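Two of the findings above, account enumeration and weak password policy, come down to server-side login logic. The following is an added example in Python, not code from the slides or the HPE report: a login handler that leaks whether an account exists beside one that does not, plus the probe a tester would use to tell them apart and a minimal password policy check. The user store, the error strings and the policy thresholds are constructed for the example.

```python
"""
Added example (not from the original slides or the HPE report): account
enumeration via distinct login responses, the hardened form, and a minimal
password policy check. User data and thresholds are constructed.
"""
import hashlib
import hmac
import os
import re


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str):
    salt = os.urandom(16)           # per-user salt, as in a real store
    return salt, _hash_pw(password, salt)


# Constructed user store: username -> (salt, PBKDF2 hash). Not real credentials.
USERS = {"alice": _make_user("Correct-Horse-9Battery")}
# A dummy entry so an unknown username costs the same hashing work as a known one.
_DUMMY = _make_user("unused")


def login_enumerable(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable pattern (the 70% finding): the message reveals whether the
    account exists, and unknown users return before any hashing is done."""
    if username not in USERS:
        return False, "unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash_pw(password, salt), stored):
        return True, "ok"
    return False, "wrong password"


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Hardened: one generic message and the same hashing work on every
    path, so neither the text nor the timing reveals which usernames exist."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    if ok and username in USERS:
        return True, "ok"
    return False, "invalid username or password"


def enumeration_possible(handler) -> bool:
    """Probe a handler the way a tester would: the same bad password against
    a real and a fake account; differing responses mean enumeration."""
    real = handler("alice", "not-the-password")
    fake = handler("nobody-here", "not-the-password")
    return real != fake


# Minimal policy for the 80% finding (length and complexity). The numbers are
# assumptions for the example, not taken from the report.
MIN_LENGTH = 12
_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_policy_ok(password: str) -> bool:
    if len(password) < MIN_LENGTH:
        return False
    return sum(bool(re.search(c, password)) for c in _CLASSES) >= 3


if __name__ == "__main__":
    print("enumerable handler leaks:", enumeration_possible(login_enumerable))
    print("hardened handler leaks:", enumeration_possible(login_hardened))
    print(password_policy_ok("1234"), password_policy_ok("Correct-Horse-9Battery"))
```

The same comparison applies to password-reset and registration endpoints, which leak account existence at least as often as the login form does.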
Securing Mobile Enterprise
Chief Information Officer (CIO) / Chief Information Security Officer (CISO):
• Mitigate security risks across the enterprise, i.e. people, process, devices, applications, content and transactions
• Monitor & manage enterprise security across all endpoints
Device Security: Manage the mobile devices. BYOD, BYOA, secure email and document sharing. Enroll, provision, configure, retire, lock/wipe lost devices. Fingerprint devices, i.e. unique device IDs. Enforce security compliance: passcode, encryption, jailbreak / root detection.
Content Security: Secure file and document sharing across mobile devices and employees. Restrict copy, paste & share. Validate integrations with other sources. Secure access to enterprise data. Data separation, leakage, encryption, scan, automation.
Application Security: Instrument applications with security protection by design. Identify vulnerabilities in new and existing applications, and in the integration among the applications. Secure development & application management platforms, e.g. IDE, scanning, app wrapping, SDK container, whitelist / blacklist applications.
Transaction Security: Secure mobile transactions between employees, customers, partners, and suppliers. Access: mobile access management, identity federation & API connectivity. Transactions: mobile fraud management, browser security / URL filtering, IP velocity.
Security Intelligence: Collect, correlate, and visualize mobile security data, e.g. events, incidents, log data, and detect anomalies. Manage vulnerabilities and proactive threat avoidance. Mobile Security Information and Event Management (SIEM), log analysis, and data mining.
Stakeholders shown left to right under the four columns: IT Operations, Line-of-Business, App Developers, Security Specialists.
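The "collect, correlate" step of the Security Intelligence row, as an added example that is not part of the original deck: two constructed log feeds, an MDM compliance feed and a VPN gateway feed, are joined on device ID so that a device reported as jailbroken or unencrypted is flagged when it opens a VPN session within a time window. The log line format, field names, device IDs and addresses are all assumptions for the example.

```python
"""
Added example (not from the original slides): cross-source correlation of
MDM compliance events with VPN gateway logins. Log formats, field names,
device IDs and addresses are constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines: documentation-range addresses, made-up device IDs.
MDM_LOG = """\
2015-11-17T08:00:10Z mdm device=DEV-1001 user=alice check=jailbreak result=fail
2015-11-17T08:00:11Z mdm device=DEV-1002 user=bob check=jailbreak result=pass
2015-11-17T08:02:30Z mdm device=DEV-1002 user=bob check=encryption result=fail
2015-11-17T08:03:00Z mdm device=DEV-1003 user=carol check=passcode result=pass
"""

VPN_LOG = """\
2015-11-17T08:05:00Z vpn device=DEV-1001 user=alice event=session_open src=203.0.113.10
2015-11-17T08:06:00Z vpn device=DEV-1003 user=carol event=session_open src=203.0.113.11
2015-11-17T10:30:00Z vpn device=DEV-1002 user=bob event=session_open src=203.0.113.12
"""

_LINE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<fields>.*)$")


def parse(log: str) -> list[dict]:
    """Turn 'ts source k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than stop the pipeline
        ev = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["source"] = m["source"]
        events.append(ev)
    return events


def correlate(mdm_log: str, vpn_log: str, window_hours: float = 1.0) -> list[dict]:
    """Flag VPN session_open events from a device that failed an MDM
    compliance check within `window_hours` before the session opened."""
    window = timedelta(hours=window_hours)
    failures: dict[str, list] = {}  # device -> [(ts, check), ...]
    for ev in parse(mdm_log):
        if ev.get("result") == "fail":
            failures.setdefault(ev["device"], []).append((ev["ts"], ev["check"]))

    alerts = []
    for ev in parse(vpn_log):
        if ev.get("event") != "session_open":
            continue
        recent = [
            check for ts, check in failures.get(ev["device"], [])
            if timedelta(0) <= ev["ts"] - ts <= window
        ]
        if recent:
            alerts.append({
                "device": ev["device"],
                "user": ev["user"],
                "src": ev["src"],
                "failed_checks": sorted(recent),
                "session_ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(MDM_LOG, VPN_LOG):
        print(f"ALERT {a['device']} ({a['user']}) from {a['src']}: "
              f"failed {', '.join(a['failed_checks'])}, then opened a VPN session")
```

With the default one-hour window only DEV-1001 is flagged; widening the window to three hours also catches DEV-1002, whose encryption failure preceded its login by about two and a half hours. The window is the tuning knob: too short and a stale compliance report is ignored, too long and every device that ever failed a check generates noise.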
Factors that Influence Mobile Security Solution
Criteria Considerations
1. Type of Users Employees, Customers, Partners, Suppliers.
2. Types of Devices
Form factors: Smartphones (low end), handheld PDAs, Ultra-Mobile PCs, Tablet PCs.
OS: Android/Google Devices, BlackBerry, iOS/Apple Device, Palm, WebOS.
Browsers: WAP-based, Feature Phones, Smartphones, iPhones.
3. Mobile Devices Features
User owned varied device types or BYOD or Company defined device
ex: Device register, locate, lock or wipe capabilities
4. Services used by mobile app Central or distributed compute; service-enabled or legacy access
5. Types of access Intranet/extranet or internet; is a VPN required?
6. Number of users
Small (10-100), medium (1000s) or large (many thousands); known or unknown number;
Is it necessary to protect against surges of workload/requests? Is it necessary to protect against
denial of service attacks?
7. Authentication User authentication, Device authentication, Application authentication
8. Authorization
User authorization; Does the user need to be authorized to access Mobile Enterprise
Application Platform (MEAP); Limit access when mobile user connects from unsecure
network; Limit access based on mobile user location; What authorization token will be
used e.g. OAuth, SAML
9. Audit
Should access to specific application be audited? What information needs to be Audited
e.g. mobile user id, device location, resource accessed, device id
10. Confidentiality
What is the nature of the data? Does the data in transit need to be encrypted? What
hardware offload capabilities are currently used for SSL/TLS? Is the data stored on the
device? Does data on the device need to be encrypted?
11. Integrity Does the integrity of the data in transit need to be protected?
12. Existing security
infrastructure
Will the existing security infrastructure be reused for securing mobile access? What
components and products are used in the existing security infrastructure? e.g. Security
gateway, User registry, Identity management and mapping, Network security, Digital
certificates, Security intelligence solution
13. Security standards
What company standards need to be respected e.g. limits on encryption algorithms or
authentication protocols, FIPS-140; What industry & government standards need to be
respected e.g. PCI-DSS, HIPAA, FIPS 140, FedRAMP, FISMA
Mobile Security Reference Architecture (MSRA)
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
[Figure: MSRA overview. Legend: network traffic, log data.]
• Mobile Device: interfaces (camera, microphone, GPS, Bluetooth/NFC, tethering, 802.11a/b/g/n, cellular, USB); optional virtual OS; managed apps, untrusted apps and whitelisted apps; MDM plugin; encrypted storage and unencrypted storage.
• Access networks: cellular networks and wireless Ethernet networks.
• Gateway & Security Stack and Enterprise Mobile Services: Virtual Private Network (VPN), Intrusion Detection System (IDS), Data Loss Prevention (DLP), Identity & Access Management (IAM), Mobile Device Manager (MDM), Mobile Application Manager (MAM), Mobile Application Store(s) (MAS), Mobile Application Gateway (MAG).
• Enterprise Core Services: voice/unified capabilities, web applications, e-mail, databases, virtual desktop/apps, SIEM / log correlation, and others.
• External Facing Mobile Services: external application store(s), mobile application store(s), mobile application gateways.
Mobile Infrastructure Components
• Virtual Private Networks (VPNs)
• Intrusion Detection System (IDS)
• Data Loss Prevention (DLP)
• Identity and Access Management (IAM)
• Mobile Device Management (MDM)
• Mobile Application Management (MAM)
• Mobile Application Store (MAS)
• Mobile Application Gateway (MAG)
• Gateway and Security Stack (GSS)
Mobile Virtual Private Networks (mVPNs)
[Figure: mobile devices reaching the Enterprise Network through the Gateway & Security Stack over an mVPN.]
A mobile virtual private network (mobile VPN or mVPN) provides mobile devices with access to network resources and software applications on their home network when they connect via other wireless or wired networks.
Functions: persistence, roaming, application compatibility, security, acceleration, strong authentication.
Management functions: management console, policy management, quality of service, network access control, mobility analytics, monitoring & notification.
Intrusion Detection System (IDS)
[Figure: IDS activities and components.]
IDS activities: prevention, intrusion monitoring, intrusion detection, response; supported by simulation, analysis and notification.
IDS components, by stage:
• Information collection: IoT components (sensor nodes, smart physical objects) and the protected system feed an event generator, governed by an information collection policy, producing a set of events (syslogs, system stats, network packets), system information, audit trails and network monitoring data.
• Detection: a sensor & analyzer applies pattern matching algorithms under a detection policy, backed by an IDS configuration database and an IDS knowledge database.
• Response: an attack response module acts under a response policy, with monitoring & notification and concrete actions.
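The sensor & analyzer, detection policy and response policy stages above, as an added example that is not code from the deck: a small signature-based IDS that runs pattern matching over a constructed set of syslog-style events, counts hits per source against a threshold, and maps each firing signature to a response action. The event lines, signatures, thresholds and actions are assumptions chosen for the example.

```python
"""
Added example (not from the original slides): signature-based detection
over constructed events, with a detection policy (pattern + threshold) and a
response policy (signature -> action). Events and addresses are made up.
"""
import re
from collections import defaultdict

# Constructed events from an IoT gateway (documentation-range addresses).
EVENTS = [
    "auth: failed login user=admin src=198.51.100.7",
    "auth: failed login user=admin src=198.51.100.7",
    "auth: failed login user=root src=198.51.100.7",
    "auth: failed login user=admin src=198.51.100.7",
    "auth: failed login user=admin src=198.51.100.7",
    "http: GET /cgi-bin/status?id=1';DROP TABLE sensors;-- src=203.0.113.9",
    "http: GET /index.html src=192.0.2.44",
    "auth: login ok user=carol src=192.0.2.44",
]

# Detection policy: signature -> (pattern applied to each event, number of
# hits from one source before the signature fires).
DETECTION_POLICY = {
    "brute_force": (re.compile(r"^auth: failed login .* src=(?P<src>\S+)"), 5),
    "sqli_probe":  (re.compile(r"^http: .*(?:'|;|--).* src=(?P<src>\S+)"), 1),
}

# Response policy: signature -> action for the attack response module.
RESPONSE_POLICY = {
    "brute_force": "block_source",
    "sqli_probe": "notify",
}


def analyze(events: list[str]) -> list[tuple[str, str]]:
    """Sensor & analyzer: return (signature, source) pairs, once per source,
    at the moment a signature's threshold is reached."""
    hits: dict[tuple[str, str], int] = defaultdict(int)
    fired: list[tuple[str, str]] = []
    for ev in events:
        for name, (pattern, threshold) in DETECTION_POLICY.items():
            m = pattern.search(ev)
            if not m:
                continue
            key = (name, m["src"])
            hits[key] += 1
            if hits[key] == threshold:   # fire exactly once per source
                fired.append(key)
    return fired


def respond(detections: list[tuple[str, str]]) -> list[str]:
    """Attack response module: map each detection to its policy action."""
    return [f"{RESPONSE_POLICY[name]} {src}" for name, src in detections]


if __name__ == "__main__":
    for action in respond(analyze(EVENTS)):
        print(action)
```

The threshold is what separates a detection policy from a grep: a single failed login is not an event worth a response, five from one source are. A real deployment would also expire counters over time so that a slow attacker cannot stay under the threshold indefinitely.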
Data Loss Prevention (DLP)
[Figure: elements of a DLP program: data governance, regulatory requirements, data classifications, policies, tools / technologies, discovery / monitoring / notification, education / training, intelligence / analytics.]
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
Methods for DLP: text analysis, metatagging, monitoring, blocking via a gateway server or a native mobile app, or building content management into applications.
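The "text analysis" and "blocking via gateway" methods above, as an added example (not the deck's own code): a message body is scanned for payment card numbers, filtered by the Luhn check digit so that random digit runs do not trigger, and for US SSN-shaped values; the findings are turned into classification labels and a block/allow decision under a policy. The sample messages and the policy are constructed; the card numbers are publicly known test numbers, not real accounts.

```python
"""
Added example (not from the original slides): DLP text analysis for card
numbers (format + Luhn) and SSN-shaped values, classification, and a gateway
block/allow decision. Samples and policy are constructed for the example.
"""
import re

_CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: every other digit from the right is doubled
    (minus 9 if over 9); the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Digit runs of 13-19 digits (spaces or dashes allowed) that pass Luhn."""
    found = []
    for m in _CARD.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> set[str]:
    """Data classification labels present in the text."""
    labels = set()
    if find_cards(text):
        labels.add("PCI")
    if _SSN.search(text):
        labels.add("PII")
    return labels


# Constructed policy: label -> action when the data would leave the network.
POLICY = {"PCI": "block", "PII": "block"}


def gateway_decision(text: str) -> tuple[str, set[str]]:
    """Gateway decision: block if any label's policy action is 'block',
    otherwise allow. Returns the action and the labels found."""
    labels = classify(text)
    if any(POLICY.get(label) == "block" for label in labels):
        return "block", labels
    return "allow", labels


if __name__ == "__main__":
    samples = [
        "Invoice 2015-0042 total 118.00, thanks",
        "Card on file: 4111 1111 1111 1111 exp 12/17",
        "Order ref 1234 5678 9012 3456 shipped",   # right shape, fails Luhn
        "Applicant SSN 123-45-6789 attached",
    ]
    for s in samples:
        print(gateway_decision(s), s)
```

The Luhn filter is what keeps false positives down: order numbers, tracking IDs and timestamps are full of 13-19 digit runs, and a gateway that blocks on shape alone will be disabled by its own users within a week.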
Identity and Access Management (IAM)
Source: http://blog.cmlgroup.com/identity-access-management-iam/
Source: https://it.ubc.ca/what-identity-and-access-management
Mobile Device Management (MDM)
Mobile Device Management challenges for CIOs (source: Gartner):
• Decentralized global services
• No one solution or provider
• Performance management / support
• More employee choice
• No dominant platform
• Increasing smartphone adoption
• More worker mobility
• Changing business styles
• Corporate data risk
• Business continuity planning
Mobile Application Management (MAM)
• Enterprise Application Store
• Application Distribution / Delivery
• Application Policies
• Application Whitelists / Blacklists
• Application Security
• Application updates & patch management
• User authentication & authorization
• Version checking
• Push services
• Reporting, Monitoring & Tracking
• Wrapping, Secure Container, SDK
• Licensing
• Billing
• Internal App Storage
• Bulk purchase
Mobile Device Management (MDM)
• Over-the-air updates
• Remote Configuration and Provisioning
• Device Security
• Backup & Restore
• Network Usage and Support
• Remote Login, Lock and Wipe
• Device Provisioning & De-provisioning (Retire)
• Software Installation
• Certificate Authority & On-device encryption
• PIN enforcement
• Support mVPN
• Restrict Wireless
• Enable / Disable Camera
• Stop Email Forwarding
• Prevent Automated Cloud Backup
Mobile Application Store (MAS) Key Features
Source: VisionMobile research URL: http://www.visionmobile.com/blog/2008/11/the-mobile-application-store-phenomenon/
Mobile Application Gateway (MAG)
A Mobile Application Gateway (MAG) is a piece of software that provides application-specific
network security for mobile application infrastructures. The purpose of a MAG is to act as a
network proxy, accepting connections on behalf of the application’s network infrastructure,
filtering the traffic, and relaying the traffic to mobile application servers. This proxy
relationship allows the MAG to apply application layer filters to network traffic, providing
focused security designed to protect the mobile application service.
Following are the mobile security functions associated with MAGs.
• Personnel and Facilities Management
• Monitoring and Auditing
Gateway and Security Stack (GSS)
The unique dual-connected nature (cellular and wireless Ethernet) of mobile devices makes
them ideal platforms for circumventing traditional network security boundary protections. To
prevent damage to the enterprise from a compromised mobile device, access to the enterprise
must be restricted through one or more known network routes (i.e., Gateways) and inspected
by standard network defenses such as stateful packet inspection, intrusion detection, and
application and protocol filters. These standard defenses are collectively known as a “filter stack”
because they serve to filter unwanted network traffic and are usually configured in a “stack”
with traffic traversing each filter in sequence. The GSS typically functions at the session and
below layers of the OSI network model.
Following are the mobile security functions associated with the Gateway and Security Stack.
• Content Filtering
• Packet Filtering
• Traffic Inspection
Mobile Security Functions
• Personnel and Facilities Management
  • Training
  • Physical Controls
• Identity and Access Management
  • Identity and Access Management Mechanisms
  • Authorization
  • Network Access Control
• Application and Data Security
  • Digital Asset Protection
  • Diagnostic Data Management (DDM)
• Device Management
  • Host Security
  • Configuration
  • Software Validation and Patch Management
• Secure Communications
• Continuous Monitoring and Auditing
  • Traffic Inspection
  • Packet Filtering
  • Content Filtering
  • Logging
• Security Intelligence / Reporting
• Incident Response
The Open Web Application Security Project (OWASP)
Enterprise Security API (ESAPI)
Source: The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page
[Figure: ESAPI sits between custom enterprise web applications and the existing enterprise security services / libraries, along a request path of Browser, Gateway & Security Stack, Web Server, App Server, DB Server.]
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, ExceptionHandling, Logger, IntrusionDetector, SecurityConfiguration.
OWASP overview of security controls, in request order:
1. Authenticate the users
2. Authorize the users
3. Data validation: prevent "parameter manipulation"
4. Session management
5. Audit logs
6. Protect the reserved data (applied at both the application and the database tier)
7. Secure configuration management
8. Error handling
OWASP Top 10
Source: The Open Web Application Security Project (OWASP) 2013 Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP Top Ten 2013, how each works, and the ESAPI component that addresses it:
A1 - Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. ESAPI: Encoder.
A2 - Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities. ESAPI: Authenticator, User, HTTPUtilities.
A3 - Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites. ESAPI: Validator, Encoder.
A4 - Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. ESAPI: AccessReferenceMap.
A5 - Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. ESAPI: SecurityConfiguration.
A6 - Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. ESAPI: Encryptor, EncryptedProperties.
A7 - Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. ESAPI: AccessController, AccessReferenceMap.
A8 - Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim. ESAPI: User (CSRF token).
A9 - Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. ESAPI: IntrusionDetector.
A10 - Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. ESAPI: Validator.
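Three of the ESAPI controls mapped above, written out as an added example in Python (this is not ESAPI, whose reference implementation is Java, and not code from the deck): an AccessReferenceMap for A4 that hands the client random indirect references instead of database keys, an Encoder for A3 that entity-encodes untrusted output for an HTML text context, and a synchronizer token for A8, the same pattern the CSRFGuard library listed later in the deck implements. Class and method names follow ESAPI's interfaces loosely; the record identifiers are made up.

```python
"""
Added example (not ESAPI itself and not from the original slides): an
ESAPI-style AccessReferenceMap (A4), HTML Encoder (A3) and CSRF synchronizer
token (A8) in Python. Names follow ESAPI loosely; record IDs are made up.
"""
import hmac
import html
import secrets


class AccessReferenceMap:
    """Per-session map from direct references (e.g. DB keys) to random
    indirect references. The client only ever sees the indirect form, so it
    cannot guess or increment its way to objects it was never given."""

    def __init__(self, direct_refs):
        self._d2i: dict = {}
        self._i2d: dict = {}
        for ref in direct_refs:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct):
        if direct in self._d2i:
            return self._d2i[direct]
        indirect = secrets.token_urlsafe(12)
        self._d2i[direct] = indirect
        self._i2d[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        return self._d2i[direct]

    def get_direct_reference(self, indirect):
        """Unknown values raise: a forged or replayed reference is an
        access-control failure, not a lookup miss to fall through."""
        if indirect not in self._i2d:
            raise PermissionError("invalid indirect reference")
        return self._i2d[indirect]


class Encoder:
    @staticmethod
    def encode_for_html(untrusted: str) -> str:
        """Entity-encode for an HTML text context so user data cannot break
        out into markup. Attribute, JavaScript and URL contexts each need
        their own encoder, as ESAPI's Encoder interface provides."""
        return html.escape(untrusted, quote=True)


class CsrfTokens:
    """Synchronizer token: one random token per session, required on every
    state-changing request and compared in constant time."""

    def __init__(self):
        self._tokens: dict = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed: the records this session is allowed to reach.
    arm = AccessReferenceMap(["invoice:1001", "invoice:1007"])
    link = arm.get_indirect_reference("invoice:1001")
    print("client sees", link, "->", arm.get_direct_reference(link))
    print(Encoder.encode_for_html("<script>alert(1)</script>"))
    csrf = CsrfTokens()
    t = csrf.issue("sess-abc")
    print(csrf.verify("sess-abc", t), csrf.verify("sess-abc", "forged"))
```

The AccessReferenceMap does not replace the authorization check; it makes the references unguessable so that a missing check is not trivially exploitable by changing `1001` to `1002`. Both controls together are what A4 and A7 call for.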
Mobile Threat Model
[Figure: STRIDE-based mobile threat model. Categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), Elevation of Privilege. Threats shown: Improper Session Handling, Social Engineering, Weak Authentication, Weak Authorization, Malicious Application, Untrusted NFC Tag or Peer, Malicious QR Code, Missing Device, Malware, Client Side Injection, Toll Fraud, Crashing Apps, Excessive API Usage (DDoS), Push Notification Flooding, Modifying Local Data, Insecure WiFi Network, Carrier Network Breach, Backward Breach, Reverse Engineering Apps, Lost Device, Sandbox Escape, Compromised Device, Compromised Credentials, Make Unauthorized Purchases, Push Apps Remotely, Flawed Authentication, Rooted / Jailbroken Devices and Rootkits.]
Source: OWASP Top 10 Mobile Risks, Jack Mannino URL: http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
Possible vulnerabilities of mobile web applications
• Information disclosure
• SSL/TLS weakness
• Configuration management weakness
• Old, backup and unreferenced files
• Access to admin interfaces
• Dangerous HTTP methods enabled, XST permitted, HTTP verb tampering
• Credentials transported over an unencrypted channel
• User enumeration
• Guessable user account
• Bypassing authentication schema
• Vulnerable remember-password function, weak password reset
• Weak or missing logout function
• Browser cache weakness
• Bypassing session management schema, weak session token
• Cookies without the Secure / HttpOnly flags
• Session fixation
• Exposed sensitive session variables
• Cross-Site Request Forgery (CSRF)
• Path traversal
• Bypassing authorization schema
• Privilege escalation
• Bypassable business logic
• Reflected Cross-Site Scripting (XSS), stored XSS, Document Object Model (DOM) XSS
• Cross-site flashing
• SQL, LDAP, ORM, XML, SSI and code injection
• OS commanding
• Buffer overflows
• Locking customer accounts (account lockout abuse)
• WSDL weakness
Possible vulnerabilities of mobile web applications
Source: Mobile Top 10 2014 OWASP URL: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
URL: http://www.net-security.org/secworld.php?id=14556
Mitigating Common Mobile Device Threats
• Software-based threats and mitigations
  • Malware threats
  • Exploitation of vulnerable mobile OS
  • Exploitation of vulnerable mobile application
• Web-based threats and mitigations
  • Mobile code
  • Drive-by downloads
  • Exploitation of vulnerable browser
• Network-based threats and mitigations
  • Voice/data collection over the air
  • Voice/data collection over the network
  • Manipulation of data in transit
  • Data exposure through RF emission
  • Connection to untrusted service
  • Jamming
  • Flooding
  • GPS/geolocation
• Physical threats and mitigations
  • Loss of device
  • Physical tamper
  • Device-specific features
  • Supply chain
  • Mobile peripherals
• Mobile device threats to the enterprise and mitigations
  • Access to enterprise resources
• User-based threats and mitigations
  • Social engineering
  • Classified information spill
  • Incident involving mobile device features
  • Theft/misuse of services
  • Tracking
• Service provider-based threats and mitigations
  • Location tracking
  • Usage behavior tracking via applications
  • Routing/forwarding
  • Data ownership and retention
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
Policy Issues When Adopting Mobile Devices
Mobile Device:
• Accreditation
• Acquisition
• Provisioning
• Configuration, Monitoring, and Control
• Service Management
• Security Management
• Expense Management
• Customer Care
• Retirement and Reuse
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
Security Information and Event Management (SIEM) Tools
• AccelOps
• AlienVault Unified Security Management (USM)
• BlackStratus LogStorm, SIEMStorm, ComplianceStorm
• EMC RSA
• EventTracker
• Hewlett Packard Enterprise ArcSight & Fortify
• IBM QRadar Platform
• Intel Security McAfee Enterprise Security Manager, Event Receiver (ERC) & Enterprise Log Manager
• LogRhythm
• Micro Focus (NetIQ)
• Securonix
• SolarWinds Log & Event Manager (LEM)
• Splunk
• Trustwave
Growth areas for mobile security:
• Event management, monitoring & notification
• Log analysis & data mining
OWASP Security Guidelines, Tools and Technologies
The original slide arranges these by lifecycle phase: Before Development, Define & Design, Development, Deploy & Maintenance.
Automated Security Verification: vulnerability scanners, static analysis tools, fuzzing.
Manual Security Verification Tools: penetration testing tools, code review tools.
AppSec Education: flawed applications, learning environments, LiveCD, site generators.
• WebGoat: a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons.
Security Architecture: ESAPI (Enterprise Security API).
• CSRFGuard: a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
• AntiSamy: a library for sanitizing user-supplied HTML and Cascading Style Sheets (CSS) against a policy.
• AppSensor: defines a conceptual framework and methodology that offers prescriptive guidance for implementing intrusion detection and automated response inside applications.
Secure Coding: AppSec libraries, the ESAPI reference implementation, guards and filters.
• Orizon: a source code static analysis tool in the vein of FindBugs and PMD, or commercial counterparts such as Fortify SCA and IBM Rational Ounce 6 (formerly Ounce 6 by Ounce Labs).
• O2: defines how to perform, document and distribute web application security reviews. O2 is designed to automate application security knowledge and workflows and to let non-security experts access and consume security knowledge.
• LAPSE+: a security scanner for detecting untrusted-data injection vulnerabilities in Java EE applications.
AppSec Management: reporting tools.
Testing tools:
• WebScarab: web security tool and framework for analyzing applications that communicate over HTTP and HTTPS.
• SWF Intruder: the first tool specifically developed for analyzing and testing the security of Flash applications at runtime.
• SQL Ninja: a Perl tool that helps a penetration tester gain a shell on a system running Microsoft SQL Server by exploiting a web application vulnerable to SQL injection.
• sqlmap: automated SQL injection detection and exploitation tool.
• DirBuster: brute-forces directory and file names on web servers.
Security Testing Tools and Technologies
Dynamic Scanners:
Acunetix
Arachni
Burp Suite
HP WebInspect
IBM Security AppScan Standard
IBM Security AppScan Enterprise
Mavituna Security Netsparker
NTO Spider
OWASP Zed Attack Proxy
Tenable Nessus
Skipfish
w3af
Static Scanners:
FindBugs
IBM Security AppScan Source
HPE Fortify SCA
Microsoft CAT.NET
Brakeman
SaaS Testing Platforms:
WhiteHat
Veracode
QualysGuard WAS
IDS/IPS and WAF:
DenyAll
F5
Imperva
ModSecurity
Snort
Defect Trackers:
Atlassian JIRA
Microsoft Team Foundation Server
Mozilla Bugzilla
Known Vulnerable Component Scanner:
OWASP Dependency-Check
40
Conclusion
• The explosion of mobile devices, Internet of Things (IoT) and the interconnection among them will continue, driven by value-add efficiencies and economics.
• Cloud is a key enabler supporting Mobile & IoT growth.
• Cloud is all about secured services architecture, design, development, deployment, and management.
• Security Architecture, Risk Management & Audit practices are at the center of Mobile, IoT, Agile, DevOps, and Cloud Management transformation.
41
Definitions of Key Terms & Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• CSS: Cascading Style Sheets
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• LTPA: Lightweight Third Party Authentication is a single-sign-on (SSO) credential format intended for use in distributed, multiple application server environments.
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• PCI DSS: Payment Card Industry Data Security Standard
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• WAP: Wireless Application Protocol
• XSS: Cross-Site Scripting
42
References & Credits
43
Reference URLs
• The Open Web Application Security Project (OWASP)
• CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
• FedRAMP: https://www.fedramp.gov/
• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
• Mobile Security Reference Architecture (MSRA) URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
• IBM mobile security architecture URL: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/f7f18938e631eb6986257da2007729a8/$FILE/Mobile%20Security%20Guide%20and%20Security%20Reference%20Architecture.pdf
• OWASP Application Security Architecture Cheat Sheet URL: https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet
sukumar.nayak@hpe.com
sukumar.nayak@gmail.com
240.506.2305
linkedin.com/in/sukumarnayak/
45
Backup
46
Internet of Things
47
The Open Web Application Security Project (OWASP)
Enterprise Security API (ESAPI)
14 Modules
Source: The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page

  • 1. Security Architecture for Mobile Computing and Internet of Things (IoT) Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation Date Created: 10/28/2015 Date last updated: 11/17/2015
  • 2. 2 Objective: Provide an overview of Security Architecture for Mobile Computing and IoT. Scope: • Motivation • Scope of Mobile Computing and Internet of Things (IoT) • Growth trends • Factors that Influence Mobile Security Solution • Mobile Security Reference Architecture • Mobile Infrastructure Components • The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI) • Potential Vulnerabilities for Mobile applications and mitigation strategies • Security Controls • Mobile Security Tools & Technologies • Q&A Agenda
  • 3. 3 Audience Poll Technologist, CTO Finance, CFO Audit, CFO Security & Compliance, CISO, CCO What is your primary role at your company? IT Operation, CIO Business Services, Executive Consultant, Entrepreneur What is your level of experience with Mobile Development? What is your level of experience with DevOps? What is your level of experience with Cloud environment? What is your level of experience with Big Data environment? Evaluating 5+ years 1-3 years 3-5 years Government, Nonprofit Org
  • 4. 4 Motivation “Companies rarely fail because of poor financial controls, but they fail frequently due to their inability to understand and address disruptive technologies, market fluctuations, changing customer expectations, and competitive pressures.” 2014 Forrester report by Chris McClean, Stepahnie Balaouras & Jennie Duong URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf
  • 5. 5 Scope of Mobile Computing and Internet of Things (IoT) Mobile Computing Definition: • Human–computer interaction by which a computer is expected to be transported during normal use. • Technology that allows collection / transmission of data, voice and video via a computer or any other wireless enabled device without having to be connected to a fixed physical link. • Scope: • Hardware / Devices • Software • Communication Internet of Things (IoT) Definition: • Network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. • It allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit. • Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure. • Scope: • Hardware / Devices, Software, Communication
  • 6. 6 Mobile Computing & IoT Trends 2000 2010 2020 2030+ RFID tags: Supply-Chain & Logistics. ex: smart routing, inventory management, and prevention of supply-chain leakage Surveillance, security, healthcare, transport, tolls, food safety, document management. ex: cameras, sensors, tags, wearables, smart-phones, smart-cards, smart- houses, wearables. Locating people, vehicles, and everyday objects. ex: geo- location sensors, GPS, smart- houses, consumable sensors. Teleoperation & telepresence: Ability to monitor and control distant objects. Miniaturization, power efficient electronics, and available spectrum. Software agents and advanced sensor fusion ex: cognitive & humanized computing, remote controlled drones.
  • 7. 7 Scope of Mobile Computing and Internet of Things (IoT) Mobile Computing Networks Smartphones Cloud Internet of Things Smartphone technology everywhere Self-learning Cloud Internet of Everything Humanized technology everywhere Pervasive Computing Ubiquitous Computing Cognitive Computing Humanized Computing Emerging futureCurrently evolving Vehicle Tracking Device Surveillance Cameras Smart House Automation Temperature/Occupancy/Flow/Light/ Humidity/Smoke/Fire Sensors Humanized Computing Geolocation Sensors
  • 8. 8 The vision of cognitive / humanized computing Current Medical Computing Cognitive Computing • Electronic Medical Records • Latest research findings • Best practice recommendations on treatments • Personal genomics data • Multiple observations from the patient • Observations from personal environment & history • Understand medical records content • Understand research publications • Able to discern new patterns • Able to suggest experiments • Explain hypothesis to humans • Able to modify theories, and learn • Human-like machine intelligence • Software that emulates more of the brain • Computer transitioning from “Dumb machines” to “Trusted Partners” • Computers that have common sense • Systems that understand natural language • Enabling “hybrid intelligence” • Humans and computers working better together
  • 9. 9 Internet of Things (IoT) Industry sectors Types of Applications Types of Devices IT CRM, ERP, SCM, HR, Finance Servers, Storage, Network, PCs, Desktops, Laptops, Smartphones, Switches, Routers, PBXs, Embedded Systems Manufacturing Planning, Scheduling, Distribution, Discrete / Process Engineering Compressors, Conveyors, Pumps, Pipelines, Motors, Turbines, Fabrication Assembly, Packaging Retail & Hospitality Inventory Management, Order Management, Incident Management, Service Management Receiving, Store, RFID Tags, Point-of-Sales, Cash Register, Workforce Management, Vending Machines Logistics / Transportation Planning, Scheduling, Loading, Unloading, Bill of Lading, Delivery Tracking Vehicles, Storage, Put Away, Tracking, Maintenance, RFID Tags Healthcare & Lifesciences Patient Care, Testing, Health Monitoring, Imaging Wearables, MRIs, PDAs, Telemedicine, Surgical equipment, Monitors, Implants, Bio-sensors Energy Supply & Demand Management, Drilling, Purification, Storage, Transport Turbines, Windmills, UPS, Batteries, Generators, Compressors, Cells, Meters, Drills Home Care Education, Convenience, Entertainment, Safety Digital Cameras, Appliances, Gaming, Audio / Video Systems, Vehicles, Smart homes, Alarms, Refrigerators, Sprinklers Construction Commercial / Residential Buildings Management HVAC, Transport, Fire and Safety, Lights / Power / Water Control, Access Control Public Sector Safety, Security, Emergency Response, Surveillance, Environmental, Weather Tanks, Trucks, Cars, Vans, Fighter Planes, Ambulances, Fire Trucks, Satellites, Spaceships, Ships, Beacons, Weather Sensors
  • 10. 10 IoT Growth Predictions Source: Hewlett Packard Enterprise Community 2015 report http://community.hpe.com I-Scoop IoT report http://www.i-scoop.eu/internet-of-things/ Automotive $202B Healthcare $69B Consumer electronics $445B Utilities $36B Manufacturing $99B
  • 11. 11 IoT Security Vulnerabilities Research Findings Source: Hewlett Packard Enterprise IoT Research Findings URL: http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf Computer World: http://www.computerworld.com/article/2476543/cybercrime-hacking/researchers-find-about-25-security-vulnerabilities-per-internet-of-things-device.html 90% of devices collected at least one piece of personal information via the device, the cloud or, it’s mobile application. 80% of devices, their cloud & mobile application components failed to require passwords of a sufficient complexity and length. Researchers find about 25 security vulnerabilities per IoT device. Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials. 70% of devices, their cloud and mobile application enable an attacker to identify valid user accounts through account enumeration. 70% of devices used unencrypted network service.
  • 12. 12 Securing Mobile Enterprise Chief Information Officer (CIO) / Chief Information Security Officer (CISO) • Mitigate security risks across the enterprise i.e. people, process, devices, applications, content and transactions • Monitor & Manage enterprise security across all endpoints Manage the mobile devices BYOD, BYOA, secure email and document sharing. Enroll, provision, configure, retire, lock/wipe lost devices. Fingerprint devices i.e. unique device IDs. Enforce Security Compliance: passcode, encryption, jailbreak / root detection Secure file and document sharing across mobile devices and employees. Restrict copy, paste & share. Validate Integrations with other sources. Secure access to enterprise data. Data separation, Leakage, Encryption, Scan, Automation. Instrument applications with security protection by design. Identify vulnerabilities in new and existing applications; and integration among the applications. Secure Development & Application Management Platforms. ex: IDE, Scanning, App Wrapping, SDK Container, Whitelist / Blacklist Applications Secure mobile transactions between employees, customers, partners, and suppliers. Access: Mobile Access Management, Identity Federation & API Connectivity Transactions: Mobile Fraud Management, Browser Security / URL Filtering, IP Velocity. Device Security Content Security Application Security Transaction Security Security Intelligence Collect, Correlate, and Visualize mobile security data ex: events, incidents, log data, and detect anomaly. Manage vulnerability and proactive threat avoidance. Mobile Security Information and Event Management (SIEM), Log Analysis, and data mining. IT Operations Line-of-Business App Developers Security Specialists
  • 13. 13 Factors that Influence Mobile Security Solution Criteria Considerations 1. Type of Users Employees, Customers, Partners, Suppliers. 2. Types of Devices Form factors: Smartphones (low end), handheld PDAs, Ultra-Mobile PCs, Tablet PCs. OS: Android/Google Devices, BlackBerry, iOS/Apple Device, Palm, WebOS. Browsers: WAP-based, Feature Phones, Smartphones, iPhones. 3. Mobile Devices Features User owned varied device types or BYOD or Company defined device ex: Device register, locate, lock or wipe capabilities 4. Services used by mobile app Central or, distributed compute, Service-enabled or, legacy access 5. Types of access Intranet/extranet or, internet; Is a VPN required? 6. Number of users Small (10-100), medium (1000s) or, large (many thousands); Known or, unknown number; Is it necessary to protect surges of workload/requests? Is it necessary to protect against denial of service attacks? 7. Authentication User authentication, Device authentication, Application authentication 8. Authorization User authorization; Does the user need to be authorized to access Mobile Enterprise Application Platform (MEAP); Limit access when mobile user connects from unsecure network; Limit access based on mobile user location; What authorization token will be used e.g. OAuth, SAML
  • 14. 14 Factors that Influence Mobile Security Solution Criteria Considerations 9. Audit Should access to specific application be audited? What information needs to be Audited e.g. mobile user id, device location, resource accessed, device id 10. Confidentiality What is the nature of the data? Does the data in transit need to be encrypted? What hardware offload capabilities are currently used for SSL/TLS? Is the data stored on the device? Does data on the device need to be encrypted? 11. Integrity Does the integrity of the data in transit need to be protected? 12. Existing security infrastructure Will the existing security infrastructure be reused for securing mobile access? What components and products are used in the existing security infrastructure? e.g. Security gateway, User registry, Identity management and mapping, Network security, Digital certificates, Security intelligence solution 13. Security standards What company standards need to be respected e.g. limits on encryption algorithms or authentication protocols, FIPS-140; What industry & government standards need to be respected e.g. PCI-DSS, HIPAA, FIPS 140, FedRAMP, FISMA
  • 15. 15 Camera Microphone GPS Bluetooth/NFC Tethering 802.11a/b/g/n Cellular USB Virtual OS (optional) Managed Apps Managed Apps Untrusted Apps White Listed Apps MDM Plugin Encrypted Storage Unencrypted Storage Mobile Device Mobile Security Reference Architecture (MSRA) Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf Voice/Unified Capabilities Web Applications E-mail Databases Virtual Desktop/Apps SEIM / Log Correlation … Enterprise Core Services Gateway&SecurityStack Identity & Access Management (IAM) Mobile Device Manager (MDM) Mobile Application Manager (MAM) VirtualPrivateNetwork (VPN) Enterprise Mobile Services Mobile Application Store(s) (MAS) Mobile Application Gateway (MAG) IntrusionDetection System(IDS) DataLossPrevention (DLP) Mobile Application Stores(s) Mobile Application Gateways External Facing Mobile Services External Application Store(s) Cellular Networks Wireless Ethernet Networks Network Traffic Log Data Legend:
  • 16. 16 Mobile Infrastructure Components • Virtual Private Networks (VPNs) • Intrusion Detection System (IDS) • Data Loss Prevention (DLP) • Identity and Access Management (IAM) • Mobile Device Management (MDM) • Mobile Application Management (MAM) • Mobile Application Store (MAS) • Mobile Application Gateway (MAG) • Gateway and Security Stack (GSS)
  • 17. 17 Mobile Virtual Private Networks (mVPNs) Enterprise Network Gateway&SecurityStack A mobile virtual private network (mobile VPN or mVPN) provides mobile devices with access to network resources and software applications on their home network, when they connect via other wireless or wired networks. Functions: Persistence, Roaming, Application compatibility, Security, Acceleration, Strong authentication Management Functions: Management console, Policy management, Quality of service, Network Access Control, Mobility Analytics, Monitoring & Notification
  • 18. 18 Intrusion Detection System (IDS) IDS activities Prevention Intrusion Monitoring Intrusion Detection Response Simulation Analysis Notification IoT Components (Sensor nodes, smart physical objects) Database (IDS Configuration) Database (IDS Knowledge DB) Attack Response Module Sensor & Analyzer Pattern matching algorithms Information Collection Policy Event Generator Set of Events (Syslogs, System Stats, Network Packets) Detection Policy Response Policy System Information Protected System Audit Trails & Network Monitoring Monitoring & Notification Actions Information Collection Detection Response IDS Components
  • 19. 19 Data Loss Prevention (DLP) Data Governance Regulatory Requirements Data Classifications Policies Tools / Technologies Discovery / Monitoring / Notification Education / Training Intelligence / Analytics Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer. Methods for DLP: Text analysis, Metatagging, monitoring, blocking via Gateway server, or native mobile app or backing content management into applications.
  • 20. 20 Identity and Access Management (IAM) Source: http://blog.cmlgroup.com/identity-access-management-iam/ Source: https://it.ubc.ca/what-identity-and-access-management
  • 21. 21 Mobile Device Management (MDM) Mobile Device Management Decentralized Global Services No One Solution or, Provider Performance Management / Support More Employee Choice No Dominant Platform Increasing Smartphone Adoption More Worker Mobility Changing Business Styles Corporate Data Risk Business Continuity Planning Mobile Device Management Challenges for CIOs source: Gartner
  • 22. 22 Mobile Application Management (MAM) • Enterprise Application Store • Application Distribution / Delivery • Application Policies • Application Whitelists / Blacklists • Application Security • Application updates & patch management • User authentication & authorization • Version checking • Push services • Reporting, Monitoring & Tracking • Wrapping, Secure Container, SDK • Licensing • Billing • Internal App Storage • Bulk purchase Mobile Application Management (MAM) • Over-the-air updates • Remote Configuration and Provisioning • Device Security • Backup & Restore • Network Usage and Support • Remote Login, Lock and Wipe • Device Provisioning & De-provisioning (Retire) • Software Installation • Certificate Authority & On-device encryption • PIN enforcement • Support mVPN • Restrict Wireless • Enable / Disable Camera • Stop Email Forwarding • Prevent Automated Cloud Backup Mobile Device Management
  • 23. 23 Mobile Application Store (MAS) Key Features Source: VisionMobile research URL: http://www.visionmobile.com/blog/2008/11/the-mobile-application-store-phenomenon/
  • 24. 24 Mobile Application Gateway (MAG) A Mobile Application Gateway (MAG) is a piece of software that provides application-specific network security for mobile application infrastructures. The purpose of a MAG is to act as a network proxy, accepting connections on behalf of the application’s network infrastructure, filtering the traffic, and relaying the traffic to mobile application servers. This proxy relationship allows the MAG to apply application layer filters to network traffic, providing focused security designed to protect the mobile application service. Following are the mobile security functions associated with MAGs. • Personnel and Facilities Management • Monitoring and Auditing
  • 25. 25 Gateway and Security Stack (GSS) The unique dual-connected nature (cellular and wireless Ethernet) of mobile devices makes them ideal platforms for circumventing traditional network security boundary protections. To prevent damage to the enterprise from a compromised mobile device, access to the enterprise must be restricted through one or more known network routes (i.e., Gateways) and inspected by standard network defenses such as stateful packet inspection, intrusion detection, and application and protocol filters. These standard defenses are collectively known as a “filter stack” because they serve to filter unwanted network traffic and are usually configured in a “stack” with traffic traversing each filter in sequence. The GSS typically functions at the session and below layers of the OSI network model. Following are the mobile security functions associated with the Gateway and Security Stack. • Content Filtering • Packet Filtering • Traffic Inspection
  • 26. 26 Mobile Security Functions • Personnel and Facilities Management • Identity and Access Management • Application and Data Security • Device Management • Secure Communications • Continuous Monitoring and Auditing • Security Intelligence / Reporting • Incident Response
  • 27. 27 Mobile Security Functions • Personnel and Facilities Management • Training • Physical Controls • Identity and Access Management • Identity and Access Management Mechanisms • Authorization • Network Access Control • Application and Data Security • Digital Asset Protection • Diagnostic Data Management (DDM) • Device Management • Host Security • Configuration • Software Validation and Patch Management • Secure Communications • Continuous Monitoring and Auditing • Traffic Inspection • Packet Filtering • Content Filtering • Logging • Security Intelligence / Reporting • Incident Response
  • 28. 28 The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI) Source: The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer ExceptionHandling Logger IntrusionDetector SecurityConfiguration EnterpriseSecurityAPI(ESAPI) CustomEnterpriseWebApplications ExistingEnterpriseSecurityServices/ Libraries Browser Web Server App Server DB Server Gateway&SecurityStack 1. Authenticate the users 2. Authorize the users 4. Session Management 5. Audit Logs 6. Protect the reserved data 8. Error Handling 6. Protect the reserved data 3. Prevent “Parameter manipulation” OWASP Overview of Security Controls 3. Data Validation 7. Secure Config Management
  • 29. 29 OWASP Top 10
Source: The Open Web Application Security Project (OWASP) 2013 Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10
Columns of the original table: OWASP Top Ten 2013 risk | How does it work | OWASP ESAPI component that addresses it
A1 - Injection
  How it works: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
  ESAPI: Encoder
A2 - Broken Authentication and Session Management
  How it works: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
  ESAPI: Authenticator, User, HTTPUtilities
A3 - Cross-Site Scripting (XSS)
  How it works: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  ESAPI: Validator, Encoder
A4 - Insecure Direct Object References
  How it works: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
  ESAPI: AccessReferenceMap
A5 - Security Misconfiguration
  How it works: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
  ESAPI: SecurityConfiguration
  • 30. 30 OWASP Top 10 (continued)
A6 - Sensitive Data Exposure
  How it works: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
  ESAPI: Encryptor, EncryptedProperties
A7 - Missing Function Level Access Control
  How it works: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
  ESAPI: AccessController, AccessReferenceMap
A8 - Cross-Site Request Forgery (CSRF)
  How it works: A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
  ESAPI: User (csrftoken)
A9 - Using Components with Known Vulnerabilities
  How it works: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
  ESAPI: IntrusionDetector
A10 - Unvalidated Redirects and Forwards
  How it works: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
  ESAPI: Validator
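Three of the ESAPI-mapped controls in the table above, reimplemented in plain Python so the mechanism behind each is visible: an indirect access reference map (A4), the synchronizer CSRF token (A8) and a redirect target validator (A10). This is an added illustration, not OWASP ESAPI code and not from the original deck; the class and function names, and the allowed-host set, are this example's own assumptions.

```python
"""ESAPI-style controls for A4, A8 and A10, reimplemented in Python.
Added illustration; not OWASP ESAPI code. Names are this example's own."""
import hmac
import secrets
from urllib.parse import urlsplit


class AccessReferenceMap:
    """Per-session map from internal references (file paths, database keys)
    to random tokens. The client only ever sees and sends the token, so it
    cannot enumerate or tamper with the real identifier."""

    def __init__(self):
        self._to_indirect = {}
        self._to_direct = {}

    def add_direct_reference(self, direct):
        """Register an object the current user is allowed to reach; returns
        the token to embed in links or forms. Idempotent per object."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        indirect = secrets.token_urlsafe(12)
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def get_direct_reference(self, indirect):
        """Resolve a client-supplied token. Anything not issued to this user,
        including a guessed real key, is rejected: that is the access check."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("unknown or unauthorized reference") from None


class CsrfTokenManager:
    """Synchronizer token pattern: one random secret per session, embedded in
    every state-changing form and compared in constant time on submission."""

    def __init__(self):
        self._tokens = {}

    def token_for_session(self, session_id):
        return self._tokens.setdefault(session_id, secrets.token_urlsafe(32))

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


def validate_redirect(target, allowed_hosts):
    """Return `target` if it is a same-site relative path or an absolute
    http(s) URL on an allowed host; otherwise return "/". Protocol-relative
    "//host", triple-slash and backslash tricks, control characters and
    non-http schemes all fall through to the safe default."""
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return "/"
    parts = urlsplit(target)
    if (parts.scheme == "" and parts.netloc == ""
            and target.startswith("/") and not target.startswith("//")):
        return target
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return target
    return "/"
```

The reference map is built per user session, which is what makes a token useless when replayed by another user; the CSRF check uses `hmac.compare_digest` so a timing side channel cannot leak the token byte by byte; the redirect validator is an allowlist, since a denylist of bad hosts is what the browser-side URL parsing quirks in the function's comment are good at slipping past.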
  • 31. 31 Mobile Threat Model
STRIDE categories used by the diagram: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), Elevation of Privilege
Threats from the diagram (each sits under one of the STRIDE categories above):
  • Improper Session Handling
  • Social Engineering
  • Weak Authentication
  • Weak Authorization
  • Malicious Application
  • Untrusted NFC Tag or Peer
  • Malicious QR Code
  • Missing Device
  • Malware
  • Client Side Injection
  • Toll Fraud
  • Crashing Apps
  • Excessive API Usage
  • DDoS
  • Push Notification Flooding
  • Modifying Local Data
  • Insecure WiFi Network
  • Carrier Network Breach
  • Backward Breach
  • Reverse Engineering Apps
  • Lost Device
  • Sandbox Escape
  • Compromised Device
  • Compromised Credentials
  • Make Unauthorized Purchases
  • Push Apps Remotely
  • Flawed Authentication
  • Rooted / Jailbroken
  • Rootkits
Source: OWASP Top 10 Mobile Risks, Jack Mannino URL: http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
  • 32. 32 Possible vulnerabilities of mobile web applications
  • Information Disclosure
  • SSL Weakness
  • Configuration management weakness
  • Old, backup and unreferenced files
  • Access to Admin interfaces
  • Unsafe HTTP methods enabled, XST permitted, HTTP verb tampering
  • Credentials transported over an unencrypted channel
  • User enumeration
  • Guessable user account
  • Bypassing authentication schema
  • Vulnerable remember-password and weak password-reset functions
  • Weak logout function
  • Browser cache weakness
  • Bypassing Session Management Schema, Weak Session Token
  • Cookies not secure
  • Session Fixation
  • Exposed sensitive session variables
  • Cross-Site Request Forgery (CSRF)
  • Path Traversal
  • Bypassing authorization schema
  • Privilege Escalation
  • Bypassable business logic
  • Reflected Cross-Site Scripting (XSS), Stored XSS, Document Object Model (DOM) XSS
  • Cross Site Flashing
  • SQL, LDAP, ORM, XML, SSI, Code Injection
  • OS Commanding
  • Buffer Overflows
  • Locking Customer Accounts
  • WSDL Weakness
  • 33. 33 Possible vulnerabilities of mobile web applications Source: Mobile Top 10 2014 OWASP URL: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks URL: http://www.net-security.org/secworld.php?id=14556
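Several entries in the list above are the same weakness seen from different angles: weak session tokens, session fixation, cookies without Secure/HttpOnly, a logout that only clears the cookie, and no idle timeout. The following added example, which is not from the original deck or any named product, shows server-side session handling that closes all of them at once; the `SessionStore` API, the `__Host-session` cookie name and the timeout values are this example's own assumptions.

```python
"""Server-side session handling that addresses the session-management entries
in the list above. Added illustration, not code from the deck; the API and
cookie name are this example's own."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock  # injectable so expiry can be tested deterministically

    def _new_id(self):
        # 32 bytes from the OS CSPRNG: not guessable, not derived from user data
        return secrets.token_urlsafe(32)

    def create(self):
        """Anonymous (pre-authentication) session."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def authenticate(self, sid, user):
        """Bind a user to the session and rotate the identifier, so an attacker
        who planted or observed the pre-auth ID (session fixation) cannot reuse it."""
        if self._sessions.pop(sid, None) is None:
            raise KeyError("unknown or expired session")
        new_sid = self._new_id()
        now = self._clock()
        self._sessions[new_sid] = {"user": user, "created": now, "last_seen": now}
        return new_sid

    def get(self, sid):
        """Return the session record, or None if it is unknown, idle too long or
        past its absolute lifetime. Expired records are removed server-side."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self._clock()
        if (now - data["last_seen"] > self.idle_timeout
                or now - data["created"] > self.absolute_timeout):
            del self._sessions[sid]
            return None
        data["last_seen"] = now
        return data

    def logout(self, sid):
        """Invalidate on the server; expiring the cookie alone leaves the token usable."""
        return self._sessions.pop(sid, None) is not None


def session_cookie(sid):
    """Set-Cookie value for the session ID. Secure keeps it off plaintext HTTP,
    HttpOnly keeps it away from script (XSS), SameSite=Strict stops cross-site
    requests from carrying it, the __Host- prefix pins it to this host and
    path, and omitting Max-Age/Expires stops the browser persisting it to disk."""
    return "; ".join([
        "__Host-session=" + sid,
        "Path=/",
        "Secure",
        "HttpOnly",
        "SameSite=Strict",
    ])
```

The rotation in `authenticate` is the fixation defence: whatever ID the browser carried before login is dropped, so a link or cookie an attacker pre-set can never become an authenticated session. The idle and absolute timeouts bound the window a stolen token stays useful, and `logout` removes the record rather than trusting the client to forget the cookie.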
  • 34. 34 Mitigating Common Mobile Devices Threats
  • Software-based threats and mitigations
  • Exploitation of vulnerable mobile OS
  • Web-based threats and mitigations
  • Network-based threats and mitigations
  • Physical threats and mitigations
  • Mobile device threats to the enterprise and mitigations
  • User-based threats and mitigations
  • Service provider-based threats and mitigations
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
  • 35. 35 Mitigating Common Mobile Devices Threats
  • Software-based threats and mitigations
    • Malware threats
    • Exploitation of vulnerable mobile OS
    • Exploitation of vulnerable mobile application
  • Web-based threats and mitigations
    • Mobile code
    • Drive-by downloads
    • Exploitation of vulnerable browser
  • Network-based threats and mitigations
    • Voice/data collection over the air
    • Voice/data collection over the network
    • Manipulation of data in transit
    • Data exposure through RF emission
    • Connection to untrusted service
    • Jamming
    • Flooding
    • GPS/geolocation
  • Physical threats and mitigations
    • Loss of device
    • Physical tamper
    • Device-specific features
    • Supply chain
    • Mobile peripherals
  • Mobile device threats to the enterprise and mitigations
    • Access to enterprise resources
  • User-based threats and mitigations
    • Social engineering
    • Classified information spill
    • Incident involving mobile device features
    • Theft/misuse of services
    • Tracking
  • Service provider-based threats and mitigations
    • Location tracking
    • Usage behavior tracking via applications
    • Routing/forwarding
    • Data ownership and retention
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
  • 36. 36 Policy Issues When Adopting Mobile Devices
Mobile Device:
  • Accreditation
  • Acquisition
  • Provisioning
  • Configuration, Monitoring, and Control
  • Service Management
  • Security Management
  • Expense Management
  • Customer Care
  • Retirement and Reuse
Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
  • 37. 37 Security Information and Event Management (SIEM) Tools
  • AccelOps
  • AlienVault Unified Security Management (USM)
  • BlackStratus LogStorm, SIEMStorm, ComplianceStorm
  • EMC RSA
  • EventTracker
  • Hewlett Packard Enterprise ArcSight & Fortify
  • IBM QRadar Platform
  • Intel Security McAfee Enterprise Security Manager, Event Receiver (ERC) & Enterprise Log Manager
  • LogRhythm
  • Micro Focus (NetIQ)
  • Securonix
  • SolarWinds Log & Event Manager (LEM)
  • Splunk
  • Trustwave
Growth areas for Mobile Security:
  • Event Management, Monitoring & Notification
  • Log Analysis & Data Mining
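The "Log Analysis" growth area above is concrete in the threat model earlier in the deck: credential stuffing against a mobile login endpoint and excessive API usage from one device both show up as bursts in back-end logs. The following added example, not from the original deck or any of the listed products, is the kind of sliding-window correlation rule a SIEM runs over such logs. The key=value log format, the sample lines, the thresholds and the rule names are all constructed for this example.

```python
"""Sliding-window correlation rules over mobile back-end logs, of the kind a
SIEM runs. Added illustration; log format, sample lines, thresholds and rule
names are constructed for this example, not taken from the deck or a product."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: one device (dev-b) spraying six different user names
# at /api/login within seconds, and another (dev-c) hammering /api/catalog.
SAMPLE_LOG = """\
2015-11-17T10:00:00Z device=dev-a user=alice path=/api/login status=200
2015-11-17T10:00:05Z device=dev-b user=bob path=/api/login status=401
2015-11-17T10:00:06Z device=dev-b user=carol path=/api/login status=401
2015-11-17T10:00:07Z device=dev-b user=dave path=/api/login status=401
2015-11-17T10:00:08Z device=dev-b user=erin path=/api/login status=401
2015-11-17T10:00:09Z device=dev-b user=frank path=/api/login status=401
2015-11-17T10:00:10Z device=dev-b user=grace path=/api/login status=401
2015-11-17T10:01:00Z device=dev-a user=alice path=/api/orders status=200
""" + "".join(
    f"2015-11-17T10:02:{i:02d}Z device=dev-c user=hal path=/api/catalog status=200\n"
    for i in range(25)
)


def parse_line(line):
    """'<ISO-8601 UTC timestamp> key=value ...' -> dict with a 'ts' datetime."""
    ts_text, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


class SlidingWindowRule:
    """Fires when `threshold` matching events share the same key within
    `window_seconds`. One alert per key per burst: suppressed while the count
    stays at or above the threshold, re-armed once the window drains."""

    def __init__(self, name, key, matches, threshold, window_seconds):
        self.name, self.key, self.matches = name, key, matches
        self.threshold, self.window_seconds = threshold, window_seconds
        self._events = defaultdict(deque)
        self._alerted = set()

    def feed(self, rec):
        if not self.matches(rec):
            return None
        k = self.key(rec)
        q = self._events[k]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > self.window_seconds:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= self.threshold:
            if k in self._alerted:
                return None
            self._alerted.add(k)
            return {"rule": self.name, "key": k, "count": len(q), "at": rec["ts"]}
        self._alerted.discard(k)
        return None


def build_rules():
    return [
        # credential stuffing / brute force: failed logins per device
        SlidingWindowRule("auth-failure-burst",
                          key=lambda r: r["device"],
                          matches=lambda r: r["path"] == "/api/login" and r["status"] == "401",
                          threshold=5, window_seconds=60),
        # excessive API usage: any requests per (device, endpoint)
        SlidingWindowRule("excessive-api-usage",
                          key=lambda r: (r["device"], r["path"]),
                          matches=lambda r: True,
                          threshold=20, window_seconds=60),
    ]


def analyze(log_text):
    """Run every rule over the log in order and collect the alerts raised."""
    rules = build_rules()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in rules:
            alert = rule.feed(rec)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["rule"], a["key"], a["count"], a["at"].isoformat())
```

Keying the login rule on device rather than user is what catches password spraying, where each attempt uses a different account; a per-user lockout rule would never trip. The suppression set keeps a sustained burst from generating an alert per event, which is the difference between an actionable notification and a flood the analyst learns to ignore.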
  • 38. 38 OWASP Security Guidelines, Tools and Technologies
Lifecycle phases on the original slide: Before Development | Define & Design | Development | Deploy & Maintenance
Automated Security Verification:
  • Vulnerability Scanners
  • Static Analysis Tools
  • Fuzzing
AppSec Education:
  • Flawed Applications
  • Learning Environments
  • LiveCD
  • SiteGenerators
  • WebGoat: a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons.
Security Architecture:
  • ESAPI: Enterprise Security API
  • CSRFGuard: a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
  • AntiSamy: a library for validating and sanitizing user-supplied HTML and Cascading Style Sheets (CSS).
  • AppSensor: defines a conceptual framework and methodology that offers prescriptive guidance for implementing intrusion detection and automated response inside applications.
Secure Coding:
  • AppSec Libraries
  • ESAPI Reference Implementation
  • Guards and Filters
  • Orizon: a source code static analysis tool like FindBugs, PMD or their commercial counterparts such as Fortify SCA or IBM Rational AppScan Source (formerly Ounce 6 from Ounce Labs).
  • O2: defines how to perform, document and distribute web application security reviews. O2 is designed to automate application security knowledge and workflows and to allow non-security experts to access and consume security knowledge.
  • LAPSE+: a security scanner for detecting untrusted data injection vulnerabilities in Java EE applications.
Manual Security Verification Tools:
  • Penetration Testing Tools
  • Code Review Tools
  • WebScarab: a web security tool and framework for analyzing applications that communicate over HTTP and HTTPS.
  • SWF Intruder: the first tool specifically developed for analyzing and testing the security of Flash applications at runtime.
  • SQL Ninja: a Perl tool that helps a penetration tester gain a shell on a system running Microsoft SQL Server by exploiting a SQL injection vulnerability in a web application.
  • sqlmap: automated SQL injection detection and exploitation tool.
  • DirBuster: brute-forces directory and file names on web servers.
AppSec Management:
  • Reporting Tools
  • 39. 39 Security Testing Tools and Technologies
Dynamic Scanners: Acunetix, Arachni, Burp Suite, HP WebInspect, IBM Security AppScan Standard, IBM Security AppScan Enterprise, Mavituna Security Netsparker, NTO Spider, OWASP Zed Attack Proxy, Tenable Nessus, Skipfish, w3af
Static Scanners: FindBugs, IBM Security AppScan Source, HPE Fortify SCA, Microsoft CAT.NET, Brakeman
SaaS Testing Platforms: WhiteHat, Veracode, QualysGuard WAS
IDS/IPS and WAF: DenyAll, F5, Imperva, ModSecurity, Snort
Defect Trackers: Atlassian JIRA, Microsoft Team Foundation Server, Mozilla Bugzilla
Known Vulnerable Component Scanner: OWASP Dependency-Check
  • 40. 40 Conclusion
  • The explosion of mobile devices, Internet of Things (IoT) and interconnection among them will continue, driven by value-add efficiencies and economics.
  • Cloud is the key enabler supporting Mobile & IoT growth.
  • Cloud is all about secured services architecture, design, development, deployment, and management.
  • Security Architecture, Risk Management & Audit practices are at the center of Mobile, IoT, Agile, DevOps, and Cloud Management transformation.
  • 41. 41 Definitions of Key Terms & Acronyms
  • ADFS: Active Directory Federation Services
  • CADF: Cloud Auditing Data Federation
  • CSA: Cloud Security Alliance
  • CSCC: Cloud Standards Customer Council
  • CSS: Cascading Style Sheets
  • DMTF: Distributed Management Task Force
  • ENISA: European Network and Information Security Agency
  • GRC: Governance, Risk Management and Compliance
  • LDAP: Lightweight Directory Access Protocol
  • LTPA: Lightweight Third Party Authentication, a single sign-on (SSO) credential format intended for use in distributed, multiple application server environments.
  • NIST: National Institute of Standards and Technology
  • NIST CC SRA: NIST Cloud Computing Security Reference Architecture
  • PCI DSS: Payment Card Industry Data Security Standard
  • SAML: Security Assertion Markup Language
  • SCIM: System for Cross-domain Identity Management
  • WAP: Wireless Application Protocol
  • XSS: Cross-Site Scripting
  • 43. 43 Reference URLs
  • The Open Web Application Security Project (OWASP)
  • CIO.gov Mobile Security Reference Architecture (MSRA) URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
  • NIST Cloud Computing Standards Roadmap
  • Detailed CSA TCI Reference Architecture
  • NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
  • Cloud Security Challenges URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
  • CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730
  • FedRAMP: https://www.fedramp.gov/
  • FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma
  • IBM Mobile Security Guide and Security Reference Architecture URL: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/f7f18938e631eb6986257da2007729a8/$FILE/Mobile%20Security%20Guide%20and%20Security%20Reference%20Architecture.pdf
  • OWASP Application Security Architecture Cheat Sheet URL: https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet
  • 47. 47 The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI): 14 Modules
Source: The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page