Presentation is loading. Please wait.

Presentation is loading. Please wait.

MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD.

Published byRoy Reed Modified over 9 years ago

Similar presentations

Presentation on theme: "MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD."— Presentation transcript:

1 MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD into your Enterprise Security Testing Program Georgia Weidman

2 Is this a mobile device?

3 Toilet Mobile Vulnerability Trustwave SpiderLabs Security Advisory TWSL2013-020: Hard-Coded Bluetooth PIN Vulnerability in LIXIL Satis Toilet Controlled via an Android app with a hardcoded pin “0000” “Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.”

4 Is this a mobile device?

5 Car Hacked through Mobile Modem

6 Is this a mobile device?

7 Mobile Risks

8

9 Mobile Remote Attacks Malicious Carrier Update Remote Code Execution Bugs Vulnerable Listening Services

10 Mobile Client Side Attacks Browser and Web Extensions Mobile Apps Mobile Protocols

11 Mobile Phishing Attacks

12 Malicious Applications  Repackage apps with malicious code  Appears normal to the user, malicious functionality in the background  Sign apps with stolen developer keys (avoids iOS restrictions), signing vulnerability (Android master key), or attacker created keys.  Stealthy malware can be uploaded into official stores and company app stores

13 Mobile Post Exploitation Steal Data (emails, passwords, text messages, location information) Control device (send messages, post on Twitter, record video of user) Privilege Escalation (break out of sandboxes, get access to additional information/control) Mobile Pivoting (attacking other devices on the network, bypassing perimeter controls)

14 Mobile Pivoting

15

16 Mobile Security Controls Enterprise Mobility Management/Mobile Device Management Mobile Antivirus Data Containers Hardened Platforms Data Loss Prevention at Perimeter

17 Mobile Security Testing Getting sensitive data out of a sandbox/container Known malware running on device undetected Root/jailbreak undetected Downloading and running applications outside of policy Bypass perimeter controls with mobile pivoting

18 DEMOS!

19 Questions to Ask Operations Is my Mobile Device Management (MDM) solution set up correctly and providing value? Does it actually do what it says on the box it will do? Are my users responding correctly to mobile based phishing attacks? Do my users install apps from 3 rd party app stores? Is my mobile anti-virus solution warning users before they install something potentially malicious? Does it at least match known threat samples? What would a compromised mobile device be able to access over the network? What sort of sensitive data is stored or transmitted through mobile devices? Would a compromised mobile device in my network be able to compromise and exfiltrate data?

20 Contact Georgia Weidman Bulb Security LLC/Shevirah Inc. georgia@bulbsecurity.com www.bulbsecurity.com @georgiaweidman

Download ppt "MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Embrace Mobility. Without Compromise. The apps they need. On the devices they want. Without sacrificing compliance. Strategic Approach to Mobile Security.

Embrace Mobility. Without Compromise. The apps they need. On the devices they want. Without sacrificing compliance. Strategic Approach to Mobile Security.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” emails to counterfeit sites Users “give up” personal financial.

A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” s to counterfeit sites Users “give up” personal financial.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
Windows 8.1 Device Management With Windows Intune Mark O’Shea MVP Windows Expert – IT Pro 30 June 2014.

Windows 8.1 Device Management With Windows Intune Mark O’Shea MVP Windows Expert – IT Pro 30 June 2014.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Security for Today’s Threat Landscape Kat Pelak 1.

Security for Today’s Threat Landscape Kat Pelak 1.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Smartphone Security How safe are you?. Main Points 1. Malware/Spyware 2. Other Mischief 3. How a phone might get infected 4. Staying Safe a. Malware b.

Smartphone Security How safe are you?. Main Points 1. Malware/Spyware 2. Other Mischief 3. How a phone might get infected 4. Staying Safe a. Malware b.
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Remote Access. What is the Remote Access Domain? remote access: the ability for an organization’s users to access its non-public computing resources from.

Remote Access. What is the Remote Access Domain? remote access: the ability for an organization’s users to access its non-public computing resources from.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC.

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
Presentation By Deepak Katta

Presentation By Deepak Katta
Mobile Policy. Overview Security Risks with Mobile Devices Guidelines for Managing the Security of Mobile Devices in the Enterprise Threats of Mobile.

Mobile Policy. Overview Security Risks with Mobile Devices Guidelines for Managing the Security of Mobile Devices in the Enterprise Threats of Mobile.
Introduction Our Topic: Mobile Security Why is mobile security important?

Introduction Our Topic: Mobile Security Why is mobile security important?
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Cameron Simpson.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Cameron Simpson.
THREATS TO MOBILE NETWORK SECURITY

THREATS TO MOBILE NETWORK SECURITY

Similar presentations

Ads by Google