Cloud, social networking and BYOD collide!

Cloud, social networkingand BYOD collide!

Peter WoodChief Executive Officer

First•Base Technologies

Slide 2 © First Base Technologies 2012

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First Base in 1989 (one of the first ethical hacking firms)

CEO First Base Technologies LLPSocial engineer & penetration testerConference speaker and security ‘expert’

Member of ISACA Security Advisory GroupVice Chair of BCS Information Risk Management and Audit GroupUK Chair, Corporate Executive Programme

FBCS, CITP, CISSP, MIEEE, M.Inst.ISPRegistered BCS Security ConsultantMember of ACM, ISACA, ISSA, Mensa


Cloud


What's Different in Cloud

IaaSInfrastructure as a

Service

PaaSPlatform as a Service

SaaSSoftware as a Service

Security ~ YOU

Security ~ THEM

Security Ownership






Just a little brainstorm


Social Networking


Yada yada yada

• People have always talked about work to their friends• What has changed is the nature of how we interact• We talk about our lives on our blogs, on social networking sites such as

Facebook and Twitter, and on message boards pertaining to the work we're doing

• What was once intimate and ephemeral is now available to the whole world, indexed by Google, and archived for posterity

• A good open-source intelligence gatherer can learn a lot about what a company is doing by monitoring its employees’ online activities

Bruce Schneier


Social networks vulnerabilities


Social networks vulnerabilities


Why APT works


BYOD


Data loss

• Unencrypted storage and backup

• Poor or missing passwords and PINs

• No automatic screen lock

• Mobile apps often store sensitive data such

as banking and payment system PIN

numbers, credit card numbers, or online

service passwords


Network spoofing

• Mobile devices use wireless

communications exclusively and

often public WiFi

• SSL can fall victim to a downgrade

attack if app allows degrading

HTTPS to HTTP

• SSL could also be compromised if

app does not fail on invalid

certificates, enabling MITM attacks


Spyware

http://www.f-secure.com/en/web/labs_global/whitepapers/reports


UI impersonation

• Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application

• Victim is asked to authenticate and ends up sending their credentials to an attacker

http://blogs.mcafee.com/mcafee-labs/android-malware-pairs-man-in-the-middle-with-remote-controlled-banking-trojan


BYOD risks

• Data loss: a stolen or lost phone with unprotected memory allows an attacker to access the data on it

• Unintentional data disclosure: most apps have privacy settings but many users are unaware that data is being transmitted, let alone know of the existence of the settings to prevent this

• Network spoofing attacks: an attacker deploys a rogue network access point and intercepts user’s data or conducts MITM attacks

• Phishing: an attacker collects user credentials using fake apps or messages that seem genuine.

• Spyware: the smartphone has spyware installed allowing an attacker to access or infer personal data

• Surveillance: spying using open microphone and/or camera • Diallerware: an attacker steals money from the user by means of

malware that makes hidden use of premium SMS services or numbers. • Financial malware: malware specifically designed for stealing credit card

numbers, online banking credentials or subverting online banking or ecommerce transactions.


The Collision


How Security sees Management?


How Management sees Security?


The Solution?


Make it real!

Identify real threats

Identify real impact

Demonstrate the risk


Now for the science bit …


Business Impact Level

A successful exploit will result in compromise of Confidentiality, Integrity or Availability of an asset

• Level 1: negligible impact

• Level 2: limited consequences

• Level 3: significant impact

• Level 4: very high impact, requiring external assistance and possible financial support

• Level 5: major risk which seriously endangers business processes and prevents continuity


Threat Actors

• System and Service Users- Regular users, admins, end users, shared service users

• Direct Connections- Service providers, other business units

• Indirect Connections- Network users, internet users

• Supply Chain- Developers, hardware support

• Physically Present- Regular users, admins, visitors, war drivers, intruders


Threat Actor Capability

1. Very little: almost no capabilities or resources

2. Little: an average untrained computer user

3. Limited: a trained computer user

4. Significant: a full-time well-educated computer expert using publicly available tools

5. Formidable: a full-time well-educated computer expert using bespoke attacks


Threat Actor Motivation

1. Very low: Indifferent

2. Low: Curious

3. Medium: Interested

4. High: Committed

5. Very high: Focused


Threat = Capability x Motivation


Example Threat Actor Analysis


Risk = Impact x Threat


Example Risk for Impact Level of 3


Example Prioritised Risk List


Run a Workshop


Now you’ve added value!


Or …

Management Security


Which results in …


Peter WoodChief Executive Officer

First Base Technologies LLP

[email protected]

http://firstbase.co.ukhttp://white-hats.co.ukhttp://peterwood.com

Twitter: peterwoodx

Need more information?

Cloud, social networking and BYOD collide!

Technology

cloud security

sensitive data

social networkingslide

whats different

byod risks data loss

unintentional data disclosure

social networking sites

data loss unencrypted