Cyber Security in a Mobile and “Always-on” World. Presenter: James F. Fox, MENA Cyber Security Practice Lead, Booz Allen Hamilton.

Presentation transcript:


Let me tell you a story… about a man… his phone…

… and his bank. Normally this is a private affair… Normally.

Today is something different. Someone is watching everything on the phone. EVERYTHING…

So when the man uses his phone to do a money transfer… something different is happening today.

Someone is in the middle with a front-row seat to everything. This watcher sees what the man sees… anything that happens on the phone… data, SMS, transmissions… anything. This means that they can do whatever the man can do. How did this happen?

The man’s phone has been hacked… and now gives up all of its secrets.

Who does this? Single hackers. Script kiddies. But more and more… it’s a team… and a business: “Hacker, Inc. For All Your Nefarious Needs. Over 5,000,000 Hacked.” A better question… who isn’t?

Today hacking is self service… about as difficult as buying on Amazon: how-to guides, custom-made malware, “renting” infected machines. Today cyber attacks are easy to build, use highly paid specialists, are highly distributed and are “for profit”… and it is just getting started.

How can the enterprise protect itself? There are three layers: the mobile app, data in motion and the mobile backend. You need to protect it all. Any vulnerability at any layer creates a path to a successful exploit.

Bad actors take advantage of all of the vulnerabilities… across the mobile app, mobile communications and the backend infrastructure: a borrowed or stolen device, application back doors, decompiling an application, abuse of a device feature, a mobile web service attack. Each one is a path to a successful exploit… so you have to protect against all of them.

We need to develop strategies that address each of the threats: for every path (borrowed or stolen device, application back doors, decompiling an application, abuse of a device feature, mobile web service attack) a matching protection or control.

How can a phone hack happen? There are five ways… and only one needs to work: a stolen device, installing a malicious app, attacks on the mobile backend, modifying a trusted app, abuse of a device feature.

There are ten mobile app vulnerabilities to address (source: OWASP Mobile Top 10, the 2011 list):
1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure
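The story’s money transfer maps directly onto items 2, 6 and 7 of that list: if the backend trusts what the app sends it, a hacked phone (or a modified copy of the app) can move anyone’s money. The following is an added example and is not code from the talk or from Booz Allen Hamilton. The account names, balances, request field names and the 900-second session lifetime are all constructed for illustration. It puts a transfer handler that trusts a client-supplied `from_account` and `authorized` flag beside one that derives identity from a server-side session, checks account ownership and session expiry, and validates the amount on the server.

```python
"""Weak vs. hardened mobile-backend transfer handler.

Added example (not from the talk): a toy bank backend. The first handler
makes its security decisions from client-supplied fields (OWASP M2/M7);
the second derives every decision from server-side state (session,
account ownership, validated amount). Accounts, balances, field names
and the session lifetime are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional
import secrets
import time

SESSION_TTL = 900  # seconds; assumed value, tune to your risk appetite


@dataclass
class Session:
    user: str
    issued: float  # epoch seconds


class Bank:
    def __init__(self) -> None:
        # Constructed sample accounts (not real data).
        self.accounts = {
            "ACC-1001": {"owner": "alice", "balance": Decimal("500.00")},
            "ACC-2002": {"owner": "bob", "balance": Decimal("50.00")},
        }
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue an unguessable bearer token bound to the user (M6)."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user=user, issued=time.time())
        return token

    def balance(self, acct: str) -> str:
        return str(self.accounts[acct]["balance"])

    def weak_transfer(self, req: dict) -> dict:
        """VULNERABLE: the app decides who is authorized and which account
        to debit, and the server believes it. Anyone who controls the phone
        or rewrites the request body can debit any account."""
        if not req.get("authorized"):             # M7: untrusted input
            return {"ok": False, "error": "not authorized"}
        src = self.accounts[req["from_account"]]  # M2: no ownership check
        dst = self.accounts[req["to_account"]]
        amt = Decimal(str(req["amount"]))         # no sign or bound check
        src["balance"] -= amt
        dst["balance"] += amt
        return {"ok": True}

    def hardened_transfer(self, req: dict, now: Optional[float] = None) -> dict:
        """Identity comes from the session token, authorization from the
        account record, and the amount is validated, all on the server."""
        now = time.time() if now is None else now
        sess = self.sessions.get(req.get("token", ""))
        if sess is None or now - sess.issued > SESSION_TTL:
            return {"ok": False, "error": "invalid or expired session"}
        src = self.accounts.get(req.get("from_account"))
        dst = self.accounts.get(req.get("to_account"))
        if src is None or dst is None or src is dst:
            return {"ok": False, "error": "unknown account"}
        if src["owner"] != sess.user:             # server-side authorization
            return {"ok": False, "error": "forbidden"}
        try:
            amt = Decimal(str(req.get("amount")))
        except (InvalidOperation, ValueError):
            return {"ok": False, "error": "bad amount"}
        # Reject NaN/Infinity, non-positive, sub-cent and overdraft amounts.
        if (not amt.is_finite() or amt <= 0
                or amt.as_tuple().exponent < -2 or amt > src["balance"]):
            return {"ok": False, "error": "bad amount"}
        src["balance"] -= amt
        dst["balance"] += amt
        return {"ok": True}


if __name__ == "__main__":
    # Bob's hacked phone submits a transfer out of Alice's account.
    steal = {"from_account": "ACC-1001", "to_account": "ACC-2002", "amount": "400"}
    bank = Bank()
    bob = bank.login("bob")
    print("weak:", bank.weak_transfer({**steal, "authorized": True}), bank.balance("ACC-1001"))
    bank = Bank()
    bob = bank.login("bob")
    print("hardened:", bank.hardened_transfer({**steal, "token": bob}), bank.balance("ACC-1001"))
```

The point of the hardened version is not the individual checks but where they live: nothing the phone says is used as an authorization decision, so the watcher in the story can read and replay Bob’s requests all day and still only move Bob’s own money.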

Key mobile security take-aways: six key points to remember.
1. There is no silver bullet to mobile app security.
2. Use defense in depth.
3. Follow a stringent process during app development.
4. Do not integrate mobile apps directly into the enterprise.
5. Test, test, test…
6. Third-party code review and pen-testing.

Thank you! James F. Fox, MENA Cyber Security Practice Lead, Booz Allen Hamilton.
