Cyber Security and Mobility: “Are we on the edge of the cliff?”

The Secure Software Acquisition Process – C Level

Who am I?

• Chair, Computer Information Systems Department, University of Detroit Mercy

• Director, Center for Cyber Security and Intelligence Studies

• Former Employee, Ford Motor Company, IT Security & Strategy

• Student, University of Michigan Dearborn, PhD Program – Writing dissertation

Thursday September 5th, 2013, IAPP Detroit KnowledgeNet (September Meeting)

Aspirations

At the end of this presentation you will have a better understanding of:

• The cyber risks you face as Mobile Users

• The current state of the mobile payment space

• The steps you can take to protect yourself

Mobile Devices (ubiquitous)

• Smartphone sales are greater than laptop sales.

• Purchases increasing at an annual growth rate of more than 40%

• About 40% of corporate devices are purchased by individuals who then use them in the enterprise.

• Number one mitigation strategy for organizations is limiting operating system diversity

•“We are going to limit ourselves to ONE risky platform”

* Source: International Data Corporation (IDC)

Mobile Devices (general worries)

• Gen Y has shown a propensity to accept risk.

• Antivirus/Antispyware tools are available but not as powerful as their laptop counterparts.

• Antivirus/Antispyware tools are often disabled because of performance.

• There is a lack of awareness of the differences between Wi-Fi and cellular technology.

Mobile Devices (Malware History)

• First Symbian malware (2004):
  • Cabir worm (spread via Bluetooth)
  • Skuller (spread via OS vulnerability)

• First iPhone worm (2009): Ikee, which targeted jailbroken iPhones running SSH with the default root password left unchanged. The original Ikee was written by an Australian student; shortly before, a Dutch hacker had exploited the same default-password weakness to hold jailbroken iPhones to ransom.

• First Android malware (2010): Trojan-SMS.AndroidOS.FakePlayer, distributed via websites rather than the Android Market. Written by Russian virus writers.

Mobile Devices (breaches)

• 1 in 3 breaches attributed to mobile devices involves a lost or stolen device

• Mobile malware, hacking, and physical compromise made up 5 of the top 10 events in the Verizon report; the remaining events were malware on, and hacking of, servers

• Breaches are not keeping pace with increased usage; my speculation is that people don’t report the loss of personally owned devices

Mobile Devices (what’s being done?)

• The Federal Trade Commission and the California Attorney General have recently published reports focused on mobile privacy.

• The California AG’s “Privacy on the Go” report was issued in January 2013.

• The FTC’s “Mobile Privacy Disclosures” staff report was released on February 1, 2013.

• Recommendations on mobile privacy disclosures are addressed to three different audiences: mobile app marketplaces, mobile app developers, and mobile advertising networks.

Mobile Devices (what’s being done?)

• NIST
  • “Guidelines for Managing the Security of Mobile Devices in the Enterprise” (SP 800-124 Rev. 1)
  • DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices (SP 800-164)
  • DRAFT Guidelines on Mobile Device Forensics (SP 800-101 Rev. 1)

Mobile Devices (compromises)

• Accelerometer (motion-sensor data used as a side channel to infer what is typed on the touchscreen)

• Confused deputy (a privileged app that lets unprivileged apps invoke its permissions on their behalf)

• SSL (apps that fail to validate server certificates properly)

• NFC (attacks delivered over the near-field communication stack)

• Charger (a malicious charger that compromises the device plugged into it)

• GCM (Google Cloud Messaging abused by malware as a command channel)

Cyber Crime

• Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved.

• Annual loss estimates range from billions to nearly $1 trillion.

• Some claim cybercrime rivals the global drug trade in size.

• Estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem.

• Cybercrime is actually a relentless, low-profit struggle for the majority.

• You have the power to limit your vulnerability to cyber crime.

* Source: “The Cybercrime Wave That Wasn’t”, Dinei Florêncio and Cormac Herley, The New York Times, April 14, 2012

What do they want?

• Assets that can be turned into money
  • SSNs
  • Bank accounts
  • Credit card accounts
  • Identities

• Access to physical things
  • Cars
  • Places of business

• Underage candidates for exploitation

Mobile Commerce (what is it?)

• NOT: browser-based payments

• NOT: traditional Visa/Mastercard/Amex/Discover

• IS: “New experience where the technology fades into the background”

• IS: SMS, ACH, email, “trusted third parties”

• IS: Huge across the globe, burgeoning in the U.S.

Mobile Commerce (players?)

Device Manufacturers

Banks

Credit Card Companies

Merchants

Mobile Users

Industry Groups

Payment Channel Creators

Corporations

Mobile Commerce (examples)

• Google Wallet (not NFC)
  • Stalled until GoogleCash (email cash)

• ISIS (NFC)
  • AT&T, Verizon and T-Mobile have signed on; Visa, MasterCard, Discover and American Express are partners

• Western Union (SMS)
  • ACH transfers

• Square (not NFC, yes GPS)
  • Square Reader, Square Wallet, Square Cash, Square Register

• PayPal (eBay, headed to NFC)
  • $20B in mobile payments, PayPal reader, cash cow

Mobile Commerce (Protections)

• Google Wallet
  • Hacked twice, immediately

• ISIS
  • NFC vulnerabilities; uses Secure Element

• Western Union
  • SMS vulnerabilities

• Square
  • GPS vulnerabilities; uses geofencing; uses proprietary

• PayPal
  • Undetermined

Mobile Commerce (What to do)

• Move slowly

• Tie accounts to a low-balance credit card, not a debit card

• Separate your phone and credit cards.

• Don’t put your phone in a “bumpable” place

• For a business, engage an expert for a threat assessment and policy inspection

For more information

Jeff Ingalsbe

Chair - Computer Information Systems

Center for Cyber Security and Intelligence Studies

University of Detroit Mercy

[email protected]

[email protected]