Security Architecture for Mobile Computing and Internet of Things (IoT)

Sukumar Nayak, Chief Technologist Cloud Services Integration & Automation

Date Created: 10/28/2015Date last updated: 11/17/2015

2

Objective: Provide an overview of Security Architecture for Mobile Computing and IoT.Scope:

• Motivation• Scope of Mobile Computing and Internet of Things (IoT)• Growth trends• Factors that Influence Mobile Security Solution• Mobile Security Reference Architecture• Mobile Infrastructure Components• The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI)• Potential Vulnerabilities for Mobile applications and mitigation strategies• Security Controls• Mobile Security Tools & Technologies• Q&A

Agenda

3

Audience Poll

Technologist, CTO

Finance, CFO

Audit, CFO

Security & Compliance, CISO, CCO

What is your primary role at your company?

IT Operation, CIO

Business Services, Executive

Consultant, Entrepreneur

What is your level of experience with Mobile Development?

What is your level of experience with DevOps?

What is your level of experience with Cloud environment?

What is your level of experience with Big Data environment?

Evaluating

5+ years

1-3 years

3-5 years

Government, Nonprofit Org

4

Motivation

“Companies rarely fail because of poor financial controls, but they fail frequently due to their inability to understand and address disruptive technologies, market fluctuations, changing customer expectations, and competitive pressures.”

2014 Forrester report by Chris McClean, Stepahnie Balaouras & Jennie Duong

URL: http://www.metricstream.com/pdf/Extend-compliance-and-risk-Forrester-play-book.pdf

5

Scope of Mobile Computing and Internet of Things (IoT)Mobile Computing Definition:• Human–computer interaction by which a computer

is expected to be transported during normal use.

• Technology that allows collection / transmission of data, voice and video via a computer or any other wireless enabled device without having to be connected to a fixed physical link.

• Scope:• Hardware / Devices• Software• Communication

Internet of Things (IoT) Definition:• Network of physical objects or "things" embedded

with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.

• It allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit.

• Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.

• Scope: • Hardware / Devices, Software, Communication

6

Mobile Computing & IoT Trends

2000 2010 2020 2030+

RFID tags: Supply-Chain & Logistics. ex: smart routing, inventory management, and prevention of supply-chain leakage

Surveillance, security, healthcare, transport, tolls, food safety, document management. ex: cameras, sensors, tags, wearables, smart-phones, smart-cards, smart-houses, wearables.

Locating people, vehicles, and everyday objects. ex: geo-location sensors, GPS, smart-houses, consumable sensors.

Teleoperation & telepresence: Ability to monitor and control distant objects. Miniaturization, power efficient electronics, and available spectrum. Software agents and advanced sensor fusion ex: cognitive & humanized computing, remote controlled drones.

7

Scope of Mobile Computing and Internet of Things (IoT)

Mobile Computing Networks

Smartphones

Cloud

Internet of Things

Smartphone technology everywhere

Self-learning Cloud

Internet of Everything

Humanized technology everywhere

Pervasive ComputingUbiquitous Computing

Cognitive ComputingHumanized Computing

Emerging futureCurrently evolving

Vehicle Tracking Device Surveillance Cameras Smart House AutomationTemperature/Occupancy/Flow/Light/Humidity/Smoke/Fire Sensors Humanized Computing

Geolocation Sensors

8

The vision of cognitive / humanized computingCurrent Medical Computing Cognitive Computing

• Electronic Medical Records• Latest research findings• Best practice recommendations on treatments• Personal genomics data• Multiple observations from the patient• Observations from personal environment & history

• Understand medical records content• Understand research publications• Able to discern new patterns• Able to suggest experiments• Explain hypothesis to humans• Able to modify theories, and learn• Human-like machine intelligence

• Software that emulates more of the brain

• Computer transitioning from “Dumb machines” to “Trusted Partners”

• Computers that have common sense• Systems that understand natural language

• Enabling “hybrid intelligence”• Humans and computers working better together

9

Internet of Things (IoT)Industry sectors Types of Applications Types of Devices

IT CRM, ERP, SCM, HR, Finance Servers, Storage, Network, PCs, Desktops, Laptops, Smartphones, Switches, Routers, PBXs, Embedded Systems

Manufacturing Planning, Scheduling, Distribution, Discrete / Process Engineering

Compressors, Conveyors, Pumps, Pipelines, Motors, Turbines, Fabrication Assembly, Packaging

Retail & Hospitality Inventory Management, Order Management, Incident Management, Service Management

Receiving, Store, RFID Tags, Point-of-Sales, Cash Register, Workforce Management, Vending Machines

Logistics / Transportation

Planning, Scheduling, Loading, Unloading, Bill of Lading, Delivery Tracking

Vehicles, Storage, Put Away, Tracking, Maintenance, RFID Tags

Healthcare & Lifesciences

Patient Care, Testing, Health Monitoring, Imaging Wearables, MRIs, PDAs, Telemedicine, Surgical equipment, Monitors, Implants, Bio-sensors

Energy Supply & Demand Management, Drilling, Purification, Storage, Transport

Turbines, Windmills, UPS, Batteries, Generators, Compressors, Cells, Meters, Drills

Home Care Education, Convenience, Entertainment, Safety Digital Cameras, Appliances, Gaming, Audio / Video Systems, Vehicles, Smart homes, Alarms, Refrigerators, Sprinklers

Construction Commercial / Residential Buildings Management HVAC, Transport, Fire and Safety, Lights / Power / Water Control, Access Control

Public Sector Safety, Security, Emergency Response, Surveillance, Environmental, Weather

Tanks, Trucks, Cars, Vans, Fighter Planes, Ambulances, Fire Trucks, Satellites, Spaceships, Ships, Beacons, Weather Sensors

10

IoT Growth Predictions

Source: Hewlett Packard Enterprise Community 2015 report http://community.hpe.comI-Scoop IoT report http://www.i-scoop.eu/internet-of-things/

Automotive$202B

Healthcare$69B

Consumer electronics

$445B

Utilities$36B

Manufacturing$99B

11

IoT Security Vulnerabilities Research Findings

Source: Hewlett Packard Enterprise IoT Research Findings URL: http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdfComputer World: http://www.computerworld.com/article/2476543/cybercrime-hacking/researchers-find-about-25-security-vulnerabilities-per-internet-of-things-device.html

90% of devices collected at least one piece of personal information via the device, the cloud or, it’s mobile application.

80% of devices, their cloud & mobile application components failed to require passwords of a sufficient complexity and length.

Researchers find about 25 security vulnerabilitiesper IoT device.

Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials.

70% of devices, their cloud and mobile application enable an attacker to identify valid user accounts through account enumeration.

70% of devicesused unencrypted network service.

12

Securing Mobile EnterpriseChief Information Officer (CIO) / Chief Information Security Officer (CISO)• Mitigate security risks across the enterprise i.e. people, process, devices, applications, content and transactions• Monitor & Manage enterprise security across all endpoints

Manage the mobile devices BYOD, BYOA, secure email and document sharing.Enroll, provision, configure, retire, lock/wipe lost devices.Fingerprint devices i.e. unique device IDs.Enforce Security Compliance: passcode, encryption, jailbreak / root detection

Secure file and document sharing across mobile devices and employees.Restrict copy, paste & share.Validate Integrations with other sources.Secure access to enterprise data. Data separation, Leakage, Encryption, Scan, Automation.

Instrument applications with security protection by design.Identify vulnerabilities in new and existing applications; and integration among the applications.Secure Development & Application Management Platforms. ex: IDE, Scanning, App Wrapping, SDK Container, Whitelist / Blacklist Applications

Secure mobile transactions between employees, customers, partners, and suppliers.Access: Mobile Access Management, Identity Federation & API ConnectivityTransactions: Mobile Fraud Management, Browser Security / URL Filtering, IP Velocity.

Device Security Content Security Application Security Transaction Security

Security IntelligenceCollect, Correlate, and Visualize mobile security data ex: events, incidents, log data, and detect anomaly. Manage vulnerability and proactive threat avoidance. Mobile Security Information and Event Management (SIEM), Log Analysis, and data mining.

IT Operations Line-of-BusinessApp Developers Security Specialists

13

Factors that Influence Mobile Security SolutionCriteria Considerations

1. Type of Users Employees, Customers, Partners, Suppliers.

2. Types of DevicesForm factors: Smartphones (low end), handheld PDAs, Ultra-Mobile PCs, Tablet PCs.OS: Android/Google Devices, BlackBerry, iOS/Apple Device, Palm, WebOS.Browsers: WAP-based, Feature Phones, Smartphones, iPhones.

3. Mobile Devices Features User owned varied device types or BYOD or Company defined deviceex: Device register, locate, lock or wipe capabilities

4. Services used by mobile app Central or, distributed compute, Service-enabled or, legacy access

5. Types of access Intranet/extranet or, internet; Is a VPN required?

6. Number of usersSmall (10-100), medium (1000s) or, large (many thousands); Known or, unknown number; Is it necessary to protect surges of workload/requests? Is it necessary to protect against denial of service attacks?

7. Authentication User authentication, Device authentication, Application authentication

8. Authorization

User authorization; Does the user need to be authorized to access Mobile Enterprise Application Platform (MEAP); Limit access when mobile user connects from unsecure network; Limit access based on mobile user location; What authorization token will be used e.g. OAuth, SAML

14

Factors that Influence Mobile Security SolutionCriteria Considerations

9. Audit Should access to specific application be audited? What information needs to be Audited e.g. mobile user id, device location, resource accessed, device id

10. ConfidentialityWhat is the nature of the data? Does the data in transit need to be encrypted? What hardware offload capabilities are currently used for SSL/TLS? Is the data stored on the device? Does data on the device need to be encrypted?

11. Integrity Does the integrity of the data in transit need to be protected?

12. Existing security infrastructure

Will the existing security infrastructure be reused for securing mobile access? What components and products are used in the existing security infrastructure? e.g. Security gateway, User registry, Identity management and mapping, Network security, Digital certificates, Security intelligence solution

13. Security standardsWhat company standards need to be respected e.g. limits on encryption algorithms or authentication protocols, FIPS-140; What industry & government standards need to be respected e.g. PCI-DSS, HIPAA, FIPS 140, FedRAMP, FISMA

15

Camera

Microphone

GPS

Bluetooth/NFC

Tethering

802.11a/b/g/n

Cellular

USB

Virtual OS (optional)

Managed Apps

Managed Apps

Untrusted Apps

White Listed Apps

MDM Plugin

Encrypted Storage

Unencrypted Storage

Mobile Device

Mobile Security Reference Architecture (MSRA)

Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf

Voice/Unified Capabilities

Web Applications

E-mail Databases

Virtual Desktop/Apps

SEIM / Log Correlation

…

Enterprise Core Services

Gate

way

& S

ecur

ity S

tack

Identity & Access Management (IAM)

Mobile Device Manager (MDM)

Mobile Application Manager (MAM)

Virt

ual P

rivat

e N

etw

ork

(VPN

)

Enterprise Mobile Services

Mobile Application Store(s) (MAS)

Mobile Application Gateway (MAG)

Intr

usio

n De

tect

ion

Syst

em (I

DS)

Data

Loss

Pre

vent

ion

(DLP

)

Mobile Application Stores(s)

Mobile Application Gateways

External Facing Mobile Services

External Application Store(s)

Cellular Networks

Wireless Ethernet Networks

Network TrafficLog Data

Legend:

16

Mobile Infrastructure Components• Virtual Private Networks (VPNs)• Intrusion Detection System (IDS)• Data Loss Prevention (DLP)• Identity and Access Management (IAM)• Mobile Device Management (MDM)• Mobile Application Management (MAM)• Mobile Application Store (MAS)• Mobile Application Gateway (MAG)• Gateway and Security Stack (GSS)

17

Mobile Virtual Private Networks (mVPNs)

Enterprise Network

Gate

way

& S

ecur

ity S

tack

A mobile virtual private network (mobile VPN or mVPN) provides mobile devices with access to network resources and software applications on their home network, when they connect via other wireless or wired networks.

Functions: Persistence, Roaming, Application compatibility, Security, Acceleration, Strong authentication

Management Functions: Management console, Policy management, Quality of service, Network Access Control, Mobility Analytics, Monitoring & Notification

18

Intrusion Detection System (IDS)IDS activities

Prevention Intrusion Monitoring

Intrusion Detection Response

Simulation Analysis Notification

IoTComponents(Sensor nodes, smart physical

objects)

Database (IDS Configuration)

Database (IDS Knowledge DB)

Attack Response Module

Sensor & AnalyzerPattern matching algorithms

Information Collection Policy

Event GeneratorSet of Events

(Syslogs, System Stats, Network Packets)

Detection Policy

Response Policy

System Information

Protected System

Audit Trails & Network Monitoring

Monitoring & Notification Actions

Information Collection Detection Response

IDS Components

19

Data Loss Prevention (DLP)Data

GovernanceRegulatory

Requirements

Data Classifications

Policies

Tools / Technologies

Discovery / Monitoring / Notification

Education / Training

Intelligence / Analytics

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

Methods for DLP: Text analysis, Metatagging, monitoring, blocking via Gateway server, or native mobile app or backing content management into applications.

20

Identity and Access Management (IAM)

Source: http://blog.cmlgroup.com/identity-access-management-iam/Source: https://it.ubc.ca/what-identity-and-access-management

21

Mobile Device Management (MDM)

Mobile Device Management

Decentralized Global Services

No One Solution or, Provider

Performance Management / Support

More Employee Choice

No Dominant Platform

Increasing Smartphone Adoption

More Worker Mobility

Changing Business Styles

Corporate Data Risk

Business Continuity Planning

Mobile Device Management Challenges for CIOs source: Gartner

22

Mobile Application Management (MAM)

• Enterprise Application Store• Application Distribution / Delivery• Application Policies• Application Whitelists / Blacklists• Application Security• Application updates & patch management• User authentication & authorization• Version checking• Push services• Reporting, Monitoring & Tracking• Wrapping, Secure Container, SDK• Licensing• Billing• Internal App Storage• Bulk purchase

Mobile Application Management (MAM)

• Over-the-air updates• Remote Configuration and Provisioning• Device Security• Backup & Restore• Network Usage and Support• Remote Login, Lock and Wipe• Device Provisioning & De-provisioning (Retire)• Software Installation• Certificate Authority & On-device encryption• PIN enforcement• Support mVPN• Restrict Wireless• Enable / Disable Camera• Stop Email Forwarding• Prevent Automated Cloud Backup

Mobile Device Management

23

Mobile Application Store (MAS) Key Features

Source: VisionMobile research URL: http://www.visionmobile.com/blog/2008/11/the-mobile-application-store-phenomenon/

24

Mobile Application Gateway (MAG)A Mobile Application Gateway (MAG) is a piece of software that provides application-specific network security for mobile application infrastructures. The purpose of a MAG is to act as a network proxy, accepting connections on behalf of the application’s network infrastructure, filtering the traffic, and relaying the traffic to mobile application servers. This proxy relationship allows the MAG to apply application layer filters to network traffic, providing focused security designed to protect the mobile application service.

Following are the mobile security functions associated with MAGs.• Personnel and Facilities Management• Monitoring and Auditing

25

Gateway and Security Stack (GSS)The unique dual-connected nature (cellular and wireless Ethernet) of mobile devices makes them ideal platforms for circumventing traditional network security boundary protections. To prevent damage to the enterprise from a compromised mobile device, access to the enterprise must be restricted through one or more known network routes (i.e., Gateways) and inspected by standard network defenses such as stateful packet inspection, intrusion detection, and application and protocol filters. These standard defenses are collectively known as a “filter stack” because they serve to filter unwanted network traffic and are usually configured in a “stack” with traffic traversing each filter in sequence. The GSS typically functions at the session and below layers of the OSI network model.

Following are the mobile security functions associated with the Gateway and Security Stack.• Content Filtering• Packet Filtering• Traffic Inspection

26

Mobile Security Functions• Personnel and Facilities Management• Identity and Access Management• Application and Data Security• Device Management• Secure Communications• Continuous Monitoring and Auditing• Security Intelligence / Reporting• Incident Response

27

Mobile Security Functions• Personnel and Facilities Management

• Training• Physical Controls

• Identity and Access Management• Identity and Access Management Mechanisms• Authorization• Network Access Control

• Application and Data Security• Digital Asset Protection• Diagnostic Data Management (DDM)

• Device Management• Host Security• Configuration• Software Validation and Patch Management

• Secure Communications• Continuous Monitoring and Auditing

• Traffic Inspection• Packet Filtering• Content Filtering• Logging

• Security Intelligence / Reporting• Incident Response

28

The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI)

Source: The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page

Authenticator

User

AccessController

AccessReferenceMap

Validator

Encoder

HTTPUtilities

Encryptor

EncryptedProperties

Randomizer

ExceptionHandling

Logger

IntrusionDetector

SecurityConfiguration

Ente

rpris

e Se

curit

y AP

I (ES

API)

Cust

om E

nter

pris

e W

eb A

pplic

atio

ns

Exis

ting

Ente

rpris

e Se

curit

y Se

rvic

es /

Li

brar

ies

Browser Web Server App Server DB Server

Gate

way

& S

ecur

ity S

tack

1. Authenticate the users

2. Authorize the users

4. Session Management 5. Audit Logs

6. Protect the reserved data

8. Error Handling

6. Protect the reserved data3. Prevent “Parameter manipulation”

OWASP Overview of Security Controls

3. Data Validation

7. Secure Config Management

29

OWASP Top 10

Source: The Open Web Application Security Project (OWASP) 2013 Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10

OWASP Top Ten 2013 How does it work OWASP

ESAPI

A1- InjectionInjection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Encoder

A2-Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

Authenticator,User, HTTPUtils

A3-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Validator, Encoder

A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

AccessReferenceMap

A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

SecurityConfiguration

30

OWASP Top 10

Source: The Open Web Application Security Project (OWASP) 2013 Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10

OWASP Top Ten 2013 How does it work OWASP

ESAPI

A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

Encryptor, EncryptedProperties

A7-Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

AccessController, AccessReferenceMap

A8-Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

User (csrftoken)

A9-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

IntrusionDetector

A10-Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Validator

31

Mobile Threat Model

Spoofing

Repudiation

Denial of Service (DoS)

Improper Session Handling

Social Engineering

Weak Authentication

Weak Authorization

Malicious Application

Untrusted NFC Tag or Peer

Malicious QR Code

Missing Device

MalwareClient Side Injection

Toll Fraud

Crashing Apps

Excessive API Usage DDoS

Push Notification Flooding

Tampering

Modifying Local Data

Insecure WiFinetwork

Carrier Network Breach

Information Disclosure

Malware

Backward Breach

Reverse Engineering Apps

Lost Device

Elevation of Privilege

Sandbox Escape

Weak Authorization

Compromised Device

Compromised Credentials

Make Unauthorized Purchases

Push Apps Remotely

Flawed Authentication

Rooted Jailbroken Rootkits

Source: OWASP Top 10 Mobile Risks Jack Mannino URL: http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks

32

Possible vulnerabilities of mobile web applications• Information Disclosure• SSL Weakness• Configuration management weakness• Old, backup and unreferenced files• Access to Admin interfaces• HTTP methods enables, XST permitted, HTTP Verb• Credentials transport over an encrypted channel• User enumeration• Guessable user account• Bypassing authentication schema• Vulnerable remember password weak password

reset• Logout function• Browser cache weakness• Bypassing Session Management Schema, Weak

Session Token

• Cookies not secure• Session Fixation• Exposed sensitive session variables• Cross-Site Request Forgery (CSRF)• Path Traversal• Bypassing authorization schema• Privilege Escalation• Bypassable business logic• Reflected Cross-Site Scripting (XSS), Stored XSS,

Document Object Model (DOM) XSS• Cross Site Flashing• SQL, LDAP, ORM, XML, SSI, Code Injection• OS Commanding• Buffer overflow• Locking Customer Accounts• Buffer Overflows• WSDL Weakness

33

Possible vulnerabilities of mobile web applications

Source: Mobile Top 10 2014 OWASP URL: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_RisksURL: http://www.net-security.org/secworld.php?id=14556

34

Mitigating Common Mobile Devices Threats• Software-based threats and mitigations• Exploitation of vulnerable mobile OS• Web-based threats and mitigations• Network-based threats and mitigations• Physical threats and mitigations• Mobile device threats to the enterprise and mitigations• User-based threats and mitigations• Service provider-based threats and mitigations

Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf

35

Mitigating Common Mobile Devices Threats• Software-based threats and mitigations

• Malware threats• Exploitation of vulnerable mobile OS

• Exploitation of Vulnerable Mobile Application• Web-based threats and mitigations

• Mobile Code• Drive-by Downloads• Exploitation of Vulnerable Browser

• Network-based threats and mitigations• Voice/Data Collection Over the Air• Voice/Data Collection Over the Network• Manipulation of Data in Transit• Data Exposure Through RF Emission• Connection to Untrusted Service• Jamming• Flooding• GPS/Geolocation

• Physical threats and mitigations• Loss of Device• Physical Tamper• Device-Specific Features• Supply Chain• Mobile Peripherals

• Mobile device threats to the enterprise and mitigations• Access to enterprise resources

• User-based threats and mitigations• Social engineering• Classified information spill• Incident involving mobile device features• Theft/misuse of Services• Tracking

• Service provider-based threats and mitigations• Location tracking• Usage behavior tracking via applications• Routing/forwarding• Data ownership and retention

Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf

36

Policy Issues When Adopting Mobile DevicesMobile Device:

• Accreditation• Acquisition• Provisioning• Configuration, Monitoring, and Control• Service Management• Security Management• Expense Management• Customer Care• Retirement and Reuse

Source: CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf

37

Security Information Event Management (SIEM) Tools• AccelOps• AlienVault Unified Security Management (USM)• BlackStratus Log Strom, SIEM Strom, Compliance Strom• EMC RSA• EventTracker• Hewlett Packard Enterprise ArcSight & Fortify• IBM QRadar Platform• Intel Security McAfee Enterprise Security Manager,

Event Receiver (ERC) & Enterprise Log Manager• LogRhythm• Micro Focus (NetIQ)• Securonix• SolarWinds Log & Event Manager (LEM)• Spunk• Trustwave

Growth areas for Mobile Security:• Event Management, Monitoring & Notification• Log Analysis & Data mining

38

OWASP Security Guidelines, Tools and Technologies

Automated Security Verification• Vulnerability Scanners• Static Analysis Tools• Fuzzing

AppSec Education:• Flawed Applications

• Learning Environments

• LiveCD

• SiteGenerators

Web Goat: WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

Security Architecture:• ESAPI: Enterprise Security API

CSRFGuard: A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.

ESAPI: Enterprise Security API

AntiSamy: A library for HTML and Cascading Style Sheets (CSS) encoding.

AppSensor: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.

Secure Coding:• AppSec Libraries

• ESAPI Reference Implementation

• Guards and Filters

Orizon: A source code static analysis tool like findbugs, pmd or their commercial counterpart such as Fortify SCA or IBM Rational Ounce 6 (formerly known as Ounce 6 by Ounce labs).

O2: Defines how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Application Security Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.

LAPSE+: Is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications.

Manual Security Verification Tools:• Penetration Testing Tools

• Code Review Tools

AppSec Management:• Reporting Tools

WebScarab: Web security tool & framework for analyzing applications that communicate using the HTTP and HTTPS.

SWF Intruder: first tool specifically developed for analyzing and testing security of Flash applications at runtime.

SQL Ninja: A Perl tool, helps a penetration tester to gain a shell on a system running Microsoft SQL server, exploiting a web application resulted vulnerable to SQL Injection.

SQL Map: Automated Audit tool

DirBuster: Directory & File names tool

Before Development Define & Design Development Deploy & Maintenance

39

Security Testing Tools and TechnologiesDynamic Scanners:AcunetixArachniBurp SuiteHP WebinspectIBM Security AppScan StandardIBM Secruity AppScane EnterpriseMovituna Security NetsparkerNTO SpiderOWASP Zed Attack ProxyTenable NessusSkipfishw3aF

Static Scanners:FindBugsIBM Security AppScan SourceHPE Fortify SCAMicrosoft CAT.NETBrakeman

SaaS Testing Platforms:WhiteHatVeracodeQualysGuard WAS

IDS/IPS and WAF:DenyAllF5ImpervaMod_SecuritySnort

Defect Trackers:Atlassian JIRAMicrosoft Team Foundation ServerMozilla Bugzilla

Known Vulnerable Component Scanner:Dependency Check

40

Conclusion• Explosion of Mobile Devices, Internet of Things (IoT) and interconnection among them will

continue due to value-add efficiencies and economics.

• Cloud is key enabler to support Mobile & IoT growth.

• Cloud is all about secured services architecture, design, development, deployment, and management.

• Security Architecture, Risk Management & Audit practices are at the center for Mobile, IoT, Agile, DevOps, and Cloud Management transformation.

41

Definitions of Key Terms & Acronyms• ADFS: Active Directory Federated Services• CADF: Cloud Auditing Data Federation• CSA: Cloud Security Alliance• CSCC: Cloud Standards Customers Council• CSS: Cascading Style Sheets• DMTF: Distributed Management Task Force• ENISA: European Network and Information Security Agency• GRC: Global Regulatory Compliance• LDAP: Lightweight Directory Access Protocol • LTPA: Lightweight Third Party Authentication is a single-sign on (SSO) credential format intended for use in distributed, multiple

application server environments.• NIST: National Institute of Standards and Technology• NIST CC SRA: Cloud Computing Standard Reference Architecture• Payment Card Industry Data Security Standard (PCI DSS)• SAML: Security Authorization Markup Language• SCIM: System for Cross-domain Identity Management • WAP: Wireless Application Protocol• XSS: Cross-Site Scripting

42

References & Credits

43

Reference URLs• The Open Web Application Security Project (OWASP)

• CIO.gov URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf

• NIST Cloud Computing Standards Roadmap

• Detailed CSA TCI Reference Architecture

• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

• URL: http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm

• CRCnetBASE: http://www.crcnetbase.com/action/showPublications?display=bySubject&category=40001730&collapse=40001730

• FedRAMP: https://www.fedramp.gov/

• FISMA: http://www.dhs.gov/federal-information-security-management-act-fisma

• Mobile security reference architecture MSRA URL: https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf

• IBM mobile security architecture URL: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/f7f18938e631eb6986257da2007729a8/$FILE/Mobile%20Security%20Guide%20and%20Security%20Reference%20Architecture.pdf

• Open web security architecture project OWSAP URL: https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet

sukumar.nayak@hpe.comsukumar.nayak@gmail.com240.506.2305linkedin.com/in/sukumarnayak/

45

Backup

46

Internet of Things

47

The Open Web Application Security Project (OWASP) Enterprise Security API (ESAPI)

14 Modules

Source: The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page