Cyber Security and Mobility “Are we on the edge of the cliff?”

Presentation Transcript


  1. The Secure Software Acquisition Process – C Level
     Cyber Security and Mobility: “Are we on the edge of the cliff?”

  2. Who am I?
     • Chair, Computer Information Systems Department, University of Detroit Mercy
     • Director, Center for Cyber Security and Intelligence Studies
     • Former Employee, Ford Motor Company, IT Security & Strategy
     • Student, University of Michigan Dearborn, PhD Program – Writing dissertation
     IAPP Detroit KnowledgeNet (September Meeting) Thursday September 5th, 2013

  3. Aspirations
     • At the end of this presentation you will have a better understanding of:
       • The cyber risks you face as Mobile Users
       • The current state of the mobile payment space
       • The steps you can take to protect yourself

  4. Mobile Devices (ubiquitous)
     • Smartphone sales are greater than laptop sales.
     • Purchases increasing at an annual growth rate of more than 40%
     • About 40% of corporate devices are purchased by individuals who then use them in the enterprise.
     • Number one mitigation strategy for organizations is limiting operating system diversity
       • “We are going to limit ourselves to ONE risky platform”
     • * Source: International Data Corporation

  5. Mobile Devices (general worries)
     • Gen Y has shown a propensity to accept risk.
     • Antivirus/Antispyware tools are available but not as powerful as their laptop counterparts.
     • Antivirus/Antispyware tools are often disabled because of performance.
     • There is a lack of awareness of the differences between Wi-Fi and cellular technology.

  6. Mobile Devices (Malware History)
     • First Symbian malware (2004):
       • Cabir worm (spread via Bluetooth)
       • Skuller (spread via OS vulnerability)
     • First iPhone virus (2009): Ikee worm targeted jailbroken iPhones. Written by a Dutch hacker who was ripped off by a punk hacker. It targeted jailbroken phones running SSH
     • First Android Malware (2010): Trojan-SMS.AndroidOS.FakePlayer. Distributed via websites, not Android Market. Written by Russian virus writers.

  7. Mobile Devices (breaches)
     • 1 in 3 breaches attributed to mobile devices includes lost or stolen devices
     • Malware, hacking, and physical compromise were 5 of top 10 events in Verizon report
     • Others were malware, hacking of servers
     • Breaches are not matching increased usage
     • My speculation is that people don’t report loss of personally owned devices

  9. Mobile Devices (what’s being done?)
     • The Federal Trade Commission and the California Attorney General have recently published reports focused on mobile privacy.
     • California AG’s “Privacy on the Go” report was issued in January 2013.
     • The FTC’s “Mobile Privacy Disclosures” staff report was released on February 1, 2013.
     • Recommendations on mobile privacy disclosures to 3 different audiences: mobile app marketplaces, mobile app developers, and mobile advertising networks.

  10. Mobile Devices (what’s being done?)
     • NIST
       • “Guidelines for Managing the Security of Mobile Devices in the Enterprise”
       • DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices
       • DRAFT Guidelines on Mobile Device Forensics

  11. Mobile Devices (compromises)
     • Accelerometer
     • Confused Deputy
     • SSL
     • NFC
     • Charger
     • GCM

  12. Cyber Crime
     • Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved.
     • Annual loss estimates range from billions to nearly $1 trillion.
     • Some claim cybercrime rivals the global drug trade in size
     • Estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem
     • Cybercrime is actually a relentless, low-profit struggle for the majority.
     • You have the power to limit your vulnerability to cyber crime.
     • *Source: “The Cybercrime Wave That Wasn’t” by Dinei Florêncio and Cormac Herley, published April 14, 2012

  13. What do they want?
     • Assets that can be turned into money
       • SSNs
       • Bank accounts
       • Credit Card accounts
       • Identities
     • Access to physical things
       • Cars
       • Places of business
     • Underage candidates for exploitation

  14. Mobile Commerce (what is it?)
     • NOT: browser based payments
     • NOT: traditional Visa/Mastercard/Amex/Discover
     • IS: “New Experience where the technology fades into the background”
     • IS: SMS, ACH, email, “trusted third parties”
     • IS: Huge across the globe, burgeoning in the U.S.

  15. Mobile Commerce (players?)
     • Device Manufacturers
     • Industry Groups
     • Banks
     • Payment Channel Creators
     • Credit Card Companies
     • Corporations
     • Merchants
     • Mobile Users

  16. Mobile Commerce (examples)
     • Google Wallet (not NFC)
       • Stalled until GoogleCash (email cash)
     • ISIS (NFC)
       • AT&T, Verizon and T-Mobile have inked. Visa, MasterCard, Discover and American Express are partners
     • Western Union (SMS)
       • ACH transfers
     • Square (not NFC, yes GPS)
       • SquareReader, SquareWallet, SquareCash, SquareRegister
     • PayPal (eBay, headed to NFC)
       • 20B in mobile payments, PayPal reader, cash cow

  17. Mobile Commerce (Protections)
     • Google Wallet
       • Hacked twice, immediately
     • ISIS
       • NFC vulnerabilities, uses Secure Element
     • Western Union
       • SMS vulnerabilities
     • Square
       • GPS vulnerabilities, uses geofencing, uses proprietary
     • PayPal
       • undetermined

  18. Mobile Commerce (What to do)
     • Move slowly
     • Tie accounts to a low-balance credit card, not a debit card
     • Separate your phone and credit cards.
     • Don’t put your phone in a “bumpable” place
     • For a business, engage an expert for a threat assessment and policy inspection

  19. For more information
     Jeff Ingalsbe
     Chair - Computer Information Systems
     Center for Cyber Security and Intelligence Studies
     University of Detroit Mercy
     ingalsja@udmercy.edu
     threatmodeler@gmail.com
