
Identifying and responding to the evolving converged IT & Telecom Security (ENISA view)

By Michalis Mavis, MSc, MSc f. Chairman of Hellenic Fraud Forum

Interesting opinions from Ernst & Young (see the report "Top 10 risks in Telecom 2012")
Customers place more trust in Operators than in social networks on security issues across a range of services. They hold Operators responsible for threats from third parties, even for mobile malware attacks and rogue applications (apps). The market expects Operators to collaborate with suppliers and partners to tackle privacy and security issues in new service areas such as cloud security and mobile apps. Operators should work closely with governments to clarify their responsibilities in areas such as anti-terrorism and content for children.

What are the best paid IT jobs?

1. Mobile applications developer.
2. Wireless network engineer.
3. Network engineer.
4. Data modeler.
5. Portal administrator.
6. Data warehouse manager.
7. Business intelligence analyst.
8. Senior web developer.
9. Web developer.
10. Network architect.
11. Network manager.
12. Data architect.
13. Data security analyst.
14. Software engineer.
15. Network administrator.

Reference: Online Associate News Editor

Mobile applications developers, one of the best paid jobs in 2013

Mobility trend in the modern business environment.
Benefits and risks when privately owned mobile gadgets are used in the business environment.
ENISA, Ernst & Young and Networks Asia Reports views.
Security concerns and solutions in the modern business environment.
Conclusions.

The ENISA point of view

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the European Union. In its recent report ENISA stated inter alia that: Security controls need to be installed outside the perimeter of an organization in order to protect business assets on the move.

Bring your own device trend

Employee-owned, privately-used devices like smart phones, tablets, ultra-light laptops, etc., are used for business related tasks with permission and support of the employer. Privately-used IT, like Social Networking, Cloud Storage, mail, smart phones, tablets, etc. are becoming part of professional IT life.

Benefits?
Employees using their own devices for business save time and money. They are more mobile and productive due to permanent access to business data, transactions, and communication facilities. Increased staff availability is achieved, since urgent matters can be better coordinated and resolved.

Mobile Phone Trends - user aspects

Smartphones are becoming a placeholder for your entire life (photos, addresses, phone book, personal notes, location/presence).
Smartphones are used for business applications:
- Storage of sensitive information.
- Access to internal company networks.
A smartphone is easy to carry along and you can always bring it with you.
Unintentional/intentional user acts:
- Authorizing installation of malicious software.
- Forwarding sensitive business information to an unauthorized user.

[Figure: contacts, emails, photos/videos, applications, attachments, calendar]


Variety and complexity of devices, systems and applications

Additional IT management resources are needed in order to accommodate the various systems (e.g. different OS). Additional investments are needed to achieve the desired level of protection and compliance when opening up network perimeter security.


What are the main risks?


Loss of confidential data

By improper use of such services, users may neglect existing security policies and transfer company information outside the security domain, thus enabling access by non-authorized individuals. Sharing of such devices (with family and friends, for example) may cause significant losses to the organization. On the other hand, high usage of mobile devices is likely to result in more lost devices.

Loss of control
Unofficial teleworking - working outside working hours, for malicious reasons. End user activities within different jurisdictions (e.g. use of cloud services and drop boxes).


How to discriminate between user and company data

Business data is mixed with private information. There is always a risk related to the intervention of businesses in the private life and property of employees. Security controls may allow businesses to access users' personal data stored on their devices.

Mobile devices targeted by cybercriminals

Malicious software aimed at mobile devices has reportedly risen about 185% in less than a year. Mobile devices face an array of threats that take advantage of numerous vulnerabilities commonly found in such devices. In most cases consumers are not aware of the importance of enabling security controls on their mobile devices.
Report by Michael Cooney (Sep 20, 2012)


Security issues on mobile devices

Authentication can rely on pattern screen locks, a PIN, a password and/or a biometric reader that scans a fingerprint. Two-factor authentication with non-static passwords should be used when conducting sensitive transactions on mobile devices. Many applications (e.g. email) do not encrypt the data they transmit and receive over the network, making it easy for the data to be intercepted.
Pattern screen lock


Unauthorized access to sensitive info

Consumers may download applications that contain malware. An application could be repackaged with malware and a consumer could inadvertently download it onto a mobile device. The data then may be easily intercepted. When a wireless transmission is not encrypted, data can be easily intercepted by eavesdroppers, who may gain unauthorized access to sensitive information.

Mobile devices normally do not include pre-installed security software.

Security software may slow operations and affect battery life on some mobile devices. But without it, the risk may be increased that an attacker could successfully distribute malware such as viruses, Trojans, spyware, and spam to lure users into revealing passwords or other confidential information.


Operating systems may be out-of-date

Many manufacturers stop supporting smartphones as soon as 12 to 18 months after their release. Such devices may face increased risk if manufacturers do not develop patches for newly discovered vulnerabilities. Unlike traditional web browsers, mobile browsers rarely get updates.

Firewall on mobile units

Without a firewall, a mobile device may be open to intrusion through an unsecured communications port, and an intruder may be able to obtain sensitive information on the device and misuse it.




Jailbreaking a mobile phone

Jailbreaking allows users to gain access to the operating system (rooting) of a device so as to permit the installation of unauthorized software functions and applications and/or to not be tied to a particular wireless carrier. The procedure changes how security for the device is managed and could increase security risks, if the user is not an expert.

Mobile malware
Android devices topped the list of mobile malware targets. When a mobile phone is infected, the malware tries to propagate the infection. This may be done even through SMS.
In the case of mobile malware threats, the DNS layer can be analyzed to detect and mitigate suspicious activity. Mobile Operators should take responsibility for that. Social networks, like FB, propagate malware.
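One way an operator could analyze the DNS layer, shown as an added example that is not part of the original slides: flag subscribers whose lookups fail on many distinct names, a pattern typical of malware probing generated domain names. The log format, subscriber IDs, thresholds and the function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed resolver log: "<epoch> <subscriber> <qname> <rcode>" (format assumed).
SAMPLE_LOG = """\
1352190000 sub-001 mail.example.com NOERROR
1352190002 sub-001 www.example.org NOERROR
1352190005 sub-001 cdn.example.net NOERROR
1352190009 sub-001 typo-host.example.com NXDOMAIN
1352190011 sub-001 api.example.com NOERROR
1352190020 sub-002 qzxkvbtr.example NXDOMAIN
1352190021 sub-002 mplwqhzd.example NXDOMAIN
1352190022 sub-002 xkcjvnrt.example NXDOMAIN
1352190023 sub-002 bwtrqypl.example NXDOMAIN
1352190024 sub-002 hgdzmqwx.example NOERROR
1352190025 sub-002 vnsklrtp.example NXDOMAIN
1352190030 sub-003 printer.corp.example NXDOMAIN
1352190031 sub-003 printer.corp.example NXDOMAIN
1352190032 sub-003 printer.corp.example NXDOMAIN
1352190033 sub-003 printer.corp.example NXDOMAIN
1352190034 sub-003 printer.corp.example NXDOMAIN
"""


def suspicious_subscribers(log_text, min_nx_names=4, min_nx_ratio=0.6):
    """Return {subscriber: NXDOMAIN ratio} for clients failing on many distinct names."""
    total = defaultdict(int)
    nx_total = defaultdict(int)
    nx_names = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, subscriber, qname, rcode = fields
        total[subscriber] += 1
        if rcode == "NXDOMAIN":
            nx_total[subscriber] += 1
            nx_names[subscriber].add(qname.lower().rstrip("."))
    flagged = {}
    for subscriber, count in total.items():
        ratio = nx_total[subscriber] / count
        # Distinct failing names matter: one misconfigured host retried
        # many times (sub-003) is noise, not a generated-domain pattern.
        if len(nx_names[subscriber]) >= min_nx_names and ratio >= min_nx_ratio:
            flagged[subscriber] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    print(suspicious_subscribers(SAMPLE_LOG))
```
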

Use of public WiFi networks

Using unsecured public wireless Internet networks or WiFi spots could allow an attacker to connect to the device and view sensitive information.


Man-in-the-middle attack
Connecting to an unsecured WiFi network could let an attacker access personal information from a device, putting users at risk for data and identity theft. One type of attack that exploits the WiFi network is the man-in-the-middle, where an attacker inserts himself in the middle of the communication stream and steals information.

Is VPN a good solution?

Using non-secured public Wi-Fi hotspots can leave you vulnerable to identity theft, data theft, snooping, impersonation and malware infection. That's why so many people rely on public virtual private network services, but VPNs are no panacea.


Caveats for VPN users in public Wi-Fi hotspot networks

VPN services, although intended to secure all communications, have been found to have protocol-level and implementation-level vulnerabilities. For instance, certain SSL-based VPN services are prone to man-in-the-middle attacks, which can be easily set up by a hacker on a public Wi-Fi network using readily available software and equipment. The MS-CHAPv2 exploit, demonstrated at the recent DefCon 20 conference, showed that freely available tools and cracking sites are available to crack such services.
See report by Sohail Ahmad, India (Nov 6, 2012).


Sensitive transactions
Enable two-factor authentication for sensitive transactions, e.g. Mobile banking or financial transactions. Verify the authenticity of downloaded applications.
Procedures can be implemented for assessing the digital signatures of downloaded applications to ensure that they have not been tampered with.

Remotely disable lost or stolen devices

The best mobile security applications give you the ability to:
- lock your phone and SIM card remotely,
- wipe important information from your memory card, and
- activate your phone's built-in GPS chip to locate your lost or stolen device.


Don't panic when your mobile is stolen

Remote disabling is a feature for lost or stolen devices that either locks the device or completely erases its contents remotely. Locked devices can be unlocked subsequently by the user if they are recovered.
Enable encryption for data stored on device or memory card.

How to encrypt my data on the SD card?

The smartphone is fingerprint protected, but the SD card is not. Some smartphones include built-in encryption capability; others do not. There are free apps that allow encryption of files and folders on your phone's SD card. Check that the encryption works. In order to view the photo gallery you must decrypt first, which may be a bit boring.

A stealth (invisible) SMS is sent to the mobile phone. There is no need to accept installation of the program: it is automatically installed in the mobile phone's memory. The program allows monitoring of calls and of incoming and outgoing SMS messages. Well known programs of this type are RexSpy and FlexiSPY. The attacker may pay by credit card, with no need to move from his chair or visit a detective.

Séminaire International RSI'2012, Morocco, 19 & 20 November 2012



Mobile phone including RFID tag

A mobile phone with an RFID tag may be used as an ATM card (technology already present in various countries). The mobile phone may be used instead of keys to start the car and open your house door. It will also participate in various financial transactions.

NFC risks
Fraud risks arise when using NFC on your mobile phone for mobile payments and other financial transactions. Attacks aim to steal a person's identity and/or money.


Pay Fraud (in M Commerce)

Interception of M-Commerce transactions. Credit Card Not Present transactions. Non-existent paid products or services. Liability for content theft and piracy. Internal employee abuse of customers' credit card details.


There is a clear mobility trend in the modern business environment. Mobile apps, although useful, carry many risks. Mobile apps may turn into spying applications. The user should be able to distinguish malware apps before installing them. There are benefits and risks when privately owned mobile gadgets are used in the business environment.


Mr. Michalis Mavis, MSc, MSc