
all right oh good afternoon everybody tall I should stay right here for the video so I'll try not to walk around too much hopefully you're here because you have some type of interest they learn it about mobile security if you're belper from that side maybe you're building a mobile studio Ram for your company I think by ear with questions yeah don't jump into things it's a big point away nothing other than what I said X is that your mileage is gonna vary everybody's situation is different that's kind of the going here I'm usually not a fan of the Who am I slide but I put this in here because it's kind of screams a little bit about the
different types of scale you can work with as we go anybody was at a family business especially it was kind of born into that that was my first career small family farms and agricultural stuff kind of move from there into the software development that's my first introduction they're out there sticking with us theme music all the messes with that spent most of my career at a large international bank so 19 years through it a bunch of different stuff effective with that time Jerry herbicides software development got into architecture mobile essentially mobile security and have a little fun but what might represent that from the vehicle perspective right now I'm at a bit sighs life sciences company I will say because I'm
wearing the shirt and response in the conference I'm a picky scientific seeker there we've been there about four months to get into a mobile security like a vehicle's in between these two somewhere Oh pick a nice car
all right so does letting will appear the program has a couple different steps here first thing is gonna be to know your organization this is all the stuff that's telling unique - doing what - trying to do who are the people involved what kind of budget do you have history all that kind of stuff that's going to be unique next is to identify the mobile risk and spend the most time looking at that but you have that list identified then you're gonna need to prioritize it what you can work on
then quietly we'll see there's a book people thinking about city getting risk is the way to respond to that especially a bunch of different options
you think about this is that the very first one I can't help you with it all so if you came to hear about your organization thank you I don't have to get into your own space that's your starting point identifying mobile risk these are mostly common to everyone look at a bunch of different resources that are available to you and you can see what state that is you prioritising boat risks again that's going to be isn't that sorority and with the risk
all right give some of people have heard of OWASP (Open Web Application Security Project) sit around for a while we have a top 10 list focus on the bedside is the W implies you also have a mobile top ten please that a couple years ago it updated a couple times as a side note as awesome as he lists we use that as well we're not going to run through all the top ten here so this is one resources you know - how she's a couple he's saying some samples later on
people used to talk about MITRE ATT&CK as a framework putting more of analogies especially it's like an inventory of tactics techniques and they do have some mitigation with the 79 techniques this is a fair amount of detail all the different things over the weeds you can attack won't escape with that's when the device level up yeah that's that muttered or we'll get you there
the US government actually has a couple different publications though the National Institute of Standards and Technology (NIST) a fun place to read things they have a couple things on mobile setting the security mobile applications it would be a resources Bakley who feel a certain party application that's at the station we need to take the same principles on the part of that
catalogue is exactly what it sounds like like the attack with
a couple years back I would she years ago now Department of Homeland Security put out a study on mobile device security pretty heavy read a while but they cover
this was kind of a quick one but us within anyway Center for Internet Security (CIS) has listed with these top 20 controls not mobile-specific of these lots of good principles in funny and implies it was the goals these before that's security the other work has that
all right this one workman's to list as well throw in UDK she's gonna have to be packed into it maybe a management read about something in a journal or they heard about something at a conference and that was on you to do list
I'm a tissue and other bunch of different variations of both but basically learning by the mistakes is what other companies do in your face
all right so you know you know your Ord we did identified a bunch of over risk advertise what was kind of a couple things so one thing there that's hard to everybody at some point is the Boston store so you have to question watch yourself here implies that statistic I've heard all the data that's stored on there is what
I remember we have to use the data stored about the operating systems but and user starts to readily think about I'm going to pop them with that that's stuff like Wi-Fi passwords word prediction list counts location history all that kind of that is a use of the device and all the stuff that you contact a put in there
Bumba list with chat after you use all the ones that are out there
if you only asked what could be the impact of all this it'll loss doesn't get much of a mention but it's worth putting on there yep device works offline for whatever reason
see the disclosure intensity everybody phone's going to be you but extras involved is going to be well they would be
all right so we definitely can't slow them advice would be one thing but offer once someone has control of advices yeah but nobody associated with that he plays that's used for - spatula authentication
servus no fancy but the person who has a device and all of it has it cell service conditions looks like there could be one no I mean person ate someone doing have to easy if you have their device that can send something from their account for that that's a monetary loss for the device itself and if you actually happen to get the device back address lost now where as possibility you know there's that happens with some period of time with the device wasn't Oh your call don't have a question about what happened during that time maybe that's where the device wasn't actual purpose of the attacker on yes ask the question who bears the impact sometimes it'll be the end user
so the department like this a couple questions to ask ahead of time what kind of places are these home by the organization and we have all these little devices or work with us and use a little bit forward on devices or past good requirement and grids how long is it some of the other ones before before yeah the first question can I remove white some of them operating system versions on the device isn't much to look at in a later example gentle about the question and recertification
when the loss actually happens is a couple other questions so as an organization that our first warning device I'll tell you would actually at that point but it's actually stored on to a specific device that was law guide your response to that my question is still there
all right second example going now where I look at what this looks like usually what's the third party app stores and say that's a scary place funky drafts they're also working at the officials for instance we're gonna show up there as well
you now abusive permission is another thing so there's apps out there that may not do what they should be doing with the questions that they have of these efforts in getting done here we for the Chad asset bubble over at other applications going over in the wraps use that function over the entire screen you log in each other after every fight kind of the same concept with you the resources so they can fight off your network suppose the loading adds our money for the its owner same thing is a cryptocurrency miner battery after exploits OS vulnerabilities look at that little bit later but iOS and Android make the top ten top 50 products it has
profiles are nothing to look at just for iOS but there's just so many legitimate purposes they have a phone of a profile
debatable with this last one ready after the for security or privacy practices they have the same impact is how are you though the pen isn't there I think the kind of stuff we're down how do you categorize that as far as the impacts on here so we've heard about ransomware it's a mobile as well but out buta loss we'd access the key logins and David Becker about Heinz access has a couple different when Bruce he counts fishing
other things we call surveillance where we following in that privacy ball category just be natural civilians where you are family microphone type stuff
under the monetary loss side same questions out there who bears the impacts mobile security program for your organization you have to worry about what comes back to you especially you we're out of time we're mostly the same except for that last one of the top session how am I going to check them out more infection obviously though you know could happen I mean that come in first step but effect it when it happens well it does happen through a similar Lister question
especially illness OS vulnerabilities so here's the third one here guessing what the rip does this is speaker themselves every read about things like executing arbitrary code with kernel well privileges it's just level privileges or awfully network traffic data pretty much puts this notebook
oh sure code whatever these after ten
look at the two OSes cereal iOS and Android couple years is plenty of
questions here to ask ahead of time who use this on any device I could have a lot more leeway and we're seeing the lightest offering
buffeted pieces
platforms that support have a good answer to
operation system versions are currently use if you're walking into a situation where you know
I'm going to find a life version I'll see this sp4 forward he's bigger than fish national database rusher around of these what
once you have that list how am I gonna enforcer again I could just be through policy
along with that or if you're talking about this device or even controls at the mobile application way
best example for prioritization is middle attack risk here everybody requested the state of disclosure and that privilege that works positioning the theater
in that position relations possibility my first pet and then do the house service but being that maybe less likely but they should be following so the
questions yes I'm here or what systems my mobile apps talk to have some networks my mobile device II biggies data its Wi-Fi
well ever did is transferred so and that'll tell you that you handle bubbles that be here company back to the food loss how all right so we go through that section um we jump all the way into this ecology opposes the friends you have here three suicide you have all the work with your tools offenders partly
whatever but though we have all the limitations
Fuzzy's makes the top of the list and definitely places
Oh how much time one that's all my different pulse is worth the mention here just because and every company's a little bit different every was a specific could be a group facility tight-knit and once the hall problems around the world where could be the place you oh he hasn't place right now are going to be part of the equation history associated
again if we go through the handling risk well a couple examples and I put this out on a continuum here all the way on the scary side this one we use HTTP acknowledge that's what we're using and you'd have all the risk a little bit better those using HTTPS and we go this completion a couple different please quietly things like Gucci sale and over with these with Heartbleed
it's to tell spooky scary side a little bit for the river to do things like sharing the risk
oh but it's do things a little bit for the river I finish there's always an option before you're buying good policy you can risk you they're getting a little bit more on the healthier side here like in the actual reform certificate or gonna believe it to get things
you transparency long-sought up in this context again it's partially of reactive control
especially
therefore gave some overlap okay so that's active and my share of the healthy side the heavier the work size we look at especially like this you can have to decide where's the way spot along the beach how much
everybody we've been transit at rest Haas here you just go all the way on the ferry side and say we're just gonna educate
nice encryption every modern mobile device with that ability please do that you're doing something but
some say that fibbing on farms I've insurance disappearance again that's just include there device encryption but enforcing a trunk ask again
cut across the bottom here is application level encryption people if there's a point that is being very good but depending how you doing so using the device right next to the dealer you he's from the users own password I will do it once - baby of - and assure you that's good
he sort of servers authentication the better and all the other side
you well that's your development practices other places with us will try and capture data for you to their life either
we're dealing
all right pretty secure codes another way so if you're building an application sorry about this so if you're getting enough patience party a little bit doesn't ask but you say about that as well dude the bottom third party and you have to poppy okay I probably got a third party so we don't have to worry about it level protection but probably the society bike there's conditions that you want into the contract that we were already got Stevie the application
there's much options of popular to come with anything bug bounty program doing things like appalling human code reviews and your social vulnerability penetration testing all sorts of stuff obviously the kind of partial mitigations or things to do we're looking at
distant oppression Wow
you so that's a good example there again but how much is different between everybody you can share a couple different things away that are common to everybody let's stuff together and help you file that stuff somebody example
stay on top of cybersecurity news is another one I usually let this refer to mobile years install gears how much changes as much as that pace that I want to use this slide we drove those updates nothing annually my capabilities is kind of on that puzzle as well so for policy changes
Catherine Sue's things like this these are the kind of more periodic what they happen after year things to watch their Kalevala building disclosures
at hospitals also watch it clean up all these reducing for my fire house but it's always flowing it
everybody here she kind of loses this in an earlier talk today but knowing who the smart people are will help you all right we rather you're gonna be an expert and everything bunch of the veins that are out there and then an overlap with mobile a little bit but you're also pretty distant literally NASA's managing
let me do this my people are to go to them input them selling a problem you
we ran through this was a quick thought I thought I would finally laid
yes great word I heard once the word fragmentation team up these before because looking at the OS versions that are out there kind of depends whether you had control of who advices nobody buys them wash them down with MDM and some users put a bunch of tiny speck on that
and if it's you talking about with employee situation the leeway in defining that's like this to buy a new surprise you're making an app for the whole market tail there you know it's persons one side
depends on my ship but Mitchell device are you gonna be up to date
that's what everything else you do in that program so hard is done five think about things perceptive you have us stuff device within bins and all those controls we've had there
yeah