Mobile Security
Policies, Standards, Frameworks,
Guidelines
Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP 800-124 Rev. 1)
©A. Marcella Ph.D., CISA, CISM
APPLE iOS 6 TECHNOLOGY OVERVIEW Version 1, Release 0.1, 31 October 2012 Developed by DISA for the DoD
http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html
MOBILE DEVICE MANAGEMENT (MDM) SECURITY REQUIREMENTS GUIDE (SRG) OVERVIEW, Version 1, Release 0.2, 26 October 2012, Developed by DISA for the DoD
OpenID is just one type of Federated Identity system.
OpenID is focused more on the consumer market, whereas FID-proper is focused on the enterprise.
OpenID offers the ability for users to log into one website (Facebook, for example) using credentials from another website, such as Google (who is now an OpenID identity provider).
OAuth
OAuth’s main goal is to eliminate the need to give website A your username and password for website B, and determines what website B can get from website A once it’s been allowed access.
OpenID is about authentication; OAuth is about authorization.
Security Assertion Markup Language (SAML) The SAML standard defines a framework for exchanging security information between online business partners.
Identity Provider (IdP)
The system, or administrative domain, that asserts information about a subject.
For instance, the Identity Provider asserts that this user has been authenticated and has given associated attributes.
Service Provider (SP)
The system, or administrative domain, that relies on information supplied to it by the Identity Provider.
It is up to the Service Provider as to whether it trusts the assertions provided to it.
Security Assertion Markup Language (SAML)
SAML defines a number of mechanisms that enable the Service Provider to trust the assertions provided to it.
1. How does the relying party trust what is being asserted to it?
2. What prevents a “man-in-the-middle” attack that grabs assertions to be illicitly “replayed” at a later date?
The primary mechanism to mitigate or detect such attacks is for the relying party and asserting party to have a pre-existing trust relationship, typically involving a Public Key Infrastructure (PKI).
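As an added illustration (not from the original slides) of the relying-party checks just described, this Python models a Service Provider validating an assertion from a trusted Identity Provider and rejecting a replayed copy. Assumptions: a flat dict stands in for the SAML XML, epoch seconds stand in for ISO 8601 timestamps, and an HMAC with a key shared under the pre-existing trust relationship stands in for the IdP's PKI (XML-DSig) signature so the example runs on the standard library alone.

```python
import hmac
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a SAML <Assertion>: the fields a relying party checks.
SIGNED_FIELDS = ("ID", "Issuer", "Subject", "Audience", "NotBefore", "NotOnOrAfter")

def canonical(assertion: Dict[str, str]) -> bytes:
    """Fixed field order so signer and verifier hash exactly the same bytes."""
    return "|".join(f"{k}={assertion[k]}" for k in SIGNED_FIELDS).encode()

def idp_sign(assertion: Dict[str, str], key: bytes) -> str:
    """Assumption: HMAC-SHA256 with a pre-shared key stands in for the IdP's PKI signature."""
    return hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()

class RelyingParty:
    def __init__(self, entity_id: str, trusted_idps: Dict[str, bytes], skew: float = 60.0):
        self.entity_id = entity_id        # the Audience this SP accepts
        self.trusted_idps = trusted_idps  # Issuer -> verification key (the trust store)
        self.skew = skew                  # tolerated clock drift, seconds
        self.seen: Dict[str, float] = {}  # assertion ID -> NotOnOrAfter, for replay detection

    def validate(self, assertion: Dict[str, str], signature: str, now: float) -> Tuple[bool, str]:
        key = self.trusted_idps.get(assertion.get("Issuer", ""))
        if key is None:
            return False, "untrusted issuer"
        # Verify origin and integrity before trusting any other field.
        if not hmac.compare_digest(idp_sign(assertion, key), signature):
            return False, "bad signature"
        if assertion["Audience"] != self.entity_id:
            return False, "wrong audience"
        not_before, not_after = float(assertion["NotBefore"]), float(assertion["NotOnOrAfter"])
        if now + self.skew < not_before:
            return False, "not yet valid"
        if now - self.skew >= not_after:
            return False, "expired"
        # Replay check: each assertion ID is accepted once within its validity window.
        self.seen = {i: t for i, t in self.seen.items() if t + self.skew > now}
        if assertion["ID"] in self.seen:
            return False, "replayed assertion"
        self.seen[assertion["ID"]] = not_after
        return True, "accepted"

# Constructed sample exchange between an IdP and this SP.
IDP_KEY = b"constructed-shared-key"
SP = RelyingParty("https://sp.example/saml", {"https://idp.example": IDP_KEY})
ASSERTION = {"ID": "_a1", "Issuer": "https://idp.example", "Subject": "alice",
             "Audience": "https://sp.example/saml", "NotBefore": "1000", "NotOnOrAfter": "1300"}
SIGNATURE = idp_sign(ASSERTION, IDP_KEY)

if __name__ == "__main__":
    print(SP.validate(ASSERTION, SIGNATURE, now=1100))  # first use: accepted
    print(SP.validate(ASSERTION, SIGNATURE, now=1150))  # same assertion again: replayed
```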
Mobile Device Security Standards
• Required to cover each type of device:
– Laptop
– Windows Mobile
– Blackberry Client
– iPhone; iPad (iOS 5/6)
• Required to cover each type of technology:
– Wireless LAN
– Bluetooth
Mobile Security Standard
• ISO 17799:2005 Example
• Section 11.7 covers Mobile Computing and Teleworking
– 11.7.1 ‘A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities’
– 11.7.2 ‘A policy, operational plans and procedures
ISO/IEC 29176:2011
Information technology -- Mobile item identification and management -- Consumer privacy-protection protocol for Mobile RFID services
ISO/IEC 18028-5:2006
Information technology -- Security techniques -- IT network security -- Part 5: Securing communications across networks using virtual private networks
ISO/IEC 27002:2005
Information technology -- Security techniques -- Code of practice for information security management
ISO/IEC 27001 & 27002
• Security Policy
• Organizational Security Infrastructure
• Asset Classification and Control
• Human Resource Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Incident Management
• Systems Development and Maintenance
• Business Continuity Management
OWASP Mobile Security Project
www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
This list was initially released on September 23, 2011.
A call for volunteers was issued in July 2012 for an annual refresh of the Top 10 Mobile Risks.
OWASP Top 10 Mobile Controls
1. Identify and protect sensitive data on the mobile device
2. Handle password credentials securely on the device
3. Ensure sensitive data is protected in transit
4. Implement user authentication/authorization and session management correctly
OWASP Top 10 Mobile Controls
6. Perform data integration with third party services/applications securely
7. Pay specific attention to the collection and storage of consent for the collection and use of the user’s data
8. Implement controls to prevent unauthorised access to paid-for resources (wallet, SMS, phone calls, etc.)
9. Ensure secure distribution/provisioning of mobile applications
10. Carefully check any runtime interpretation of code for errors
OWASP – Mobile Controls
I. Establish coding practices for mobile coding
II. Enforce higher security posture on the device for sensitive apps used in an enterprise context
III. Protect your application from other malicious applications on the device
The user's authentication and authorization experience should be consistent across both web and native mobile applications. Users will become confused when they're expected to use different credentials and/or a different “login ceremony” for mobile application models, especially if accessing the same application.
Phishing is becoming a major problem for cloud services and is not diminished when using mobile applications. The user should be given the chance to recognize and trust the authentication service.
What happens when an employee loses their phone?
If passwords are left cached on the phone, an organization's data is put at risk.
The use of OAuth in combination with SSO allows for seamless access without the risk of caching passwords.