This workshop will introduce mobile device security, discuss its risks for your organisation and provide you with possible solutions.
After discussing threats, vulnerabilities and risks of mobile device integration, the iOS and Android device specific features and vulnerabilities will be presented along with several attack scenarios, forensic methodologies and real life case studies. Although this workshop focuses on iOS and Android, you will also get an overview of the other “mobile players” along with their associated vulnerabilities and weaknesses.
For secure enterprise integration useful mitigating controls will be shown with practical examples on how to implement them. We will demonstrate mobile device management solutions along with other possible integration strategies like container solutions or hosted management solutions. Also not only technical controls will be discussed but also e.g. how to cover mobile devices within your organisations IT security policy.
During the workshop we will discuss different deployment scenarios and also talk about things like BYOD (Bring you own device).
This willl be a practical workshop where you can test the various things in small hands-on sessions. We will provide you with some devices. Your own devices are welcome, too.
Mobile Security Agenda
- Short introduction:
- What are mobile devices?
- What is special about them?
- Differences between “the new and old players”.
- What makes them the frontend of the future.
Short smartphone operating system overview:
- iPhone OS: architecture, (security-) features & attributes
- Google Android
- Other players
Corporate challenges:
- What (not) to do with mobile devices
- Achieving the security goals
- Network integration
- Mobile device management.
- Bring your own device
- Private use of corporate devices
- War stories from the wild
Mobile device information security management:
- Standards & approach
- Threats & vulnerabilities (with practical demos)
- ERNW Rapid Risk Assessment
- Required security controls
Security controls for a secure integration:
- Control categories
- Structured approach to select controls
- User restrictions & access policy
- Mobile device management
- Policies & guidelines
- Available technical controls
Mobile device management:
- Requirements
- iOS management
- Configuration profiles
- iTunes in business
- Apple configuration utility
- Over the air provisioning
- Android management
- Microsoft Exchange Active Sync
- Third party management solutions
Data management:
- Local data storage
- Container solutions
- Using (web-) apps to access centrally stored data
- Synchronization (Traveler, EAS)
- Cloud services
- Trust & control
- Apples iCloud & Googles cloud services
- More cloud
- Integration of iOS devices
- Integration of Android devices
Remote access: risks & controls
App approvement:
- Technical assessment
- Assessment metric
Operations:
- Important processes for secure operation
- Implementation hints
- Mobile device security concept
Mobile Device Security Policy:
- Policy basics
- Acceptable use policy
- The “10 golden rules”
Rene Graf leads the “Mobile Security” team at ERNW and has performed a number of BYOD projects including pentests of container solutions and forensic analyses of devices used by CxOs.