Marc smeets KPMG - mobile security - act now to have comfort


description

Presentation mobile security around BYOD & Consumerization

Transcript of Marc smeets KPMG - mobile security - act now to have comfort

Page 1: Marc smeets KPMG - mobile security - act now to have comfort

Security around BYOD

& Consumerization

Act now to have comfort!

Heliview Consumerization of IT

December 11 2012

Feijenoord Stadion

Marc Smeets

Page 2

© 2012 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

Who am I

Marc Smeets:

■ Loves IT security

■ Loves fast cars

■ Loves champagne

IT security advisor / ethical hacker @ KPMG IT Advisory

■ Team of over 40 IT security advisors, 25 penetration testers

■ Combining strong technical skills with IT auditing skills

■ Hacking and testing mobile since 2009

Page 3

What are the challenges with current security of mobile devices?

What to do now in order to have comfort?

Page 4

The challenges

Page 5

Mobile security

New platforms and new terms

Bring Your Own Device

Select Your Own Device

Apps & AppStore

Cloud integration & online ID

New vendors on the market

Mobile Device Management

Page 6

Question: Are we more secure than before?

Page 7

Mobile Security

Are we becoming more secure?

Yes, new mobile platforms are more secure in several aspects

■ Disk encryption built-in

■ New core security features

■ Tied-down platforms with an eco-system

No, new platforms still fail at basic security

■ Size and complexity of the eco-system

■ Basic security checks ineffective

■ Remote wipe

■ Easy installation of Apps

■ Security update cycle

■ Apps Apps Apps | Insecure Insecure Insecure

Page 8

Challenge: remote wipe


Page 10

Challenge: encryption

iOS Disk encryption:

■ Technically it is hard disk encryption

■ But, it decrypts itself without user input

■ Main reason: fast wiping via crypto-shredding

Android Disk encryption:

■ Better implementation

■ But depending on version
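The slide's point about iOS (disk encryption that decrypts itself without user input, kept mainly for fast wiping by crypto-shredding) can be shown with a small model of a two-tier key hierarchy. This is an added example, not from the presentation: the cipher is a constructed HMAC-based toy, and the Device class, its passcode entangling and its crypto_shred method are assumptions used only to illustrate the design trade-off.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy authenticated stream cipher, constructed for this example (NOT for production):
# keystream = HMAC-SHA256(key, nonce || counter) XORed with the data, plus an HMAC tag.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range(0, n, 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered blob: no plaintext comes out
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Device:
    """Hypothetical device with two protection classes: a class key derived from the
    hardware key alone (readable without user input) and one entangled with the passcode."""
    def __init__(self, passcode: str):
        self.hw_key = secrets.token_bytes(32)  # models a key fused into the chip
        self.passcode = passcode
        self.files = {}

    def _class_key(self, user_locked: bool, passcode: str) -> bytes:
        secret = self.hw_key + (passcode.encode() if user_locked else b"")
        salt = b"user-class" if user_locked else b"device-class"
        return hashlib.pbkdf2_hmac("sha256", secret, salt, 1000)

    def store(self, name: str, data: bytes, user_locked: bool) -> None:
        # Per-file key, wrapped by the class key: the two-tier hierarchy
        file_key = secrets.token_bytes(32)
        wrapped = encrypt(self._class_key(user_locked, self.passcode), file_key)
        self.files[name] = (user_locked, wrapped, encrypt(file_key, data))

    def read(self, name: str, passcode: str = "") -> Optional[bytes]:
        user_locked, wrapped, blob = self.files[name]
        file_key = decrypt(self._class_key(user_locked, passcode), wrapped)
        return None if file_key is None else decrypt(file_key, blob)

    def crypto_shred(self) -> None:
        # Fast wipe: discard the root key instead of overwriting every byte of storage.
        # Every wrapped file key becomes unrecoverable at once.
        self.hw_key = secrets.token_bytes(32)
```

Data in the device-only class is readable by whoever holds the powered-on device, which is the weakness the slide describes; the passcode-entangled class is what actually protects data at rest, and crypto-shredding wipes both classes in constant time.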


Page 14

Challenge: the mobile eco-system

[Diagram: DEVICES connecting over WIFI / UMTS / GPRS and the INTERNET to CORPORATE EXCHANGE SERVICES and Mobile Device Management]

Page 15

Challenge: the mobile eco-system

[Diagram: DEVICES connecting via WIFI / UMTS / GPRS, WIFI / USB, USB and Bluetooth to INTERNET SERVICES, CORPORATE EXCHANGE SERVICES, Mobile Device Management, WEB and CLOUD SERVICES, LOCAL SERVICES on the CORPORATE / PRIVATE NETWORK, PERIPHERALS, and a legacy ActiveSync connection]

Page 16

Challenge: basic management of security checks

Two major security issues with Exchange ActiveSync:

1. Security checks are device-local security checks

2. Relies on communication over HTTP(S)


Page 18

Challenge: Apps Apps Apps | Insecure Insecure Insecure

Change in usage

■ Email & Contacts → External Apps → Line-of-Business Apps

Not all App developers are at the desired maturity level

Main issues we encounter when security testing Mobile Apps:

■ Insecure local storage of data

■ Data in transit not secured

■ Insecure server side controls

■ Weak identification and authentication

Page 19: Marc smeets KPMG - mobile security - act now to have comfort

What to do?

Page 20

What to do?

Quick and easy fixes for mobile:

■ Implement MDM with proper policy

■ Educate and train your users

■ Have your Apps tested on security issues

■ Be aware of residual risks

But, more important: be ready for cybercrime

■ “Online banking two-factor authentication compromised by a hybrid trojan (PC + mobile), 36M EUR stolen”

■ “3,325% increase in malware targeting the Android OS”

NCSC – Beveiligingsrichtlijnen voor mobiele apparaten (security guidelines for mobile devices):

■ “Vulnerabilities through which malware can be installed”

■ “An attacker steals money from the user by means of malware that, in the background, uses premium-rate SMS services or phone numbers.”

Page 21

Cybercrime

What is cybercrime?

Cybercrime concerns performing illegal activities towards an organization, using digital means.

The term cybercrime covers a proliferation of purposes and methods of attack.

Purpose of Attack: Fun; Financial gain; Activism; Espionage; Terrorism; Digital warfare

Method of Attack: Hacking; Phishing; Identity theft; Denial of Service; Advanced Persistent Threat

Breaking the chain

Shifting viewpoint in InfoSec

Traditional InfoSec: Value of info to organization (confidentiality, integrity, availability); Focus on crown jewels

New InfoSec: Value of info to attacker; Security awareness and understanding of risks is crucial

Attackers understand the risks of technology, so should you. Think like a hacker!

Page 22

Examples of a cybercrime attack

Non default attacks

Page 24

Cybercrime defence

What should you do on the short term?

■ Prevent (short term action): Perform risk analysis from the perspective of the attacker

■ Detect (short term action): Identify and monitor critical assets

■ Respond (short term action): Implement standby incident response organisation

Page 25

It is not about technology alone

People + Process + Technology!

Cybercrime defence

What should you do on the long term?

CYBERCRIME DEFENSE FRAMEWORK (columns: PREVENT, DETECT, RESPOND)

PEOPLE / ORGANISATION: Security awareness training; Appoint cybercrime defence as responsibility; Security operations centre 24/7; Crisis organisation; Communications

PROCESSES: Compliance monitoring; Vulnerability monitoring; Security testing; Patch management; Incident preparedness training; Procedures for follow-up on security events; Cybercrime response plan; High-value asset isolation procedures

TECHNOLOGY: Segmentation; Endpoint and perimeter protection; Logging and alarming; Incident dashboards; Forensic analysis

Page 26

Cybercrime defence

Main message

■ ‘Everything mobile’ changes your security posture.

■ The cybercrime threat is real and here to stay.

■ Take a look at your company from an attacker’s perspective.

■ Prevention is insufficient. Invest in detection and response.

■ 100% security is not possible. And undesirable!

Page 27

Marc Smeets

[email protected]

+31 6 51 36 66 80

@MRAMSMEETS