Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Application Security...
Sponsored by IBM and Arxan Technologies
Dr. Larry Ponemon, Ponemon Institute
Neil K. Jones, IBM Security
Mandeep Khera, Arxan Technologies
2017 Study on Mobile and Internet of Things Application Security
Agenda
• Overview of the “2017 State of Mobile and IoT Application Security” study
• Key findings
• Risk of mobile and IoT applications
• Are organizations mobilized to reduce security risk?
• Current security practices in place
• Survey methodology
• Q&A session
Presenters
Neil K. Jones, Application Security Market Segment Manager, IBM Security
Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute
Mandeep Khera, Chief Marketing Officer, Arxan Technologies
Purpose of the study
The purpose of this research is to understand how companies are reducing the risk of mobile and Internet of Things (IoT) apps in the workplace. The risks created by mobile apps have been well researched and documented. This study reveals how unprepared companies are for the risks created by vulnerabilities in IoT apps.
January 18, 2017 Ponemon Institute Presentation Private and Confidential 4
Sample response                 Frequency   Percentage
Sampling frame                     16,450       100.0%
Total returns                         651         4.0%
Rejected or screened surveys           58         0.4%
Final sample                          593         3.6%
A summary of key findings in this research
• Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace.
• Organizations have no confidence, or are not confident, that they know all the mobile and IoT apps in the workplace.
• The use of mobile and IoT apps is a threat to a strong security posture.
• Mobile and IoT risks exist because end-user convenience is considered more important than security.
• The functions most responsible for mobile and IoT security reside outside the security function.
• Hacking incidents and regulations drive growth in budgets.
• Despite the risk, there is a lack of urgency to address mobile and IoT security threats.
• Malware is believed to pose a greater threat to mobile apps than to IoT apps.
The risk of mobile and IoT apps
How difficult is it to secure mobile and IoT apps? (1 = easy to 10 = very difficult; 7+ responses reported)
[Chart: Level of difficulty in securing IoT apps: 84%. Level of difficulty in securing mobile apps: 69%.]
How concerned is your organization about getting hacked through a mobile or an IoT app? (Very concerned and Concerned responses combined)
[Chart: Hacked through an IoT app: 58%. Hacked through a mobile app: 53%.]
How concerned is your organization about the threat of malware to mobile and IoT apps? (1 = no concern to 10 = very concerned; 7+ responses reported)
[Chart: Threat of malware to mobile apps: 84%. Threat of malware to IoT apps: 66%.]
How significantly does employees’ use of mobile and IoT apps affect your organization’s security risk posture? (Very significant and Significant increase responses combined)
[Chart: Use of mobile apps: 79%. Use of IoT apps: 75%.]
How confident are you that your organization knows all of the mobile and IoT apps in the workplace? (Not confident and No confidence responses combined)
[Chart: two bars reading 75% and 63%; the transcript does not preserve which bar is mobile apps and which is IoT apps.]
How important is end-user convenience when building and/or deploying mobile and IoT apps? (1 = not important to 10 = very important; 7+ responses reported)
[Chart: two bars reading 68% and 62%; the transcript does not preserve which bar is mobile apps and which is IoT apps.]
Who is primarily responsible for the security of mobile and IoT apps?
[Chart: grouped horizontal bars; legend “Responsible for the security of mobile apps” and “Responsible for the security of IoT apps”. Response options as listed: No one person is responsible; Head, quality assurance; User of mobile apps; Head, application development; CISO/CSO; Lines of business (LOB); CIO/CTO. Values as extracted, in two runs of seven following that option order: 11%, 2%, 16%, 31%, 5%, 21%, 14% and 11%, 3%, 8%, 11%, 15%, 20%, 32%. The transcript does not preserve which run belongs to which legend entry.]
Would any of the following factors influence your organization to increase the budget? (Two responses permitted)
[Chart: A serious hacking incident affecting your organization 54%; New regulations 46%; Media coverage of a serious hacking incident affecting another company 25%; Concern over relationship with business partners and other third parties 23%; Concern over potential loss of revenues due to a security incident 15%; Government incentives such as tax credits 12%; Concern over potential loss of customers due to a security incident 10%; None of the above 15%.]
Are organizations mobilized to reduce the risk?
How concerned are you about the use of insecure mobile and IoT apps in the workplace? (1 = not concerned to 10 = very concerned; 7+ responses reported)
[Chart: Insecure IoT apps: 70%. Insecure mobile applications: 64%.]
Please rate your organization’s urgency in securing mobile and IoT apps. (1 = low urgency to 10 = high urgency; 7+ responses reported)
[Chart: Urgency in securing IoT apps: 42%. Urgency in securing mobile apps: 32%.]
Has your organization experienced a data breach or cyber attack because of an insecure mobile or IoT app?
[Chart: grouped bars; legend “Data breach or cyber attack caused by an insecure mobile app” and “Data breach or cyber attack caused by an insecure IoT app”. Response options as listed: Yes, known with certainty; Yes, most likely; Yes, likely; No, not likely. Values as extracted, in two runs of four following that option order: 11%, 15%, 34%, 40% and 4%, 11%, 31%, 54%. The transcript does not preserve which run belongs to which legend entry.]
Current security practices in place
How often does your organization test mobile and IoT apps?
[Chart: grouped horizontal bars; legend “Mobile apps” and “IoT apps”. Response options as listed: We do not test; Testing is not pre-scheduled; Every time the code changes; Unsure; Annually; Monthly. Values as extracted, in two runs of six following that option order: 48%, 26%, 14%, 7%, 5%, 0% and 26%, 35%, 18%, 8%, 10%, 3%. The transcript does not preserve which run belongs to which legend entry.]
Where are mobile and IoT apps tested?
[Chart: grouped bars; legend “Mobile apps” and “IoT apps”. Response options as listed: Primarily in production; Primarily in development; Both in production and development. Values as extracted, in two runs of three following that option order: 39%, 32%, 29% and 58%, 26%, 16%. The transcript does not preserve which run belongs to which legend entry.]
Top five means of securing mobile and IoT apps (More than one response permitted)
[Chart: grouped horizontal bars; legend “Primary means of securing mobile apps” and “Primary means of securing IoT apps”. Response options as listed: Security testing throughout the SDLC; Dynamic application security testing; Static application security testing; Educate developers on safe coding; Penetration testing. Values as extracted, in two runs of five following that option order: 15%, 26%, 26%, 30%, 39% and 30%, 51%, 53%, 55%, 57%. The transcript does not preserve which run belongs to which legend entry.]
The most difficult OWASP mobile app security risks to mitigate (Very difficult and Difficult responses combined)
[Chart: Broken Cryptography 70%; Unintended Data Leakage 65%; Weak Server Side Controls 62%; Client Side Injection 60%; Poor Authorization and Authentication 50%; Insufficient Transport Layer Protection 47%; Insecure Data Storage 43%; Security Decisions Via Untrusted Inputs 41%; Improper Session Handling 38%; Lack of Binary Protection 35%.]
The main reasons why mobile and IoT apps contain vulnerable code (More than one response permitted)
[Chart: grouped horizontal bars; legend “Reason why IoT apps contain vulnerable code” and “Reason why mobile apps contain vulnerable code”. Response options as listed: Other; Application development tools have inherent bugs; Lack of understanding/training on secure coding practices; Incorrect permissions; Lack of quality assurance and testing procedures; Malicious coding errors; Lack of internal policies or rules that clarify security requirements; Accidental coding errors; Rush to release pressures on application development team. Values as extracted, in two runs of nine following that option order: 4%, 21%, 33%, 36%, 40%, 48%, 51%, 65%, 69% and 3%, 18%, 30%, 36%, 55%, 44%, 49%, 65%, 75%. The transcript does not preserve which run belongs to which legend entry.]
Methods
Current position level within the organization
[Chart: Senior Executive 2%; Vice President 3%; Director 16%; Manager 22%; Supervisor 15%; Technician/Staff 40%; Contractor 2%.]
The primary person reported to within the organization
[Chart: Chief Information Officer 54%; Chief Information Security Officer 18%; Chief Technology Officer 9%; Chief Risk Officer 6%; Chief Security Officer 4%; Chief Operating Officer 2%; Compliance Officer 2%; Data center management 2%; Other 3%.]
Primary industry classification
[Chart: Financial services 18%; Health & pharmaceuticals 11%; Public sector 10%; Services 10%; Industrial & manufacturing 9%; Retail 9%; Technology & software 8%; Consumer products 5%; Energy & utilities 5%; Entertainment & media 3%; Hospitality 3%; Communications 2%; Education & research 2%; Transportation 2%; Other 3%.]
Worldwide headcount of the organization
[Chart: Less than 100: 8%; 100 to 500: 13%; 501 to 1,000: 21%; 1,001 to 5,000: 25%; 5,001 to 25,000: 17%; 25,001 to 75,000: 9%; More than 75,000: 7%.]
Arxan and IBM End-to-End Mobile and IoT Security Solution
Enterprise Applications and Cloud Services
Identity, Fraud, and Data Protection
• Device Security: provision, manage and secure corporate and BYOD devices (IBM MobileFirst Protect (MaaS360))
• Content Security: secure enterprise content sharing and segregate enterprise and personal data
• Application Security: develop secure, vulnerability-free, hardened and risk-aware applications (IBM Security AppScan, Arxan Application Protection, IBM Trusteer Mobile SDK)
• Identity & Access: secure access and transactions for customers, partners and employees (IBM Security Access Manager for Mobile, IBM Trusteer Pinpoint)
• Security Intelligence: a unified architecture for integrating mobile security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management (IBM QRadar Security Intelligence Platform)
[Diagram: the five areas above arranged around DATA, spanning Personal and Consumer to Enterprise]
© Copyright IBM Corporation 2016. All rights reserved.
Resources to learn more
• Link to study: 2017 State of Mobile & IoT Application Security
• Related blog: Is IoT Security a Ticking Time Bomb?
• Learn more about the IBM Security & Arxan Technologies partnership
Q&A
Ponemon Institute
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N., Traverse City, MI 49686 USA
Neil K. [email protected]
Mandeep [email protected]
Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are involved in the security of mobile and IoT applications in their organizations. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.