Mobile Application Security – Insights from a Penetration Tester

Overview:
Having been early adopters of latest-generation mobile technology in the security sphere, Securus Global has extensive experience in iPhone and Android platform security testing.

We’ve worked with many prominent Australian and international clients, helping them not only discover security issues in their critical mobile applications, but also fix those issues and adopt secure development standards and approaches.

If you have deployed, are developing, or looking at mobile applications for your enterprise and/or your clients, these sessions will provide you with a valuable insight from our perspective and experiences. We’ll take you through case studies of what has and can go wrong, current threats facing enterprise mobile applications and data, and share a few areas of our own research that will assist you in making your systems as secure as possible.
http://securusglobal.com/services/assessment-and-assurance-services/product-assurance-testing/

The events will also provide you with networking opportunities to discuss and share information with other colleagues in the industry.

Sydney:

Tuesday, 2nd October 2012
4.00 – 5.00pm

Securus Global Office
Level 17
31 Market Street

Melbourne:

Tuesday, 9th October 2012
4.00 – 5.00pm

Securus Global Office
Level 8
50 Queen Street

Presenter:
Norman Yue, Senior Security Consultant, Securus Global

RSVP:
Places are limited to a maximum of 20 people. Please confirm your attendance with Jacqui Henderson (02) 9283-0255 or Email: jacqui.henderson@securusglobal.com

Red cell testing takes on mobile security

When considering an organisation's digital security, it is commonplace for workers to take into account common features such as password strength and regular updates of antivirus software.

While these certainly help to form part of a strong security plan, these components do not constitute a complete suite of protection.

This is because malicious parties are constantly evolving the ways in which they seek out information that can be used in an attack.

As an example, the 2012 Threat Report by Websense Security Labs analysed over 200,000 smartphone apps and found that what it calls "a noticeable percentage" of them contained elements of malware and requested non-essential permissions.

The report states: "The popularity of mobile devices is creating a large target installed base and cybercrime is actively innovating to harvest information for profit."

On top of this, researchers found that 51 per cent of mobile users turn off password permissions and security protections on their devices – making a lost or stolen phone a valuable commodity for malicious parties.

This is just one of the avenues that red cell testing teams could use when helping to examine possible exploitation routes – making use of the same methodologies and processes as real-world hackers and data thieves, but without the danger of losing control of proprietary information.

PCI DSS neglect can damage a business’ reputation

The payment card industry data security standard (PCI DSS) is a set of requirements developed and maintained by an industry council made up of some of the biggest names in the game.

Compliance with these measures is important for businesses and clients – not to mention financial providers – as it protects their reputation and helps to enhance the purchasing experience.

However, a recent interview published by ZDNet on April 24 with a leading expert on PCI DSS asserted that many firms had neglected their security obligations.

According to senior security consultant Steven Surdich, companies sometimes engaged in so-called 'patching' behaviour before a yearly audit rather than ensuring their system was adequately protected at all times.

The PCI expert stated that this kind of activity was obvious to the external qualified security assessors who are charged with ensuring that a company's defences are in line with the industry standard.

Mr Surdich explained: "The environment that was certified as PCI compliant – that needs to be protected from unauthorised changes.

"You want to make sure that you understand the environment, and that you're actually part of the change process in some capacity."

Regular reviews of the payment card environment by a qualified security assessor can be helpful in this process, as the assessor can explain the requirements in terms that relate directly to the business.

Small Vulnerabilities, Big Business Risk – ZDNET Article

At our February Breakfast Brief in Sydney and Melbourne, two of our Penetration Testers and Researchers presented to a select crowd on the importance of not overlooking the small vulnerabilities. When undertaking Vulnerability Assessments and Penetration Tests, these small, seemingly inconsequential vulnerabilities are often downgraded or accepted, and left to be exploited by attackers who are highly adept at finding, collecting and holding onto such vulnerabilities for future use, then chaining them together to compromise an organisation.

Here is an excerpt from ZDNET's article on the presentation.

At Securus Global’s February security briefing, a pair of security researchers demonstrated how businesses accepting small security risks may be leaving the door open to hackers who have realised that chaining small vulnerabilities together represents an easy way to destroy companies.

The researchers stated that organisations tended to look at each vulnerability separately from the others, when the real issue was how these could be used in conjunction with each other to become far more dangerous. They then went on to demonstrate how a number of organisations they had previously worked with had fallen into the trap of considering threats to their business in isolation.

To read more: http://www.zdnet.com.au/are-small-vulnerabilities-the-real-enemy-339332377.htm

Securus Global’s Consulting Services

Due diligence for disaster recovery

Knowing how to react to a data emergency is crucial if a business is to recover from a digital threat – as inactivity or undirected progress can be just as damaging as the initial attack.

This has become increasingly important in recent times due to the noted growth in complexity of many internal systems – not to mention the growth in use of third-party digital services and products.

Part of the problem is that it can be difficult for those inside a business to envisage just how a data disaster could occur – let alone the best methods for containing the threats it could pose.

To really get to grips with these issues, a fresh perspective can provide an insight into the areas of a firm's frameworks where weaknesses lie dormant.

In turn, this kind of thorough reporting can allow for more comprehensive planning actions to be undertaken – not just preventative measures.

This kind of due diligence can result in a powerful disaster recovery framework that takes into account all areas of a firm's operation – not just those that pose an obvious threat.

Security Due Diligence Assessments

Handling familiarity threats with red cell testing

A common term among accounting firms and service organisations, the phrase 'familiarity threat' stems from a close association between two or more individuals that clouds their professional and ethical responsibilities.

In some cases this can influence decision making activities and reporting duties in ways that the people concerned are unaware of at the time – such as taking an easy stance on questionable behaviour or not being as rigorous with a review as standing policies often require.

This term can easily be extended to cover information security, where professionals who have long associations, or who are fairly familiar with each other's habits, overlook potential breaches or fail to include concerning elements in their findings.

This is where the value of red cell testing comes into play – bringing an ethical yet anonymous third-party group to the scene with the aim of accessing dummy data.

A team can be instructed to target only certain avenues of access, or given free rein over their method of penetration – such as phishing campaigns, pretext phone calls and other social engineering attempts – in order to find gaps in a company's defences.

In turn this provides the company with a comprehensive report into where potential threats may lie that is free of familiarity or personal bias.