Embed Size (px)
Citation preview
BECHTLE XXXXXXXXXXXXXX AG
Page 1, © March 2011
BECHTLE SUISSE ROMANDE
Perspectives 2011-2012 Gestion et sécurité des mobiles With a mixed Slides from Symantec & Bechtle (EN+FR)
Pascal Kotté
Senior Consultant
Altiris Certified Trainer
BECHTLE
Page 2, © March 2011
Symantec Xchange presentation – 2011-06-09 Mobile Management & Security
1. Mobile Evolution
2. Les Risques
3. Mobile Security
• SEP-M.Ed.
• NAC
• PGP
4. Mobile Management
5. Roadmap
Q&R
Page 3, © March 2011
Web URL (Videos, English)
BECHTLE SUISSE ROMANDE
Mobile Management
• http://www.symantec.com/tv/allvideos/details.jsp?vid=645438053001
• http://www.youtube.com/watch?v=34mh7Qxib7I
Blog: http://www.helloblog.fr/index.php/le-marche-des-applications-pour-smartphones-un-tres-gros-busine/
BECHTLE XXXXXXXXXXXXXX AG
Page 4, © March 2011
1. Le monde des Mobiles
Page 5, © March 2011
Quelques chiffres
Selon une étude publié en janvier dernier par le Gartner Group, le marché des
applications pour smartphones se porte plutôt bien !
Quelques chiffre$ :
• 5 milliards de revenu généré en 2010
• 15 milliards de revenu estimé pour 2011, soit 190% d’augmentation
• 8,2 milliards d’applications téléchargées en 2010
• 17,1 milliards d’applications le seront en 2011
Et près de 185 milliards de téléchargements depuis l’origine en 2008, à l’horizon 2014
Le tout pour un total de plus de 50 milliards de chiffre d’affaire en 2014 !
Source: Laurent Heslault (Symantec) http://www.helloblog.fr/
BECHTLE SUISSE ROMANDE
Page 6, © March 2011
Quid des “mobiles” ?
BECHTLE SUISSE ROMANDE
Janvier 2011
http://marketshare.hitslink.com
BECHTLE XXXXXXXXXXXXXX AG
Page 7, © March 2011
2. Les Risques
Page 8, © March 2011
Un peu d’histoire…
BECHTLE SUISSE ROMANDE
• Dans les années 80, Hackers = “héros”
o Joke
o Disruptives ou destructifs
o Pour le fun…
• Maintenant: Professionnels (cf Stuxnet)
o Money motivation
o High technical skills
o Underground activities on pirated PCs:
that is “Zombie”
o CYBERCRIMINALITE
Page 9, © March 2011
Les Botnet
BECHTLE SUISSE ROMANDE
Page 10, © March 2011
Les enjeus
BECHTLE SUISSE ROMANDE
(Janvier 2007, Conférence à Davos)
« Vinton Cerf, grand spécialiste du réseau, président de l'ICANN, et co-inventeur du protocole de communication Internet TCP/IP, estime que probablement ¼ des PCs connectés à Internet sont des Zombies, soit 100 à 150 Millions de PCs sur les 600 millions. »
« Hamadoun Toure, le secrétaire général de l'UIT (Union internationale des télécommunications), a déclaré que la guerre contre les zombies ne serait gagnée que si les gouvernements, les fabricants informatiques, et les usagers faisaient alliance. »
Page 11, © March 2011
Anatomie d’une attaque ciblée
BECHTLE SUISSE ROMANDE
Page 12, © March 2011
2010
cf. Symantec:
Internet Security
Threat Report,
Volume 16 (2010)
BECHTLE SUISSE ROMANDE
Page 13, © March 2011
2010
BECHTLE SUISSE ROMANDE
Page 14, © March 2011
Android.Walkinwat, une fausse version de Walk&Text.
vole les coordonnées du SmartPhone (nom, numéro, IMEI…) et après, envoie un message à tout le carnet d’adresse !
BECHTLE SUISSE ROMANDE
Finalement, il suggère à l’utilisateur berné de surveiller sa note de téléphone et
lui propose d’acheter la vraie application Walk&Text…
Source: http://www.helloblog.fr/index.php/le-maliciel-android-qui-balance-les-pirates-a-leur-amis/
Page 15, © March 2011
Laurent Heslault
les applications Android malveillantes ne se trouvent plus uniquement
• sur des «markets» parallèles, voir «underground»
• mais bien maintenant sur LE vrai « market android »
Ces applications auraient été téléchargées à plusieurs dizaine milliers d’exemplaires
durant les 4 jours de présence, avant d’être retirées par Google.
BECHTLE SUISSE ROMANDE
Source: http://www.helloblog.fr/index.php/attention-
applications-android-infectees-suite-et-pas-fin
spécialiste en sécurité de l’information @Symantec
Page 16, © March 2011
iPhone vs Android
Paul Kocher, president and chief scientist of semiconductor security firm Cryptography
Research Inc. in San Francisco, notes:
“With both Android and the iPhone, it’s just a
matter of time until you find a bug that lets you take
over the operating system and get root or super-
user privileges and do what you want.”
BECHTLE SUISSE ROMANDE
http://www.channelprosmb.com/article/24032/Android-and-iOS-Security-Turning-Security-Flaws-Into-Sales
http://www.ismashphone.com/2010/11/5-of-the-most-notable-ios-security-holes-weve-seen.html
BackBerry:
http://www.reuters.com/article/2009/06/03/us-blackberry-security-idUSTRE55269N20090603
WinPhone:
http://www.intomobile.com/2011/05/04/microsoft-issues-their-first-ever-windows-phone-security-update/
Mobile security and management capabilities compared
Capability Apple iOS
3.x, 4.x Google Android
2.x HP WebOS
1.x, 2.0 MSFT Windows
Mobile 6.x MSFT Windows
Phone 7 Nokia Symbian
2.x, 3.x [1] RIM BlackBerry
5.x, 6.x
On-device encryption Yes No No Yes No Yes [2] Yes
Over-the-air data encryption Yes Yes Yes Yes Yes Yes Yes
Complex passwords Yes No Yes Yes No Yes Yes
Enforce password policies Yes [3] EAS [4] (2.2 only) EAS EAS, 3PS EAS EAS, 3PS BES
Support VPNs Yes Yes Yes (2.0 only) No No Yes Yes
Disable camera Yes [3] No No EAS, 3PS No No BES
Restrict/block app stores Yes [3] No No EAS, 3PS No No BES
Restrict/block wireless LANs Yes [3] No No EAS, 3PS No No BES
Remote lockout Yes [3] EAS (2.2 only), 3PS (2.2 only)
EAS EAS, 3PS EAS No BES
Remote wipe Yes [3] EAS (2.2 only), 3PS (2.2 only)
EAS EAS, 3PS EAS EAS, 3PS BES
Selective wipe of business apps and data only
3PS (iOS4 only) No No No No No BES (BB OS6 only)
Enforce and manage policies EAS, 3PS
(iOS4 only) EAS (2.2 only) EAS EAS, 3PS EAS EAS, 3PS BES
EAS policies supported 14 9 (2.2 only) [5] 5 29 [6] 7 NA none [7]
Manage over the air EAS, 3PS
(iOS4 only) EAS (2.2 only),
3PS EAS EAS, 3PS EAS EAS, 3PS BES
Second-factor authentication (RSA SecurID)
No No No Yes [8] No No Yes [8]
Symantec Mobile Solutions 17
Notes: [1] Some Nokia E-series and N-series devices only;
[2] storage cards not encrypted; [3] via choice of Apple iPhone Configuration Utility (no over-the-air confirmation or auditing), EAS, and 3PS;
[4] require PIN only;
[5] some third-party email client applications support additional EAS policies within those applications only;
[6] Exchange Server Enterprise license required for support of all 29 EAS policies, lower-tier licenses support 15 EAS policies;
[7] BES supports more than 400 policies of its own; [8] some device models only.
Table credit: Infoworld, Mobile management: How iPhone, Android, Windows Phone 7, and the rest stack up
Key:
EAS = via Microsoft Exchange ActiveSync;
BES = via BlackBerry Enterprise Server 5.x;
3PS = via third-party server;
NA = information not available
Page 18, © March 2011
Autre risque important:
L’absence de “vraies” politiques de sécurité
BECHTLE SUISSE ROMANDE
«INSEE (FR): Enquête sur les technologies de l’information et de la communication et le commerce électronique 2010«
Page 19, © March 2011
Les moyens…
BECHTLE SUISSE ROMANDE
Qui peut disposer d’une paire
de spécialiste IT security à demeure ?
1. Intégrer les meilleures pratiques
• Etablir une “policy” de base
• Identifier les risques
et faiblesses essentielles
• Ne pas en oublier…
2. Partager les services d’un spécialiste, mais raisonnablement adapté à votre entreprise.
3. Mettre en place des outils de protection spécialisés prédéfinis…
Page 20, © March 2011
Les 4 piliers de la Sécurité par Symantec
BECHTLE SUISSE ROMANDE
Symantec Mobile Device Solutions Today
Threat Protection (SEP Mobile Ed)
Network Access Control (SNAC Mobile Ed)
Mobile Device Security
Information Protection (Mobile Security Suite)
Intelligent Software Management
(Mobile Management 7.0)
Remote Assistance
(Mobile Management 7.0)
Inventory (Mobile Management 7.0)
Mobile Device Management
Configuration Management
(Mobile Management 7.0)
Symantec Mobile Solutions 21
BECHTLE XXXXXXXXXXXXXX AG
Page 22, © March 2011
3. Mobile Security
Get visibility and control of devices, users and applications
Update devices and applications as needed without physical access
Symantec Mobile Solutions Overview
Enterprise Apps and Services
Device Management
Identity & Access
Symantec Mobile Solutions Products
Prevent unauthorized usage of devices and features
Prevent the device from becoming a vulnerability
Protect data from unauthorized access after device theft & loss
Prevent threat to the content on devices from malware
Content Security
Enterprise Security Investments (processes, products, policies and personnel)
Authentication and authorization for access to enterprise applications and resources
Allow access to right resources from right devices with right postures
Device Security
Leverage the existing security infrastructure
Allows scale and efficiency from day one
23 Symantec Mobile Solutions
Mobile Devices
Symantec’s Broad Mobile Strategy & Solutions
Email Anti-Malware/SPAM Symantec BrightMail Gateway
Data Loss Prevention Symantec Data Loss Prevention
Endpoint Virtualization Symantec Endpoint Virtualization
Email Encryption PGP Email Encryption
v
Next Gen Mobile Services Next Gen Network Protection
Email Anti-Malware/SPAM Symantec BrightMail Message Filter
Two-Factor Auth (VIP) VeriSign Identity Protection
Hosted PKI VeriSign Hosted PKI Service
Key Management PGP Universal Server
Mobile Management Symantec Mobile Management
Two-Factor Auth VeriSign Identity Protection
Device Certificates VeriSign Hosted PKI Service
Fraud Detection VeriSign Identity Protection Fraud Detection
Mobile Encryption PGP Mobile and Support Package for BlackBerry
Symantec Mobile Solutions 24
Cross Platform
Mobile Security SEP Mobile Edition / SNAC Mobile Edition
Web Security Symantec Web Gateway & Hosted Web
Security
MOBILE DEVICE ENTERPRISE / DATA CENTER
CARRIER / SERVICE PROVIDER
Page 25, © March 2011
SEP Mobile Edition – integration avec SMP
Supported Platforms for Mobile Device
• Windows Mobile 5.0 - Pocket PC
• Windows Mobile 5.0 - Smartphone
• Windows Mobile 6.0/6.1 - Professional
• Windows Mobile 6.0/6.1 - Standard
• Symbian 9.1-9.3 – Series 60 version 3.x
Antivirus File and Folder Exclusion List
The administrator can now define certain types of files that are known to be safe to not be
scanned. Increases performance of the product, Decreases the impact on system
resources.
Automatic LiveUpdate After Install
The product will automatically update the software and virus definitions after installation.
Increases security after installation, Ensures that the latest software updates are
immediately applied
BECHTLE SUISSE ROMANDE
Symantec Endpoint Protection Mobile Edition 6.0
Symantec Endpoint Protection Mobile Edition 6.0
Symantec Endpoint Protection Mobile Edition 6.0
Symantec Endpoint Protection Mobile Edition 6.0
Page 30, © March 2011
Symantec Network Access Control Mobile Edition
Platform support,
Mobile device Operating Systems
• Microsoft Windows Mobile 6..0/6.1 Standard
• Microsoft Windows Mobile 6.0/6.1 Prof.
• Microsoft Windows Mobile 5.0 Smartphone
• Microsoft Windows Mobile 5.0 Pocket PC
• Symbian OS 9.1 or later
• Symbian OS Series 60 v3.x
Key Features
Assessment of devices to ensure that required
technologies such as antivirus, firewall, and other
security components are installed, running, and
correctly configured before allowing access to the
network or corporate email.
On-device verification of installed software version
numbers.
Customizable server and client alerts upon host
integrity assessment results.
Seamless integration with Symantec Endpoint
Protection Mobile for Self-Enforcement
capabilities.
Centralized over-the-air enterprise management
with the Symantec Management Platform.
BECHTLE SUISSE ROMANDE
Mobile Management 7.0 SP3 Overview 31
Symantec Network Access Control Mobile Edition 6.0
Mobile Management 7.0 SP3 Overview 32
Symantec Network Access Control Mobile Edition 6.0
Mobile Management 7.0 SP3 Overview 33
Symantec Network Access Control Mobile Edition 6.0
Page 34, © March 2011
Encryption & Authentication
Mobile Encryption powered by PGP
PGP Mobile solves the mobile security problem with comprehensive email and data
encryption for Windows Mobile smartphones, enabling robust protection for the
information stored, in use, and shared with other users.
http://www.pgp.com/products/mobile/
Two-Factor Authentication powered by Verisign
Two-factor authentication combines something you know (such as a username and
password) with something you have (a credential such as a card, token, or mobile phone)
to verify an identity or to verify a transaction. VeriSign® Identity Protection (VIP)
Authentication Service provides the validation for "something you have" in an easy-to-
deploy cloud-based offering that balances cost, convenience, and risk.
https://www.verisign.com/authentication/two-factor-authentication/index.html
BECHTLE SUISSE ROMANDE
Symantec Solutions 35
Aperçu “Beta Norton @Android”
Page 36, © March 2011
Norton – le grand public Beta testeurs
Symantec Solutions
Page 37, © March 2011
Norton Mobile Security – Beta version (android)
BECHTLE SUISSE ROMANDE
Page 38, © March 2011
Protection Web, et blocage ciblés: SMS, Call
BECHTLE SUISSE ROMANDE
Page 39, © March 2011
Antivirus pour Mobile… Détection Malware
BECHTLE SUISSE ROMANDE
Page 40, © March 2011
Protection contre le vol, via SMS (+password)
BECHTLE SUISSE ROMANDE
BECHTLE XXXXXXXXXXXXXX AG
Page 41, © March 2011
4. Mobile Management
Mobile Management Apple Agent UI Examples
Symantec Mobile Solutions – Symantec Confidential 42
Registration iPad App
Symantec Mobile Management 7.0: Remote Assistance
43
Symantec Solutions 44
Screenshots
The required roadmap disclaimer
This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.
DISCLAIMER
Symantec Solutions 46
Mobile Management Apple Agent UI Examples
Symantec Solutions 47
Symantec Solutions 48
Symantec Solutions 49
Symantec Solutions 50
Symantec Solutions 51
Symantec Solutions 52
Symantec Solutions 53
Symantec Solutions 54
Symantec Solutions 55
CMDB Altiris intégration
Symantec Solutions 56
Policies pour mobiles, ciblées
Symantec Solutions 57
BECHTLE XXXXXXXXXXXXXX AG
Page 58, © March 2011
5. Roadmap
Page 59, © March 2011
The required roadmap disclaimer
This information is about pre-release software. Any
unreleased update to the product or other planned
modification is subject to ongoing evaluation by Symantec
and therefore subject to change. This information is
provided without warranty of any kind, express or
implied. Customers who purchase Symantec products
should make their purchase decision based upon features
that are currently available.
DISCLAIMER
Page 60, © March 2011
Les informations ci-dessous,
ne sont pas contractuelles…
1. IOS: Apparition des agents IOS, afin de supprimer la dépendance avec MS Exchange
ActiveSync:
• URL d’installation automatique de certificats (device)
• Inventaires plus détaillés, détection “Jailbroken devices”
• Configurations initiales: avec “Apple configuration utility”
• Déploiement d’applications “Enterprise”
2. Agent natif: Android
• Détection des “rooted device”
BECHTLE SUISSE ROMANDE
2012:
• Plus de sécurité: Anti-Malware
• Portail de logiciels Entreprises “Self-service”
• Gestion des consommations
Mo
bile
Man
age
me
nt
7.0
PGP Mobile
Symantec’s Feature List
Symantec’s Current capability Symantec’s Short-term roadmap
Symantec Mobile Solutions 61
SE
P M
ob
ile
VeriSign VIP
VeriSign PKI Service
SNAC Mobile
NG
NP
Mobile Mgmt 7.0
Content Security Password Controls Remote Wipe Encryption/Management
Device Mgmt Asset Inventory Configuration Mgmt & Feature Controls
App Management/Distrib. Remote Assistance
Device Security Anti-Virus w/ Live Update App Control SMS Anti-Spam Stateful Firewall
Identify & Access Soft tokens/OTP PKI for Mobile NAC Compliance Management
Next Gen Network Protection Communication Logging Policy based filtering
BECHTLE XXXXXXXXXXXXXX AG
Page 62, © March 2011
Thanks, Questions ?
[email protected] Senior Consultant
Altiris Certified Trainer
