Monday, February 14, 2011

Enterprise Mobile Security

Industry analysts and security experts believe that as smartphone adoption increases within the enterprise, attacks and malware will also increase. Smartphones may become conduits to breaches of corporate data. Malware and viruses will masquerade as apps and may compromise both personal and corporate data. 2010 saw a huge rise in such instances of targeted malware.

2011 is really a year to watch for mobile attacks. With WikiLeaks and Stuxnet, fear is looming in everyone’s mind about what the next attack will be and how it will happen. Let us try to imagine and understand the surface of potential risks. We will focus on risks related to large businesses and enterprises.

I) Data breach as a result of lost/stolen device
A lost device means potential loss or theft of sensitive information, and it can also enable unauthorized users to gain access to ENTERPRISE networks. Remember the hapless Apple engineer losing the iPhone 4 prototype in a bar? In case you are rolling your eyes, please remember that over a six-month period, 3,000 laptops were lost in London cabs. Compare that to 55,000 phones lost during the same period!

Also, when an individual loses a device it is a personal loss. When enterprise devices are lost it is a much bigger affair. Some experts put the total cost of a lost laptop at around $49,000. This cost reflects the enterprise-wide effort (corporate, legal, purchasing, admin, etc.) required to deal with a lost laptop.

A more sophisticated approach is to use a “remote-locate-and-lock” service, which remotely locates the phone using its built-in GPS and locks out the lost phone. An even more stringent “remote-wipe” policy can be enforced to remove all sensitive data from a misplaced phone. Several vendor software options are emerging: for iOS there is “Find My Phone”, for Android there is Lookout.

Additionally, it is important that key content be encrypted using a proper standard such as AES-128 or AES-192, and stored in such a fashion that even the loss of the device does not compromise that information.
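As an added illustration (not code from the original post or from any vendor named above), here is what "encrypted so that device loss does not compromise it" looks like in practice: records are sealed with AES-128 in GCM mode, and the example goes one step beyond the text by showing that a remote-wipe only needs to destroy the key to make every sealed record unreadable, even to someone who later dumps the phone's flash storage. The key-handling assumptions are spelled out in the comments: on a real phone the key would live in the platform keystore, and the sample record is constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// AES-128 uses a 16-byte key (AES-192, also mentioned in the post, would use 24 bytes).
const keyLen = 16

// ErrUnreadable is returned when a record fails authentication, which is what
// a wrong key, a wiped key, or a tampered ciphertext all look like under GCM.
var ErrUnreadable = errors.New("record cannot be decrypted: wrong or wiped key")

// NewDeviceKey generates a random 128-bit key. Assumption: on a real device
// this key is held in the platform keystore, never in plain app storage.
func NewDeviceKey() ([]byte, error) {
	k := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// Seal encrypts plaintext with AES-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce per record is required; reusing one under GCM is fatal.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a record produced by Seal. Because GCM authenticates the
// data, a wrong key or a modified ciphertext is detected instead of
// silently producing garbage.
func Open(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, ErrUnreadable
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, ErrUnreadable
	}
	return pt, nil
}

// Wipe zeroes the key in place. Once the only copy of the key is gone, every
// record sealed under it is unrecoverable ("crypto-erase"). A remote-wipe
// built this way is effective even if the storage itself is never erased.
func Wipe(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	key, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for enterprise data on the phone.
	rec, err := Seal(key, []byte("customer list: ACME Corp, 555-0100"))
	if err != nil {
		panic(err)
	}
	pt, _ := Open(key, rec)
	fmt.Printf("decrypted: %s\n", pt)
	Wipe(key)
	_, err = Open(key, rec)
	fmt.Println("after wipe:", err)
}
```

The design choice worth noting is the authenticated mode: with plain CBC or CTR a wrong key would return plausible-looking bytes, whereas GCM lets the device (and the enterprise) distinguish "wiped" from "corrupted" from "decrypted" with certainty.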

II) Malicious code attack coming from masquerading applications
This usually happens after downloading an application which, in spite of masquerading as an innocuous app, actually engages in nefarious activities (keyboard logging, secretly transmitting private information, etc.). In July 2010, the ‘Carrot App’ for Android was disguised as a calculator application. The malicious application was programmed to email the attacker transcripts of all text messages, both sent and received, from the infected device.

Due to Apple’s stringent application review and publication process, these problems are less common on iOS, but they are still an area of concern. Android, with its open publishing policy, can be more prone to such attacks. Please refer to the recent in-depth App Genome study.

III) Mobile device OS, Applications or protocol vulnerability
Software vulnerabilities at this level are hard to fend off and can only be mitigated by constant study of, and vigilance against, security threats. Ensure that the latest versions and patches of the OS and development environments (Apple Xcode or Android SDK) are applied carefully, and that security patches are taken seriously. Remember, the chain is only as strong as its weakest link!

IV) Weak or non-existent mobile device authentication
This is a double-edged sword. A very hard pass-code is easy to forget and hence hurts usability. On the other hand, something straightforward like “1234” or “admin” is easy to guess and easy to crack. The long-range solution is some form of biometric or fingerprint-based authentication. However, until these are refined we should use TWO-FACTOR AUTHENTICATION (a combination of something you know, e.g. a pass-code, and something you have, e.g. a CAC reader). In many cases a simpler variant of the CAC reader can be adopted, e.g. a token code distributed via SMS. Such two-factor authentication schemes have been proposed by large organizations such as Google and Microsoft. These options provide additional protection against phishing and malware attacks, as the one-time token codes are valid only for a limited duration and are deactivated automatically, thus preventing access to sensitive information.
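The server side of the SMS token scheme described above, as an added example that is not code from the original post or from Google or Microsoft: a code is issued once, kept only as a hash, accepted only before its expiry, only once, and only within a small number of wrong guesses, after which it is deactivated. The pass-code ("something you know") is the first factor and is checked elsewhere; SMS delivery is outside the example; `TokenStore`, `Issue`, `Verify`, the 5-minute lifetime and the 3-attempt limit are all assumptions chosen for the demo, and the injectable clock exists so the expiry path can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

var (
	ErrNoCode   = errors.New("no active code for user")
	ErrExpired  = errors.New("code expired")
	ErrMismatch = errors.New("code mismatch")
	ErrLocked   = errors.New("too many attempts; code deactivated")
)

// pending is the server-side record of one outstanding code.
type pending struct {
	hash     [32]byte  // SHA-256 of the code; the plaintext is never stored
	expires  time.Time // hard deadline after which the code is dead
	attempts int       // wrong guesses so far
}

// TokenStore issues and verifies one-time, time-limited codes per user.
type TokenStore struct {
	mu       sync.Mutex
	codes    map[string]*pending
	ttl      time.Duration
	maxTries int
	now      func() time.Time // injectable clock (assumption for testability)
}

func NewTokenStore(ttl time.Duration, maxTries int) *TokenStore {
	return &TokenStore{codes: map[string]*pending{}, ttl: ttl, maxTries: maxTries, now: time.Now}
}

// Issue creates a fresh 6-digit code for user, replacing any earlier one.
// The plaintext is returned exactly once so the caller can send it by SMS.
// Only a million codes exist, so the hash guards against casual exposure of
// the store, not offline brute force; the short ttl and attempt cap do that.
func (s *TokenStore) Issue(user string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[user] = &pending{hash: sha256.Sum256([]byte(code)), expires: s.now().Add(s.ttl)}
	return code, nil
}

// Verify accepts a code once, before expiry, and within maxTries wrong
// guesses. Expiry and lockout both delete the record, which is the
// "deactivated automatically" behaviour the post describes.
func (s *TokenStore) Verify(user, code string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.codes[user]
	if !ok {
		return ErrNoCode
	}
	if s.now().After(p.expires) {
		delete(s.codes, user)
		return ErrExpired
	}
	got := sha256.Sum256([]byte(code))
	if subtle.ConstantTimeCompare(got[:], p.hash[:]) != 1 {
		p.attempts++
		if p.attempts >= s.maxTries {
			delete(s.codes, user)
			return ErrLocked
		}
		return ErrMismatch
	}
	delete(s.codes, user) // single use: a replayed code is rejected
	return nil
}

func main() {
	s := NewTokenStore(5*time.Minute, 3)
	code, err := s.Issue("alice")
	if err != nil {
		panic(err)
	}
	fmt.Println("code to SMS to alice (constructed demo):", code)
	fmt.Println("first use:", s.Verify("alice", code)) // <nil>
	fmt.Println("replay:", s.Verify("alice", code))    // no active code for user
}
```

Two details carry the phishing resistance the post attributes to these codes: the record is deleted on first successful use, so a code captured by malware and replayed later is useless, and the constant-time comparison keeps a wrong guess from leaking how many digits matched.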

There may be additional attack surfaces which we have not thought about yet. After all, a “Hacker’s mind” has a different orientation than a “Builder’s brain”. The value of constant vigilance can never be overstated in today’s world, especially when you adopt more modern means to conduct your business.

6 comments:

rcc_kukur said...

Just want to add that allowing users or device administrators to encrypt all data on the device, including both internal memory and removable SD card storage, may be a little overhead, but should work fine in the long run. Also, some anti-malware products are in place now.

Secure enterprise link, as proposed by some vendors: bonding a device to the enterprise and assigning it secure credentials that alleviate the need to store the user's enterprise password on the device, putting the IT manager in charge of device security. May sound good as it matures.

As you pointed out, the capability to manage devices remotely can be extended to key features like remote installation of corporate applications, remote lock, remote wipe, device location, and advanced password rules, as well as other standard enterprise device management policies.

Tech Disruption said...

This is a very good article. I hadn’t researched this topic before, and I learned a lot from your article. I have two comments, one broad-based, and one specific comment.

Broad-based comment:
This comment pertains to the overall structure of the article.
I found that the following structure is very effective for security-related articles:
First, approach it from the viewpoint of the hacker. How would a hacker try to find security holes so that he may steal corporate information?
Now that you found the potential security holes, the second step is to provide suggestions for plugging those holes. Having all those tips and tricks in one place makes it easy for the IT department to adopt it. If I were an IT guy, I would be looking for tips to keep my corporate network secure. Maybe I can talk to my VP about these points, and earn some brownie points.
You have most of the information in your posting, so this is not so much a comment on the content as it is a comment on the organization.

Specific comment:
III: explain some more why it is hard. ‘Have latest patches’ is a commandment to the masses, and like most commandments this is a commandment that gets disobeyed or forgotten. When a company has 40K employees, it is unlikely that everyone will upgrade promptly. Most Windows-based viruses can propagate because of un-patched computers. What should the strategy be to deal with that?

Hope this helps. And again, thanks for the informative article.

Unknown said...

Very nice article. Now that smartphones are a large percentage of the mobile market, corporates need to pay attention to securing them. I have a couple of points to note here:

Smartphones are getting more powerful. Intel's CEO recently said that their new Atom line of processors will be a system-on-chip capable of running the same OS on a laptop and a smartphone. All the security protocol suites devised for PCs should be usable directly on smartphones.

The iPhone already supports 802.1x with the WPA2 standard (WPA2 in turn uses AES). It is ready for enterprise-level security already.

Other smartphones may not have the level of software resources that Apple has. There is a need for an entrepreneur to step in.

Dhruba Borthakur said...

One problem area with this myriad of mobile apps is that people install them without actually knowing whether they are genuine or not. These apps could send out sensitive information from your mobile to the hackers. One way to prevent this is "crowd-sourcing": at the time of installing an app, it could show you how many of your friends (or friends of friends) have installed this app. That could give you a great deal of confidence in installing that app.

Unknown said...

Somnath,
An interesting follow up to this post is a recent article in the New York Times entitled, Security to Ward Off Crime on Phones.
Here is a link to the article:
http://nyti.ms/phonesecurity

Somnath Banerjee said...

Google just pulled 11 apps from the Android store due to a malware threat. Read the full article at: http://www.cnn.com/2011/TECH/mobile/03/02/google.malware.andriod/index.html?hpt=Sbin