December 2014
BYOD Security: A compendium of our best recent coverage
Dark Reading MUSTReads

Table of Contents
• Mobile-Only Employee Trend Could Break Security Models
• iOS 8 Vs. Android: How Secure Is Your Data?
• Study: 15 Million Devices Infected With Mobile Malware
• How Microsoft Cracks The BYOD Code: 3 Tips
• Why John McAfee Is Paranoid About Mobile
• 3 Mobile Security Tips For SMBs
Mobile-Only Employee Trend Could Break Security Models
One-third of employees exclusively use mobile devices for work, but security organizations still aren’t shifting their risk management focus.
By Erica Chickowski

Common wisdom is that there’s no turning the clock back on BYOD and mobility culture in the enterprise today. But just how instrumental are mobile technologies to employee work habits, and how well have IT departments started to manage the associated risks? A recent survey shows the productivity increase due to mobility to be dramatic. But in spite of bottom-line benefits, organizations aren’t reinvesting some of that money into the necessary security measures to reduce risk.

Conducted by the Ponemon Institute on behalf of Raytheon, the survey (registration required) showed that, for a significant chunk of the workforce, mobile technologies are no longer just a beneficial supplemental computing technology but actually the primary means of getting business done. According to respondents, one-third of employees exclusively use mobile devices to do their work, and that is expected to rise to nearly half of employees over the next year. Meanwhile, 61% of respondents report that mobile devices have increased employee productivity at their organizations.

However, most businesses are seeing these productivity gains offset by a growing mobile risk profile. Approximately 52% of respondents reported that security practices on mobile devices have been sacrificed in order to improve employee productivity. The survey showed that 30% of organizations still have absolutely no security features in place to support mobility, and 74% of respondents say their security is inadequate to mitigate mobile threats.

“Most enterprises are finding workforce productivity high with BYOD, and they can see significant tangible benefits by having workers connected with their device,” says Ashok Sankar, senior director of product management and strategy at Raytheon Cyber Products. “But security is being compromised in favor of productivity.”

As the business benefits continue to rise, so does the proliferation of devices. The study found that the typical organization manages an average of 20,000 devices, with that number expected to rise to 28,000 in 12 months. In fact, 18% of organizations report that, within a year, they may need to manage more than 75,000 devices. This can only serve to put more pressure on security organizations; respondents reported it takes an average of $278 to manage devices securely.

Organizations identified malware infection and end-user negligence as two of the biggest mobile risks. Of particular concern was the fact that employee behavior has grown increasingly lackadaisical about security as mobile flexibility increases. Approximately 60% of respondents believe mobile devices have diminished employees’ security habits. In addition to improving security technology investments around mobility, organizations may need to put more onus on employees to improve their behavior.

“There’s always been a one-sided conversation between IT and employees, with IT providing laptops or desktops and a specific image of the device and that was it,” Sankar says. “The newer paradigm has to be a two-way conversation. People want to use what they want, which is fine. But maybe there’s a responsibility factor associated with the mobile user than they had originally. So with flexibility comes responsibility.”
COMMENTARY
iOS 8 Vs. Android: How Secure Is Your Data?
By Adam Ely

Apple recently released iOS 8, several updates, and two iPhone 6 models. There has been plenty of noise around the releases, from the botched 8.0.1 update to the Touch ID fake fingerprint vulnerability to concerns that Apple Pay was pushing mobile PCI scope and unknowingly sharing consumer data. The ever-changing security posture of iOS, however, has yet to be discussed. Apple released an updated iOS security whitepaper covering Touch ID, the “Secure Enclave,” and everything in between. The paper is a good read for those curious about how hardware plays into the security posture of a device and features of the iOS operating system.

There are a number of security features on iOS 8 that were included to increase the adoption of Touch ID and Apple Pay. The security features are different from previous iOS releases and updates because the operating system is becoming a less restrictive platform. Often, enterprises criticize Android for being too open and allowing too much interaction among applications via broadcast receivers. With the new iOS 8, we’re seeing more similarities when comparing iOS to Android. As a result, enterprises should be more concerned with the trustworthiness of devices versus the actual operating systems. For example, one of the worst cases I’ve seen for key logging and data theft is when users download third-party keyboards that leak or steal data on Android. Many infosec people I’ve spoken to use this simple example to explain why iOS is more secure than Android. While previous iOS versions did not allow third-party keyboards, iOS 8 does.

But the real harbinger of the future, in my view, is the introduction of app extensions in iOS 8. App extensions allow applications to make certain functionalities available to other applications. Proving Apple’s intent to make its ecosystem more integrated, these iOS extensions are different from what we see in Android; the iOS extensions give unrelated applications the ability to interact. (Whether the application you just downloaded really needs access to your SMS messages is another question.)

Another potential trouble spot is the introduction of App Groups, which allows applications from the same developer to share data with one another. While this information sharing is nothing new, it has always been done through either the server side or unsupported, covert channels, usually unbeknownst to the user. What makes the intro of App Groups a concern is that this allows applications, by the same developer, to share the same sandbox. Now the security (or insecurity) of one app could affect the security of another app. Because organizations split application development up into teams and outsourced developers, the security of apps, even when from the same company, is not uniform. This opens up organizations and consumers to greater risk.

The lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one. Android is beginning to add more enterprise security features to its operating systems, and iOS is beginning to open its kimono, making it easier for developers to create apps. In the future, these two operating systems will continue to look more alike, driving the need for CISOs to focus on securing applications on mobile devices and on data security, rather than focusing on the devices themselves.

ABOUT THE AUTHOR
Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce, where he was responsible for application security, security operations, compliance, and external security relations. He previously held security leadership roles at TiVo and The Walt Disney Company.
Most Tweeted
15 Million Devices Infected With Mobile Malware
Sixty percent of the infected devices run Android.
By Sara Peters

Fifteen million mobile devices are infected with malware, and most of those run Android, according to a report by Alcatel-Lucent’s Kindsight Security Labs. Researchers found that “increasingly applications are spying on device owners, stealing their personal information and pirating their data minutes, causing bill shock.”

Mobile spyware, in particular, is on the rise. Four of the 10 top threats are spyware, including SMSTracker, which allows the attacker to remotely track and monitor all calls, SMS/MMS messages, GPS locations, and browser histories of an Android device.

Mobile infections increased by 17% in the first half of 2014, raising the overall infection rate to 0.65%. About 60% of the infected devices are Android smartphones. About 40% are Windows PCs connecting through mobile networks. Windows Mobile, iPhones, Blackberrys, and Symbian devices combine for less than 1%.

The good news for Android users, according to the report, is that “the quality and sophistication of most Android malware is still a long way behind the more mature Windows PC varieties. The command-and-control mechanisms (C&C) are primitive and often don’t work. Configurations are hard coded and inflexible. The malware makes no serious effort to conceal itself, and attack vectors are limited to hoping someone installs the infected app.”
COMMENTARY
How Microsoft Cracks The BYOD Code: 3 Tips
Microsoft’s CISO shares best practices for balancing employee autonomy and security in today’s bring-your-own world.
By Bret Arsenault

Securing a company’s IT environment can be a daunting task, and the growing adoption of bring-your-own-device can only add to the complexity. To effectively manage BYOD, security managers need to define new strategies to manage the resulting risks. It likely won’t surprise you that research we conducted in a Trust in Computing survey shows that 78% of organizations allow employees to bring their own computers to the office for work purposes. BYOD can improve employee satisfaction and productivity, and the trend is becoming more commonplace today.

The good news is that BYOD can be implemented without eroding security. But it’s no small task for enterprises. At Microsoft, our IT group coordinates data security management across 340,000 devices connecting to the network and 2 million remote connections each month. The internal BYOD policies we have developed, which I oversee as chief information security officer, provide a framework for enabling employees to use their personal devices while helping to maintain protections for corporate information. I believe that companies of many sizes can leverage at least some of what we’ve instituted in their own organizations. Here’s a sampling of some of our best practices:

Best Practice 1: Develop a BYOD strategy
Effective security starts with a detailed strategy. At Microsoft we set out to define:
• The company’s goals for the BYOD framework.
• The capabilities we need to reach those goals.
• A plan for supporting and securing access from personal devices.
• A strategy for accountability and implementation.

To help put that into perspective, here’s a breakdown of how this works at Microsoft. Our goals for BYOD are to give employees access to messaging, collaboration, and line-of-business applications, to boost productivity, and to help employees balance their work and personal lives. This approach includes employee training and engages various departments like human resources and legal. Our standards for the use and integration of personally managed devices require employees to:
• Accept security controls on personal phones in order to access email.
• Set personal phones to lock automatically after a period of inactivity.
• Provide the ability to remotely wipe company data from a device that is lost or stolen.

The final piece in the strategy is assigning accountability for implementing and overseeing BYOD. At Microsoft, our IT department oversees a coordinated effort to help secure data on more than 340,000 end-user devices being used at the company; 90,000, or a quarter of the devices used in our environment, are personally owned.

Best Practice 2: Manage between personal and corporate data
Companies need to take steps to segregate and protect corporate data effectively. For example, at Microsoft, any device accessing company email must adhere to security standards that:
• Encrypt the data on the device.
• Require a PIN.
• Allow remote maintenance and updates to protect company applications and data.

We continuously evolve this standard using technologies such as Microsoft Intune and other similar products that manage personally owned devices from the cloud by removing company data from a device without impacting personal files, apps, or pictures when employees leave the company or lend their phones to someone else.

Best Practice 3: Define conditions for access
At Microsoft, we’ve moved to a variable user access model, which looks at the strength and trustworthiness of the device, and the identity presented by the employee, to determine the level of access to company resources. For example, we ask:
• Is the employee using a non-corporate identity, such as a personal email account, or are they using a trusted ID from the corporate managed directory?
• Is the device authenticated and fully managed by the company, using a mobile device management solution, or is the device personally owned by the employee?
• Is the device being used from a known location or from a new, unknown external location?

The strength of those and other factors will determine the level of employee access, ranging from full network access and data, to full network access but no local data, to some access to web applications, to no access (guest Internet).

As BYOD continues to become more mainstream in the workplace, security can’t be an afterthought. Each company should determine which BYOD-friendly devices, services, and practices will best balance the benefits of BYOD with the increased security risks that come with it.

ABOUT THE AUTHOR
As Microsoft’s CISO, Bret Arsenault is responsible for enterprise-wide information security, compliance, and business continuity efforts. He leads a global team of security professionals with a strategic focus on information protection, assessment, awareness, governance, and enterprise business continuity. His role, combined with extensive experience in network computing, distributed processing, security, and web-based solutions, makes him a highly sought-after speaker and presenter. Arsenault is also involved at the executive level with both Microsoft customers and partners, holding advisory board roles with government agencies, security companies, and other high-profile organizations.
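One way to turn the three questions of Best Practice 3 into a decision rule, as an added example written for this compendium rather than Microsoft's own implementation. The factor names, the order in which factors gate each other, the "step down one tier on an unknown location" rule and the sample requests are all assumptions of this example; the four access tiers are the ones the article lists.

```python
"""Variable user access evaluation modelled on Best Practice 3 above.
Added example, not Microsoft's code: factor names, ordering and the
sample requests are this example's own assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    """Access tiers named in the article, least to most privileged."""
    GUEST_INTERNET = 0          # no access to company resources
    WEB_APPS_ONLY = 1           # some access to web applications
    NETWORK_NO_LOCAL_DATA = 2   # full network access, no data kept on the device
    FULL = 3                    # full network access and local data


@dataclass(frozen=True)
class AccessRequest:
    corporate_identity: bool   # trusted ID from the managed directory vs. personal account
    mdm_managed: bool          # device authenticated and fully managed by the company
    personally_owned: bool     # BYOD device vs. corporate asset
    known_location: bool       # request from a known location vs. a new external one
    device_encrypted: bool     # Best Practice 2 email baseline: encryption
    pin_set: bool              # Best Practice 2 email baseline: PIN


def evaluate_access(req: AccessRequest) -> tuple[Access, list[str]]:
    """Return the access tier plus the reasons that limited it.

    Assumed ordering: identity gates everything, then device trust and the
    email baseline, then ownership, then location. A personally owned but
    MDM-enrolled device can reach the network but never keeps local data.
    """
    reasons: list[str] = []
    if not req.corporate_identity:
        reasons.append("non-corporate identity presented")
        return Access.GUEST_INTERNET, reasons
    if not req.mdm_managed:
        reasons.append("device not managed by company MDM")
        return Access.WEB_APPS_ONLY, reasons
    if not (req.device_encrypted and req.pin_set):
        reasons.append("device fails encryption/PIN baseline")
        return Access.WEB_APPS_ONLY, reasons
    tier = Access.NETWORK_NO_LOCAL_DATA if req.personally_owned else Access.FULL
    if req.personally_owned:
        reasons.append("personally owned: local data not permitted")
    if not req.known_location:
        # Unknown external location steps the tier down one level (assumption),
        # but never below web-app access for a trusted identity on a managed device.
        reasons.append("unknown external location")
        tier = Access(max(tier - 1, Access.WEB_APPS_ONLY))
    return tier, reasons


if __name__ == "__main__":
    # Constructed sample requests, not real telemetry.
    samples = {
        "corporate laptop, office": AccessRequest(True, True, False, True, True, True),
        "BYOD phone, enrolled, travelling": AccessRequest(True, True, True, False, True, True),
        "personal email identity": AccessRequest(False, False, True, False, False, False),
    }
    for label, req in samples.items():
        tier, why = evaluate_access(req)
        print(f"{label}: {tier.name} {why}")
```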
COMMENTARY
Why John McAfee Is Paranoid About Mobile
Mobile apps are posing expanding risks to both enterprises and their customers. But maybe being paranoid about mobile is actually healthy for security.
By Peter Zavlaris

At July’s SecureCIO event in San Francisco, in front of an audience of CISOs, CIOs, VPs, and directors collectively representing some of the largest corporations in America, John McAfee, the enigmatic founder and namesake of McAfee, proclaimed a veritable state of emergency in enterprise security.

“Our paradigms for protecting corporate assets [online] no longer work,” says McAfee, who, after a brief hiatus (one in which he went toe to toe with the Belize government), is back on the security scene, serving as a consultant as well as founding his own startup.

In this talk, McAfee took square aim at mobile. He discussed a recent consulting engagement with an unnamed defense contractor. Apparently, out of nowhere and for no apparent reason, the contractor began losing contracts it would normally win. Eventually, it was discovered that a man-in-the-middle attack had successfully infiltrated the mobile devices belonging to the sales team. Anything they saw wound up in the hands of the competition.

As he explained, thanks to mobile devices, each employee has become a potential weak link in the enterprise security chain. Corporate data shared on mobile devices and tablets has become highly valuable to competitors. Meanwhile, forced permissions within mobile applications are granting access to sensitive data stored on phones.

It Really Is A Big Problem
The size and scope of this problem is substantial, and there is no end in sight. Anonymized data from more than 6 million active customer mobile applications analyzed by RiskIQ helps quantify the issue:
• 245,000+ apps have account grabbing capabilities.
• 497,000+ apps can control vibration.
• 212,000+ apps are capable of accessing the camera.
• 184,000+ apps can access contacts.
• 66,000+ apps can read SMS.

Why should we care if an application has access to a phone’s vibrate function? Because when hackers access a phone they can make changes, receive messages, download other applications, change settings, etc., without setting off the vibration alert. “Read SMS” allows hackers to capture SMS-based authentication tokens. “Get Accounts” allows the phone to access online accounts. With access to contact lists, a cyber criminal can steal this information. There are literally dozens of standard permissions one could leverage to carry out a cyber attack — without needing malware. With many large consumer-facing businesses like banks and healthcare providers distributing their own branded mobile applications, the risks associated with copycat apps distributed and controlled by cyber criminals are magnified by escalating app permissions.

SMS Text Phishing
A recent example of this technique is Operation Emmental, discovered by Trend Micro. The attack uses an email phishing campaign to target customers of banks that use SMS-based authentication. It tricks victims into installing a fake but official-looking mobile app, which captures SMS messages sent from the bank. (Trend Micro found several variations of these apps wrapped with names and logos of popular German banks.) By stealing the victim’s user name and password, and intercepting “out of band” authentication tokens sent to his or her mobile phone, attackers can take over the bank account to commit fraud.

In addition to excessive permissions and fake apps, mobile platform vulnerabilities are putting data at risk. For example, security firm Bluebox reported FakeID, a major flaw in the Android operating system. It affects Android’s verification of digital signatures, which are used to vouch for the identity of mobile applications. Theoretically, this would allow attackers to successfully impersonate legitimate apps, like an online banking app, since the Android cryptographic code will not be able to verify its origin.

It’s becoming apparent that mobile applications are posing expanding risks to both enterprises and their customers. Whether it’s excessive permissions, fake (e.g., copycat) apps that claim to be from a trusted brand, or platform vulnerabilities like FakeID, it appears being paranoid about mobile might actually be healthy for security.

ABOUT THE AUTHOR
Peter Zavlaris is one of the primary analysts and contributors to the RiskIQ blog, which provides weekly insights on the latest threats and attacks that target companies outside the firewall and put customers at risk. He has held various customer satisfaction positions with providers of cloud hosting, IaaS, and enterprise security services.
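A defender-side triage of a managed-device app inventory along the lines the passages above describe: scoring apps by the standard permissions the article singles out (SMS reading, account access, contacts, camera, vibration alongside risky permissions) and flagging copycat apps whose label borrows a bank's name while the signing certificate is not the bank's. This is an added example written for this compendium, not RiskIQ's, Bluebox's or Trend Micro's code; the weights, the brand allowlist, the signer fingerprints and the inventory are constructed placeholders, while the permission strings are the standard Android names.

```python
"""Triage an app inventory by declared permissions and brand impersonation.
Added example; weights, allowlist, fingerprints and inventory are constructed."""
from __future__ import annotations

# Permissions the article singles out, with why a defender cares (weights assumed).
PERMISSION_RISK = {
    "android.permission.READ_SMS": (4, "can capture SMS-based authentication tokens"),
    "android.permission.GET_ACCOUNTS": (3, "account grabbing: enumerates accounts on the phone"),
    "android.permission.READ_CONTACTS": (2, "contact list can be harvested"),
    "android.permission.CAMERA": (2, "camera access"),
    "android.permission.INTERNET": (1, "network egress for anything harvested"),
    "android.permission.VIBRATE": (0, "benign alone; relevant next to silent actions"),
}

# Brand -> fingerprint of the signing certificate the real app uses.
# Constructed placeholder values, not real fingerprints.
KNOWN_SIGNERS = {"examplebank": "PLACEHOLDER_FINGERPRINT_EXAMPLEBANK"}


def permission_findings(perms: set[str]) -> tuple[int, list[str]]:
    """Score a permission set and explain each contribution."""
    score, notes = 0, []
    for p in sorted(perms):
        weight, why = PERMISSION_RISK.get(p, (0, ""))
        if weight:
            score += weight
            notes.append(f"{p.rsplit('.', 1)[-1]}: {why}")
    # Combinations matter more than single grants: SMS read plus egress is an OTP relay.
    if {"android.permission.READ_SMS", "android.permission.INTERNET"} <= perms:
        score += 3
        notes.append("READ_SMS+INTERNET: out-of-band token interception possible")
    if "android.permission.VIBRATE" in perms and score >= 5:
        notes.append("VIBRATE next to high-risk permissions: can suppress user alerts")
    return score, notes


def copycat_finding(label: str, signer_fingerprint: str) -> str | None:
    """Flag an app whose label borrows a known brand but is signed by someone else.
    Pinning the signer certificate (not the label or package name) is the check the
    FakeID discussion implies: trust the certificate you expect, not the claim."""
    for brand, fp in KNOWN_SIGNERS.items():
        if brand in label.lower().replace(" ", "") and signer_fingerprint != fp:
            return f"label '{label}' imitates {brand} but signer does not match"
    return None


def triage(inventory: list[dict]) -> list[dict]:
    """Return one report row per app, highest risk first."""
    rows = []
    for app in inventory:
        score, notes = permission_findings(set(app["permissions"]))
        copycat = copycat_finding(app["label"], app["signer"])
        if copycat:
            score += 5  # impersonation outweighs any single permission (assumption)
            notes.append(copycat)
        rows.append({"package": app["package"], "score": score, "notes": notes})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory shaped like an MDM export; not real apps.
SAMPLE_INVENTORY = [
    {"package": "com.examplebank.mobile", "label": "Example Bank",
     "signer": "PLACEHOLDER_FINGERPRINT_EXAMPLEBANK",
     "permissions": ["android.permission.INTERNET", "android.permission.CAMERA"]},
    {"package": "com.freeapps.examplebank", "label": "ExampleBank Secure",
     "signer": "PLACEHOLDER_FINGERPRINT_UNKNOWN",
     "permissions": ["android.permission.INTERNET", "android.permission.READ_SMS",
                     "android.permission.GET_ACCOUNTS", "android.permission.VIBRATE"]},
    {"package": "com.example.flashlight", "label": "Flashlight",
     "signer": "PLACEHOLDER_FINGERPRINT_OTHER",
     "permissions": ["android.permission.VIBRATE"]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row["package"], row["score"], *row["notes"], sep="\n  ")
```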
COMMENTARY
3 Mobile Security Tips For SMBs
Everyone in an organization has to work together to combat intrusions and data loss, but this is especially true for small businesses.
By Vijay Basani

Mobile technologies have introduced a completely new world of risks to organizations that use them. While many larger enterprises have the resources to mount comprehensive campaigns, the era of mobile computing has placed smaller companies smack in the middle of a widespread and proliferating security crisis. Here are three steps to help SMBs develop smarter mobile security policies in this ever-changing landscape.

First Step: Policy
Map out a security and mobile device policy that clearly separates personal and corporate data commingled on devices. Employees need to know specifically what they can and can’t do on their mobile phones. You should write a user-focused rules of behavior document that every employee must understand and sign before they are granted access to your network.

Second Step: Education, Access Controls, And Audits
It’s important to educate users on both the risks the devices present to the organization and your expectations of conduct. But strong, clearly stated company policy should also be consistently enforced through access permissions, published audit reports, and other sanctions. Frequent reminders that are integrated into general company-wide communications can make it clear what is expected and create a culture of good stewardship of digital devices and network resources. Users should also be taught about the many basic precautions they can take to mitigate risks associated with lost or stolen devices — and how to keep both personal and corporate resources significantly safer. These steps include:
• Setting lock screens with strong passwords of 8- to 10-character minimum length.
• Installing antivirus/anti-malware apps.
• Implementing data encryption.
• Securely backing up all data.
• Installing device locator and remote wiping capabilities.
• Keeping operating systems and apps updated.

Third Step: Ongoing Monitoring
Continuous monitoring and measurement will be essential to address known and emerging threats. This effort requires focus, discipline, leadership, and innovation involving:
• People — Trained, skilled information workers
• Culture — A true concern for protecting employee data
• Leadership — For the big picture and priority setting
• Process — You can’t improve what you don’t measure. What are you doing with the technology once you buy it?
• Technology — Is it implemented properly? Are you monitoring it? Is it integrated across your entire enterprise?

Strategies to monitor and assess devices and their data should include identification of all mobile devices accessing your network of IT assets, real-time monitoring and correlation of all activity, and both alerting and reporting on violations of security policy, user privacy, and compliance.

For companies of any size — but especially SMBs — the most essential and urgent task at hand is to build a culture of good stewardship of devices and data through a robust and detailed company policy and consistent enforcement at all levels, from entry-level employees to CEOs. Everyone in a company has to work together to combat intrusions and data loss.

ABOUT THE AUTHOR
Vijay Basani is CEO and president of EiQ Networks. Before starting EiQ Networks, he founded AppIQ, an application storage resource management provider acquired by Hewlett-Packard in October 2005, and WebManage Technologies, a policy-driven content delivery solution provider acquired by Network Appliance in August 2000. Vijay’s experience includes senior executive positions in the financial industry at Spencer Trask Securities and Josephthal Lyon & Ross. He is the co-owner of five patents for the architecture and design of the WebManage Content Delivery system, Adaptive Policy Engine, and SLA Management.