Open Mobile Menu

Blog

When Smart Phones Attack…

Views: 3133

Written By: Tony Fulda March 06, 2015

I'd bet that a few of you have noticed that a lot of people use mobile phones, tablets and personal laptops for work these days...  Our always-online super-connected workforce has technology in their pockets that blur the line between phone and computer, work and personal, and public and private.  These technologies allow us to do things mankind used to only dream of:  you can update a PowerPoint presentation from the back of a motorcycle! Send a company-wide email with pictures of your coworkers at the bar! (though just because you CAN doesn’t mean you SHOULD).  For better or worse, it’s becoming hard to find a spot on Earth where you can’t connect to work, your social networks, or the Internet. This shift in how we interact with data, other people, and the rest of world provides opportunities for astonishing flexibility in communication and data sharing for many organizations; it also presents some serious security risks.

The adoption rate and use of mobile and BYOD systems (“Bring Your Own Device”) has outpaced many organizations’ ability to control how/where/why/when end-user devices are used and where data is stored, and the consequences of leaking data or losing devices tend to be analyzed in hindsight after a compromise happens.  Security and privacy concerns around mobile and BYOD have been around for a while, relatively speaking, but many organizations are just now starting to come to terms with an appropriate response and strategy for integrating security into their mobile environment. 

The two main schools of thought related to mobile/BYOD usage that we see in many cases are somewhere in the following categories:

  • Category 1: Mobile or BYOD are difficult to configure and manage, there is no way to integrate and secure them in a manner that is consistent with security policy.  Connecting to the network with your own device or viewing/downloading data to a mobile device is prohibited.
  • Category 2: Mobile or BYODs are impossible to configure and manage, so… just, whatever.  We should probably have a plan, but nothing bad has happened yet and we don’t want to tell our employees what to do.

Most organizations fall somewhere in between these two approaches.  We may see Acceptable Use policies and requirements for personal firewalls and 2-factor authentication on employee-owned laptops, but then observe that there no policies or restrictions prohibiting the downloading or sharing sensitive data from the device.  We commonly see mobile devices with essentially the same functionality as a laptop connecting to sensitive data and email systems with no malware protection, no configuration management enforced, and inadequate or non-existent end-user usage policies or awareness training processes followed.  

Inconsistent or unexamined policies and procedures in an organization’s gameplan related to mobile/BYODs can lead to real-world privacy, regulatory, and reputational risks.  To address the issue, AppSec Consulting has been working with a number of our customers to help them develop comprehensive strategies to protect and integrate security into their mobile environment, with a focus on balancing business needs with security and privacy concerns.  We would love to help you out on your project, but if you’re just getting started and are taking a DIY approach here are a few of the lessons that we have learned while helping our customers address this Wild West world:

  • In order to understand your risks, you have to understand how/where/when these devices are being used. Perform an inventory of the devices, applications, and data that are commonly being used/accessed by your users.  Determine whether the applications, access, and configurations on mobile devices support and are aligned with your larger information security and data classification programs.  Determine whether deployed technical controls and access restrictions are adequate to prevent a misconfigured or infected mobile device or BYOD system from connecting to your internal network:  MAC address filtering and proxies that kick devices that don’t meet specific security criteria off to a “dirty” network may be useful here.

 

  • Don’t overlook mobile devices when performing a Risk Assessment, and don’t underestimate the impact a lost/missing/hacked device can have on your organization.  Ask yourself what types of data are commonly on mobile/BYODs, and what would happen if the device was lost or stolen.  At one of my previous employers, a large amount of sensitive HR data was compromised when a laptop was stolen out of an employee’s car.  The company paid for credit monitoring and notifications, but the cost to address the issue after the fact (in person hours alone) likely far outweighed the cost of a data encryption solution or better security awareness training.  Think hard about likely loss/compromise scenarios, and determine the type of data that may be on the device in order to determine appropriate countermeasures. 

 

  • Organizations that don’t have a mobile security strategy tend to drift towards permissiveness, and end - users will tend towards convenience over security.  Don’t forget about strong (enforceable) acceptable use policies, and include mobile security in your awareness training.  Users with the ability to install their own applications or change settings on mobile devices invariably will do so.  Rule of thumb: for every technical control that is not enforced, a free malware-laced Kitten Screensaver or candy-themed game will be installed.  Again, determining your likely risk, data and connection types, and common usage scenarios will allow you to decide whether you need to deploy strong centralized controls, use proxies and virtual desktops, and/or deploy mobile device and malware management solutions on smart phones, tablets, and BYODs.

 

  • Mobile and BYODs can be a perfect tool for compromising data and infecting your network.  Many organizations don’t even have mobile/BYOD security on their radar, and haven’t thought through scenarios where these devices can be inadvertently or maliciously used to attack their systems.  By their nature, mobile/BYODs are portable, allow for multiple connection types, and provide data storage and transmission capabilities that may be out of band and invisible to traditional monitoring technologies.  If you don’t have processes in place to look for it, how hard would it be for a user to email sensitive financial data to themselves and forward it to their Gmail account? If a BYOD user is connecting to your internal network from the coffee shop, is their device protected from malware that could be stealing credentials and data? Preventing data compromise may require a combination of data classification and inventory, strong access restrictions, and technical controls (such as Data Loss Prevention tools) in order to be effective.

 

  • Mobile applications are not desktop applications.  In many cases organizations do not apply the same rigor to their mobile application security that they would to a more traditional desktop thick client/web-based application deployment, even though the mobile application may have connections and credentials that allow for access to the same systems and data.  Developers often reduce security and authentication requirements for mobile applications because using complex passwords on a mobile device is considered to be more difficult than a desktop client, yet these mobile applications often perform the same functions as traditional web or desktop applications.  In addition, many organizations don’t have the tools/experience to test mobile application security, or they use inappropriate or inadequate testing methodologies that don’t address the unique architecture and OS parameters of the mobile device or application.  Do your homework to find the tools and frameworks appropriate to securing your particular type of application, or consider engaging an outside firm that specializes in this type of assessment (I’ve heard rumors that AppSec Consulting is pretty great at this…).

 

  • Don’t forget about mobile/BYOD in your Incident Response plan and awareness training. In many organizations, a smartphone is issued, mail is turned on, and it’s “set it and forget it”.  There may be no restrictions in place on device configuration, no requirements for passwords/PINs, and no way to remotely wipe or disable a mobile device.  To make matters worse, a lot of users wouldn’t think to contact their help desk in the event of a malware issue on their personal laptop or phone that may be connecting to corporate systems. Awareness training needs to clearly define requirements for security, and users need to know what they can and can’t do and what to do if a device is suspected of compromise or goes missing. Include mobile scenarios in your IR testing plan.

 

  • Defense in Depth is the only solution to using mobile/BYOD safely.   Here are a few points to consider:
    • A good mobile/BYOD strategy will start with a business analysis to determine how, why, and who can use mobile devices, followed by a risk assessment.
    • Inventory mobile device identified in the previous step, include them in the risk assessment process, and identify common threats/attack vectors.  The assessment can help to determine the existence and adequacy of controls used to protect devices and whether the residual risk is acceptable. 
    • Don’t overlook mobile in your overall security program – for example, do your Incident Response, logging/monitoring, and configuration management processes include mobile?
    • Technical testing of device configurations is highly recommended in order to identify potential misconfigurations or vulnerabilities. 
    • End-user awareness training and strong policies and procedures are needed to support mobile/BYOD usage.
    • Don’t forget about device reuse and deprovisioning scenarios:  is there a process to address retired/repurposed devices and all of the data they may contain?  Are devices included in your access reviews and inventory systems?

Mobile and BYOD can increase productivity and agility, but can also allow end-users (or malicious users) to poke a thousand little holes in an organization’s defenses.  Gaps or oversights in policy, process, technology, training, and awareness can leave your company open to an unacceptable level of risk.

The good news: that risk can usually be mitigated with the right tools and proper planning.  We are seeing many organizations meet these challenges successfully through thoughtful implementation of technical, operational, and administrative controls, as well as the use of a new crop of device management solutions that are non-intrusive to end users and provide additional levels of centralized control.   

Please contact us if we can help!

-Tony

Tony Fulda

Tony Fulda has over fifteen years of information technology, information system security and technology training experience, performing technical and enterprise risk assessments and consulting for clients in the higher education, hospitality, healthcare, service provider, and retail industries. As AppSec Consulting’s Managing Director of Strategic Advisory Services, Tony is responsible for driving the strategic direction of the assessment team and ensuring that AppSec Consulting’s clients receive exceptional service and maximum return on investment.

Tony has assisted hundreds of clients achieve their security and compliance goals through scope reduction, process improvement, and strategic technology integration.  He has led or participated in a multitude of remediation projects and has performed US-based and International Level 1 Report on Compliance audits for some of the largest organizations in the world.

read more articles by Tony Fulda