Protecting the enterprise against mobile threats
Mobile devices have transformed the digital enterprise, allowing employees to access the information they need to be productive from virtually anywhere. Has that convenience come at a cost to enterprise security, though?
According to Forrester’s The State of Enterprise Mobile Security: 2016 to 2017, by Chris Sherman, “Employees are going to continue to purchase and use whatever devices and apps they need to serve customers and be highly productive, whether or not these devices are company-sanctioned.”
Additionally, the report found that security and risk (S&R) professionals will face complex challenges as a result of the differing APIs and security profiles across devices. Sherman wrote, “Security teams must plan for years of increasing complexity by choosing technology solutions that simplify management and security workflows.”
Scott Simkin, senior threat intelligence manager at Palo Alto Networks, said that BYOD is a trend we were talking about five years ago. “Bringing a personal device into the enterprise is not something new, but the masses have come to peace with the fact that employees–in order to achieve their objectives–are requiring it.”
What that means for security practitioners is that the attack surface is massive. “It now has been multiplied by a factor of 100 or 1,000 by the sheer number of vulnerable applications and devices that the attacker is able to leverage,” Simkin said.
In addition to bringing devices to the office, employees are also demanding access to the network when they are not on premises. “They want access to resources whether it’s Dropbox or other applications that allow them to get their corporate data,” Simkin said.
Myriad issues challenge enterprise security, whether it is the apps themselves or the behavior of the users who own and operate the mobile devices, such as not keeping the operating system up to date.
“Thousands of applications developers are taking their great ideas and putting them into practice, but they are not thinking about building security into their application from the beginning,” said Simkin.
Given that there are generally three ways for users to access applications, where they get their apps becomes incredibly important from a security perspective.
“They can go to the official app store or download it from a third party application site, or they can jailbreak or side load the application,” Simkin said. “The official app stores do a good job of filtering out malware and threats, but those third party app stores are more of the Wild West.”
A wider trend in the mobile threat landscape, according to Simkin, is that attackers are going after the application developers. “They are unknowingly infected with malware and then the application is infected and that is then passed on to users.”
As it is with securing the traditional network, mobile security is also about building policies. “Security resources are scarce,” said Simkin, “so, organizations need to think about how they safely enable those mobile devices to access corporate resources. They need to take the time now to consider what technology they are going to put into place to keep the company safe.”
Even the White House is changing the paradigm a little bit. The President’s now infamous use of an Android phone has helped bring to light the need for better mobile security, said Paul Innella, CEO at TDI.
“If organizations don’t start treating mobile devices, which includes IoT, as corporate assets, they are going to see this wide scale disruption and infiltration. So, they have to be thinking about how they evaluate the risk of one of these mobile devices coming into their environment,” Innella said.
Taking a more pragmatic approach and treating mobile as they would anything else in their environment means that they need to do appropriate access, identity, application, and data management, Innella said.
“There are numerous mitigation tactics from whitelisting and blacklisting and authenticating the device itself to malware detection. All of the mitigation tactics they would use on a laptop,” Innella said.
Also key is having user-facing policies that don’t require as much rigor to follow. “There has to be a systematic understanding of what they should and should not do, like not using public hotspots and not transmitting wireless, turning off Bluetooth and not using the save password function on browsers,” Innella said.
If practitioners recall the challenges that came with securing the network with the advent of laptops, they can look to the future of mobile with the benefit of hindsight.
“It’s about protecting data at rest on the device, data in transit, and the data at rest in the infrastructure, within the enterprise,” Innella said. “There has to be encryption of data at rest on both ends. Encrypting data at rest on the device is a big, big issue.”
The device itself is one reason the mobile threat landscape is changing directions, said Josh Shaul, vice president of web security at Akamai. “How does that thing in the conference room turn into a covert listening device accessing my intellectual property and everything else?”
When users load a game onto their phone, they grant it access to the camera, microphone, calendar, and contacts without thinking about what they are actually installing.
“The outlier is who we worry about,” Shaul said. “Folks put bad software on there that can be used to spy on people through their mobile devices. It’s not hard to do that particularly when they overtly ask for and are granted permission.”
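The permission grab described above is visible before an app is ever installed: it is declared in the app's manifest. The following is an added example written for this article, not code from Akamai or any other vendor quoted here. It parses a decoded AndroidManifest.xml (the manifest inside an APK is binary XML, so this assumes it has first been decoded with apktool or `aapt dump xmltree`), lists the privacy-sensitive permissions a package requests, and rejects a "puzzle game" that asks for the camera, microphone, contacts and calendar. The permission strings are the real Android names; the grouping into categories, the `vet` policy and the sample manifest are this example's own.

```python
"""Flag Android apps whose manifest requests privacy-sensitive permissions.

Added example for this article, not code from any vendor quoted in it. It
parses a decoded AndroidManifest.xml (the manifest inside an APK is binary
XML; decode it first with apktool or "aapt dump xmltree", which this example
assumes has been done) and reports which sensitive permissions the app asks
for, so an app-vetting step can decide whether a "game" really needs the
camera, microphone, contacts and calendar before it reaches a managed device.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that let an app observe the user or harvest personal data.
# The permission strings are the real Android names; the grouping into
# categories is this example's own choice.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_SMS": "sms",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission android:name="..."/> values in the manifest."""
    root = ET.fromstring(manifest_xml.strip())
    return {
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    }


def sensitive_permissions(manifest_xml: str) -> dict[str, str]:
    """Subset of the requested permissions that are privacy-sensitive."""
    return {
        perm: SENSITIVE[perm]
        for perm in sorted(requested_permissions(manifest_xml))
        if perm in SENSITIVE
    }


def vet(manifest_xml: str, expected: tuple[str, ...] = ()) -> tuple[bool, list[str]]:
    """Return (allowed, findings).

    `expected` lists the sensitive categories the reviewer considers
    legitimate for this app (a video-calling app expects camera and
    microphone; a puzzle game expects none). Anything else is a finding.
    """
    findings = [
        "unexpected %s access via %s" % (category, perm)
        for perm, category in sensitive_permissions(manifest_xml).items()
        if category not in expected
    ]
    return (not findings, findings)


# Constructed sample: a puzzle game that also wants to watch and listen.
GAME_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <application android:label="Puzzle"/>
</manifest>
"""

if __name__ == "__main__":
    allowed, findings = vet(GAME_MANIFEST)
    print("ALLOW" if allowed else "REJECT")
    for finding in findings:
        print(" -", finding)
```

Run against the sample, the check rejects the game with four findings; the same manifest vetted with `expected=("camera", "microphone", "contacts", "calendar")` (the profile of a video-calling app) passes. The manifest only shows what an app can ask for; on Android 6 and later the user still has to grant runtime permissions, which is exactly the step the quote above says users wave through.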
Attackers are now pivoting from filling in web forms on the website to attacking the API behind the mobile app, which lets them do the same things through the channel that was set up for the app, Shaul said.
“They are realizing that it’s easier pickings going after the APIs that are just getting published and becoming mainstream because there is the misconception they will only be used as intended. It’s just another service connected to the internet that people can access,” Shaul said.
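The misconception that an API "will only be used as intended" usually surfaces as an endpoint that authenticates the caller but then trusts whatever object identifier the client sends, because the shipped app only ever sends its own. Below is an added example written for this article, not code from Akamai or any vendor quoted here: a mobile order-lookup endpoint modelled as plain Python functions over an in-memory store (so it runs offline), the vulnerable handler beside the hardened one, and the attacker's enumeration loop that the quote is describing. The bearer-token table standing in for real session validation and the order data are assumptions of this example.

```python
"""A mobile-app API that trusts its client, beside the hardened version.

Added example for this article, not code from Akamai or any other vendor
quoted in it. The API is modelled as plain functions over an in-memory
store so it runs offline; in production the same logic sits behind an HTTP
route. The session-token table stands in for real token verification and
the order data is constructed, both assumptions of this example.
"""
from __future__ import annotations

# Constructed sample data: two customers and their orders.
ORDERS = {
    1001: {"owner": "alice", "items": ["laptop"], "ship_to": "1 Alice St"},
    1002: {"owner": "bob", "items": ["phone"], "ship_to": "2 Bob Ave"},
    1003: {"owner": "alice", "items": ["dock"], "ship_to": "1 Alice St"},
}
# Bearer token -> authenticated user. Stands in for JWT/session validation.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """No valid session token."""


class NotFound(Exception):
    """Order does not exist, or is not the caller's to see."""


def _authenticate(headers: dict) -> str:
    """Resolve the Authorization header to a user name or raise."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized("missing bearer token")
    user = SESSIONS.get(auth[len("Bearer "):])
    if user is None:
        raise Unauthorized("invalid token")
    return user


def get_order_vulnerable(headers: dict, body: dict) -> dict:
    """The app only ever sends its own user's order ids, so the developer
    assumed those are the only values this endpoint will ever see. The
    token is checked, but ownership of the requested order is not."""
    _authenticate(headers)
    order = ORDERS.get(body["order_id"])
    if order is None:
        raise NotFound("order not found")
    return order


def get_order_hardened(headers: dict, body: dict) -> dict:
    """Identity comes from the token, never from the request body, and the
    object is only returned if the caller owns it. A missing order and a
    foreign order get the same response so valid ids cannot be enumerated."""
    user = _authenticate(headers)
    order = ORDERS.get(body["order_id"])
    if order is None or order["owner"] != user:
        raise NotFound("order not found")
    return order


def enumerate_orders(handler, headers: dict, id_range) -> list[int]:
    """What an attacker's script does: walk the id space with one valid
    token and collect every order the endpoint hands back."""
    readable = []
    for order_id in id_range:
        try:
            handler(headers, {"order_id": order_id})
        except (NotFound, Unauthorized):
            continue
        readable.append(order_id)
    return readable


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    print("vulnerable:", enumerate_orders(get_order_vulnerable, bob, range(1000, 1010)))
    print("hardened:  ", enumerate_orders(get_order_hardened, bob, range(1000, 1010)))
```

With Bob's token the vulnerable handler hands back all three orders, including Alice's shipping addresses; the hardened handler returns only order 1002. The same rate limiting, bot detection and input validation applied to the website's forms need to sit in front of the API as well, since, as the quote says, it is just another service on the internet.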
Rather than having the device turn into something that can spy on them, enterprises need to be using good mobile device management software. “Tools that lockdown the camera and the microphone. Enterprises can adopt that as a standard and roll it out as part of the mobile device management system they use,” Shaul said.
Beyond the API as another attackable surface, the issues in the application code itself remain largely unfixed, because mobile applications generally lack good security testing and strong security-focused development processes.
“If the APIs are going to be pushing the whole order of web traffic, it’s going to take a different architectural approach to fix mobile security. You get into a scale where you are required to go into the cloud, and for some that is going to be a challenge,” Shaul said.
This story, “Protecting the enterprise against mobile threats” was originally published by CSO.