Guest Post: More on BYOD

As the world of computers, mobile devices, and technology in general, continue to exponentially evolve, so too must our need and desire to secure our communications, our data, and to that end our privacy. There is hardly a day that goes by anymore that we don’t hear of some major security breach of a large corporation, but this also directly impacts the individual. We have to make a concerted effort to protect our information – particularly on our mobile devices. Our mobile devices are inherently difficult to secure because they send their data over WiFi, which is susceptible to man-in-the middle attacks. We must pursue the security of our data on our mobile devices passionately. People nowadays carry so much private and more importantly valuable information on them that we just absolutely have to protect it. Particularly in this age of BYOD (bring your own device) to work. An even more difficult realm for the infosecurity folks trying to protect their networks. How does one protect a device on a network from malicious intent? How does one keep viruses, Trojans and worms off of the networks when everyone seems to be plugged in to their devices? This article intends to describe some steps that one can take to protect their mobile device both locally by encrypting the mobile device itself and also by utilizing apps that help to secure their email and telemobile device conversations from malevolence.  

 

As noted on the previous article on State of Security released on June 17, 2014, Brent recently discussed 3 tips for BYOD, which were to get these devices off of the production networks, teach people about mobile device security, and finally use what you already have to your advantage when it comes to your own architecture when developing BYOD policies and processes.

 

There are numerous steps that the IT folks can take to help secure their networks in this age of BYOD as mentioned in our previous article, but there are also some very simple and usefultips that we can all follow that will help us in protecting our mobile devices too.

 

Every company should have policies in place regarding the use and misuse of BYOD devices. This must include encryption of the data and remote wiping of the data if the device is lost or stolen, (such as Find my iMobile device, Android Lost, Mobile Security, and Autowipe,). Assuming the BYOD device is under the company’s control.  If not then as  mentioned in the previous article getting these devices off of the production network is a must. Every  company should at least require authentication and hopefully two-factor authentication of the device.  This would allow the organization some degree of control when it comes to resetting passwords, locking the device when it’s not in use, logging, etc. If it’s not, then asking employees to adhere and sign a code of conduct with regard to their device is a must, as well as periodic employee education. A quick Google search will reveal apps that can help with two-factor authentication too. Such as RSA Secure Alternative, SMS passcode, and Duosecurity.

 

The next step is to encrypt the mobile device itself upon ending your session. Thereby protecting your information from even the apps that you currently having running on the mobile device itself. All apps go through an approval process where they are tested, validated and checked for security, but there have been times where an app passed through such a process and still contained malicious code that sent back stolen personal information to the attacker. This is a particular issue in the Android market. Companies such as Cryptanium and Arxan offer integrity protection, jailbreak detection, anti-debug detection and reverse engineering protection. So if a attacker does manage to get ahold of your device it makes it much more tamper resistant. 

 

Apps that offer encrypted communication such as voice, video, text and/or file transfers are also a consideration. Silent Circle, Redmobile device and Whisper Systems offer such encrypted communication for a fee. Wickr and Cryptocat do this too, but are free. If you are just interested in encrypted text messages (SMS) then perhaps Babel, Whisper, or Akario is for you.

 

In today’s mobile device market there are a plethora of apps many of which do what they describe when it comes to helping to protect our information. Yet as with anything else if there is a will, there is a way, this is particularly true for those that mean to steal our information. If they have a desire to acquire your information they will make a concerted effort to try to extract it from your device. It is up to us to make it as difficult as possible for them to ever get it. For now there does’t seem to be a lot of apps that actually encrypt all of your information locally to the mobile device. Or if it does offer some degree of encryption then it does so over a potentially vulnerable, networked platform. In short there is no single magic bullet that will encrypt all of your mobile devices data and communications for free, but there are some out there for a fee will offer to do so. The other issue that arises is if you use said company do they have access to the information that you were trying to protect in the first place. What’s to keep a rogue employee from accessing your data? All of this can make your head spin. The moral of the story is to make good choices, use your common sense and don’t put anything on a mobile device that you aren’t willing to share with others. Be safe out there.

 

About Preston:

Preston Kershner is new to the info-security family, where he has a variety of lateral interests in topics such as cybersecurity, information security, incident handling and response, computer forensics and malware analysis. Preston has been in the medical field for over 20 years and is currently transitioning into the infosec community. When not being an information junkie, Preston enoys spending time with his family. He also enjoys learning everything he can about astrobiology (the search for exoplanets that have a potential to habour life). You can follow Preston as he continues to expand his knowledge and experience in these realms at http://www.linkedin.com/pub/preston-kershner/3a/493/965/ & follow him on Twitter (@redman7373).

 

About Brent:

Brent Huston is the Security Evangelist and CEO of MicroSolved, Inc. He spends a LOT of time breaking things, including the tools/techniques and actors of crime. When he is not focusing his energies on chaos & entropy, he sets his mind to the order side of the universe where he helps organizations create better security processes, policies and technologies. He is a well recognized author, surfer, inventor, sailor, trickster, entrepreneur and international speaker. He has spent the last 20+ years dedicated to information security on a global scale. He likes honeypots, obscure vulnerabilities, a touch of code & a wealth of data. He also does a lot of things that start with the letter “s”. You can learn more about his professional background here: http://www.linkedin.com/in/lbhuston & follow him on Twitter (@lbhuston).

 

Disclaimer:

It should be noted that some of the apps are free, some apps are cloud-based, some are open source and some are at a cost to the consumer. In no way do we endorse the applications in this article. 


3 Tips for BYOD

I wanted to take a few moments to talk about 3 quick wins you can do to help better deal with the threats of BYOD. While much has been said about products and services that are emerging around this space, I wanted to tack back to 3 quick basics that can really help, especially in small and mid-size organizations.

1. Get them off the production networks – an easy and often cheap quick win is to stand up a wireless network or networks that are completely (logically and physically) separated from your production networks. Just giving folks an easy and secure way to use their devices at the office may be enough to get keep them off of your production networks. Back this up with a policy and re-issue reminders periodically about the “guest network”. Use best practices for security around the wifi and egress, and you get a quick and dirty win. In our experience, this has reduced the BYOD traffic on production segments by around 90% within 30 days. The networks have been built using consumer grade equipment in a few hours and with less than $500.00 in hardware.

2. Teach people about mobile device security – I know, awareness is hard and often doesn’t produce. But, it is worth it in this case. Explain to them the risks, threats and issues with business data on non-company owned devices. Teach them what you expect of them, and have a policy that backs it up. Create a poster-child punishment if needed, and you will see the risks drop for some time. Keep at it and it just might make a difference. Switch your media periodically – don’t be afraid to leverage video, audio, posters, articles and emails. Keep it in their face and you will be amazed at what happens in short term bursts.

3. Use what you already have to your advantage – There are hundreds of vendor white papers and configuration guides out there and it is quite likely that some of the technologies that you already have in place (network gear, AD Group Policy Objects, your DHCP & DNS architectures, etc.) can be configured to increase their value to you when considering BYOD policies and processes. Quick Google searches turned up 100’s of Cisco, Microsoft, Aruba Networks, Ayaya, etc.) white papers and slide decks. Talk to your vendors about leveraging the stuff you already have in the server room to better help manage and secure BYOD implementations. You might save money, and more importantly, you might just save your sanity. 🙂

BYOD is a challenge for many organizations, but it is not the paradigm shift that the media and the hype cycle make it out to be. Go back to the basics, get them right, and make rational choices around prevention, detection and response. Focus on the quick wins if you lack a long term strategy or large budget. With the right approach through rapid victories, you can do your team proud!

How Risky is the Endpoint?

I found this article quite interesting, as it gives you a heads up about the state of endpoint security, at least according to Ponemon. For those who want to skim, here is a quick summary:

“Maintaining endpoint security is tougher than ever, security professionals say, thanks largely to the huge influx of mobile devices.

According to the annual State of the Endpoint study, conducted by the Ponemon Institute and sponsored by Lumension, 71 percent of security professionals believe that endpoint security threats have become more difficult to stop or mitigate over the past two years.

…More than 75 percent said mobile devices pose the biggest threat in 2014, up from just 9 percent in 2010, according to Ponemon. Some 68 percent say their mobile devices have been targeted by malware in the past 12 months, yet 46 percent of respondents say they do not manage employee-owned mobile devices.

…And unfortunately, 46 percent of our respondents report no efforts are in place to secure them.”

…While 40 percent report they were a victim of a targeted attack in the past year, another 25 percent say they aren’t sure if they have been, which suggests that many organizations don’t have security mechanisms in place to detect such an attack, the study says. For those that have experienced such an attack, spear-phishing emails sent to employees were identified as the No. 1 attack entry point.

…The survey found that 41 percent say they experience more than 50 malware attacks a month, up 15 percent from those that reported that amount three years ago. And malware attacks are costly, with 50 percent saying their operating expenses are increasing and 67 percent saying malware attacks significantly contributed to that rising expense.

…While 65 percent say they prioritize endpoint security, just 29 percent say their budgets have increased in the past 24 months.” — Dark Reading

There are a couple of things I take away from this:

  • Organizations are still struggling with secure architectures and enclaving, and since that is true, BYOD and visiblility/prevention efforts on end-points are a growing area of frustration.
    • Organizations that focus on secure architectures and enclaving will have quicker wins
    • Organizations with the ability to do nuance detection for enclaved systems will have quicker wins
  • Organizations are still focusing on prevention as a primary control, many of them are seriously neglecting detection and response as control families
    • Organizations that embrace a balance of prevention/detection/response control families will have quicker wins
  • Organizations are still struggling in communicating to management and the user population why end-point security is critical to long term success
    • Many organizations continue to struggle with creating marketing-based messaging for socialization of their security mission
If you would like to discuss some or all of these ideas, feel free to ping me on Twitter (@lbhuston) or drop me an email. MSI is working with a variety of companies on solutions to these problems and we can certainly share what we have learned with your organization as well. 

Resources for Mobile Application Security

Mobile application security continues to be a hot topic within the information security community. With more and more employees expecting to use their own devices at their workplaces, IT departments are scrambling to develop the right approach for securing their data.

If you’re working on developing security policies or seeking ways to secure your mobile applications, you may find some of these resources helpful. Stay safe out there!