Session on enterprise mobile security by Ajay Gabale (AVP - Technology) and Dwarakanathan LN (Head - TCG) during Endeavour Regional Mobility Conference - India.
Also visit: http://www.techendeavour.com/mobility-offerings/security-architecture for more details on how we help our clients in enterprise mobile security.
Over the past two decades, we have witnessed significant technology advances in mobile devices, from the personal data assistants (PDAs) of the late 1990s and early 2000s to the ubiquitous and multifunctional smartphones of today. These advances have extended the virtual boundaries of the enterprise, blurring the lines between home and office, and between coworker and competitor, by providing constant access to email, enabling new mobile business applications and allowing the access to, and storing of, sensitive company data.

In this presentation, we will outline the risks related to today’s most popular mobile device platforms and technologies, along with methods by which an organization may assess its exposure to these risks. Finally, we will outline means by which many of these risks may be mitigated through technical device controls, third-party software, and organizational policy. These components all contribute to an enterprise-grade mobility management program that will ultimately serve as a guide in the rapidly evolving mobile environment.

As the mobility of today’s workforce continues to grow, the phrase “out of the office” is less and less relevant, and the flow of information in and out of the organization is increasing dramatically and becoming more difficult to control. The mobile workforce’s demand for connectivity is driving change in the way organizations support their employees away from the office and on their personal computers. On the other side, companies are also expected to release and support robust and functional mobile device-friendly applications for their customers.

With the increase in mobile device capabilities and subsequent consumer adoption, these devices have become an integral part of how people accomplish tasks, both at work and in their personal lives.

Although improvements in hardware and software have enabled more complex tasks to be performed on mobile devices, this functionality has also increased the attractiveness of the platform as a target for attackers. Android’s “open application” model has led to multiple instances of malicious applications with hidden functionality that surreptitiously harvest user data [1]. Similarly, third-party Android application markets in China have been identified as hosting applications with administrative remote command execution capability.

Many organizations are concerned about data integrity, and increased regulation and data protection requirements have placed further obligations on organizations to properly secure data that interacts with mobile devices. As a result, higher levels of security and data protection assurance are required — potentially more than vendors or the platforms themselves are currently able to provide.

As companies around the globe look to increase the productivity of their employees or deploy new applications to appeal to an ever-increasing mobile world, corresponding security challenges present themselves. Unfortunately, the benefits and rewards of using mobile devices are sometimes counteracted by fraud and security risks.

As an example, security researchers have identified several iPhone security vulnerabilities that allowed users to bypass device restrictions and install their own firmware [2]. This may result in the users’ ability to bypass many of the restrictions that prevent malicious software from running on the device. Such vulnerabilities must be considered when choosing which mobile platform(s) to support.
Mobile device attack surface is narrow but deep
The attack surface on mobile devices is small from a traditional network security perspective but very deep, both in terms of services (e.g., applications, messaging, push and web services) and attack vectors targeting the user (e.g., browser-based attacks, social engineering attacks, phishing attacks targeting small screens, etc.).

Mobile malware
Highly standardized, rich, native APIs make mobile malware development and distribution straightforward and more scalable than on PCs. It is easy for malicious software to access device data and functionality, leading to consequences such as data disclosure and unforeseen charges.

Application (and subsequently data) proliferation
Vendor application stores and end user awareness are heavily relied upon as lines of defense. However, vendor application store validation processes have their limitations, not focusing strictly on security, and users install applications with little due diligence.

Device and data loss
Mobile devices have a highly portable form factor and as a result are easily prone to loss or theft. Loss of a device can lead to the loss of sensitive information including stored credentials, personally identifiable information (PII), corporate data, etc.

Device and data ownership
When it comes to data stored on mobile devices, both corporate and employee owned, data ownership and liability questions are still not settled. Significant data privacy issues may arise between employees and enterprises as employees use corporate devices for personal activities and personal devices for business purposes.

Network communication channels
Data in transit between the mobile device and server may be intercepted. Transmission may occur over any supported medium such as Wi-Fi, Bluetooth, GSM, etc. These transmission methods can potentially be exploited in order to gain unauthorized access to sensitive data.

Immature security solutions
There are multiple dominant mobile operating systems and multiple carrier-specific implementations of each. This results in a far more diverse ecosystem than today’s desktop environment and makes it difficult to deploy singular solutions for mobile security.

Less IT control
The rules of the game have changed – users and executives are driving decisions around devices, platforms and applications while IT teams are scrambling to provide secure, manageable solutions.

Lack of a formal strategy
Device churn is high, app growth is explosive, products remain immature and the threats are evolving – the technical landscape will continue to change. Managing through rapid change without a formal program and strategy invites confusion and costly rework.
1. Though many organizations are still uncomfortable with consumerization, security and data breach incidents in 2012 will force them to face BYOD-related challenges.
The Bring-Your-Own-Device (BYOD) era is here to stay. As more and more corporate data is stored on or accessed by devices that are not fully controlled by IT administrators, the likelihood of data loss incidents that are directly attributable to the use of improperly secured personal devices will rise. We will definitely see incidents of this nature in 2012.

2. The real challenge for data center owners will be dealing with the increasing complexities of securing physical, virtual, and cloud-based systems.
While attacks specifically targeting virtual machines (VMs) and cloud computing services remain a possibility, attackers will find no immediate need to resort to these because conventional attacks will remain effective in these new environments. Virtual and cloud platforms are just as easy to attack but more difficult to protect. The burden will thus fall on IT administrators who have to secure their company’s critical data as they adopt these technologies. Patching a big array of virtualized servers is a challenge, allowing hackers to hijack servers, to fork traffic, and/or to steal data from vulnerable systems.

3. Smartphone and tablet platforms, especially Android, will suffer from more cybercriminal attacks.
As smartphone usage continues to grow worldwide, mobile platforms will become even more tempting cybercriminal targets. The Android platform, in particular, has become a favorite attack target due to its app distribution model, which makes it completely open to all parties. We believe this will continue in 2012 although other platforms will also come under fire.

4. Security vulnerabilities will be found in legitimate mobile apps, making data extraction easier for cybercriminals.
To date, mobile platform threats come in the form of malicious apps. Moving forward, we expect cybercriminals to go after legitimate apps as well. They will likely find either vulnerabilities or coding errors that can lead to user data theft or exposure. Compounding this further is the fact that very few app developers have a mature vulnerability handling and remediation process, which means the window of exposure for these flaws may be longer.

5. Even though botnets will become smaller, they will grow in number, making effective law enforcement takedowns more difficult to realize.
Botnets, the traditional cybercrime tool, will evolve in response to actions taken by the security industry. The days of massive botnets may be over. These may be replaced by more, albeit smaller but more manageable, botnets. Smaller botnets will reduce risks to cybercriminals by ensuring that the loss of a single botnet will not be as keenly felt as before.

6. Hackers will eye nontraditional targets, so flawed Internet-connected equipment, ranging from SCADA-controlled heavy industrial machinery to medical gadgets, will come under attack.
Attacks targeting supervisory control and data acquisition (SCADA) systems as well as other equipment accessible via networks will intensify in 2012 as certain threat actors go beyond stealing money and valuable data. STUXNET and other threats in 2011 highlighted how SCADA has become an active target. Proof-of-concept (POC) attacks against network-connected systems, including medical equipment, are expected to ensue.

7. Cybercriminals will find more creative ways to hide from law enforcement.
Cybercriminals will increasingly try to profit by abusing legitimate online revenue sources such as online advertising. This will help them hide from the eyes of both law enforcement and antifraud watchdogs hired by banks and other financial agencies.

8. More hacker groups will pose a bigger threat to organizations that protect highly sensitive data.
Online groups such as Anonymous and LulzSec rose to prominence in 2011, targeting companies and individuals for various political reasons. These groups are likely to become even more motivated in 2012. They will become more skilled both at penetrating organizations and at avoiding detection by IT professionals and law enforcement agencies. Organizations will have to deal with this new threat and increase their efforts to protect vital corporate information.

9. The new social networking generation will redefine “privacy.”
Confidential user information is ending up online, thanks in large part to users themselves. The new generation of young social networkers has a different attitude toward protecting and sharing information. They are more likely to reveal personal data to other parties, such as on social networking sites. They are also unlikely to take steps to keep information restricted to specific groups such as their friends. In a few years, privacy-conscious people will become the minority—an ideal prospect for attackers.

10. As social engineering becomes mainstream, SMBs will become easy targets.
To date, the craftiest social engineering ploys have been directed against large enterprises. However, cybercriminals are now so adept at social engineering that the effort to target companies individually—big or small—is becoming less costly. This and the greater volume of personal information available online will allow cybercriminals to launch more customized and fine-tuned attacks against small and medium-sized businesses (SMBs). As in previous attacks against SMBs, cybercriminals will continue focusing on gaining access to companies’ online banking accounts.

11. New threat actors will use sophisticated cybercrime tools to achieve their own ends.
Targeted attacks will continue to grow in number in 2012. Cybercriminals will not be the only ones using these attacks, however. As the effectiveness of advanced persistent threats (APTs) becomes more obvious, other parties such as activist groups, corporations, and governments will find themselves using similar cybercrime tools and tactics to achieve their goals.

12. More high-profile data loss incidents via malware infection and hacking will occur in 2012.
High-profile attacks will continue to hit major organizations in 2012. Important and critical company data will be extracted through malware infection and hacking. As a result, significant data loss incidents will ensue, potentially affecting thousands of users and their personal information. These incidents can result in significant direct and indirect losses to concerned parties.
Requirements
- End-to-end security requirements
- Third-party app integration security requirements
- Identify requirements for (offline) user data access
- Accessing sensitive information

Architecture and Design
- Consider platform security features (security APIs)
- Consider infrastructure security (VPN, two-factor and multi-factor authentication)

Construction
- Follow secure coding practices
- Use the security frameworks, tools and APIs provided by the platform
- Managing application data

Testing
- Threat modeling
- Network testing
- Application data exploitation

Deployment
- Use deployment policies as per platform guidelines
- Follow app store guidelines
- Use profiles and certificates to avoid unauthorized access
- OTA updates
Devices can be configured remotely and kept compliant with IT policy. Configuration policies can be configured manually or pushed over-the-air. The provisioning process involves installation of certificates on devices and authentication of users into the enterprise domain.

In case of loss of a device, or for any other reason, data can be remotely wiped from the device. Security policy can be enforced so that users are not able to downgrade or change the policies. Hardware features such as the camera can be disabled remotely.

MDM provides a mechanism to have a custom in-house store, where enterprise applications can be hosted. The custom application catalog enables the enterprise to distribute and also update applications.
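The policy enforcement, camera restriction, compliance check and remote wipe described above, as they map onto Android's DevicePolicyManager API. This is an added example, not code from the presentation or from Tech Endeavour; it assumes the MDM agent app already declares a DeviceAdminReceiver subclass named EnterprisePolicyReceiver in its manifest with the matching policies in device_admin.xml, and that the user has activated it during provisioning.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

// Added example: applies the MDM controls described above via Android's device-admin API.
// Assumes EnterprisePolicyReceiver (a DeviceAdminReceiver subclass) is declared in the
// manifest with the limit-password, force-lock, wipe-data and disable-camera policies.
public final class EnterprisePolicy {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public EnterprisePolicy(Context ctx) {
        dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(ctx, EnterprisePolicyReceiver.class);
    }

    // Push the baseline policy; returns false if the admin is not active so the
    // agent can send the user back through the provisioning flow instead.
    public boolean enforceBaseline() {
        if (!dpm.isAdminActive(admin)) {
            return false;
        }
        // Passcode policy: alphanumeric, at least 8 characters, auto-lock after 5 minutes.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);
        // Brute-force protection: wipe the device after 10 failed unlock attempts.
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);
        // Remotely pushed hardware restriction: disable the camera for all apps.
        dpm.setCameraDisabled(admin, true);
        // Require storage encryption where the hardware supports it.
        dpm.setStorageEncryption(admin, true);
        return true;
    }

    // Compliance state the agent reports back to the MDM server. isAdminActive is part
    // of the check because a user can deactivate a plain device-admin app.
    public boolean isCompliant() {
        return dpm.isAdminActive(admin)
            && dpm.isActivePasswordSufficient()
            && dpm.getCameraDisabled(admin)
            && dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
    }

    // Remote wipe on loss or theft: factory-reset internal storage and, if requested,
    // the external storage (SD card) as well.
    public void remoteWipe(boolean includeExternalStorage) {
        dpm.wipeData(includeExternalStorage ? DevicePolicyManager.WIPE_EXTERNAL_STORAGE : 0);
    }
}
```

A plain device-admin app can still be deactivated by the user, which the agent detects through isAdminActive and reports as non-compliant; preventing that entirely requires provisioning the agent as device owner.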