CYBER & INFOSEC

"blogger, InfoSec specialist, super hero ... and all round good guy" 

DISCUSSIONS, CONCEPTS & TECHNOLOGIES FOR THE WORLD OF

JOIN THE DISCUSSION

Mobile Security should be your top concern

The world is much smaller than it was thirteen years ago. In 2007 Steve Jobs announced the Apple iPhone. It was an innovative product because it brought mobile Internet into the pockets of millions of people.

Smartphones were in existence before the iPhone. Blackberry devices were standard issued devices for mobile email connectivity. The Treo handsets were popular with technology-minded corporations because they delivered a mobile Internet presence and could be expanded by applications. Windows mobile devices had a loyal following. However, not one of these device categories completely dominated the market and captured people's imaginations.

When the iPhone was released and its subsequent software and hardware revisions, it balanced out the power and the flexibility needed for business communications while providing aesthetic and cosmetic quality in design and function that consumers enjoy. Since the iPhone's debut, we have seen an explosion in consumer first, Internet of Things, business-ready devices from Apple, Samsung, Google, and many others. However, as users have become more mobile and carry more information on their devices, the security risks and potential vulnerabilities this introduces to an organization have increased dramatically. The mobility of the workforce is the most critical cybersecurity vulnerability facing IT managers today.

According to Cisco Systems, "by the end of 2014, the number of mobile-connected devices will exceed the number of people on earth, and by 2018 there will be nearly 1.4 mobile devices per capita. There will be over 10 billion mobile-connected devices by 2018 (Cisco Visual Networking Index, 2014). That report published in 2014 shows us that even the most liberal estimates never came close to estimating the smartphone market's growth in 2018. According to the website Oberlo, "Latest figures show an increasing number of smartphone users year after year. In 2020, the number of global smartphone users is projected to total 3.5 billion, marking a 9.3 percent increase from 2019.

The current global population of 7.7 billion people means the smartphone penetration rate is at 45.4 percent. In other words, more than four out of every ten people in the world are currently equipped with a smartphone. (Oberlo)

Almost every September, when a new iPhone is released, it is virtually clockwork expectations from the general public that there will be a media blitz. People may no longer line up for days, but Apple still sold out popular models within minutes of the iPhone release in 2020. Many people will load their Apple or mobile carrier websites waiting for devices to go on sale, all of them waiting to get a taste of the Steve Jobs wonder device.

Users prefer to use devices for personal and business use. When you can knock out a few extra hours of work during a time-out at your children's soccer game for you to spend some spare time with your children at home, it is easy to see why there is an attractiveness to be connected all the time. Many organizations see the benefit and increased productivity of giving users devices they feel comfortable with, using regularly, and being responsive.

Joseph Bradley, in his blog titled, New Analysis: Comprehensive BYOD Implementation Increases Productivity, Decreases Costs states,

"The growth of connected devices is impacting enterprises worldwide. However, the key to unlocking value is shifting from the number of connected devices to the value of the connections themselves. We define a connection as the intersection of People, Process, Data, and Things—coming together to form the Internet of Everything (IoE). The IoE opportunity represents 21 percent of corporate profits, or 14.4 trillion dollars over the next ten years, worldwide. Capturing the potential value of IoE depends on an inclusive business environment that facilitates innovation and productivity. Fostering a work-your-way environment by empowering employees to bring their own devices is a critical part of the solution". (Bradley, 2013).

It is no longer about wanting to produce data. It is about having access to information anytime, anywhere, about anything, and available all the time. This leads itself to a competitive workforce that both employees and employers want to take advantage of. Today, in 2021, potential employees working remotely and from home evaluate technology refresh programs, personal technology siphons, and bring your device (BYOD) acceptability in organizations when deciding what job offers to accept or decline.

Organizations must provide these options to stay competitive and attract new talent. Opening up intellectual data, allowing users to access corporate information outside the walls of an organization, and managing risk while providing value to their employees is challenging for organizations.

In the past, organizations had a clear security perimeter. They knew where their Internet demarcation points existed, and new data and traffic beyond these demarcation points could not be trusted and must be treated as potentially hostile. Firewall and Intrusion Prevention Systems were put in place. Mobility and introduced a new world for IT security organizations. Demarcation when corporate traffic ends and where public traffic starts can no longer be identified.

The COVID-19 virus forced users to telecommunicate, use virtual private networks (VPNs) or complete their work using web-based applications that can be accessed from any device from anywhere in the world. As the world and our behaviors evolve to the new normal in terms of culture and remote connectivity, we have to realize our world has changed and how corporate users will connect to networks and communicate. There will not be a vaccine, protocol, or reset button to bring everything back to normal without adaption. That adaption means more remote connectivity is going to increase even further.

Discounting the issues of remote users or teleworkers, even what has once considered traditional users have multiple mobile devices from tablets, smartphones, and mobile hotspots that they might use during a day within the walls for an organization to access corporate information.

Mobile hotspots may not be needed as they were in the past to be used when an ad-hoc meeting is scheduled in a conference room with little connectivity. They have mainly been replaced with smartphones with hotspot capabilities that can be used at lunch to check emails.

Need some extra power, a larger entertainment screen, or a portable device with some flexibility? Tablets such as the iPad are the go-to choices. Many people feel these can be full productivity replacement devices for laptops with powerful apps, keyboards, and trackpads.

In his article, Doug Drinkwater, CISOs Must Move Beyond Perimeter Security; he states that organizations believed they were castles, and like most castle builders, they thought building high walls and moats could contain the situation of information security threats (Drinkwater, 2014).

Attackers have analyzed the organization's perimeter information security defenses, and for the most part, they realize that perimeter defenses are solid. Attackers are no longer trying to find vulnerabilities within firewalls or other security devices because, for the most part, they do not exist or are incredibly time-consuming to take advantage of.

Therefore, they are turning their attention to a much easier target. They are turning their attention to a system that, in many cases, is completely neglected, ignored, rarely updated, and easily defeated.

Attackers today are attacking the human element. They target and exploit an organization's users.

In an article published by Infoworld, 5 Takeaways of Verizon DBIR by Roger Grimes, it is noted that insider or employee threats do not make up the majority of cyber threats that organizations face. What is an insider threat? According to the Workshop on Research for Insider Threats Organization published on the Software Engineering Institute's (SEI) blog run by Carnegie Mellon University), "The threat of attack from insiders is real and substantial. An insider can be defined as a current or former employee, contractor, or another business partner who has authorized access to an organization's network, system, or data. Malicious insiders are those who intentionally exceed or misuse that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information or information systems" (SEI 2013).

There is no arguing, all though the probability of today's insider threats is low compared to other threats, their risk is rising, and more and more insider threats are occurring. Furthermore, when successful insider threats do occur, they can cause massive and unrecoverable damage. Recent examples of insider threats include Edward Snowden.

He was an employee and trusted contractor. Referencing our castle methodology earlier, Edward Snowden didn't need to get over the massive castle walls. He was invited in from the beginning and was one of the guards on the wall. No amount of perimeter security would have helped the National Defense Agency protect against an attack similar to what Edward Snowden carried out.

Edward Snowden, Bradley Manning, and many other insider threat examples are based on malicious individuals with a motive to carry out destructive damage to an individual. However, what if the individual did not know the destruction they could cause or be causing?

What if they were simply a pawn being taken advantage of by utilizing the same technology that makes them more productive? Organizations realize that mobile device enablement is just as big of a real insider threat as is a malicious individual. Mobile devices have unprecedented access to corporation sensitive data. They can be used unknowingly to the user to capture corporate information and transmit it to unauthorized individuals.

Mobile devices used in corporations have access to corporate email, user lists, network shares, and wireless login information. Mobile devices also have multiple forms of communication. For example, mobile devices can connect to the corporate wireless network to gather information and perform network reconnaissance.

Attackers can control and transmit sensitive data from mobile devices thru a mobile network, thereby bypassing all corporate security controls.

Aamir Lakhani (full disclosure Lakhani is the author of this paper, yes mom, it's me!), security consultant showcased at Hacker Halted in 2012 in his presentation Bring Your Own Destruction how he performed a network security penetration test by sending an organization a modified mobile phone thru a FedEx package with an extended battery. As the mobile phone sat in the organization's shipping room, security consultant Lakhani was able to control the mobile phone thru the mobile provider, perform and record exploits on the organization thru their corporate wireless network, and perform pivoted, chained exploits on the organizations corporate assets to maintain persistence connectivity. Lakhani recorded on Concise Courses can find a summary of the talk. (Lakhani 2012).

Dan Goodin from Ars Technica reported on an Android bug that allows attackers to remote exploit Android devices, manipulate those devices, expose and transmit information (Goodin 2014). All this can be accomplished without the user's consent nor knowledge. These exploits are part of the much vulnerability that gets exposed with mobile device platforms every year. The popularity of the devices and the need from device manufacturers to ensure devices are easy to use, develop, and configure security models found in other corporate devices.

However, the popularity of the devices for the same reasons mentioned above also makes it almost impossible to get corporate entities to give their users alternate solutions that they will accept.

Attackers are using mobile devices against unsuspecting users against them as launching points for complicated attacks using various attack methods. SMS worms are the most common types of attacks. (Rapoza, 2012). SMS propagates to other mobile phones by sending a victim an SMS message. The SMS message can be encoded to execute a program. It can also be low tech taking advantage of social engineering techniques by enticing users to click on a link or send or reply to an SMS text.

Scanning the victim's phone book, sending SMS messages to their contacts, and traversing thru Bluetooth and WiFi connections usually propagates worms. Code that executes thru SMS worms can potentially install backdoors for attackers to compromise systems and remain hidden.

These types of backdoors can be used to compromise 2-factor authentication systems that use text messages for authentication. Think you are safe when your bank wants to send you a text message with a code? Think again, these worms are designed to steal and transmit that and other sensitive information from your phone. SMS toll-charge fraud is designed to take advantage of mobile phone carrier billing for premium texts. These worms sign your phone number up for premium services and charge your phone bill thousands of dollars. By the time you get the bill, the attacker has the money from your mobile provider, and you are stuck with the bill. Laws regarding consumer protection for mobile phone fraud are unclear and not established at best, leaving most grunt work and research to the consumer or organization. Websites such as www.spoofcard.com show how easy it is to use caller ID spoof to send a victim a text message appearing as another phone number or person. Spoofcard also lets attackers call victims and making their phone numbers appear as anything they want.

In many cases, if you call a mobile phone and make it appear like you are that mobile phone, essentially by calling yourself, in most cases, you will be logged into that phone's voicemail. The trick is not new and has been documented for years. Kevin Mitnick, in his book The Art of Deception, described using this technique for years. He alluded to how individuals could use this technique to get into celebrity's voicemails and mobile phone emails to steal confidential texts and pictures (Mitnick, p-112-124, iBooks Edition).

In recent years private pictures stolen from celebrities and voicemails have been highlighted in the media. This appears to be a common technique that was used. Organizations must work with their users and work within the mobile devices' capabilities and limitations to protect their information. Many mobile devices do not offer enterprise-ready encryption or authentication services. We see a transition from Bring Your Own Device (BYOD) to Bring Your Own Apple or Samsung Device because of these limitations.

The Apple discussion forum at https://discussions.apple.com/thread/2738932?tstart=0 highlights how Apple devices can only "forget" about connecting to wireless when they are in the range of that wireless network. If they are not, the user does not have the Apple device's ability to beacon and request over the air if the network exists.

The issue with this is attackers can use this beacon to tell mobile devices they are legitimate networks, and mobile devices should connect to them.

From that point, attackers can carry out man-in-the-middle attacks and intercept user passwords and other data traffic. They can even disrupt encrypted communication channels in some cases to allow access to information the user may think is unreadable.

Organizations are turning into various mobile protection software suites and techniques to try and mitigate these risks. They include using mobile device management software to manage and secure these devices. According to VMWare's AirWatch, Manage Your Device Fleet, popular manufacture of mobile device management software they state, "Mobile Device Management enables businesses to address challenges associated with mobility by providing a simplified, efficient way to view and manage all devices from the central admin console."

They claim their solution allows enterprise organizations to manage and secure multiple devices with multiple operating systems with a single corporate-wide security and usage policy (Manage Your Device Fleet).

Organizations are also attempting to give single devices multiple personas by dividing up the function of business-related information into secure containers closely controlled and monitored.

In their article What is a Secure Container, Mobile Helix describes a mobile device container as "a secure container is a separate, partitioned and secure environment on a mobile device in which to run corporate applications and store related sensitive corporate data.

Containers are an increasingly important component of a mobility strategy as enterprises look to support BYOD programs" (What is a Secure Container). The biggest issue with secure containers is that they make sharing data between secure container apps and other applications very difficult.

If you want to have a unified address book or email inbox, it is almost impossible to achieve with today's secure container solutions. They also have inadequate protection in securing the device and concentrate their security efforts in obtaining information inside the container.

Mobile devices continue to challenge IT managers. They struggle in providing users what they are asking for in the workplace while securing information. IT Managers do not have the luxury of denying requests in fear of user uprising, losing competitive advantage, or losing productivity.

IT Managers who comply in implementing these technologies risk introducing significant risks that could adversely affect a business's livelihood. Manufacturers such as Apple and Google continue to add features to help support enterprise users but have clearly stated they are a consumer products oriented manufacture first. This creates ideological difficulties for IT managers who are used to managing user devices in different manners than the options available to them today.

In conclusion, mobile devices' popularity to allow instant and easy access to any information, the popularity of these devices, and the proliferation of their usage in corporate environments is the most critical cybersecurity vulnerability facing IT managers today.

References


Bradley, J. (2013, May 22). New Analysis: Comprehensive BYOD Implementation Increases Productivity, Decreases Costs. Retrieved July 13, 2014, from http://blogs.cisco.com/news/new-analysis-comprehensive-byod-implementation-increases-productivity-decreases-costs/



Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2013–2018. (2014, February 5). Retrieved July 13, 2014, from http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white_paper_c11-520862.html



Drinkwater, D. (2014, February 26). RSA 2014 CISOs must move beyond perimeter based security. Retrieved from http://www.scmagazine.com/rsa-2014-cisos-must-move-beyond-perimeter-based-security/article/335825/



Goodin, D. (2014, June 28). Serious Android crypto key theft vulnerability affects 10% of devices. Retrieved July 13, 2014, from http://arstechnica.com/security/2014/06/serious-android-crypto-key-theft-vulnerability-affects-86-of-devices/



Grimes, R. A. (2014, April 29). 5 takeaways from Verizon’s 2014 Data Breach Investigations Report. Retrieved July 13, 2014, from http://www.infoworld.com/d/security/5-takeaways-verizons-2014-data-breach-investigations-report-241488



http://www.sei.cmu.edu/community/writ2013/. (n.d.). Retrieved July 13, 2014, from http://www.sei.cmu.edu/community/writ2013/



Karma RogueAP(Powerfull Wireless Pen-Testing Tool). (2008, July 20). Retrieved July 13, 2014, from http://wifi0wn.wordpress.com/2008/07/20/karma-rogueappowerfull-wireless-pen-testing-tool/



Lakhani, A. (2012, October 23). Hacker Hotshots Archive 2011 – 2014. Retrieved July 13, 2014, from http://www.concise-courses.com/infosec/20121023/



Manage a Diverse Fleet of Devices in Your Enterprise. (n.d.). Retrieved July 13, 2014, from http%3A%2F%2Fwww.air-watch.com%2Fsolutions%2Fmobile-device-management



Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. Indianapolis, IN: Wiley.



Rapoza, K. (2012, March 01). Worm Attacks Coming For Google’s Android – Kaspersky Lab. Retrieved July 13, 2014, from http://www.forbes.com/sites/kenrapoza/2012/03/01/worm-attacks-coming-for-googles-android-kaspersky-lab/



What is a secure container? | Mobile Helix Link | Secure enterprise HTML5. Make Link Container your secure containerization solution for enterprise apps and data. (n.d.). Retrieved July 13, 2014, from http://www.mobilehelix.com/why-mobile-helix/what-is-a-secure-container/

Oberlo: https://www.oberlo.com/statistics/how-many-people-have-smartphones#:~:text=Latest%20figures%20show%20an%20increasing,rate%20is%20at%2045.4%20percent.

1 comment