Tag Archives: mobile device management

One Acronym to Rule Them All…


It seems that maybe MDM (Mobile Device Management) isn’t the most effective solution to an issue as broad and undefined as BYOD (Bring Your Own Device), although it certainly is a simpler one. At a recent CISO panel, Andrew Yeomans, a board member of the Jericho Forum and regular attendee of the RANT event for end user security professionals, was amongst other senior figures in the industry calling for a more effective and rounded solution.

Since the iPhone and G1 came along and convinced us all that PDA owners were on to something after all, the issue of secure mobility has arisen beyond the need to encrypt laptops and USB sticks. This has troubled CISOs and Information Security Managers who are reluctant to tell their CEO “no”; after all information security is positioning itself as an enablement function now. So how do you tackle the problem of making a consumer device, with little inherent security, sufficiently resilient to hold sensitive or regulated corporate data?

It seems that at one point, about 12-18 months ago, MDM was a possible solution; now it is often heralded as the only solution. So what’s the problem, other than that licence fees from some vendors can reach towards £100 per device, and that’s without support or server costs? There is of course the additional strain on already understaffed security departments as well.

So why might MDM be the great info sec white elephant of 2012/13? The main difficulty all security controls encounter is user resistance: if something isn’t intuitive or streamlined it will often be circumvented. MDM may sound like a good blanket solution but it is addressing Bring Your Own Device, and therefore its presence on a personal smartphone or tablet is incredibly intrusive. It is harkening back to the darkest days of Draconian approaches to information security and risk management. To do the job properly MDM needs to lock down the full device and in doing so impacts user experience.

MDM is one solution to fit them all. Fine, your product covers iOS, but is it compatible with the iPod Touch/Nano and the latest iPad Mini too? Yes, you do Android, but does that cover Froyo, Gingerbread, ICS and Jelly Bean? And what about every manufacturer’s Android OS overlay: will it work on employees’ HTC, Sony Ericsson, Samsung, Motorola, LG, Huawei, ZTE, Acer, Asus, Dell and Panasonic handsets? Then there’s the Nexus and Kindle ranges. Fragmentation is a huge problem not only for compatibility but also from a functionality and support perspective. And what about reporting: how do you manage so many disparate devices, and where do you begin with e-Discovery?

Other acronyms don’t necessarily fare any better. MIM (Mobile Information Management) is also troublesome from a security and monitoring perspective; and MAM (Mobile Application Management) is again difficult for the user to adjust to: there’s a sacrifice of native apps and there’s a whole new aesthetic and ecosystem to acclimatise to. The idea of MAM through SDKs and API wrappers, features recently announced by both AirWatch and Webroot, will likely materialise to be the most effective solution in the long-term.

As it stands, for many MDM is too obtrusive a solution for personal devices and much better suited to locking down corporate mobility assets. We’re on the right path, but there’s a lot of work to be done in balancing security, impact, and usability. Come to think of it then, BYOD is just like most other security concerns CISOs have encountered over the last decade.


Threats Facing Android

In a very recent article on PC World’s website, Eric Geier wrote that 2012 will see a rise in information security threats, aided, in part, by the ubiquity of mobile devices – smartphones, tablets and laptops for example – as well as the growing and sustainable popularity of social networks. Cybercrime is going to become a very pressing issue indeed.

Moreover, a new study by McAfee suggests that Android is now the number one attacked mobile platform out there.

With that in mind, we thought we’d give some of you professionals working in forensics, governance and compliance, and information security and risk management a lowdown as to some of the major threats – and vulnerabilities – facing devices using Android.

Third party applications are one of the best things about using Android – the open source nature of it allows for widespread innovation and development, providing consumers and businesses alike with a huge variety of choices. Naturally, established names imply a certain level of tacit trust – you’re confident that you’re getting a reliable product – whereas unfamiliar names bring a level of uncertainty – you’ve got nothing to weigh it up against. Because the open source environment is defined by the sheer volume of developers and products out there, it can be a tough maze to navigate through.

Similarly, Google’s own casual mantra, their guiding company philosophy of openness and close collaboration, though commendable, brings certain obvious weaknesses that are, in comparison to say Apple, a major shortfall. Take for example the verification process for applicants wanting to enter the Android market – in the last two years a number of apps, approved and available to users, have come with malware infections. This is a major area that needs addressing.

Other things to be wary of include privacy settings. Though we may live in an age of ‘over-candidness’, where people reveal odd little titbits on sites like Facebook and Twitter, privacy is still a right worth protecting. However, in some cases, there are transparent weaknesses already built into certain devices. HTC devices, for example, automatically geo-tag photos and Tweets – you actively have to disable this feature. Consequently, other devices alleging localised services could, rather worryingly, sneakily utilise GPS permissions for location tracking. And of course there is the much publicised data collection and exposure on the company’s Sensation and Evo range.

One of the biggest risks is the easy access to a virtual private network (VPN), which many businesses and employees use remotely, providing an easy mobile working environment. Which is great for increased connectivity and in promoting flexible working, but also a route for cybercriminals to infiltrate corporate networks surreptitiously and either introduce corrupt software or thieve important data.

The threats are very real but there are measures in place to help protect Android users. We’ll be discussing that in our next post. In the meantime for further reading check out the Acumin white paper on Android security: http://www.acumin.co.uk/cm/content/resources/white_papers

Open source Android a target for cyber criminals

The smartphone revolution was always inevitable if we considered Moore’s law as indisputable fact. To abridge a very fascinating and somewhat complicated branch of philosophy coupled with technological discourse, Moore’s law relates to the idea put forward in 1965 by Gordon Moore, Intel co-founder, that the number of transistors on a chip would double every 24 months.

Simply put, this would result in technological devices being smaller, more intelligent and powerful than their predecessors. So far so good, this could be a near-enough description of how things have panned out nearly 50 years on from that now prescient statement.

With smartphones coming to dominate the lives of everyone from bankers, to social networkers to information security and risk management professionals, these devices, like their cumbersome ancestors, are vulnerable to – or at least victim to – cyber security breaches.

Google’s Android operating system, which is at the forefront of the smartphone market – it’s available on a wide range of devices at competitive prices – is one which is being most visibly targeted. At any given time there are 40,000 infected devices across the globe, which goes some way to show how serious the problem is for Google.

It comes with the territory – Google, though famous for its adage “don’t be evil”, has grown into a huge multinational corporation with a massively diverse portfolio of operations. Many of which are free, many of which are predicated on the idea of collaboration. This is especially the case with Android, which is based on an open source philosophy – which allows people the freedom to modify, change and improve existing programs.

Which leaves it naturally vulnerable to those seeking to use it for far less noble goals – rootkits, Trojans, botnets, you name it; all of this is able to, in some way, immerse itself into the Android operating system. An apt description of this is the commercialisation of mobile malware, meaning smartphones are now prey to malicious and manipulative rogue software like SpyEye.

That’s just a brief introduction to the current state of play in the growing prevalence of cyber security in mobile devices. In the last year alone, 20 per cent of cyber crime in the United Arab Emirates occurred on mobile devices.

With smartphones fast becoming a part of everyday business, adopting risk management procedures to counter this is going to be an important part of the daily rigmarole.

In our next blog, we’ll look at some of the major threats and vulnerabilities on Android devices.

Download the Acumin white paper on Android Security from here: http://www.acumin.co.uk/cm/content/resources/white_papers

What are you and your organisation doing about Android security?

At the RANT Forum (Acumin’s monthly information security networking event), attendees often complain that they are playing catch up to cybercriminals. It is the bad guys that define the market, they are at the cutting edge as they try and find vulnerabilities, attack vectors, and exploits that will allow them to break in to a network. It is difficult enough for the CISO and Info Sec Manager to ensure that they are recognising and mitigating the appropriate risks, let alone trying to factor in emerging threats such as zero days and second guess the nature of the next generation of hack attempts.

This idea of playing catch up in IT security also extends into new technology areas; the corporate line often requires some maturity before implementation of new products. This has not necessarily been the case with smartphones. By smartphones I refer here not to the old school PDA-type devices we enjoyed at the turn of the millennium – my guilty pleasure on that one is here! Rather I mean the combatting trinity of iPhone, Android, and Blackberry… sorry WinMo7, you are underappreciated indeed!

There must be few technologies that have been so rapidly integrated into the corporate environment, let alone being driven by users. Early adopters usually spend hours going blue in the face trying to explain why gadgets like the Psion Series 3 are the ‘next big thing’; with the emergence of shiny and gimmicky apps, the ‘Wow factor’ of the modern smartphone has spread like wildfire (not the HTC Wildfire, which would spread slowly due to an underclocked and underspec’d CPU!).

So, when the CEO (or his/her designated errand runner) knocks on the door of the info sec team, it is a brave IT Security Manager who will cautiously lean out from behind the firewall cluster and inform them that the proper security controls haven’t been developed and implemented yet to let the boss’ new toy run riot on the network. So what do you do?

We find the information security industry, both in terms of vendors and internal security, looking to develop protective measures for what is essentially a pocket computer (a proper one with RAM and CPU to match the claim, as opposed to this.) With such rapid technical innovation in terms of hardware and software it is difficult to keep abreast of emerging threats and how to counteract them.

Android probably stands as more of a challenge than the iPhone here – its users are typically more technical and are allowed greater freedom by the OS to chop and change. This means that control becomes difficult, especially with the wide number of devices and various incarnations of the operating system. The iPhone with its proprietary nature is an easier beast to tame. So if you’re looking to find out more about the threat landscape on Android, as well as some of the potential vulnerabilities and counter actions you can take as both a personal and business user, take a look at the Acumin white paper on Android Security.

– Ryan Farmer

rfarmer@acumin.co.uk