How mobility can compromise security
When corporations first started connecting their internal networks to the internet, they quickly discovered the importance of security. Fast-moving viruses and worms like the “I Love You Virus”, “Melissa” and “Code Red” could easily move from desktop to desktop clogging networks and bringing an entire company’s infrastructure to a complete stand-still. To combat these threats, companies locked down their desktops and servers, forced anti-virus software to be installed, ensured that all systems had the latest patches and only allowed approved software to be run on the systems owned by their companies.
Then came the shift from desktops to laptops – first by employees wanting to bring their own computers in from home to take advantage of the fast internet connections at the office and then by salespeople and partners who wanted to connect remotely back to their office networks over the Internet to check their email or get the latest version of a presentation. These connections were seen as a major risk and corporations either outlawed them completely or created network segments so that outside systems could get to the internet but not interact with the corporate systems in any way.
And today, we have Bring-Your-Own-Device. Not only are these devices outside of an organisation’s IT department’s control, but the varying patch levels and unknown network settings mean they are could be already compromised which is especially worrying if mobile devices are allowed full access to a company’s internal server and network resource.
In the days of “Melissa” and “Code Red”, as long as everything was properly backed up, the only real risk for a company was loss of productivity due to downtime and recovery. Today, the risk is greater and potentially more destructive due to targeted attacks that seek out a company’s intellectual property and financial information. Simply ensuring that data is backed up is no longer adequate protection against catastrophic loss.
A mobile device is more powerful and has more network connection options than any desktop. Many people have their device set to automatically connect to any wi-fi network it sees. The phone or tablet in an employee’s pocket may connect and disconnect to a dozen or more different networks in the time it takes to walk down to the corner for lunch. Not to mention the almost-always-on data connection supplied by the mobile operator. Each one of those connections brings with it the potential for compromise and the installation of malicious software. The employee then unwittingly brings that device back to the office and it automatically connects to the corporate network.
Mobile malware is an exponentially increasing threat. The US Government Accountability Office (GAO) released a report on September 18th 2012 that found mobile malware instances had increased 185 per cent in less than a year, rising from 14,000 to 40,000 samples . Some of these samples can be surreptitiously installed without the user’s knowledge as they visit webpages or even as they automatically connect to compromised wi-fi access points. Those compromised devices are then unknowingly brought back to connect to the enterprise network.
The risk is escalated when you consider that many mobile devices, particularly those running the Android operating system, have not been patched in months or even years. According to the 2013 Trustwave Global Security Report, mobile malware continues to be a problem for Android with Trustwave security experts finding a 400 per cent increase in mobile malware in 2012. All major vendors routinely issue OS updates, but device manufacturers do not send those updates to users. This makes users vulnerable to exploits that may have patches; however those patches are only useful if the OS is up to date. For example, Verizon only made Android 4.1 available for the Motorola Droid 4 in March of this year – eight months after Google released it.
While malware on some mobile platforms is a major concern, it is not the only concern. Numerous legitimate mobile applications have been found to siphon off contacts and other information from a mobile device without the user’s knowledge. If the device has access to the corporate employee directory or access to the customer contact database, it could be a severe blow to any company. The loss of the corporate directory could leave the entire company open to a destructive targeted phishing attack. The loss of the customer contact database could directly affect the bottom line as customers are stolen by competitors. While the major app stores have made an effort to require apps to get explicit permission from users before they can access sensitive information, most users will blindly click ‘allow’ in the flashlight app and allow app access to contacts without realising the implications.
The 2013 Trustwave Global Security Report reveals that 87.5 per cent of all iOS and Android Apps suffered some sort of flaw or security issue. The issues usually involved the caching of sensitive data on the device or transmitting sensitive data over one of the many network connections available. Often developers simply include a simple library or framework in the application and aren’t even aware what actions their own application is taking.
Many people wrongly assume that BlackBerry is immune to malware, however BlackBerry has seen its fair share of malware written for the platform. The 2013 Trustwave Global Security Report revealed several new variants of Zeus, one of the most popular banking Trojans, found on Blackberry devices mainly in Germany, Italy and Spain. BlackBerry’s latest version, BlackBerry 10, will come installed on the much-anticipated new devices. As with any first release, the security of the platform has yet to be tested and considering the high-value user base of corporate executives and government officials, attackers will probably try to compromise the platform.
Do not assume that a mobile device that has no connection to a company’s system would not be valuable to a cybercriminal. Mobile devices may still contain confidential information or private data that may be appealing to an online attacker. Mobile devices are really just a few years old and from a security standpoint, are still in their infancy. They are subject to a wide variety of threats in the form of malware, poorly coded applications and outdated operating systems. When allowing access to mobile devices on their networks, companies should realise this and take appropriate protection in network segmentation, authentication, data compartmentalisation and other tactics to ensure the safety of enterprise data.
Space Rogue is a Threat Intelligence Manager at Trustwave. His team works with a wide variety of engagements including unauthorised access, data breaches, credit card theft/fraud, mobile device forensics, and enterprise incident response. The team also provides forensic and incident response training to corporate security teams as well as law enforcement agencies at all levels.