INFORMATION SECURITY ESSENTIAL GUIDE · OCTOBER 2012

STRATEGIES for TACKLING BYOD
How to ensure mobile security

EDITOR’S DESK · BYOD: TAMING THE TIDE · A GROWING MENACE · CONSUMERIZATION DELUGE



EDITOR’S DESK

Dealing with the Mobile Reality
The BYOD trend is forcing organizations to figure out ways to get a grip on personally owned mobile devices.
BY MARCIA SAVAGE

IT’S AN INESCAPABLE FACT of life: employee-owned iPhones, iPads and Android devices are flooding the enterprise. You can’t ignore or try to stop the BYOD trend. You might try, but inevitably the CEO or another high-level executive will come into the office with a cool new tablet and want to connect it to the corporate network.

According to a SearchSecurity.com survey conducted earlier this year, 53 percent of the IT and security pros polled said their companies allow personal devices to connect to corporate networks. Not surprisingly, device loss tops their list of mobile security concerns. A lost smartphone with sensitive corporate data could spell disaster. Their other top concerns: application security, malware attacks and device theft. Still, even with all those apprehensions, 74 percent of those polled said the benefits of mobile outweigh the risks.

Organizations are tackling the mobile security problem with policies (64 percent of survey respondents said they have a written mobile device security policy) and are exploring technologies to control mobile devices. To be sure, mobile device management software is getting plenty of attention from enterprise security managers. However, they shouldn’t make the mistake of thinking the technology is the silver bullet for BYOD.

As mobile security expert Lisa Phifer said in “BYOD: Taming the Tide,” MDM technology can help enforce mobile policies and help IT gain control over personally owned mobile devices, but organizations need to understand its limitations. The diversity of mobile device platforms can present challenges that MDM systems can’t always overcome.


As the SearchSecurity.com survey showed, organizations are increasingly concerned about mobile application security. Their concern is certainly warranted.

Estimates indicate the average number of applications on a smartphone grew from 28 last year to 41 this year, Phifer said in a TechTarget mobile security virtual seminar presentation this summer. Users are downloading applications from the iPhone App Store, Android Market and other official app stores, but also from some “alternative” Android app stores. These alternative stores, where users run the risk of downloading pirated and redistributed apps, “represent the wild, wild West, where anything goes,” Phifer said. Even more unsettling: there are app stores for jailbroken iOS devices. At the same time, both mobile app vulnerabilities and mobile malware are on the rise, she said.

Despite all the risks posed by the myriad mobile applications and mobile app stores, organizations appear hesitant to put controls on downloads. According to the SearchSecurity.com survey, 52 percent of those polled said their organizations allow users to download applications freely from app stores.

Mobile applications developed in-house pose another set of security risks, Phifer said. Mistakes by developers unfamiliar with coding for a mobile environment can introduce vulnerabilities that inadvertently expose back-end systems.

There are many steps organizations can take to tackle the problem of mobile application security, including using MDM to enforce acceptable use policies, developing end user guidelines, implementing blacklists/whitelists, and developer training, according to Phifer. Application security expert Russ McRee explores the steps companies can take to protect themselves against mobile application security threats in “A Growing Menace.”

Organizations don’t need to try to manage the BYOD problem on their own, said Greg Akers, senior vice president of advanced security initiatives with Cisco Systems’ global government solutions group. It’s important for security professionals to talk to their peers and learn from them, he said. “Talk to someone who has been down this road and find out what worked and what didn’t,” he said.

Indeed, many organizations have been figuring out ways to handle the BYOD trend for the past couple years now. Take the time to reach out to your peers. There’s no need to go it alone.

MARCIA SAVAGE is editor of Information Security magazine. Send comments on this column to [email protected].


COVER STORY: TECHNOLOGY

BYOD: TAMING THE TIDE
Mobile device management technology can help control the onslaught of employee-owned devices in the enterprise.
By Lisa Phifer

MULTI-PLATFORM MOBILE DEVICE MANAGEMENT (MDM) systems are gaining a foothold in enterprises anxious to meet the needs of today’s expanding mobile workforce. While no silver bullet, MDM technology can give IT centralized, scalable visibility and control over the unruly bring your own device (BYOD) trend.

In a recent study by the Ponemon Institute, most organizations agreed that mobile devices created business risk but were important to achieving business objectives. However, just 39 percent had deployed security controls needed to address that risk; fewer than half of those could enforce mobile security policies.


Unfortunately, this lax governance has already resulted in non-compliance and data breaches. In Ponemon’s survey, 59 percent said employees disengaged fundamental measures such as passwords; another 12 percent were unsure. It should therefore come as no surprise that half of those organizations had experienced mobile data loss during the past year.

Given the rash of employee-owned smartphones and tablets now finding their way into the workplace, IT simply must find a way to manage mobile application and system access while keeping corporate data secure. Fortunately, a new crop of multi-platform MDM products and services stands ready to help IT achieve these objectives and mitigate BYOD risks. However, organizations need to understand the benefits, nuances and limitations of this emerging technology before taking the plunge.

THE RISE OF MULTI-PLATFORM MDM

Mobile device management systems are not a recent phenomenon. Enterprises have long managed company-issued BlackBerries and Windows Mobiles via BlackBerry Enterprise Server and Microsoft Exchange ActiveSync (EAS). But yesterday’s narrowly focused MDMs could not handle the consumer smartphones and tablets that flooded the workplace following Apple’s iPhone release in 2007. As handset procurement rapidly shifted from employer to employee, driven by budget cuts and workforce demands, IT groups were left scrambling for more extensible tools.

Initially, IT had little choice but to reduce iPhone risk by applying EAS policies to prevent corporate email access by non-passcoded phones and remotely wipe those that were lost. But these basic measures fell short of governance needs. Certainly, they did not satisfy compliance mandates to encrypt data at rest, nor could they deliver proof of continuous enforcement or meet access tracking and audit requirements. Although EAS support in newer devices continues to expand, this messaging-centric approach is plagued by inconsistency and cannot meet broader mobility management requirements.

By early 2010, iPhones had been joined by iPads and Androids, fueling growth of the multi-platform MDM market. Niche multi-platform MDMs previously used by cellular companies and highly mobile verticals such as retail quickly expanded to embrace iOS 4, followed by Android 2.2. Today, multi-platform MDMs are viable alternatives to BES or EAS, giving enterprises a “single pane of glass” through which to monitor and manage an increasingly diverse array of corporate and bring your own phones and tablets.

MDM BREADTH AND DEPTH

Unlike BES, which uses a proprietary approach to manage only RIM devices running the BlackBerry OS, multi-platform MDMs are third-party products that use open APIs to tap the native interfaces and capabilities offered by many different devices. Today, it is common for MDMs to manage Apple devices running iOS 4+, Samsung/Motorola/HTC/LG devices running Android 2.2+, and an array of handheld and embedded devices running WinCE and Windows Mobile. Limited MDM support can also be found for Windows Phone and WebOS devices. However, the degree of monitoring and control delivered for each managed device varies by make/model and OS version.

For example, MDMs can usually enforce device-level access controls on iOS and Android devices. On iOS, IT may require alphanumeric passcodes with minimum length and special characters and limit passcode age, reuse, idle time, or failed entry attempts. On Android 3+, IT can enforce all of this, plus require upper/lowercase letters, digits, and symbols. Every MDM that supports iOS and Android exhibits this difference because it reflects native OS capabilities. However, the extent to which each MDM tries to hide such differences under unified consoles with a consistent look and feel varies widely.
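The iOS-versus-Android passcode difference just described is exactly the kind of native gap an MDM console has to surface rather than hide. The following Python is an added example, not code from the article or from any MDM product: it translates a platform-neutral corporate passcode policy into the subset each OS can enforce natively and reports the remainder. The capability matrix, the policy field names and the fleet counts are assumptions built only from the two platforms the article compares; the iOS payload uses the passcode-policy keys documented in Apple’s Configuration Profile Reference.

```python
"""Added example (not from the article or any MDM vendor): translate one
corporate passcode policy into what each mobile OS can natively enforce,
and report the gap. The capability matrix encodes only the differences the
article describes (iOS vs. Android 3+) and is an assumption, not a vendor list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasscodePolicy:
    """Platform-neutral corporate policy; field names are our own."""
    min_length: int = 8
    alphanumeric: bool = True
    special_chars: bool = True
    require_mixed_case: bool = False   # Android 3+ only in the matrix below
    require_digits: bool = False       # Android 3+ only
    require_symbols: bool = False      # Android 3+ only
    max_age_days: int = 90
    history: int = 5
    max_idle_minutes: int = 5
    max_failed_attempts: int = 10


# Assumed matrix of which policy fields each platform enforces natively.
NATIVE_CAPABILITIES = {
    "ios": {"min_length", "alphanumeric", "special_chars", "max_age_days",
            "history", "max_idle_minutes", "max_failed_attempts"},
    "android3": {"min_length", "alphanumeric", "special_chars", "max_age_days",
                 "history", "max_idle_minutes", "max_failed_attempts",
                 "require_mixed_case", "require_digits", "require_symbols"},
}

# Apple Configuration Profile passcode payload keys (documented by Apple).
IOS_KEYS = {
    "min_length": "minLength", "alphanumeric": "requireAlphanumeric",
    "special_chars": "minComplexChars", "max_age_days": "maxPINAgeInDays",
    "history": "pinHistory", "max_idle_minutes": "maxInactivity",
    "max_failed_attempts": "maxFailedAttempts",
}


def translate(policy, platform):
    """Return (enforceable, gaps): policy fields this platform applies natively,
    and the fields IT must cover another way (container app, written exception)."""
    caps = NATIVE_CAPABILITIES[platform]
    requested = {k: v for k, v in vars(policy).items() if v}   # only fields IT set
    enforceable = {k: v for k, v in requested.items() if k in caps}
    gaps = sorted(k for k in requested if k not in caps)
    return enforceable, gaps


def ios_passcode_payload(policy):
    """Build the passcode payload dictionary an iOS configuration profile carries."""
    enforceable, _ = translate(policy, "ios")
    payload = {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
               "allowSimple": False, "forcePIN": True}
    for name, value in enforceable.items():
        # Our policy says "special characters: yes/no"; Apple wants a count.
        payload[IOS_KEYS[name]] = 1 if name == "special_chars" else value
    return payload


def gap_report(policy, fleet):
    """fleet: {platform: device_count}. Returns platform -> unenforceable fields and
    how many devices are affected, so IT can size the compensating control."""
    report = {}
    for platform, count in fleet.items():
        _, gaps = translate(policy, platform)
        if gaps:
            report[platform] = {"devices": count, "unenforceable": gaps}
    return report


if __name__ == "__main__":
    corporate = PasscodePolicy(require_mixed_case=True, require_digits=True)
    print(ios_passcode_payload(corporate))
    print(gap_report(corporate, {"ios": 120, "android3": 80}))   # constructed fleet
```

Anything that lands in the gap list is a requirement the console cannot make the device honour; the report is what IT brings to the decision between an encrypted container, a written exception, or dropping the requirement.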

In other cases, mobile device management systems can do little to mask underlying diversity. For example, IT can use any MDM on the market to request a full-device wipe. Because all Apple iPhones and iPads now support full-device encryption, remote wipe easily renders data inaccessible. However, wiping most Android phones simply resets them to factory default, leaving cleartext behind on removable storage. MDMs cannot eliminate this native shortcoming—doing so falls to device manufacturers. But MDMs can provide tools to centrally invoke remote wipe, confirm a requested wipe has been completed, report on all wiped devices (including ownership and last known location), and clearly describe the consequences for each wiped device.

This is where MDM depth comes into play. Some MDMs stick to managing hardware, software and policies. Other MDMs pile on value-added security measures. For example, some MDMs create their own authenticated, encrypted data containers on managed devices. Any enterprise data stored in those containers can be reliably wiped, even on phones and tablets that do not support native full-device encryption. Moreover, this approach lets IT wipe data consistently across all MDM-supported platforms. However, MDMs that include these value-adds tend to have more device-specific dependencies and limitations than MDMs that focus on management.

LIFECYCLE MANAGEMENT

Enterprises flocking to multi-platform MDM technology to gain IT visibility and control over personally owned devices may find it hard to directly compare products. Heritage plays a role: Some MDMs historically focused on mobile expense management, others started with mobile application management and still others specialized in mobile security. Yet most of these MDMs deliver foundational capabilities such as inventory and policy management that cause them to appear superficially similar. Drilling beyond functional comparison can also reveal significant differences in automation, usability, scalability and integration.

One way to reduce confusion is to preface MDM product selection with an inventory of business mobility needs and use cases. When IDC surveyed businesses about their ability to support consumer devices in the workplace, four out of five respondents identified policy compliance and data security/access as top concerns. However, nearly the same percentage cited ensuring IT support and resource availability, readying mobile applications and setting employees up with multiple devices as major issues. In other words, choosing an MDM based on its ability to meet security needs alone may be shortsighted.

Instead, begin with lifecycle management. Even if the employer does not own an employee’s mobile device, it owns the business data and applications stored on that device. Start by establishing a process for tracking and managing those assets through each device’s lifetime. Doing so creates an essential foundation for not just security management, but expense tracking, user assistance, application and data deployment and more.

MDMs can enable lifecycle management by automating device enrollment, monitoring and de-enrollment, independent of ownership. Most MDMs support IT-initiated enrollment; some also offer user-initiated enrollment. Either way, users follow links to a self-help enrollment portal where they are prompted to enter credentials. Behind the scenes, the MDM typically authenticates the user and compares user and device to IT-defined policies. If this user is permitted to enroll this device, based on make/model, OS, ownership and group membership, access may be authorized. MDMs may display an acceptable use policy and issue a device certificate before continuing on to provision the device over-the-air, applying device settings, security policies and applications.

By automating enrollment, IT can deliver scalable support for many personally owned devices while placing well-defined limits on acceptable use. Devices that pass muster can be outfitted for safe productive business use, leaving IT well-positioned to continually monitor activity and enforce security policy compliance. If an enrolled device should be lost or stolen or become non-compliant, IT can use MDM to remotely find, lock or wipe it.

In addition, MDM may be used to invoke temporary stop-loss actions such as removing settings that permit corporate email, VPN or application access. Eventually, when the employee leaves the company or the device is replaced, MDM can easily de-enroll it while wiping corporate assets. Many MDMs can now differentiate between full-device and enterprise wipe, letting IT decommission an employee’s device without harming personal data.
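The enrollment gate and the decommission step described above are decision logic the MDM runs after the portal has authenticated the user: compare the device and the user’s group membership against IT-defined rules, then at end of life choose the wipe that matches ownership. Here is an added Python example of both steps (not the article’s text or any vendor’s code); the directory, group rules, blocked model list, device records and action names are all constructed for illustration.

```python
"""Added example: the enrollment gate and decommission step of the lifecycle
described above. Not code from the article or any MDM product; directory data,
rules and devices are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    make: str
    model: str
    os: str             # "ios" or "android"
    os_version: tuple   # e.g. (5, 1); tuples compare element-wise
    owner: str
    corporate_owned: bool


# Constructed directory: user -> groups (an LDAP/AD lookup in a real MDM).
DIRECTORY = {"alice": {"staff", "finance"}, "bob": {"contractor"}}

# Constructed rules per group: minimum OS version by platform (a platform that is
# not listed is not permitted) and whether personally owned devices may enroll.
ENROLLMENT_RULES = {
    "staff":      {"ios": (4, 0), "android": (2, 2), "byod_allowed": True},
    "finance":    {"ios": (5, 0), "byod_allowed": False},
    "contractor": {"ios": (5, 0), "android": (2, 3), "byod_allowed": True},
}
BLOCKED_MODELS = {("Generic", "Tablet-X")}   # constructed: hardware IT will not support


def enrollment_decision(user, device):
    """Return (allowed, reasons). Runs after the portal has authenticated the user.
    The most restrictive of the user's group rules wins."""
    groups = DIRECTORY.get(user)
    if not groups:
        return False, ["user not found in directory"]
    reasons = []
    if (device.make, device.model) in BLOCKED_MODELS:
        reasons.append(f"model {device.make} {device.model} is not supported")
    rules = [ENROLLMENT_RULES[g] for g in sorted(groups) if g in ENROLLMENT_RULES]
    if not device.corporate_owned and not all(r["byod_allowed"] for r in rules):
        reasons.append("personal devices not permitted for one of the user's groups")
    for rule in rules:
        minimum = rule.get(device.os)
        if minimum is None:
            reasons.append(f"{device.os} not permitted by group policy")
        elif device.os_version < minimum:
            reasons.append(f"{device.os} {device.os_version} below minimum {minimum}")
    return not reasons, reasons or ["all enrollment rules satisfied"]


def decommission_actions(device, reason):
    """Actions when a device leaves management. Corporate assets (certificate,
    mail/VPN profiles, managed apps) are always removed; the wipe type depends on
    ownership so a personal device keeps its personal data."""
    actions = ["revoke_device_certificate", "remove_email_vpn_profiles",
               "remove_managed_apps",
               "full_device_wipe" if device.corporate_owned else "enterprise_wipe"]
    return {"device_id": device.device_id, "reason": reason, "actions": actions}


if __name__ == "__main__":
    phone = Device("d1", "Apple", "iPhone 4S", "ios", (5, 1), "alice", corporate_owned=False)
    print(enrollment_decision("alice", phone))
    print(decommission_actions(phone, "employee left"))
```

Returning every failed rule rather than the first one is deliberate: the portal can show the user exactly what to fix (upgrade the OS, ask for a corporate-owned unit), and the audit log records why a device was refused.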

MITIGATING BYOD RISKS

With MDM in place to shepherd every corporate and personal smartphone and tablet used for business, IT can deploy, audit and enforce security controls.

Typically, IT can use MDM to remotely configure native device settings to reflect security policies, including: requiring a PIN or password; enabling auto-lock and auto-wipe features; encrypting data at rest on the device, removable media or in the cloud; protecting data-in-motion over email, VPN or Wi-Fi; and selectively disabling hardware and OS features such as integrated cameras. When properly configured, these native settings deliver most (but not all) mobile security best practices for personal smartphones and tablets.

As previously noted, supported policies do vary by device make/model and OS. However, mobile device management systems generally try to maximize IT access to native settings. For example, any MDM that supports iOS device management lets IT set every Apple-supported Configuration Profile attribute. MDM-configured controls for Android are more varied because the devices themselves are more diverse. Notably, manufacturers such as Samsung and Motorola have extended native APIs with proprietary attributes to give IT greater visibility, control and flexibility.

Ultimately, mobile security management requires careful analysis of native device and OS features needed to implement policies and confirmation that any MDM under consideration can deliver visibility and control over those features. Where native capabilities are insufficient, MDMs can also help by deploying, configuring and enforcing third-party security measures.

For example, health care organizations often use MDM to centrally deploy two-factor authentication, VPN clients and virtual desktop applications. Enterprises concerned about mobile malware can use MDM to push sandboxed browsers and antimalware. To an MDM, these are simply applications that must be installed and maintained. For this reason, organizations focused on MDM to enable security should also evaluate each product’s application management capabilities.

ENFORCING COMPLIANCE

For small mobile workforces, IT could enroll devices one by one, manually installing required security and business applications, but that does not scale nor does it enable continuous monitoring and enforcement. This is where MDM technology can yield return on investment through logging, auditing and compliance enforcement.

Mobile device management systems can capitalize on their over-the-air access to enrolled smartphones and tablets. Even if devices never return to the office, MDMs can poll them to verify settings and detect events such as PIN disablement or blacklisted application installation. Some mobile devices and settings can be monitored from afar using nothing more than native APIs—notably Apple iPads and iPhones. Deeper than EAS insight on other devices (e.g., Android, Windows Mobile) usually requires installing a device-resident MDM agent.

Today, MDM vendors publish their agents at the Google Android Market or the Apple App Store where users can freely download them. Upon installation, agents connect to a corporate MDM server that may be installed on-premises, hosted by a managed service provider, or operated as a cloud service. Thereafter, MDM agents can serve as IT’s “eyes and ears,” logging activities, reporting on events, and carrying out MDM requests that go beyond native capabilities.

For example, it has become common for MDM agents to offer jailbreak or root detection. Jailbreaking or rooting pose business risks because they render the underlying OS unreliable and raise concerns about device integrity. Jailbroken Apple devices are vulnerable to mobile malware downloaded from non-Apple websites. Rooted Android devices are even more vulnerable because applications can access normally privileged features.

By immediately detecting such activity, MDM agents can notify administrators and users. IT can even install enforcement policies that automatically take actions such as disabling email or VPN access or removing enterprise applications or even wiping an offending device. Although available actions are limited by the mobile OS, they can still go a long way towards reducing business risk and encouraging voluntary compliance.
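Turning polled check-ins into the automated actions just described is a policy-evaluation loop on the MDM server. The following is an added Python example, not from the article or from any MDM agent or server: it evaluates constructed check-in records for the conditions the text names (a disabled passcode, a blacklisted application, jailbreak or root status) plus an out-of-date OS or agent and a device that has stopped reporting, and selects the most severe applicable action. The thresholds, package names, action names and sample records are all assumptions.

```python
"""Added example: evaluate polled device check-ins against a compliance policy
and pick an escalating stop-loss action. Not code from the article or any MDM
vendor; check-ins, thresholds, package ids and action names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

BLACKLISTED_APPS = {"com.example.filesharer"}     # constructed package ids
MIN_OS = {"ios": (5, 0), "android": (2, 3)}       # constructed minimum OS versions
MIN_AGENT = (3, 0)                                # constructed minimum agent version
MAX_CHECKIN_AGE = timedelta(days=7)               # silence beyond this is itself a finding

# Actions from least to most severe; a device gets the most severe one that applies.
SEVERITY = ["notify", "block_email_vpn", "remove_enterprise_apps", "enterprise_wipe"]


@dataclass
class CheckIn:
    """One polled report from a device (native API on iOS, agent elsewhere)."""
    device_id: str
    platform: str
    os_version: tuple
    agent_version: tuple
    passcode_enabled: bool
    jailbroken_or_rooted: bool
    installed_apps: set
    reported_at: datetime


def evaluate(checkin, now):
    """Return (violations, action); action is None when the device is compliant."""
    findings = []   # (description, severity)
    if checkin.jailbroken_or_rooted:
        findings.append(("device is jailbroken/rooted", "enterprise_wipe"))
    if not checkin.passcode_enabled:
        findings.append(("passcode disabled", "block_email_vpn"))
    bad = checkin.installed_apps & BLACKLISTED_APPS
    if bad:
        findings.append((f"blacklisted app(s) installed: {sorted(bad)}",
                         "remove_enterprise_apps"))
    if checkin.os_version < MIN_OS[checkin.platform]:
        findings.append(("OS version below minimum", "block_email_vpn"))
    if checkin.agent_version < MIN_AGENT:
        findings.append(("MDM agent out of date", "notify"))
    if now - checkin.reported_at > MAX_CHECKIN_AGE:
        # A silent device cannot be verified, so treat it like a non-compliant one.
        findings.append(("no check-in for over 7 days; settings cannot be verified",
                         "block_email_vpn"))
    if not findings:
        return [], None
    action = max((sev for _, sev in findings), key=SEVERITY.index)
    return [desc for desc, _ in findings], action


NOW = datetime(2012, 10, 1, 12, 0)    # constructed evaluation time
SAMPLE_CHECKINS = [                   # constructed check-in records
    CheckIn("ipad-01", "ios", (5, 1), (3, 2), True, False,
            {"com.example.mail"}, NOW - timedelta(hours=2)),
    CheckIn("droid-02", "android", (2, 3), (3, 0), False, False,
            {"com.example.filesharer"}, NOW - timedelta(days=1)),
    CheckIn("droid-03", "android", (4, 0), (2, 9), True, True,
            set(), NOW - timedelta(days=9)),
]


def fleet_report(checkins, now=NOW):
    """device_id -> (violations, action) for every polled device."""
    return {c.device_id: evaluate(c, now) for c in checkins}


if __name__ == "__main__":
    for device_id, (violations, action) in fleet_report(SAMPLE_CHECKINS).items():
        print(device_id, action or "compliant", violations)
```

The evaluator reports every violation but issues only the most severe action, so the ticket raised for a rooted device that is also running an old agent shows both facts while the device gets one unambiguous response. Which severities map to which conditions is a policy decision the article leaves to IT; the mapping here is only a sample.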

TEST DRIVE BEFORE BUYING

Like any other technology designed to assist IT with security enforcement, MDM is a means to an end. Organizations should not expect MDMs to magically keep a mobile workforce secure any more than a firewall can be expected to keep a corporate network safe. MDMs require careful selection, based on ability to meet business needs, implement desired policies, integrate with existing infrastructure and support workflows.

Those workflows and related IT processes should not be left as a post-deployment exercise. Diversity within the multi-platform MDM market becomes most apparent when organizations begin to use products to manage real-world devices. For best results, pilot a few MDM products by attempting to assert and enforce an acceptable use policy on various devices of importance to your workforce.

LISA PHIFER owns Core Competence, a consulting firm specializing in business use of emerging network and security technology. She has been involved in the design, implementation and evaluation of internetworking, security and management products for 30 years. Send comments on this article to [email protected].


APPLICATION SECURITY

A GROWING MENACE
Mobile applications are proliferating in the enterprise, posing new risks to businesses.
By Russ McRee

WITH THE EXPLOSIVE USE of smartphones and other mobile devices, it’s no wonder mobile platforms are getting so much attention from security researchers and opportunistic criminals. Mobile device topics were all the rage at this summer’s 2012 Black Hat Briefings and DEF CON 20, and we’ve seen interesting developments in the mobile malware arena in recent months. Consider Charlie Miller’s near-field communication (NFC) hack or DKFBootKit, the first known Android bootkit that loads itself during the device’s boot sequence.

For enterprises, the new exploits and threats against mobile platforms mean a lost mobile device is far from the only risk they face with the rise of the bring your own device (BYOD) trend. Users are downloading mobile applications from a variety of app stores—some legitimate, some not—and rogue applications could carry malware or have other negative consequences for a business. Internally developed applications, if not coded securely, can also pose a risk.

Let’s take a look at the mobile application threat landscape and mobile application security best practices enterprises can implement to protect themselves.

MOBILE APPLICATION SECURITY THREATS

The first three items in Deloitte’s Top 10 Mobile Threats list set the table for a discussion about mobile application security:

1. Mobile device attack surface is narrow but deep
2. Mobile malware
3. Application proliferation

Miller’s NFC hack at the Black Hat Briefings helps illustrate the first threat—the premise of an attack surface that is narrow but deep, born of rich service offerings and coupled with user-centric attack vectors. As NFC becomes more popular (think in terms of paying for a soda at a vending machine with a wave of your phone), additional device manufacturers will add NFC to their offerings. Miller discovered that the most interesting attack opportunities exist at the application layer while analyzing Android Beam on Android phones and the Nokia Content Sharing app on a Nokia N9 running MeeGo. Android Beam allows an Android user to touch another similarly enabled Android and have it load a webpage. As such, while the attack surface in this scenario is browser-specific (narrow), it runs the gamut of browser-centric attacks via scripts, audio, video, and graphics (deep). Nokia Content Sharing is similar but an even worse offender as it can force another user’s phone to load content without interaction. There’s no vulnerability per se, just application design that tips the hand in the attacker’s favor.

Consider the impact here from the enterprise perspective. If an attacker can force a device laden with corporate data to browse to a site offering a malicious payload, without any user interaction, the adversity far exceeds the feature’s benefits. Loss of proprietary data and intellectual property with a simple proximity attack could be devastating.


The mitigations here are relatively straightforward. As pointed out by the NFC Forum after Miller’s presentation, it’s important that appropriate security measures are provided at the application layer. The onus here is on device manufacturers to develop more robust security settings for NFC. Such measures should enable users to adjust security settings to their needs and preferences. Users and/or enterprise managers will then need to ensure that these features are put to good use. Miller reiterated that NFC-enabled device manufacturers would be wise to include the option to seek explicit user approval before allowing any data received over NFC to be processed by applications.

MOBILE MALWARE

The second threat cited by Deloitte—mobile malware—is a category that’s undoubtedly on an explosive growth curve. Case in point: According to Juniper Networks, the period between July and November 2011 saw a 472 percent increase in Android malware. The DKFBootKit is a recently discovered and rather frightening example. According to NQ Mobile’s research, the Android malware mounts a writable system partition, inserts itself in the /system/lib directory, replaces several common utility programs, and modifies related services and scripts. Translation: total Android pwnzor. Much like well-known recommendations for running PCs, if you don’t need root or administrative privileges, don’t use them; DKFBootKit infects utility apps that require root privileges to run.

Bootkits are still an edge case, but other types of mobile malware are proliferating. SMS Trojans, man-in-the-mobile (MitMo), and QR code attacks all made Kaspersky Lab’s Mobile Malware Evolution, Part 5 with SMS Trojans (evil sent via text message) making up 27 percent of all mobile malware targeting the Android platform. MitMo attacks are particularly popular with attackers targeting banking victims as they bypass second factor authentication systems that send codes via SMS text messages to a mobile device to confirm identity. Of all mobile threats assessed by platform, 65 percent targeted Android with J2ME (Java) a distant second at 27 percent.

All major antimalware providers offer mobile protection, including free and commercial offerings, but users needn’t limit themselves to antimalware. Behavioral analysis tools are also useful. Apple iOS device users can download an inexpensive app from iTunes called Clueful from Bitdefender, which will scan your iPhone or iPad for installed apps and filter them in an ordered list based on various kinds of behavior such as location tracking, reading the address book, and battery drain. It also determines if apps use an iPhone’s unique ID, display ads, or gather analytics. It will also tell you if your data is being encrypted and if apps anonymize you as a user. There are similar low-cost or free offerings for Android, often bundled with antimalware packages.

For those of you who really want to dig into Android devices there are tools such as Androguard for reverse engineering and analysis of Android applications. There’s the Mercury Framework, which automates the discovery and interaction with exposed Android application features, a process that often requires numerous custom scripts, in a single console. Andrubis, a Web service you can submit Android Package files to, is excellent for static and dynamic analysis approaches to various behavioral aspects and properties of unknown apps for the Android platform. You can also conduct physical memory analysis of Android devices with LiME (Linux Memory Extractor). Memory analysis, as a leading edge forensic technique for PC-based systems, can also aid mobile investigators given that volatile memory yields a wealth of essential information when performing incident response or analyzing advanced malware that otherwise doesn’t utilize non-volatile storage.

CONTROLLING DOWNLOADS

Deloitte’s third entry in its list of mobile threats, application proliferation, touches on a theme you’ll hear over and over again in discussion of mobile application security: Only download apps from trusted app stores, but even then your absolute safety is not guaranteed.

In July, NIST released a draft version of Revision 1 of SP 800-124, “Guidelines for Managing and Securing Mobile Devices in the Enterprise.” The guide indicates that “organizations should plan their mobile device security on the assumption that unknown third-party mobile device applications downloadable by users should not be trusted.” There also is lots of conventional wisdom about ensuring apps run only with the permissions necessary and don’t leverage system resources beyond those that are explicitly necessary.

This is all sound advice but easier said than done. Prohibiting third-party apps, whitelisting only known good apps, and sandboxing to isolate organizational data are all viable mitigations but not the easiest to implement.


Whitelisting and blacklisting require user acceptance testing to ensure enterprise app needs are met and productivity is maintained, and data sandboxing requires specific network infrastructure architecture to enforce. These mitigations also typically assume your organization maintains centralized mobile device management (MDM) technology, which comes with expense and administrative overhead and can meet with user resistance. There is an industry trend towards MDM as a service, where organizations avoid internal hosting challenges while still benefiting from centralized policy configuration, push authentication, device tracking, and remote wipe to offset loss or theft. In the realm of BYOD, certain restrictions still can help strengthen your defenses when facilitated with MDM. These should include restricted use of synchronization services, distribution of organization-specific applications from a dedicated mobile application store, and limited or no access to enterprise data if the mobile device’s OS version or MDM client version is not current.
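The last of those restrictions, gating access on OS and MDM client currency, is a posture check that is easy to get wrong when version numbers are compared as strings. Below is an added example, not from the article or from any MDM product, that parses versions numerically and maps each device to one of three hypothetical access tiers. The minimum versions, the tiers and the device inventory are assumptions constructed for the demonstration.

```python
"""Gate enterprise data access on device posture: OS and MDM client currency.

Added example, not code from the article or from any MDM product. The minimum
versions, the three access tiers (full / mail_only / none) and the device
inventory are assumptions constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy baseline: oldest accepted OS build per platform, and the
# oldest accepted MDM agent version.
MIN_OS = {"ios": "5.1.1", "android": "4.0.4"}
MIN_MDM_CLIENT = "2.3.0"


def parse_version(text: str) -> tuple:
    """Turn '4.0.4' or '5.1.1 (9B206)' into a tuple of ints for numeric comparison.

    Comparing versions as strings is the classic mistake: '4.10' < '4.9'
    lexically, while (4, 10) > (4, 9). Trailing build labels are ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


@dataclass
class Device:
    device_id: str
    platform: str               # "ios" or "android"
    os_version: str
    mdm_client: Optional[str]   # None when the MDM agent is not enrolled at all


def access_level(dev: Device) -> str:
    """Return "full", "mail_only" or "none".

    No MDM client, or an unsupported platform: no enterprise data at all.
    Stale OS or stale MDM client: mail only, until the device is updated.
    Otherwise: full access.
    """
    if dev.mdm_client is None or dev.platform not in MIN_OS:
        return "none"
    os_ok = parse_version(dev.os_version) >= parse_version(MIN_OS[dev.platform])
    client_ok = parse_version(dev.mdm_client) >= parse_version(MIN_MDM_CLIENT)
    return "full" if (os_ok and client_ok) else "mail_only"


# Constructed inventory in the shape an MDM would report it.
INVENTORY = [
    Device("ipad-01", "ios", "5.1.1 (9B206)", "2.3.1"),
    Device("droid-02", "android", "2.3.6", "2.3.0"),   # Gingerbread: below the floor
    Device("droid-03", "android", "4.10", "2.3.0"),    # fictitious build; trips a string compare
    Device("droid-04", "android", "4.1.1", None),      # never enrolled
    Device("iphone-05", "ios", "6.0", "2.2.9"),        # current OS, stale agent
]


def evaluate(inventory) -> dict:
    """Map every device to its access tier."""
    return {d.device_id: access_level(d) for d in inventory}


if __name__ == "__main__":
    for device_id, level in evaluate(INVENTORY).items():
        print(f"{device_id:10} -> {level}")
```

The "mail only" tier is the practical middle ground the article's MDM discussion points at: a device that is enrolled but behind on patches keeps the service users care most about while losing access to the data that warrants a current OS, which gives the owner a reason to update rather than a reason to work around the control.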

SECURE MOBILE APP DEVELOPMENT

In addition to mitigating the risk of users downloading rogue mobile applications, companies need to take care that the mobile applications they develop internally are secure. Here is where threat modeling and a secure development lifecycle are critical. The fledgling OWASP Mobile Security Project’s Security Testing Guide offers a general mobile application testing methodology, describing analysis from an application developer’s perspective with attention to application vulnerabilities and their relevance to the underlying architecture. Information gathering (reconnaissance and mapping) and dynamic analysis (runtime and interaction) are described in the guide, but the rubber really hits the road in the static analysis content. Source code review is inherent here, framing a developer’s heightened awareness of authentication, authorization, session management, data storage, transport layer protection, information disclosure and Web application issues. The Denim Group offers an outstanding Secure Mobile Application Development Reference that gives equal coverage to iOS and Android development and leads off with guidance specific to threat modeling.

More than three years ago, when I wrote Microsoft’s Solution Accelerator IT Infrastructure Threat Modeling Guide, I described a fictitious organization’s communications system as an example for the IT infrastructure threat modeling process. Given the rapid introduction of mobile devices into IT infrastructure, such systems make for a target-rich environment for attackers. While I intended the scenario to promote threat modeling the infrastructure that supports mobile devices, the scenario easily crosses into discussion of threat modeling as part of secure mobile application development.

Incorporating threat modeling and following secure development lifecycle practices also helps address another item on Deloitte’s list: immature security solutions. Given that there are a number of popular mobile operating systems and proprietary implementations per major carrier, it’s easy to see how failing to adhere to standards and industry-wide best practices can deter mature, universal security solutions. Following guidance such as that prescribed by OWASP and organizations such as the Denim Group when developing mobile applications will go a long way towards overcoming diversity in the mobile device industry. Quick and easy implementations, such as use of SSL for application data transmission, also help offset development quality disparity. Mobile applications, particularly financial apps and those transacting in personally identifiable information, or PII, should automatically fail on invalid certificates and disallow degrading sessions from HTTPS to HTTP.
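Those two transport rules are concrete enough to show in code. The following is an added example, not code from this article, OWASP or the Denim Group, written against the Python standard library: the weak configuration that silences certificate errors sits beside the hardened one, and a redirect handler refuses any 302 that would move the session from HTTPS to HTTP. The endpoint in the usage section is a placeholder, and nothing connects to the network on import.

```python
"""Transport protection for a mobile client, per the two rules in the text:
fail closed on an invalid certificate, and never let a session degrade from
HTTPS to HTTP.

Added example, not code from the article, OWASP or the Denim Group. Uses the
Python standard library only; the host names are placeholders and no network
connection is made on import.
"""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def weak_ssl_context_do_not_use() -> ssl.SSLContext:
    """The anti-pattern: accept any certificate and skip hostname checking.

    This is what "just make the certificate error go away" looks like. It turns
    TLS into encryption to an unauthenticated peer, so anyone on the path (the
    public Wi-Fi of the BYOD scenario) can present any certificate and read the
    traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_ssl_context() -> ssl.SSLContext:
    """Hardened: chain validation against the system trust store, hostname
    verification, and nothing older than TLS 1.2. Any failure raises before a
    byte of application data is sent.
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_downgrade(from_url: str, to_url: str) -> bool:
    """True when following the redirect would move an https session onto plain http."""
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme != "https"


class DowngradeRefused(urllib.error.URLError):
    """Raised instead of sending a cleartext request that would carry the session token."""


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects, but refuse any that would leave HTTPS.

    A server misconfiguration, or an attacker rewriting a 302 in transit,
    that points the client at an http:// URL gets an exception, not a request.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise DowngradeRefused(f"refusing HTTPS->HTTP downgrade to {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def follow_redirect(from_url: str, to_url: str) -> str:
    """Run a synthetic 302 through the handler; return the next URL or raise."""
    handler = NoDowngradeRedirectHandler()
    req = urllib.request.Request(from_url)
    return handler.redirect_request(req, None, 302, "Found", {}, to_url).full_url


def build_opener() -> urllib.request.OpenerDirector:
    """An opener that carries the strict context and the downgrade check together."""
    https = urllib.request.HTTPSHandler(context=strict_ssl_context())
    return urllib.request.build_opener(https, NoDowngradeRedirectHandler())


if __name__ == "__main__":
    # Placeholder endpoint; substitute the API the app actually talks to.
    opener = build_opener()
    try:
        with opener.open("https://api.example.invalid/account", timeout=10) as resp:
            print(resp.status, resp.read(64))
    except (ssl.SSLError, ssl.CertificateError, DowngradeRefused) as exc:
        print("transport security failure, session aborted:", exc)  # fail closed; no http retry
    except OSError as exc:
        print("network error:", exc)
```

On the mobile platforms themselves the equivalent mistake is overriding the platform’s certificate validation callback so that it accepts everything; the fix is the same as here: leave validation on, and treat a redirect to http:// as an error rather than a request to follow.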

OTHER STEPS

Training core members of your enterprise security teams to understand mobile security issues also strengthens your defensive tactics. As an example, the Mobile Device Security and Ethical Hacking course from the SANS Institute helps students build the critical skills necessary to support the secure deployment and use of mobile devices in your enterprise, including details on analyzing and evaluating mobile software threats.

Finally, organizations with an appetite for more extreme measures may consider deploying the National Security Agency’s Security Enhanced (SE) Android, a security-hardened version of the Android OS that aims to “limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps.” Security-Enhanced Linux, developed by the NSA, has aided in protecting Linux operating systems for years; now the same capabilities can be applied at lower layers of the Android software stack to confine root exploits and application vulnerabilities.

The value of common sense and heightened awareness among enterprise mobile device users cannot be overstated. All due diligence to address mobile application risks must be applied to protect the enterprise in this era of explosive mobile device use. Whether your organization develops mobile applications or supports and consumes them, make securing mobile applications one of your highest priorities.

RUSS McREE is a security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. He also writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications. Send comments on this article to [email protected].


By Marcia Savage

CONSUMERIZATION DELUGE

The influx of personal smartphones and other computing devices into the enterprise is forcing a shift in security thinking.

TRENDS

ABOUT THREE YEARS AGO, Thomson Reuters began tackling a problematic phenomenon that was emerging for enterprises worldwide: Employees bringing their smartphones and other computing gadgets into the workplace. While companies can lock down corporate-owned mobile devices with policies and established technologies such as BlackBerry Enterprise Server, these personally owned systems require a whole new way of thinking.

“We knew data would be on devices that we didn’t control and wanted something that was BlackBerry-like to manage those devices,” said Tim Mathias, senior director of IT security at Thomson Reuters. “The problem was we didn’t own the device, so we started looking at the technology, policies and standards within the company and challenged ourselves to come up with some policies that would protect the company but allow individuals to use a device of their choice.”

The New York-based information giant—which has 55,000 employees in more than 100 countries worldwide—is taking a multi-level approach to deal with the growing issue. In addition to developing policies, it’s looking into mobile device management technologies, and working with a technology partner to understand mobile application security risks.

The deluge of iPhones, iPads and Android devices into the enterprise is forcing a major shift away from the standard model of corporate-owned, corporate-controlled computer systems. The powerful and portable computing systems give employees anytime, anywhere access to corporate email for increased productivity. At the same time, this consumerization of IT has security managers on edge. These personal mobile devices are easy to lose—and for thieves to steal—along with all the sensitive enterprise data on them. The threats of mobile malware and malicious mobile applications also loom.

Experts say the new post-PC era requires companies to shift their security thinking, develop new policies and implement technologies that maintain enterprise security without degrading the experience that users value in these devices. Without a doubt, IT consumerization is a trend organizations can’t afford to ignore.

“You’re sticking your head in the sand if you think you’re not going to allow these things,” said Philip Cox, director of security and compliance for consulting firm SystemExperts. “Either you take control of this or it’s going to control you.”

A GROWING TIDE

It’s a scenario many IT managers are probably familiar with: A C-level executive enamored with his or her iPhone or iPad wants enterprise support for the device. The trend really took hold last year, said Ojas Rege, vice president of products and marketing at mobile device management company MobileIron. “That opened the door to this notion of devices coming into the enterprise outside of IT and IT needing to support them,” he said.

Kurt Roemer, chief security strategist at Citrix Systems, said he was flooded with calls from worried enterprise security managers after the iPad came out. They wanted to know how to tell their executives the company couldn’t use the device, but “executives were saying, ‘If you don’t put this on the network, I’ll find someone who will,’” he said.

“More and more employees want to bring their personal devices into the enterprise and many organizations aren’t ready, but they’re being forced to consider it,” said Nicholas Arvanitis, a principal security consultant at Dimension Data Americas, an IT services and solutions provider.

Companies are caving in to the demand, it appears. According to a Forrester Research survey of about 1,000 North American and European enterprises and SMBs from the first quarter of 2011, about half of the firms surveyed support employee-owned mobile phones and smartphones.

In describing how companies are dealing with the influx of personal phones and tablets, Andrew Jaquith, chief technology officer at Perimeter E-Security, compared what he saw six months ago when he was an analyst at Forrester to the famous five stages of grief: denial, anger, bargaining, depression and acceptance.

“I would say about half of companies are in the bargaining phase. They haven’t fully accepted it, but they know they need to do something and they’re starting to figure out what their policies need to look like and what their approach will be,” he said.

Consumer mobile devices represent both a curse and an opportunity, Jaquith said. “They’re a curse in the sense that you’re making IT security rethink its entire approach to mobile devices,” he said. “The opportunity is very clear: These are devices that give employees more satisfaction and high productivity at their jobs. As we move into this post-PC era, enterprises are going to be forced to accommodate these devices one way or another.”

MOBILE THREATS

Supporting employee-owned devices is important to Thomson Reuters for recruiting new employees, Mathias said. In the two years that the company has been working on its strategy for personal mobile devices in the enterprise, the technology options have improved and the company’s understanding of the risks posed by the devices has grown, he said.

“Simply being able to plug an Android phone into any workstation of my choosing and use the storage on that phone as a way to take files out of the office—now it’s a gigantic USB fob,” he said.

Data loss and unauthorized access are the top enterprise security risks posed by personal mobile devices, said Matthew Todd, CSO and vice president of risk and technical operations at Financial Engines, a Palo Alto, Calif.-based independent investment adviser.

“Portable devices like smartphones and iPads are really just modern takes on the laptop—smaller, more fun, but just as filled with information as that old ThinkPad,” he said. “Portable devices can have contact lists, emails, confidential attachments, or even confidential images, audio or video. The threat takes on a whole new angle when smart devices are integrated with the corporate environment and your smartpad or smartphone can access internal systems or websites.”

Compounding the risk is the fact that unlike PCs, these small portable devices are easy to leave behind in cabs and restaurants and for thieves to snatch.

Mobile malware is another risk, but one that’s just emerging. In March, Google pulled nearly two dozen free applications from its Android Market after they were discovered to contain hidden malware. Called DroidDream, the malware tried to gain root access to the smartphone to view sensitive data and download more malware.

DroidDream “illustrated how real the malware threat is for Android,” Chenxi Wang, a vice president and principal researcher at Forrester Research, wrote in a recent report. “Personal devices that have the freedom to download any apps are a ripe source for infection,” Wang wrote. “Defending against mobile malware will be an increasingly important IT priority as Android overtakes iOS as the top selling mobile platform.”

Chris Wysopal, co-founder and chief technology officer at application security company Veracode, said the iPhone has been fairly unscathed by malware, “which goes to show that the walled garden, or whitelisting, of only known apps on the device is adding some security.” In comparison with the higher scrutiny in Apple’s App Store, applications in the Android Market lack security vetting, he said. Veracode earlier this year launched a mobile application verification service.

“One of the biggest risks is applications installed by users without being vetted,” said Dimension Data’s Arvanitis.

“I believe mobile devices will be the next huge threat vector,” said Ryan Laus, network manager at Central Michigan University. “We’re still in a learning phase, but I think they really will be a huge target for attacks down the road.”

Rules of the Road

FORRESTER SAYS ORGANIZATIONS NEED TO INCLUDE THESE RULES IN THEIR POLICY FOR PERSONALLY OWNED MOBILE DEVICES

Enterprises that want to allow employees to use their personal smartphones and other devices in the workplace need to include some baseline items in their mobile policy, according to Chenxi Wang, a vice president and principal researcher at Forrester Research. They include:

■ IT reserves the right to manage any mobile device with access to corporate data, including those that are personally owned.

■ The organization reserves the right to monitor the activity of personal mobile devices when they are in the company network.

■ Employees should follow Internet acceptable use policies while in the corporate environment.

■ The company isn’t responsible for damage to personal content due to corporate management functions imposed on the device.

■ The organization can disable any mobile device access to corporate resources at any time deemed necessary.

■ Users must inform IT if the device is lost or stolen.

More specific policies a company might want to consider include enabling password-based entry and remote locking features, and reserving the right to remotely wipe the content on the device in the event of theft or loss, according to Wang. —MARCIA SAVAGE

PORTABLE DEVICE POLICIES

While Thomson Reuters wants to implement strong security on employee-owned devices, the company knows it needs policies in order to do that.

“We want to be able to reach out and kill a phone that’s been stolen or lost, much like we can with the BlackBerry today, but we as a company want to have the right to do that and the technology to be able to do that for a device we don’t own. That’s where the policies come in. We need an agreement with individu-als before we can start managing a device like that,” Mathias said.

Jaquith said companies need to create what he calls a “mobile access and security covenant” with their employees. “You have an agreement between employees and the employer, and that’s, ‘You can bring your gear to work and use it to get email but in exchange, I’m going to ask you to do some things.’” That includes allowing security policies to be implemented on the device that enforce corporate passcode settings, and agreeing to give the device to corporate managers in the event of an investigation where they need to perform forensics on the device or comply with a subpoena.

Arvanitis said corporate policies can list what mobile platforms will be supported and include different rules depending on an employee’s role. “Those use cases need to be understood, along with the flows of data and security of that data,” he said. “Only once you’ve got that security architecture in place at the business level can you put in technical controls.”

In her report, “Managing the Security and Risk Challenges of Personal Devices in the Workplace,” Forrester’s Wang outlined baseline items organizations should include in their mobile policy (see “Rules of the Road”). Security teams need to work with legal and privacy departments on the rules and also need to consider some unique legal and privacy challenges posed by personally owned devices in the office, she said.

For example, she said, an organization could be liable if an employee misuses copyrighted material on their personal device. Also, imposing corporate controls on personal smartphones and other devices could conflict with privacy laws; some countries don’t permit a company to audit the network security of personal devices, enforce acceptable usage policies or impose an endpoint agent, Wang said in her report.

“For a global organization, where your operations must comply with multiple, different privacy regulations, knowing how to monitor and control personal devices on your network can indeed be a challenge,” she said. “It may also mean you must develop different policies for different regions.”

SECURITY CONTROLS

When it comes to enforcing enterprise security like passwords and lockout on a mobile device, the BlackBerry platform is the runaway favorite, experts say. Mathias calls the BlackBerry Enterprise Server the “gold standard.”

“The BlackBerry was built from the ground up to meet those requirements. It’s an enterprise device that found its way into the consumer world,” Veracode’s Wysopal said. “Other devices are coming from the consumer world into the enterprise and lack these features.”

School Security

NAC HELPS HIGH SCHOOL ENSURE MOBILE SECURITY

Essex Agricultural and Technical High School—“Essex Aggie”—wanted to be able to allow students and faculty to bring their own personal computing device to campus, whether a laptop, iPhone or iPad. The question was how to do it securely.

The public vocational high school in Danvers, Mass., which counts about 485 students and 55 faculty members, decided to deploy network access control technology (NAC) from Bradford Networks. Campus Manager automates registration of users, scans for operating system and antivirus updates, and monitors access and network usage.

“It’s nice to know that security holes in the operating system are plugged,” said Kyle Jones, technology manager at Essex Aggie. “Bradford is checking to make sure the latest versions of the Windows service packs and Apple updates have been applied.” —MARCIA SAVAGE

One way organizations can gain a basic level of control over all the iPhones, Androids and other devices employees are using at work is through Exchange ActiveSync, experts say. “That’s going to be your choke point,” said Jaquith. Companies can use it to enforce password policies and device lock if the wrong passcode is entered too many times, he said.

However, companies can run into scalability problems with Exchange ActiveSync when trying to manage personal devices, Wang said. A mobile device management system “can impose whatever policies you’ve established for these devices, monitor their operations, and give you a platform to impose controls to the extent it’s appropriate,” she said.

Mobile device management systems will become even more important as “mobile computing starts moving beyond just email to mobile applications,” Jaquith said.

According to Gartner, the mobile device management software market is quickly evolving with more than 60 vendors and little consistency. Most vendors offer on-premise or Software as a Service based tools and offer a range of capabilities, including inventory management, software distribution and security, such as enforced password, device wipe and remote lock, Gartner analysts wrote in a report.

They also advised enterprises that some device platforms will limit manageability due to their design; companies should not expect mobile device management systems to support each platform the same way. Also, Android support is still immature, according to Gartner, which predicts it will be at least another year before Android is well supported by mobile device management vendors.

Thomson Reuters is taking another look at mobile device management vendors now that mobile device operating systems are more mature and have better support capabilities, Mathias said. The company is also looking at ways to improve its ability to link devices to its Exchange environment, and to protect its internal environment by deploying a mobile VPN capability that will integrate with the firm’s digital certificate deployment, so digital certificates can be issued to mobile devices for secure VPN access.



Research in Motion (RIM) announced plans to release a multi-platform version of its BlackBerry Enterprise Server in late 2011, promising enterprises another way to manage the consumerization of IT trend. RIM is acquiring Ubitexx to develop the product, which it said will incorporate secure device management for Android and iOS devices. RIM said that companies can “expect a range of security, manageability and controls depending on different device platform capabilities.”

A technique that some companies are using to balance mobility and security is to leverage Citrix desktop virtualization technology, experts say. That way, no corporate data is stored on the device. The Citrix Receiver, offered for a variety of mobile devices including iPhone and iPad, works as a “window to application and desktop virtualization,” Citrix’s Roemer said.

PLANNING AHEAD

Understanding the risks in mobile applications, specifically Android and iOS phones, is another area that Thomson Reuters is tackling by working with a company that scans the applications to spot problems.

It’s beginning to discuss whether it wants to have a whitelist of applications for mobile phones, but whitelisting could be problematic because it makes the devices less personal, Mathias said. Understanding what applications are out there, how mobile employees are using them, and how the applications can be misused is new territory. “We’re just beginning to talk about how we keep up with this,” he said.

MARCIA SAVAGE is editor of Information Security magazine. Send comments on this article to [email protected].


EDITOR Marcia Savage

SENIOR SITE EDITOR Eric Parizo

SENIOR MANAGING EDITOR Kara Gattine

DIRECTOR OF ONLINE DESIGN Linda Koury

COLUMNISTS Marcus Ranum

CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Diana Kelley, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD Phil Agcaoili, Cox Communications; Richard Bejtlich, Mandiant; Seth Bromberger, Energy Sector Consortium; Mike Chapple, Notre Dame; Brian Engle, Health and Human Services Commission, Texas; Mike Hamilton, City of Seattle; Chris Ipsen, State of Nevada; Diana Kelley, Security Curve; Nick Lewis, Saint Louis University; Rich Mogull, Securosis; Tony Spinelli, Equifax; Matthew Todd, Financial Engines

VICE PRESIDENT/GROUP PUBLISHER Doug Olender, [email protected]

ASSOCIATE PUBLISHER Peter Larkin, [email protected]

TECHTARGET, 275 Grove Street, Newton, MA 02466, www.techtarget.com

©2012 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. For permissions information, please contact The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused Web sites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.