Trusted Mobile Computing

  • 7/29/2019 Trusted Mobile Computing

    November 2012

    White Paper: Enabling Trusted Mobile Computing

    CTOlabs.com

    Inside: Context on BYOD

    Integrity Verification and Compliance Assurance

    Lessons to learn for your enterprise deployment

    A White Paper providing context and guidance you can use

    Trusted Mobile Computing Through Integrity Verification and Compliance Assurance

    The use of mobile devices within government and industry is continuing to evolve at a rapid pace. Only a few years ago, enterprise mobility meant wireless email on BlackBerry. Today, organizations are embracing the latest iOS and Android devices and are constantly waiting to find out what's next. Tablets and the iPad are revolutionizing the way field employees and knowledge workers do their jobs. And mobile apps are everywhere, on every device, and are used for both personal entertainment and business productivity. The bring-your-own-device (BYOD) approach has also spread through government and industry with the promise of increased employee satisfaction and productivity as well as potential cost savings and organizational efficiencies.

    Security Policies, Safeguards and Risk Management

    Security policies and safeguards have not kept pace with the growth in mobility for the enterprise, resulting in rising mobile risk. A recent survey by Trend Micro found that nearly half of all companies allowing BYOD experienced data or security breaches due to employee devices accessing corporate networks. Because employee devices can carry malware, access insecure networks, track their owners, and even surreptitiously record conversations and take photos if tampered with, ensuring device integrity is now a necessity in the modern workplace. Fortunately, there is a solution that is specifically designed to monitor and maintain system integrity while still enabling choice of device and applications. Fixmo Sentinel Integrity Services provides leading integrity monitoring, tamper detection, jailbreak detection, and policy verification to ensure that mobile devices and applications start and remain in a known trusted state.

    Fixmo and Its Origins

    Fixmo's origins lie with the U.S. National Security Agency's (NSA) internally-developed solution for verifying the integrity of their BlackBerry mobile devices, codenamed AutoBerry. While BlackBerry devices were issued for security and compliance with government security standards (FIPS 140-2), there were a growing number of reported incidents where unverified network communications and software updates were occurring on devices of employees that were traveling overseas and roaming across wireless networks. These incidents raised serious concerns over the integrity of these devices and their potential exposure to malicious code injection and cyber attacks. Finding dangerous or malicious alterations to device software proved extremely difficult as checking for variations in millions of lines of code was impractical and monitoring policy compliance across thousands of devices was manpower intensive. AutoBerry saved time and effort by comparing known good hashes of devices in a trusted state and then detecting any differences and analyzing for vulnerabilities and compromises, thereby automating mobile device compliance auditing.

    A White Paper for the Government IT Community

    Through the NSA Technology Transfer Program, Fixmo expanded on AutoBerry's capabilities, ported all of the functionality to Android and much of it to iOS, and released the resulting product as a commercial-off-the-shelf (COTS) solution for both government agencies and private sector organizations.

    Integrity Verification and Compliance Assurance Mitigates Risk

    Mobile device integrity is critical to an enterprise as threats to mobile device security are serious and growing. Recently, the Government Accountability Office reported on the gravity of mobile risk, calling on the Department of Homeland Security and the National Institute of Standards and Technology to implement measures to increase mobile device security in the public and private sectors. Mobile devices face unique and dangerous threat environments as users connect to cellular networks with root access to their devices and WiFi networks they do not know and trust. Mobile devices are susceptible to loss, malware, cyber attacks, phishing, hidden SMS managing applications that send expensive premium rate SMS messages, and SMiShing or phishing through SMS rather than email.

    Adding to this, most mobile devices used for business are now also permitted to have unverified third party applications installed on them from public app stores or third party distribution sites. Currently, most IT departments lack sufficient tools to detect tampering, compromises or potential non-compliance scenarios caused by unverified third party applications which may or may not be malicious in intent.

    Scans Can Drive Policy Changes

    Fixmo empowers you with the ability to make changes to devices based on the results of scans, with a wide range of options available for you to execute. For example:

    If a high-risk change is detected during an integrity scan (such as jailbroken OS, detection of malware or the presence of a blacklisted application), automatically lock or wipe the device

    If a medium-risk change is detected during a scan (such as the installation of an unknown application), automatically lock down the corporate data residing within the Fixmo SafeZone secure workspace until IT can analyze the risk and make a decision on what actions to take, if any

    If a low-risk change is detected (such as the upgrade of a trusted application to a new version), notify IT but do not take any immediate action

    Mobile Threats Increasing

    Mobile malware is rampant and rising. Recent analysis by Arxan Technologies found that over 90% of the top 100 paid applications for iOS and Android have copycat versions on the market that resemble legitimate applications but are instead infected. For Apple, most of those hacked apps are on unauthorized markets for jailbroken devices, though malware was recently discovered in the Apple App Store that harvests data from user address books. Researchers also claim to have snuck malware into the App Store before to demonstrate that Apple's verification is not infallible.

    Android malware similarly spies on users with infected devices. One typical, common recent instance of malware (known as Android.Trojan.GingerMaster) comes bundled with multiple non-malicious apps and runs in the background to broadcast device IDs, phone numbers, and more to command and control servers. Other common infected applications (such as Android.Monitor.Sheri) monitor users' GPS coordinates. Additionally, one must consider the vast array of mobile applications that are not designed to be malware, but may put your private data and devices out of compliance nonetheless. For example, a recent report suggests that 86% of the top 100 apps on the Apple App Store and Google Play marketplace request access to some type of personal information with many of them gaining access to GPS coordinates and/or the native address book on the device which houses both personal and business contacts. While their intent may not be malicious, these types of applications may put your state of compliance at risk.

    Threat Context

    50% of Android users are running out of date, unpatched OS

    92% of the top 50 iOS apps come from different developers

    85% of the top free iOS and Android apps can access private user data

    55% of smartphones used in business will be owned by employees by 2015

    90% of businesses will have corporate apps running on employee devices by 2014

    9% of companies have a policy to wipe corporate data while leaving personal data intact

    71% of businesses plan to implement a solution that separates business and personal data

    22% of IT pros have seen malware on mobile devices

    Continuous Monitoring Required

    Fixmo Sentinel Integrity Services combats these potential security and compliance breaches through continuous monitoring of devices to prevent unwanted policy changes, OS rooting, unverified applications, OS tampering, and other potential compromises that can lead to a state of non-compliance. It also proves that devices are in a trusted state through auditable compliance reporting. As almost all iPhone malware comes from third party app stores accessed by jailbroken phones, and Android malware typically infects devices set to accept unverified third party applications, Fixmo Sentinel can alert IT departments if employees have made these or other changes that raise the risk for infection so that IT can proactively assess and remediate before the threat results in an actual breach. And if a device becomes infected, Fixmo's Integrity Services will detect changes that indicate hidden malware may be running in the background to leak sensitive data. Fixmo Sentinel contains over 100 predefined compliance and integrity reports and scales easily across Android, iOS, and BlackBerry. It is also designed to integrate with existing mobile and IT infrastructure and leverage the safety measures your enterprise already has in place.

    Fixmo Sentinel also provides integrity-based policy controls which automate policy controls based on the results of an integrity scan. If the scan finds high-risk changes such as a jailbroken OS, malware, or a blacklisted application, Sentinel can automatically lock or even wipe the device. If medium-risk changes are detected, such as the installation of an unknown application, Sentinel can automatically lock down the corporate data residing within the Fixmo SafeZone container until IT can analyze the risk and decide which actions, if any, it should take. And if the changes that Sentinel finds are low-risk, like upgrading a trusted application, it will take no immediate action but will notify IT. This way threats can be countered early before they do serious damage, risks can be identified and examined further, and the enterprise is kept up to date on the significant changes across all of its mobile devices.
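
    The known-good hash comparison attributed to AutoBerry and the three-tier policy response described above can be sketched together as follows. This is an added example, not Fixmo's or the NSA's code; the `os/` and `app/` component naming, the approved-release list, the low-risk treatment of a removed app, the medium-risk treatment of an unapproved build, and the action names are assumptions made for illustration.

```python
import hashlib

# Tier -> response as the white paper describes them; action names are illustrative.
ACTIONS = {"high": "lock_or_wipe_device",
           "medium": "lock_corporate_container",
           "low": "notify_it",
           "none": "no_action"}
ORDER = ["none", "low", "medium", "high"]

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def classify(name, new, blacklist, approved):
    """Risk tier for one component whose hash differs from the trusted baseline."""
    if name.startswith("os/"):
        return "high"        # OS component no longer matches the trusted state
    pkg = name.split("/", 1)[1]
    if new is None:
        return "low"         # app removed (assumption: report only)
    if pkg in blacklist:
        return "high"        # blacklisted application present
    if new in approved.get(pkg, ()):
        return "low"         # known release of a trusted application
    return "medium"          # unknown application, or unapproved build (assumption)

def integrity_scan(baseline, current, blacklist=frozenset(), approved=None):
    """Diff two {component: sha256} manifests; return (worst tier, action, findings)."""
    approved = approved or {}
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old != new:
            findings.append((name, classify(name, new, blacklist, approved)))
    worst = max((tier for _, tier in findings), key=ORDER.index, default="none")
    return worst, ACTIONS[worst], findings

# Constructed sample data: byte strings stand in for OS images and app packages.
BASELINE = {"os/kernel": digest(b"kernel-1.0"),
            "app/com.example.mail": digest(b"mail-1.0")}
APPROVED = {"com.example.mail": {digest(b"mail-1.0"), digest(b"mail-1.1")}}
BLACKLIST = frozenset({"com.example.badapp"})

def demo():
    upgraded = dict(BASELINE, **{"app/com.example.mail": digest(b"mail-1.1")})
    sideload = dict(upgraded, **{"app/com.example.game": digest(b"game-0.3")})
    rooted = dict(sideload, **{"os/kernel": digest(b"kernel-1.0-patched")})
    return [integrity_scan(BASELINE, d, BLACKLIST, APPROVED)[:2]
            for d in (BASELINE, upgraded, sideload, rooted)]

if __name__ == "__main__":
    for risk, action in demo():
        print(risk, action)
```

    The device-level response is driven by the worst single finding, so one high-risk change overrides any number of low-risk ones in the same scan.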

    Concluding Thoughts

    Trusted mobile computing requires integrity verification and compliance assurance. The many capabilities of Fixmo deliver this to the enterprise. Fixmo capabilities are backed up with a world-class engineering team which has built solutions that can scale to the size of the global hand-held device market. Key components of their suite of solutions were initially developed by the US government and under terms of the government's agreement with Fixmo these components are free for government use.

    Why Fixmo

    Here is more on Fixmo's key capabilities for government use:

    Fixmo Sentinel Desktop - No Charge to Government: Fixmo Sentinel Desktop is the commercial alternative for AutoBerry, a mobile device security and tamper detection solution that was initially developed by the U.S. National Security Agency.

    Fixmo Sentinel SCC - No Charge to Government: Fixmo Sentinel Server Compliance Check (SCC) is the commercial alternative for AutoBES, a solution for automatically scanning BlackBerry Enterprise Server and Good Mobile Messaging Server to ensure proper configuration and STIG compliance.

    Fixmo MRM: Learn more about the Fixmo MRM platform which brings Fixmo Sentinel together with the Fixmo SafeZone Secure Container to provide a holistic mobile risk management platform for protecting devices, protecting corporate data and proving regulatory compliance.

    Fixmo Solutions for Government: Visit the Fixmo Government Solutions page at Fixmo.com to learn more about mobile security, compliance and risk management solutions for Government agencies.

    More Reading

    For more federal technology and policy issues visit:

    CTOvision.com - A blog for enterprise technologists with a special focus on Big Data.

    CTOlabs.com - A reference for research and reporting on all IT issues.

    J.mp/ctonews - Sign up for the Government Technology Newsletters.

    Fixmo.com - Learn more about Fixmo today.

    About the Authors

    Bob Gourley is CTO and founder of Crucial Point LLC and editor and chief of CTOvision.com. He is a former federal CTO. His career included service in operational intelligence centers around the globe where his focus was operational all source intelligence analysis. He was the first director of intelligence at DoD's Joint Task Force for Computer Network Defense, served as director of technology for a division of Northrop Grumman and spent three years as the CTO of the Defense Intelligence Agency. Bob serves on numerous government and industry advisory boards. Contact Bob at [email protected]

    Ryan Kamau is a technology research analyst at Crucial Point LLC, focusing on disruptive technologies of interest to enterprise technologists. He writes at http://ctovision.com. He researches and writes on developments in technology and government best practices for CTOvision.com and CTOlabs.com, and has written numerous whitepapers on these subjects. Contact Ryan at Ryan@crucialpointllc.com

    For More Information

    If you have questions or would like to discuss this report, please contact me. As an advocate for better IT in government, I am committed to keeping the dialogue open on technologies, processes and best practices that will keep us moving forward.

    Contact: Bob Gourley

    [email protected]

    703-994-0549

    All information/data 2012 CTOLabs.com.