BYOD and Your Security Part III

Continuing his discussion on BYOD and its security implications, Panseh Tsewole looks at carrier-level vulnerabilities in the BYOD ecosystem. Panseh Tsewole reckons this is an area typically not covered by InfoSec pros doing risk analysis on BYOD projects. Whether at home or on the road, traffic reaching our enterprise networks travels through a provider's infrastructure. In this write-up, Panseh Tsewole discusses some of the issues we should consider.

Transport-layer vulnerabilities can be exploited through a man-in-the-middle (MITM) attack on the carrier's network. A MITM attack allows the attacker to sniff traffic and gain access to sensitive data. We should ensure the carrier deploys SSL or HTTPS encryption at the transport level.

Rogue access points are a challenge. Numerous environments such as hotels, airports, coffee shops and some restaurants offer free Wi-Fi. Attackers can use a variety of tools that act as proxies and capture data, including login credentials. SSLstrip is a tool that can be used to capture credentials from sites using the HTTPS protocol. Panseh Tsewole recommends that remote access policies address these vulnerabilities. The policy should require all remote connections to the enterprise network to come in through secured SSL VPN connections. Panseh Tsewole has researched numerous SSL VPN solutions whose clients automatically initiate a connection to the enterprise network as soon as they detect internet connectivity outside of the LAN. Palo Alto Networks' GlobalProtect is one such product.
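The two transport-level points above (a MITM on the carrier path, and an SSL-stripping proxy on a hotspot) both come down to the client side refusing to talk over a downgraded or unverified channel. The following Go program is an added example, not code from the original post or from any VPN product it names: it shows a client TLS configuration that verifies the server certificate and pins a minimum protocol version, a small audit function that flags the settings a MITM needs, and a check for the Strict-Transport-Security (HSTS) response header, which is what stops a browser from being downgraded to plain HTTP. The hostname `vpn.example.internal` and the sample headers are constructed placeholders.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// HardenedClientTLS returns the TLS settings a BYOD client (or the SSL VPN
// client it tunnels through) should use when talking to the enterprise:
// the server certificate is verified against the trust store and the expected
// hostname, and nothing older than TLS 1.2 is negotiated.
// serverName is a placeholder supplied by the caller.
func HardenedClientTLS(serverName string) *tls.Config {
	return &tls.Config{
		ServerName:         serverName,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false, // the default, stated explicitly so reviewers see it
	}
}

// AuditTLSConfig lists the settings in a client configuration that would let a
// man-in-the-middle on a carrier or hotspot network succeed. A MinVersion of 0
// means "library default" and is not flagged.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "certificate verification is disabled (InsecureSkipVerify)")
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "minimum TLS version is below 1.2")
	}
	return findings
}

// HSTSMaxAge returns the max-age value from a Strict-Transport-Security header,
// or 0 when the header is absent or malformed. A site that sends HSTS tells the
// browser never to fall back to plain http for that host, which removes the
// downgrade that an SSL-stripping proxy depends on.
func HSTSMaxAge(h http.Header) int {
	for _, directive := range strings.Split(h.Get("Strict-Transport-Security"), ";") {
		directive = strings.TrimSpace(directive)
		if !strings.HasPrefix(strings.ToLower(directive), "max-age=") {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(directive[len("max-age="):]))
		if err == nil && n > 0 {
			return n
		}
	}
	return 0
}

// Constructed sample responses for the demo; not captured from any real site.
var sampleHeaders = map[string]http.Header{
	"portal-with-hsts":    {"Strict-Transport-Security": {"max-age=31536000; includeSubDomains"}},
	"portal-without-hsts": {"Content-Type": {"text/html"}},
}

func main() {
	good := HardenedClientTLS("vpn.example.internal") // placeholder hostname
	weak := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}
	fmt.Println("hardened config findings:", AuditTLSConfig(good))
	fmt.Println("weak config findings:", AuditTLSConfig(weak))
	for name, h := range sampleHeaders {
		fmt.Printf("%s: HSTS max-age=%d\n", name, HSTSMaxAge(h))
	}
}
```

The audit function is the part worth reusing: run it over the `tls.Config` values in your own client code (or the VPN client's exported settings, where available) during code review, since `InsecureSkipVerify: true` left over from testing is exactly the setting that turns a hotspot MITM from a blocked connection into a silent one.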

Some BYODs use GSM technology to connect to the carrier's network. SIM cloning is a serious vulnerability with such devices. Cloning is basically creating a copy of the original SIM card, and the tools to do so are readily available on the internet. A service provider usually implements anti-cloning technology on its network. Our job is to verify that such countermeasures are in place with the carriers used by the BYODs on our networks.

BYOD and Your Security Part II

Panseh Tsewole continues his discussion on BYOD. BYOD is a security challenge for most enterprises. Panseh discusses the benefits and challenges of having a BYOD program.

Traditionally, the enterprise IT infrastructure team has managed every operating system in the enterprise. However, with the advent of BYOD, heterogeneous systems are introduced into the network. We know that different mobile operating systems support different ways of managing device and application security. On Android, to install an application we have to grant every permission on the list or cancel the install. Apple iOS-based devices are different: we can choose not to grant permission to a specific service and still install the application. The level of security can also be compromised if the device is jailbroken and allows installation of applications from unrecognized sources.

Mobile access to the enterprise brings with it additional threats and vulnerabilities. These are threefold: the mobile devices, the carriers and the enterprise data centers. At the mobile device level, there are OS-related vulnerabilities, data-at-rest vulnerabilities, mobile malware and device theft. Many OS vulnerabilities have led to the compromise of mobile devices. Android has been a target for malware writers and hackers for some time now, and enterprises still do not prefer Android for enterprise use.

Some applications might store user credentials for services such as Facebook locally on the mobile device. Theft or unauthorized access can let someone steal that data. Data-at-rest vulnerabilities should be addressed by the application, preferably through encryption.
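To make the "preferably through encryption" recommendation concrete, here is an added example in Go (not code from the original post or from any mobile platform): a credential is sealed with AES-256-GCM before being written to local storage and unsealed on read. Authenticated encryption matters here because a stolen device gives the attacker the file, and GCM makes any edit to that file fail on decryption rather than yield altered plaintext. The 32-byte key is assumed to come from the platform key store; the demo key in `main` is a constructed value, and the credential string is a constructed placeholder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealCredential encrypts a credential with AES-256-GCM before it is written to
// local storage. key must be 32 bytes and is assumed to come from the platform
// key store (hardware-backed where available); it is never written next to the
// ciphertext. The returned blob is nonce || ciphertext || authentication tag.
func SealCredential(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// A fresh random nonce per credential; GCM must never reuse one under a key.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenCredential decrypts a blob produced by SealCredential. Any modification of
// the stored bytes (or use of a different key) fails authentication and returns
// an error instead of garbage plaintext.
func OpenCredential(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// newGCM builds the AEAD; rejecting wrong key sizes here keeps both call sites honest.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo key; a real app obtains this from the key store, not a literal.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := SealCredential(key, []byte("alice:correct-horse-battery")) // constructed credential
	if err != nil {
		panic(err)
	}
	pt, err := OpenCredential(key, blob)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // simulate tampering with the stored file
	_, err = OpenCredential(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design choice to note is the key's separation from the blob: encryption only addresses the data-at-rest vulnerability if the key is not recoverable from the same stolen storage, which is why it is sourced from the platform key store rather than derived from something stored beside the ciphertext.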

BYOD and Your Security Part I

In the first part of his discussion on BYOD, Panseh Tsewole takes a look at how we got here. Why is BYOD a hot topic at most enterprises? Panseh believes it is an important component of a successful information security program. He will devote the next few weeks to blogging on this topic.

For a long time, organizations provided employees with company-owned portable devices, be it a laptop or a BlackBerry device. Often, employees were allowed to use these devices to check email and store contacts, and downloading of rich applications wasn't allowed. In the last few years, more powerful devices such as the iPhone, with rich features, have been developed and heavily marketed to consumers. Employees have embraced these devices and prefer to use the devices they own for work purposes.

Organizations for the most part have embraced employees using their own devices for work purposes. It makes business sense, as it reduces capital expenditure on procuring these devices. However, allowing employees to bring in their own devices is fraught with risk to an enterprise's assets.

There are security, privacy and legal concerns to deal with. The questions to be considered include: how much control would the enterprise exert over a BYOD? What level of management is assigned to the BYOD? How is theft of a BYOD going to be handled? Is the enterprise going to allow its data to be stored on the BYOD? Which BYODs are going to be permitted access, and how do we go about determining which to allow? How many BYODs per user would be allowed to connect to the network? How are applications going to be pushed to the BYOD? Can we restrict the user's access to certain sites on their own device? How far are we going to go in supporting the BYODs?

These are some of the questions that need to be answered prior to introducing BYOD on an enterprise network.

State Tax refund and Identity Thieves

It is refund time and identity thieves are busy stealing taxpayers' data, filing bogus tax returns and receiving billions in tax refunds from the tax authorities. Since 2012 the IRS has implemented additional safeguards that have reduced such thefts. However, at the state level it is a major problem, as most states haven't invested in anti-fraud technologies to reduce such threats. What can be done to fight against such threats? A HIPAA-like law needs to be created across all industries to protect personally identifiable information. Panseh Tsewole notes that the thieves usually got the personally identifiable information from health care entities such as doctors' offices. However, with HIPAA such entities are no longer the gold mine. Thus, they go after low-hanging fruit: easy targets. The ideal targets include county or city utilities with less-than-robust security defenses. Some work with compromised employees at various entities who steal the PII data and pass it on to the identity thieves. Panseh Tsewole believes a law requiring all PII data to be protected at all times, at rest, in transit and while being processed, would be a place to start, and for all industries, not just banking, finance or health care. Panseh Tsewole's conclusion is for us consumers to use extreme care: guard our social security numbers and never give them to an entity over the phone.

Leaking ATM

A piece of malware allows ATMs to automatically dispense cash without any card in the machine. The same malware had key-logger functionality that recorded bank employees' keystrokes, and that information was used to steal millions from the bank. It is time to move to signatureless anti-malware defenses rather than relying on signature-dependent anti-virus solutions.

Advanced Persistent Threats (APT)

Advanced persistent threats are usually sponsored by states. These threat agents have enormous resources. With time and those resources behind them, it is only a matter of time before they breach the target's network. We should have mechanisms in place to detect and mitigate such breaches as soon as they occur. Our goal here should be simple: limit the damage, as it is very difficult to prevent such attacks.