by Natalie Miller • @natalieatWIS

Protect your mobile kingdom and mitigate risk with a layered defense

Published July 14, 2014


If there is one lesson learned from the “Yo” app’s meteoric rise in popularity, it’s that not only does everyone seem to want to create their own app, but it seems no matter what it is, the masses will download it. However, in contrast to Yo’s tagline, “It’s that simple,” establishing a secure mobile platform is far from easy.

“People don’t realize the risk that’s going on with mobile,” says Caleb Barlow, Director of Product Management-Application, Data, Mobile, and Critical Infrastructure Security for IBM. “The challenge we’re running into with this is that these mobile apps are incredibly easy to hack, and not only are they easy to get into, but we have the challenge that people are sharing enormous amounts of personal information.”

Research firm Gartner forecasts that mobile payment transaction volume will surpass 450 million users and $721 billion in transfers by 2017. The value of these money transfers is also on the climb—although the values per transaction are generally low, users transact via mobile devices much more frequently because of availability, ease, and a lower cost of services. Gartner predicts mobile transactions will account for almost 69 percent of the total value of money transfers in 2017.

Mobile threats are actually growing at a slower pace than the technology of mobile devices, but even less-evolved threats are becoming increasingly powerful, says Dionisio Zumerle, Principal Research Analyst for Mobile Security at Gartner.

“We trust mobile devices with more important data than before,” explains Zumerle. “Mobile devices are becoming our wallets, our IDs, and losing these things is much more impactful than losing a mobile phone.”

There are two key ways enterprise data is being exposed on mobile devices, says Zumerle. The largest source of data loss is through a device that lacks adequate device-level protection, and the second is due to the use of unsupported apps, such as apps that allow users to upload enterprise data onto third-party clouds. These unsupported apps are not necessarily malicious, but may conflict with corporate policy and can be easily hacked.

Securing applications is only part of the puzzle. Rogue versions of applications are also a threat. Barlow explains that it’s very easy for cybercriminals to develop a rogue version of an app and repost it out to app stores. Once an unsuspecting customer downloads the app, the device is infected and the rogue app is then able to trade personal data off the user’s device. For many smartphone customers, this amounts to a significant amount of data.

5 steps to mitigate mobile security risks when building a mobile application

According to Zumerle, Gartner worked with several vendors to identify best practices to help clients develop secure mobile apps, both for B2C and for B2E scenarios. These are represented in the report, “Avoiding Mobile Application Development Security Pitfalls.” 

Below are his top 5 steps:

  1. Minimize the application permissions
  2. Establish server-side checks
  3. Leverage mobile platform native credential protection mechanisms
  4. Apply certificate pinning to avoid man-in-the-middle attacks
  5. Harden the application against reverse engineering
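Step 4, certificate pinning, is the one most often implemented incorrectly, so here is a minimal worked version. This is an added example, not code from the article, from Gartner or from IBM: the app ships a small set of SHA-256 fingerprints of the DER-encoded certificates it will accept (plus a backup pin for rotation), and a TLS connection is accepted only if it passes normal chain and hostname validation *and* matches a pin. The host name, the sample certificate bytes and the backup pin value are constructed placeholders.

```python
"""Certificate pinning on top of normal TLS validation (added example, not the article's code)."""
import hashlib
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate, the value an app would ship as a pin."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert: bytes, pinned: frozenset) -> bool:
    """True only if the presented certificate matches one of the shipped pins."""
    return fingerprint_sha256(der_cert) in pinned


def connect_pinned(host: str, port: int, pinned: frozenset, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes chain + hostname validation AND matches a pin.

    Pinning is an extra check, not a replacement for the platform trust store: a
    forged certificate from a compromised or rogue CA would pass the default
    context but fail the pin, which is the man-in-the-middle case step 4 targets.
    """
    ctx = ssl.create_default_context()  # keeps hostname + chain validation on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
    if not verify_pin(der, pinned):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls


# Constructed sample: this blob is NOT a real certificate; it only stands in for
# DER bytes so the pin check can be exercised offline. Real pins are computed
# from the real certificate (e.g. `openssl x509 -outform der`) at build time.
SAMPLE_CERT = b"\x30\x82constructed-not-a-real-certificate"

# Assumption: one current pin plus one backup pin (placeholder value) so the
# back end can rotate certificates without bricking every installed app.
BACKUP_PIN_PLACEHOLDER = "0" * 64
PINNED = frozenset({fingerprint_sha256(SAMPLE_CERT), BACKUP_PIN_PLACEHOLDER})


if __name__ == "__main__":
    print("sample cert matches pin:", verify_pin(SAMPLE_CERT, PINNED))
    print("tampered cert matches pin:", verify_pin(SAMPLE_CERT + b"\x00", PINNED))
    # connect_pinned("api.example.invalid", 443, PINNED) would be the real call.
```

This pins the whole certificate, which is the simplest form but means every certificate renewal needs an app update; production apps usually pin the SubjectPublicKeyInfo hash instead so the key can be reused across renewals. Either way, always ship a backup pin and a way to retire pins, or a certificate change becomes a self-inflicted outage.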

Between these rogue applications, lost devices, and hackers, businesses and consumers are vulnerable to attacks that can lead to the significant loss of sensitive data, revenue, customers, and brand reputation. Similarly, as the popularity of employee-owned devices in the workplace grows, so does the need for organizations to establish an integrated mobile security platform.

In the case of the bring-your-own-device (BYOD) workforce, cyber criminals are beginning to target mobile workers as a way to access organizations’ back-end IT systems. According to a study conducted by Webroot, 73 percent of companies have a mix of company and employee-owned devices. Of those companies, 62 percent reported significant increases in demand for help desk support to repair, replace, or manage the security of smartphones and tablets in the company. Resolving these issues consumed as much as 36 percent of one help desk technician’s time each month.

“BYOD is changing the entire concept of enterprise security,” says Zumerle. “Mobile devices are increasingly considered as untrusted, because personal usage cannot be tamed. This obliges organizations to find new ways to protect enterprise information. Organizations are abandoning the legacy model of locking down a device to secure it and are focusing on securing the data. Organizations are becoming information-centric, but mobile devices are application-centric. Therefore, organizations are focusing on decoupling security controls from the device and protecting apps through containment.”

The mobile security mindset
Organizations are more aware of these vulnerabilities and the need to bring added protection to their mobile space as more apps are developed and pushed to market and as businesses embrace BYOD technologies in the workplace. The issue surrounds company data that sits out on third-party cloud services that interact with its mobile devices. Not only is this a security risk, but when employees leave the company, all that data goes with them.

Over the last 10 years, security in general has been an afterthought for most organizations, says Barlow. “The difference now is that security is becoming a boardroom conversation. If you go out and survey chief information security officers or chief financial officers, legal officers, or CEOs, security is number two or three on the list of things they are worried about—right behind revenue—and the reason is it can decimate a company’s reputation overnight, and you don’t have to look further than some of the recent breaches to see the impact.”

Communications giant AT&T recently alerted its mobile customers of a data breach that leaked birthdates and Social Security numbers. The breach was perpetrated by three employees of AT&T’s own service providers. And, earlier this year, T-Mobile customers also fell victim to a breach that left personal information compromised. The wireless network operator confirmed a hacker gained access to records, yet claimed the incident alone wasn’t enough to cause harm to customers. In Israel, security group “Lookout” discovered a cloned banking app in the Google Play store masquerading as a legitimate app belonging to Mizrahi Bank. The malicious app, called BankMirage, was stealing users’ credentials once downloaded. Lookout reported the app to Google and it was removed from the app store.

“We’re really starting to pay a whole lot of attention to this and starting to figure out, how do we start to protect people from what is going on there,” says Barlow. “So what we’re telling people is that there are four things you have to do. You have to protect the device, protect the apps, protect the content, and protect the transactions … A lot of this is just awareness. People just aren’t aware of the problem. Your average consumer isn’t aware of how much data they have shared on their mobile phone.”

A layered defense: What it means to protect the device, app, content, and transactions

According to Barlow, the best approach to a secure mobile platform is four-tiered: protect the device, content, app, and transactions.

Protect the device: The interesting thing with these devices is that they’re connected, says Barlow. Unlike a company laptop, a mobile device is the employee’s personal property. It holds personal pictures and contacts, so when an employee leaves the company, there is an issue with wiping that device clean of enterprise data without wiping the personal data. “We need a slightly more sophisticated set of tools that understands and can segment what’s the corporate data versus the personal data and how to break that apart,” says Barlow.

Protect the content: Organizations must put a wall around the personal side of the phone and the enterprise side of the phone to protect transactions of corporate applications to the public world. “So what we are going to do is put a barrier around these corporate applications so the corporate apps can share data all day long, but if you try to copy it out of those corporate apps it gets stopped,” he says. “Again the idea is that we can’t trust what’s on your phone. It’s a dirty environment. You might have a rogue version of Angry Birds on there that not only plays the game but also steals your data.”

Protect the app: In this scenario, the key is to build the apps using security tools that can put security provisions into the app itself. “If you think of the metaphor of a castle, you have the moat, you have the walls, the entire perimeter was what security was, but inside the walls there wasn’t any security,” says Barlow. “IT departments, in our traditional environments, are really the same thing. They are to put your firewalls, your intrusion prevention system at the border, but once you’re inside the company or inside your laptop, applications are sharing data all day long. Well, you can’t do that on mobile phones because you can’t trust the other apps. So we’ve got to move that [security] perimeter into the app itself, which requires a whole new level of sophistication in technology to be able to do that and that’s probably the most critical innovation that’s happening in mobile.”

Protect the transactions: If an employee is making an online banking transaction, it isn’t part of the corporate mobile security framework, yet the organization still wants to know that the transaction is authentic, that its integrity is intact, and that the device isn’t rooted, jailbroken, or full of malware. Protecting the transaction is all about running tests in real time, even when there is no established security framework on the device, to determine whether it is actually a safe transaction.

In reality, the data consumers share from their phones is correlated and sold to data brokers and other cybercriminals, who then use the information to break into company IT systems. On a similar front, when people build mobile applications, many times the app developer isn’t necessarily a seasoned developer who is thinking about security. The mindset is to push mobile apps out as quickly as possible, yet if security tools aren’t integrated at the same time, issues arise, says Barlow.

The IBM MobileFirst portfolio, along with the IBM MaaS360 offering, gives organizations the tools to build this defense—through mobile technology adoption, integration of cloud-based capabilities, and a comprehensive mobile management and security solution. These capabilities support IBM’s vision for Enterprise Mobility Management (EMM), which also encompasses the lifecycle management of apps and security of transactions between businesses, partners, and customers, according to IBM.

Transaction security is important, says Barlow. “We know how malware acts; even if we can’t identify what exactly the malware is, we can set out a trap and if something triggers the trap, we may not know what triggered it, but we know something did, so we can stop that transaction.”

Other important factors are the location and velocity of the device. “If the device is coming from a place where we know often has [criminals], then we don’t allow the transaction to go through,” he explains. “If you suddenly went from Boston to Ukraine in two hours, that’s not exactly possible, so something is wrong. There are a lot of things that we can do looking at these devices to try to determine if there is actually a human behind the device and is it actually the person who signed up for this device in the first place.”
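The "Boston to Ukraine in two hours" check Barlow describes is usually called an impossible-travel (or velocity) rule on the server side. The following is an added example, not IBM's code or anything from the article: it takes a stream of login events with geolocated source addresses, orders them per user, and flags any consecutive pair whose implied ground speed exceeds a plausible ceiling. The events, coordinates and the 1,000 km/h threshold are constructed assumptions; a real deployment would feed it from an IP geolocation lookup and tune the threshold.

```python
"""Impossible-travel (velocity) check over login events (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: roughly airliner speed. Anything faster between two logins cannot
# be the same person carrying the same device.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime   # UTC timestamp of the login
    lat: float     # geolocated source of the request
    lon: float
    city: str      # label only, to make alerts readable


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would have needed to get from prev to cur."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:  # same instant (or clock skew): any distance at all is impossible
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def find_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, speed_kmh) for each consecutive login pair
    per user that would require travelling faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):  # input order is not trusted
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            speed = required_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append((user, prev.city, cur.city, round(speed)))
    return alerts


def _utc(hour: int, minute: int = 0) -> datetime:
    return datetime(2014, 7, 14, hour, minute, tzinfo=timezone.utc)


# Constructed sample events (deliberately out of order). Coordinates are the
# well-known city centres; the users and times are made up.
SAMPLE_EVENTS = [
    LoginEvent("alice", _utc(12), 50.4501, 30.5234, "Kyiv"),
    LoginEvent("bob", _utc(14), 40.7128, -74.0060, "New York"),
    LoginEvent("alice", _utc(10), 42.3601, -71.0589, "Boston"),
    LoginEvent("bob", _utc(10), 42.3601, -71.0589, "Boston"),
    LoginEvent("carol", _utc(11), 51.5074, -0.1278, "London"),
]


if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(SAMPLE_EVENTS):
        print("%s: %s -> %s would need ~%d km/h; hold the transaction" % (user, src, dst, kmh))
```

Only alice trips the rule (Boston to Kyiv is roughly 7,200 km, so two hours implies well over 3,000 km/h); bob's Boston-to-New York trip in four hours is ordinary driving speed and carol has a single event. In practice this signal is one input to a risk score rather than a hard block, because VPN exits, carrier NAT and coarse geolocation all produce false "jumps".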

IBM has been focused on aggressive acquisition in the mobile security space, says Barlow, and Gartner Inc. named IBM a Leader for EMM in its recent Magic Quadrant report for its work in mobile management and security.

“We feel this recognition from Gartner underscores IBM’s ongoing commitment to helping clients transform and protect their businesses through mobile,” says Deepak Advani, general manager, IBM Cloud & Smarter Infrastructure.

“One of the things we pride ourselves in is making tools that scale,” says Barlow. “But also when we talk about security, these threats are constantly evolving, constantly changing. There are over 200 engineers we have in Israel around the clock constantly researching these threats on mobile to make sure these products are up to date and they’ll push out updates a couple times of day if they have to.”

The cost of security
“Most organizations have either reached or are reaching a security posture that provides their workforce with basic services such as email and document repositories,” says Zumerle. “The second wave of enterprise mobility is aiming at enabling more complex tasks on mobile devices, and these require developing native mobile apps. This implies that organizations will have to learn how to secure their mobile apps and how to integrate mobile devices with enterprise infrastructure securely.”

What are the top 5 things to know about mobile security in general?

According to Zumerle, organizations evaluating mobile security strategies should know the following:

  1. Mobile security is an area of constant change. Whatever solution one chooses, it is important to stay tactical and avoid lock-in.
  2. One solution will not be able to protect the entire workforce. It is important to break down user requirements into pockets of workforce population and satisfy these requirements with solutions that may apply only to certain pockets.
  3. There is not yet a universal understanding of what is safe and what is unsafe with mobile devices. Organizations and IT leaders at times have extreme views (either too strict or too lax). Now is the time to translate mobile technical risks into enterprise risks and to have an enterprise-wide discussion of what should be the levels of risk accepted.
  4. Mobile security is about secure enablement, not lockdown.
  5. EMM tools simply translate your logical controls into technical. It is paramount to have a well-thought-out mobile policy in place before selecting a tool. This is a process that may seem trivial, but it is quite a complex task that needs to involve the IT, operations, security, HR, and legal departments.

As illustrated in the Gartner report, “The Six Pain Points of Managing Mobile Devices for Small or Midsize Businesses,” Zumerle explains that the biggest pain points are cost, deployment options, security, usability, training, and support. “These [businesses] have many of the same challenges as large enterprises, however, due to limited skills and resources, their solutions are often less complex and need to be easier to manage,” he says. “Most small organizations will go for cloud-based EMM solutions because of the simplicity that they provide.”

Every company struggles with how much money to spend on security, says Barlow. “This is a really hard thing because there is no end to the potential budget that you could spend on securing stuff,” he explains. However, the conversation has shifted from the IT professional having to justify the need to the CEO, to the C-levels really seeing the need for a broad strategy. “One of the first things is figuring out the defenses in depth and really having that broad array or framework up. You’ve got to build the wall, put some archers on the wall, maybe not put alligators in the moat, but let’s at least build it a little bit deeper, and fill it with some water,” says Barlow.

“The second thing is really starting to change the dialogue at the C-level. This can’t be a dialogue about security speak, this has to be a dialogue about risk. So the smartest chief security information officers are really starting to go in and say, ‘Look … we have three or four options of investment and posture, we can be down here, which means that our odds are that we’ll end up in the newspaper with a nasty public breach at least once in the next three years and here is the potential impact of that and here is the budget associated with that,’” he explains. “In this other stream, here’s another scenario. ‘We’re not guaranteed, but the odds are we’ll stay out of the paper and we’ll protect our users, but it comes with this price tag,’ and those are probably both the wrong answers. The right answer is probably somewhere in between. Then they start laying out those answers in between and really translating this, not from a technical discussion, but a business risk discussion. So when we translate that into a risk discussion, then things start to get interesting because then we can have a real dialogue on what’s the right level of investment.”
