BYOD Cyber-Security. How concerned should you be?

According to ComputerWeekly.com, “Nearly half of firms supporting BYOD report data breaches.” PWC’s 2013 Information Security Breaches Survey said “9% of large organisations had a security or data breach in the last year involving smartphones or tablets.” But as you know, correlation is not causation, and those quotes may imply a greater danger from BYOD than has yet been observed.

One of the most authoritative and exhaustive analyses of cyber security is Verizon’s annual “Data Breach Investigations Report.” The 2013 edition of the report analyzes over 47,000 ‘security incidents,’ including 621 ‘data breaches.’ It says:

The “Bring Your Own Device” (BYOD) trend is a current topic of debate and planning in many organizations. Unfortunately, we don’t have much hard evidence to offer from our breach data. We saw only one breach involving personally-owned devices in 2011 and a couple more in 2012.

So if your main concern is corporate data breach, the situation is not yet as dire on the mobile side as it is on the non-mobile side. But the Verizon report cautions:

Obviously mobile malware is a legitimate concern. Nevertheless, data breaches involving mobile devices in the breach event chain are still uncommon in the types of cases Verizon and our DBIR partners investigate. However, we do expect them to make more of an appearance in our data as mobile payment systems continue to become more common.

Two reports that focus on mobile malware are Trend Micro’s “Mobile Threat and Security Roundup,” and one I mentioned in a previous post, BlueCoat’s “2013 Mobile Malware Report.”

According to Trend:

In 2012, we detected 350,000 malicious and high-risk Android app samples, showing a significant increase from the 1,000 samples seen in 2011. It took less than three years for malicious and high-risk Android apps to reach this number—a feat that took Windows malware 14 years.

Just as Windows malware varied, so did Android malware—around 605 new malicious families were detected in 2012. Premium service abusers, which charge users for sending text messages to a premium-rate number, comprised the top mobile threat type, with transactions typically costing users US$9.99 a month. And victims of mobile threats didn’t just lose money, they also lost their privacy. The issue of data leakage continued to grow as more ad networks accessed and gathered personal information via aggressive adware.

Aggressive adware in mobile devices is now similar to the notorious spyware, adware, and click-fraud malware rampant in the early days of the PC malware era. They, like PC malware, generate profit by selling user data. PC malware took advantage of loopholes in legitimate ads and affiliate networks, while today’s aggressive adware can cause data leakages that aren’t always limited to malicious apps. Even popular and legitimate apps can disclose data.

The BlueCoat report concurs with this assessment:

Mobile threats are still largely mischiefware – they have not yet broken the device’s security model but are instead more focused on for-pay texting scams or stealing personal information.

So mobile malware is exploding, but so far targeting individuals in relatively trivial thefts. The Trend report observes that mobile threats are recapitulating the history of computer threats, but faster. Expect to see the mobile device threat level increase.

Mobile Malware Update

Blue Coat Systems has published an interesting report on the state of mobile malware. The good news is that in the words of the report “the devices’ security model” is not yet “broken.” This means that smartphones and tablets are still rarely hijacked by viruses in the way that computers commonly are.

Now for the bad news. On the Android side (though apparently not yet on the iOS side), virus-style hijackings have begun to appear:

Blue Coat WebPulse collaborative defense first detected an Android exploit in real time on February 5, 2009. Since then, Blue Coat Security Labs has observed a steady increase in Android malware. In the July-September 2012 quarter alone, Blue Coat Security Labs saw a 600 percent increase in Android malware over the same period last year.

But this increase is from a minuscule base, and this type of threat is still relatively minor on mobile devices. Instead the report says, “user behavior becomes the Achilles heel.” The main mobile threats are from what the report calls “mischiefware.”

Mischiefware works by enticing the user into doing something unintentional. The two main categories of Mischiefware are:

  1. Phishing, which tricks users into disclosing personal information that can be used for on-line theft.
  2. Scamming, which tricks users into paying far more than they expect for something – like for-pay text (SMS) messages or in-app purchases. Even legitimate service providers can be guilty of this type of ‘gotcha’ activity, with rapacious international data roaming charges, or punitive overage charges on monthly ‘plans.’

“User behavior becomes the Achilles Heel” is hardly a revelation. A more appropriate phrase would be “User behavior remains the Achilles Heel,” since in this respect the mobile world is no different from the traditional networking world.

Mobile Security and HTML5

Smartphones and tablets have plenty of computing power to host malware, and they are simultaneously connected to the Internet via a cellular connection and to the LAN via Wi-Fi. So everybody in your organization has a device capable of by-passing your firewall in their pocket.

The good news is that smartphone OSes were designed recently enough that their creators were able to build security into the platforms using techniques like ARM TrustZone and “chain of trust.” Technologies of this type are merely optional on PCs. Plus, the Android and iPhone app stores tightly control the applications that they distribute, and most people don’t take the trouble to avoid this protection. With these system-level and application-level protections, smartphones and tablets are intrinsically less vulnerable than PCs.

But there’s plenty of bad news, too. The chain of trust isn’t foolproof, and malicious code can get through the app store certification process.

On top of these traditional threats, a new one looms: HTML 5. Adobe Flash is so notoriously vulnerable that Steve Jobs refused to let it onto the iPhone. Adobe has now thrown in the towel, and committed to HTML 5 instead. HTML 5 is presumably safer than Flash, but it is untried, and it has powerful access to the platform more akin to a native app than to traditional HTML.

This means that we can expect a rising tide of smartphone-related security breaches.

Big Brother

Some ideas are so obvious once you hear them that you feel like you already had them yourself. One such is a new application for Wi-Fi from a company called Euclid Analytics.

Euclid’s idea is to provide Google Analytics-style information on foot traffic in retail stores. They implement it using the Wi-Fi on smart phones. This is technologically trivial: if you leave the Wi-Fi on your phone turned on, it will periodically transmit Wi-Fi packets, for example ‘probe requests.’ Every packet transmitted by a device contains a unique identifier for that device, the MAC address. So by gathering this information from a Wi-Fi access point, Euclid can tell how often and for how long each device is in the vicinity. Presumably enough people have Wi-Fi on their phones by now to gather statistically representative data for analytics purposes.

The Euclid technology doesn’t require your opt-in, and it doesn’t need to be tied to Wi-Fi. The concept can trivially be extended to any phone (not just Wi-Fi equipped ones) by using cellular packets rather than Wi-Fi, and for people with no phone, face recognition with in-store cameras. For this kind of application even 90% accuracy on the face recognition would be useful.
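To make the mechanism concrete, here is an added illustration (not code from the post or from Euclid) that runs the same kind of per-device analytics over a constructed log of probe-request observations, and shows why a phone that randomises its MAC address (setting the locally administered bit) cannot be linked across visits. The session gap, the log format and all addresses are assumptions.

```python
"""Added example: visit analytics from Wi-Fi probe requests, and the
MAC-randomisation mitigation. Input is a constructed log, not real traffic."""
from collections import defaultdict

# Constructed sample: (timestamp in seconds, source MAC of the probe request).
PROBES = [
    (0,    "a4:5e:60:11:22:33"),
    (70,   "a4:5e:60:11:22:33"),
    (140,  "a4:5e:60:11:22:33"),
    (3000, "a4:5e:60:11:22:33"),  # same hardware MAC returns later: a repeat visit
    (10,   "da:1b:2c:3d:4e:5f"),  # locally administered (randomised) MAC
    (80,   "fe:9a:8b:7c:6d:5e"),  # same phone, new random MAC: not linkable
]
SESSION_GAP = 600  # seconds of silence that ends a visit (assumed value)

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a locally administered address,
    which is exactly what MAC randomisation sets."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)

def visits(probes, gap=SESSION_GAP):
    """Group probes by MAC into visits; each visit is a (start, end) pair."""
    by_mac = defaultdict(list)
    for ts, mac in probes:
        by_mac[mac].append(ts)
    result = {}
    for mac, times in by_mac.items():
        times.sort()
        sessions = [[times[0], times[0]]]
        for t in times[1:]:
            if t - sessions[-1][1] > gap:
                sessions.append([t, t])      # gap exceeded: new visit
            else:
                sessions[-1][1] = t          # still the same visit
        result[mac] = [tuple(s) for s in sessions]
    return result

def profile(probes):
    """Per-device summary: visit count, total dwell time, and whether the
    address is stable enough to be linked across visits."""
    out = {}
    for mac, sessions in visits(probes).items():
        out[mac] = {
            "visits": len(sessions),
            "dwell": sum(end - start for start, end in sessions),
            "linkable": not is_locally_administered(mac),
        }
    return out

if __name__ == "__main__":
    for mac, summary in profile(PROBES).items():
        print(mac, summary)
```

Only the globally administered address yields a repeat visit; the two randomised addresses each look like a one-off stranger, which is the privacy property randomisation buys.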

One of the only four choices on Euclid’s website’s navigation menu is Privacy. Privacy gets this prominent treatment because the privacy issues raised by this technology are immense.

Gathering this kind of information for one store – anonymous traffic by time, duration of stay, repeat visits and so on – doesn’t seem too intrusive on individuals, but Euclid will be tempted to aggregate it across all the stores in the world, and to correlate its data with other data that stores already gather, like point of sale records.

Many technology sophisticates I talk with tell me that it is naive to expect any privacy whatsoever in the Internet age, and I guess this is another example. Euclid will effectively know where you are most of the time, but it won’t know much more than your cellular provider, or any of the app vendors to whom you have given location permission on your phone.

ITExpo: BYOD – The New Mobile Enterprise

If you are going to ITExpo West 2012 in Austin, make sure you attend my panel on this topic at 1:30 pm on Wednesday, October 3rd.

The panelists are Jeanette Lee of Ruckus Wireless, Ed Wright of ShoreTel and John Cash of RIM.

The pitch for the panel is:

BYOD (Bring Your Own Device) has been in full swing for a couple of years now, and there’s no going back. Enterprises have adopted a policy of allowing users to use their own devices to access corporate networks and resources. With it comes the cost savings of not having to purchase as many mobile devices, and user satisfaction increases when they are able to choose their preferred devices and providers (and avoid having to carry multiple devices). But the benefits don’t come without challenges — the user experience must be preserved, security policies must accommodate these multiple devices and operating systems, and IT has to contend with managing applications and access across different platforms. This session looks at what businesses can do to mitigate risks and ensure performance while still giving your users the device freedom they demand.

ITExpo: Enterprise SBC and UC Security Essentials

If you are going to ITExpo West 2012 in Austin, make sure you attend my panel on this topic at 10:00am on Wednesday, October 3rd.

The panelists are Scott Beer of Ingate Systems, Jeff Dworkin of Sangoma, Eric Hernaez of NetSapiens, Mykola Konrad of Sonus Networks, Jack Rynes of Avaya and John Nye of Genband.

The pitch for the panel is:

Supported by Session Border Controllers (SBCs) and Unified Communications (UC), enterprises can enable workers to essentially carry their desk phone extensions and features with them, wherever they are working on any given day – via VoIP clients and other UC applications on smartphones, tablets, and other mobile devices. With rich UC application features such as call transfer, conference call, corporate directory listings, and presence, workers can collaborate and communicate in real-time, increasing productivity by maintaining an always-on presence.

But wireless and Internet connected mobile devices present unique security challenges that differ dramatically from traditional communications and data security methods that rely on firewalls, user authentication, and encryption. Further, these mobile devices can expose sensitive network traffic, and proprietary or confidential data and communications, to multiple vulnerabilities.

Enterprises that have embraced SBCs, and other components of UC security, are proving they can securely protect and extend communications to external parties, unlocking new ways of collaborating with clients, partners, distributed employees and the supply chain. This session will consider the Enterprise SBC as a means of satisfying security and privacy requirements, with signaling and traffic encryption, media and signaling forking, network demarcation, and threat detection and mitigation, enabling enterprises to capture the cost benefits of VoIP and UC, while maintaining essential security postures and access to multi-mobile communications across the network, anytime, anywhere.

Information Cards versus Open ID?

We all hate passwords – they are insecure and burdensome; but they seem so firmly entrenched that they will be around for a long time. The New York Times recently wrote a story about Information Cards, an interesting attempt to overcome some of the deficiencies of passwords. The article draws a conflict between Information Cards and Open ID, that Paul Trevithick, the chairman of the Information Card Foundation, hurried to deny, characterizing the efforts as complementary. Trevithick concludes:

I really don’t think we’ll get Internet scale adoption with any of the “pure-play” but partial solutions on their own. Instead, take an “extract” of OpenID, mix in a derivative of Liberty (esp. ID-WSF) services at that endpoint, top it off with i-cards, browser integration, and run it on all platforms (including mobile), and maybe we’ll have a recipe for something that works in enough real world situations to be generally useful.

Cisco’s Motion Announcement

Cisco’s Motion announcement on May 28th was huge for enterprise mobility. It defined some new terms which we will be hearing a lot: “Cisco Motion,” “Mobility Services Architecture” and “Mobility Services Engine.” Cisco Motion is the name of the “vision.” The Mobility Services Engine 3350 is a $20,000 appliance that embodies the Mobility Services Architecture, which is a part of Cisco’s Service Oriented Network Architecture.

Cisco has published a lot of useful information about these new products. A good place to start is the launch webinar, which includes an informative Powerpoint presentation. The Mobility Services Architecture is described in a white paper. There are two press releases: a conventional press release consisting of written words, and a “social media release” consisting of links to YouTube clips and podcasts.

What we’re doing here is abstracting the network control element of the architecture and the services and application integration piece. This reflects what we have been talking about for the last 2 plus years around the Services Oriented Network Architecture. It’s about how we can drive new capabilities into the network, that can be married up with a host of different applications and turned into a solution for our customers. It’s not just applications running over the network. Increasingly with this architecture, it is about applications running “with” the network.

Ben Gibson, Senior Director Mobility Solutions, Cisco Systems

Cisco describes the MSE as a “platform for partnering,” the idea being that it exposes network-level information through an open application programming interface (API) to applications delivered by independent software vendors (ISVs).

Adding wirelessness to the IP world generates network-layer information that can be useful to applications, notably information about the location of known devices, and the intrusion of unknown devices. The MSE orders that information and presents it through the API.

Cisco Motion also addresses some downsides of mobility. Adding mobility to the IT world brings a lot of new headaches:

  • There are multiple network types (currently cellular and Wi-Fi, later WiMAX)
  • There is a profusion of new device types (currently smart phones) which must be managed and tracked
  • There is a wave of innovation in consumer applications. Employees are demanding these applications in the enterprise environment.
  • Mobility also complicates compliance with data confidentiality regulations like PCI and HIPAA.

So far Cisco has identified four categories of application that can run on the MSE: Context-Aware applications, Wireless Intrusion Prevention Systems, Client Management and Intelligent Roaming.

Context Aware Applications

“Context Aware applications” seems to be Cisco’s term for applications that do asset tracking. Cisco is partnering with ISVs in both horizontal and vertical markets. These ISVs are OAT, Intellidot, Aeroscout, Pango/Innerwireless and Airetrak. The Context-Aware software is scheduled to ship in June 2008.

Adaptive Wireless Intrusion Prevention Systems

Overlay wireless intrusion prevention systems add devices to monitor wireless traffic looking for rogue access points and clients. The innovation here appears to be that the MSE exposes information from the access points and wireless controllers that eliminates the need for these overlay devices. IPS software running on the MSE can substitute for the overlay IPS, while yielding equivalent depth of reporting and features. A further benefit of running the IPS over the MSE API is that the same software will be able to handle future wireless networks in addition to Wi-Fi. The Adaptive WIPS software is scheduled to ship in the second half of 2008.

Mobile Intelligent Roaming

This is enterprise Fixed-Mobile Convergence. The MSE isn’t a mobility controller; it issues an event up through the API when it determines that the Wi-Fi network needs to hand the call off to the cellular network. This event is handled by mobility controller software from an ISV. Cisco’s launch partners for this are Nokia for phones, and Agito on the mobility controller side. The Mobile Intelligent Roaming software is scheduled to ship in the second half of 2008.

Secure Client Manager

This works with Cisco’s 802.1X and CCX products. Cisco estimates that 80% of IT’s wireless and mobility effort goes to client troubleshooting and security provisioning. The Secure Client Manager will help mitigate this problem for the imminent wave of mobile devices. The Secure Client Manager is scheduled to ship in the first half of 2009.

Unified Wireless Network Software

Cisco Motion requires a new software load for the access points and WLAN controllers: the Cisco Unified Wireless Network Software Release 5.1, which shipped in May 2008.

Ask and ye shall receive

Ken Dulaney, Gartner VP distinguished analyst and general mobile device guru, told the crowd at the Gartner Mobile & Wireless Summit today that he still can’t recommend businesses adopt the iPhone — even with an SDK. Dulaney said that he recently wrote Apple a letter in which he outlined several things Apple would need to do with the iPhone before Gartner could change its mind about it. The directives included:
– Permit the device to be wiped remotely if lost or stolen
– Require strong passwords
– Stop using iTunes for syncing with a computer
– Implement full over-the-air sync for calendar and PIM

Jason Hiner, TechRepublic March 5th, 2008

On the same day Dulaney said this in Chicago, Phil Schiller of Apple was holding a news conference in Santa Clara granting some of these wishes, and many more:

  • Microsoft Exchange support with built-in ActiveSync.
  • Push email
  • Push calendar
  • Push contacts
  • Global address lists
  • Additional VPN types, including Cisco IPsec VPN
  • Two-factor authentication, certificates and identities
  • Enterprise-class Wi-Fi, with WPA2/802.1x
  • Tools to enforce security policies
  • Tools to help configure thousands of iPhones and set them up automatically
  • Remote device wiping

At the news conference Apple wheeled out several corporate endorsers: Genentech, Stanford University, Nike and Disney.

At first blush, the new enterprise-oriented capabilities of the iPhone appear to be an IT manager’s dream come true (though it will be a while before the dream is a reality). Even this contrarian post concedes that it will make the iPhone more competitive with the Blackberry, while faulting Apple for not having a comprehensive enterprise strategy.

Apple is clearly serious about the enterprise smartphone market, and this strategy is sound. The business market supports price points that easily accommodate the iPhone, and this strategy spills over to the business PC market in two ways: today by acting as a door-opener for Mac sales, tomorrow by evolving the iPhone into a PC replacement for many users.