
Brian Pennington

A blog about Cyber Security & Compliance


Enterprises have more than 2,000 unsafe mobile apps installed on employee devices

Veracode has released analytics from its cloud-based platform showing that, based on the mobile applications it assessed, the average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment.

Based on an analysis of hundreds of thousands of mobile applications installed in actual corporate environments across various industries, including financial services, media, manufacturing and telecommunications, Veracode found 14,000 unsafe applications, of which:

  • 85% expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs and carrier information.
  • 37% perform suspicious security actions, such as checking to see if the device is rooted or jailbroken (which allows applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords); installing or uninstalling applications; recording phone calls; or running other programs.
  • 35% retrieve or share personal information about the user such as browser history and calendars, often sending sensitive information to suspicious overseas locations and allowing attackers to develop a complete profile of users and their social connections.

According to Gartner,

“Through 2015, more than 75% of mobile applications will fail basic security tests.” At the same time, cybercriminals and nation-states are constantly looking to exploit insecure applications in order to steal corporate intellectual property, track high-profile individuals or insert aggressive adware for monetary gain.

This creates a challenge for enterprises that want to increase productivity and employee satisfaction by providing BYOD programs or corporate-owned devices.  Modern MDM and enterprise mobility management (EMM) systems are designed to enforce corporate policies on managed devices, but need an automated and scalable mechanism for maintaining up-to-date information about thousands of unsafe apps that are constantly being added to public app stores around the world.

Existing approaches for addressing unsafe mobile apps, such as manually-curated blacklists, are difficult to scale because of the sheer size and constantly-changing nature of the problem.  As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps for no reason.

“Many mobile apps are unsafe because they unknowingly access insecure third-party libraries and frameworks in the software supply chain – while other apps have been specifically designed to perform malicious actions,” said Chris Wysopal, Veracode co-founder, CISO and CTO. “Veracode’s automated cloud-based reputation service and MDM/EMM integrations were purpose-built to address the speed and scale required to effectively secure employee devices in global enterprise environments.”

Top 10 technologies for information security and their implications for security organisations in 2014

At its Security & Risk Management Summit, Gartner highlighted the top 10 technologies for information security and their implications for security organisations in 2014.

“Enterprises are dedicating increasing resources to security and risk. Nevertheless, attacks are increasing in frequency and sophistication. Advanced targeted attacks and security vulnerabilities in software only add to the headaches brought by the disruptiveness of the Nexus of Forces, which brings mobile, cloud, social and big data together to deliver new business opportunities,” said Neil MacDonald, vice president and Gartner Fellow. “With the opportunities of the Nexus come risks. Security and risk leaders need to fully engage with the latest technology trends if they are to define, achieve and maintain effective security and risk management programs that simultaneously enable business opportunities and manage risk.”

Gartner believes the top 10 technologies for information security are: 

1. Cloud Access Security Brokers

Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises a way to gain visibility and control as their users access cloud resources.

2. Adaptive Access Control

Adaptive access control is a form of context-aware access control that acts to balance the level of trust against risk at the moment of access using some combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that access decisions reflect current conditions, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. Use of an adaptive access management architecture enables an enterprise to allow access from any device, anywhere, and allows for social ID access to a range of corporate assets with mixed risk profiles.

3. Pervasive Sandboxing (Content Detonation) and IOC Confirmation

Some attacks will inevitably bypass traditional blocking and prevention security protection mechanisms, in which case it is key to detect the intrusion in as short a time as possible to minimize the hacker’s ability to inflict damage or exfiltrate sensitive information. Many security platforms now include embedded capabilities to run (“detonate”) executables and content in virtual machines (VMs) and observe the VMs for indications of compromise. This capability is rapidly becoming a feature of a more-capable platform, not a stand-alone product or market. Once a potential incident has been detected, it needs to be confirmed by correlating indicators of compromise across different entities, for example, comparing what a network-based threat detection system sees in a sandboxed environment to what is being observed on actual endpoints in terms of processes, behaviors, registry entries and so on.

4. Endpoint Detection and Response Solutions

The endpoint detection and response (EDR) market is an emerging market created to satisfy the need for continuous protection from advanced threats at endpoints (desktops, servers, tablets and laptops), most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of ongoing attacks (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide remediation capability.

5. Big Data Security Analytics at the Heart of Next-generation Security Platforms

Going forward, all effective security protection platforms will include domain-specific embedded analytics as a core capability. An enterprise’s continuous monitoring of all computing entities and layers will generate a greater volume, velocity and variety of data than traditional SIEM systems can effectively analyse. Gartner predicts that by 2020, 40% of enterprises will have established a “security data warehouse” for the storage of this monitoring data to support retrospective analysis. By storing and analysing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of “normal” can be established and data analytics can be used to identify when meaningful deviations from normal have occurred.

6. Machine-readable Threat Intelligence, Including Reputation Services

The ability to integrate with external context and intelligence feeds is a critical differentiator for next-generation security platforms. Third-party sources for machine-readable threat intelligence are growing in number and include a number of reputation feed alternatives. Reputation services offer a form of dynamic, real-time “trustability” rating that can be factored into security decisions. For example, user and device reputation as well as URL and IP address reputation scoring can be used in end-user access decisions.

7. Containment and Isolation as a Foundational Security Strategy

In a world where signatures are increasingly ineffective in stopping attacks, an alternative strategy is to treat everything that is unknown as untrusted and isolate its handling and execution so that it cannot cause permanent damage to the system it is running on and cannot be used as a vector for attacks on other enterprise systems. Virtualization, isolation, abstraction and remote presentation techniques can be used to create this containment so that, ideally, the end result is similar to using a separate “air-gapped” system to handle untrusted content and applications. Virtualization and containment strategies will become a common element of a defense-in-depth protection strategy for enterprise systems, reaching 20% adoption by 2016 from nearly no widespread adoption in 2014.

8. Software-defined Security

“Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on. Like networking, compute and storage, the impact on security will be transformational. Software-defined security doesn’t mean that some dedicated security hardware isn’t still needed; it is. However, like software-defined networking, the value and intelligence move into software.

9. Interactive Application Security Testing

Interactive application security testing (IAST) combines static application security testing (SAST) and dynamic application security testing (DAST) techniques. This aims to provide increased accuracy of application security testing through the interaction of the SAST and DAST techniques. IAST brings the best of SAST and DAST into a single solution. This approach makes it possible to confirm or disprove the exploitability of the detected vulnerability and determine its point of origin in the application code.

10. Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

Enterprises, especially those in asset-intensive industries like manufacturing or utilities, have operational technology (OT) systems provided by equipment manufacturers that are moving from proprietary communications and networks to standards-based, IP-based technologies. More enterprise assets are being automated by OT systems based on commercial software products. The end result is that these embedded software assets need to be managed, secured and provisioned appropriately for enterprise-class use. OT is considered to be the industrial subset of the “Internet of Things,” which will include billions of interconnected sensors, devices and systems, many of which will communicate without human involvement and that will need to be protected and secured.

The drivers for BYOD

A recent F5 document promoting its BYOD solutions has an interesting section on the drivers for BYOD.

The F5 “BYOD Drivers” section is below.

In 2013, the mobile workforce is expected to increase to 1.2 billion, a figure that will represent about 35% of the worldwide workforce, and many of those workers will be using their own devices.

People have become very attached to their mobile devices. They customize them, surf the web, play games, watch movies, shop, and often simply manage life with these always-connected devices. Those organizations that have implemented BYOD programs are reporting increased productivity and employee satisfaction at work.

The 2012 Mobile Workforce Report from enterprise Wi-Fi access firm iPass found that many employees are working up to 20 additional hours per week, unpaid, as a result of their company’s BYOD policies. Nonetheless, 92% of mobile workers said they “enjoy their job flexibility” and are “content” with working longer hours.

In addition, 42% would like “even greater flexibility for their working practices.”

Organizations have been able to reduce some of their overall mobile expenses simply by not having a capital expenditure for mobile devices and avoiding the monthly service that comes with each device. In addition, in some cases, BYOD implementations can brand the IT organization as innovators.

The flipside of the convenience and flexibility of BYOD are the many concerns about the risks introduced to the corporate infrastructure when allowing unmanaged and potentially unsecured personal devices access to sensitive, proprietary information. Applying security across different devices from a multiple number of vendors and running different platforms is becoming increasingly difficult. Organizations need dynamic policy enforcement to govern the way they now lock down data and applications. As with laptops, if an employee logs in to the corporate data centre from a compromised mobile device harbouring rootkits, keyloggers, or other forms of malware, then that employee becomes as much of a risk as a hacker with direct access to the corporate data centre.

Mobile IT is a major transformation for IT departments that is deeply affecting every major industry vertical, and the effects will continue for years to come.

F5 data sources:

  • International Data Corporation (IDC), Worldwide Mobile Enterprise Management Software 2012-2016 Forecast and Analysis and 2011 Vendor Shares, Sept. 2012
  • Computerworld UK, “BYOD Makes Employees Work Extra 20 Hours Unpaid,” August 22, 2012

Criminal logic; follow the money and find easy targets

Anecdotal information shows that small businesses are just as likely to become victims of an attack as large businesses.

Why?

  1. Criminals do not discriminate: a dollar is a dollar and a credit card is a credit card, no matter where it is stolen from.
  2. Small businesses cannot invest as much in protection, management, procedures and processes as larger businesses.
  3. Smaller businesses are often the last to discover, understand and therefore achieve compliance, for example PCI DSS. Compliance is described as a painful process but PCI DSS offers a detailed and defined set of requirements which will allow a business to secure all types of information and not just credit cards.
  4. Malware (viruses, Trojans, etc.) does not know the difference between small and large businesses; in an automated attack, malware tools just look for weaknesses.
  5. The hospitality industry is frequently targeted by criminals because they know there is a high level of staff attrition in an industry with a high proportion of smaller or franchised businesses. Read my article Fraud could be costing UK hotels over £2 billion a year.

Avivah Litan in her recent Gartner Blog recounts the story of a small restaurant in Winchester, Kentucky which had a data breach involving credit cards.

The story so far looks like the criminals gained access to the store’s systems remotely, siphoned off the cards’ magnetic stripe data and then created counterfeit cloned cards, which resulted in thousands of dollars in fraud and affected a high percentage of the town’s population and, significantly, almost 25% of the local police force.

The sad thing is, from my own experience of running a small business, it is customer loyalty that often makes the difference between being profitable and going bust, and incidents like this always affect a customer’s perception of the business.

A large business can employ a PR agency, send lots of letters, offer discounts and let a branch ride out the storm until people have forgotten about the breach, all of which a small business could not afford to do.

So what can small businesses do?

  • The first thing is to assume that you may become a target, because the criminals use tools which try to find vulnerable businesses every minute and hour of the day.
  • Ensure that your payment devices (terminals, tills, e-commerce solution, etc.) are all Payment Application Data Security Standard (PA DSS) approved. The PCI website has a list of approved products and versions, find the link here.
  • Ensure you have the IT security basics in place (firewall, anti-virus, etc.) and use the auto-updates for the technology.
  • Make sure all your IT devices, not just your desktops and laptops but also your tills and EPOS devices, have their software updated/patched regularly; if it is available, turn on auto-updates.
  • Train your staff to understand what their responsibilities are and how to report issues and suspicions. A reward scheme might help.
  • I know it is difficult for small business owners to find the time, but read the PCI DSS guidelines and the Self Assessment Questionnaire (SAQ); it is an excellent start to a secure business. If you have any questions about which SAQ is needed, or any other questions, ask your bank; they are as concerned about your security as you are.
