Thursday, April 11, 2013

Blog on BYOD Security: The Art of detecting unauthorized devices in the network!!

Did you know that more than a third of devices go undetected, and hence unmanaged, and that more than 50% of these are the source of all network and data compromises in an enterprise?

You know what you know, you have no idea of what you don’t know, and worse, you cannot manage what you don’t know. This applies very well to the mobile world too, especially in the BYOD world of the enterprise. Today pretty much everyone carries at least two smart devices (a smartphone and a tablet), if not more. People changing devices or carrying different devices over a period is highly probable, so one can end up using at least 5 to 6 devices over a period as short as a year, and the number can even reach 10. In fact Microsoft allows a maximum of 10 devices per employee in their Redmond office.

Many of the MDM (Mobile Device Management) vendors, including Microsoft EAS (Enterprise Active Sync) and Microsoft System Center (MS SC), provide ways to track all the devices and manage them (of course by provisioning these devices and putting an agent on them), but they end up managing only two thirds of all devices plying in the corporate network. More than a third of devices go undetected, for various reasons ranging from not installing the “agent” prescribed by the vendor to not registering on the portal suggested by the vendor. Even in the MS world, you connect to AD, get into the domain and you are recognized; this happens with most company-given laptops and desktops. This is the first of the three levels into which all these devices get classified. The second level, which mainly applies to BYODs, is devices that are not in the domain but connect only to the EAS: knowing and managing them when they connect to the EAS (not necessarily to the domain). Even SC has the stack of both AD- and EAS-managed devices, and those who have SC know that it takes quite a while to know completely about the devices they manage. Then there is the third level, where more than a third of devices belong: they are on the network, but AD and EAS (and MDM tools for that matter) have no idea about their existence. They have not installed any agent nor connected to the EAS (or they have rooted or jailbroken the device and connect to EAS in a way EAS cannot track); they can easily log on, connect to the Internet and do what they can, and all of it goes unchecked.

Another trouble with unmanaged devices is that we don’t know to what level their security has been checked, whether they are vulnerable (running an older OS) or whether they have malware present. According to many popular surveys, more than a third of devices go undetected and end up unmanaged, and more than half of those end up being the source of vulnerabilities, security holes and malware, and hence of network and data compromises, malware attacks and cyber espionage. It is not that the owners of these unmanaged devices intend to do this; they circumvent the controls mainly to get some other privileges which they otherwise would not have. For example, some companies don’t allow Android devices into the corporate network, but people like me love Android and will find a way to get into the enterprise undetected, and without our knowledge we become the source of network and data compromises in the enterprise.

Here is where we at i7 play a crucial role. Our tool PeregrineGuard™, using patent-pending sophisticated algorithms and fingerprinting techniques, goes over multiple protocols and a huge knowledgebase of these devices’ and OSes’ behaviours and facts to clearly identify and fingerprint each of these devices, and we do all of it without putting an agent or a client on the device, completely non-intrusive and transparent to the employee. We pick up all these devices and, via AD/RADIUS or LDAP, we even know to whom each belongs; we hook into the MDM and EAS databases to find out which are managed and which are not, and give IT a list of all such devices, what OS and OS versions they are running and their vulnerability rating (DVI™ or device vulnerability index), and alert IT to bring them into the safety net of the enterprise, or allow them to ply the way they are, but at least help make an informed decision.

Deployment is even easier: just plug in a server or even a laptop with PeregrineGuard behind the Wi-Fi aggregators into the mirror port (not even in-line), and immediately you will start seeing all the devices that are there and reports about their existence, ownership, usage etc. If you have AD or RADIUS, it even tells you to whom these devices belong. Just plug it in and start seeing the reports!!
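The three-level classification and the managed/unmanaged reconciliation described above can be expressed in a few dozen lines. What follows is an added example, not PeregrineGuard or any i7 Networks code: the passive observations (MAC, DHCP vendor class, HTTP User-Agent, RADIUS identity) and the AD, EAS and MDM inventories are constructed, the OS fingerprinter is deliberately minimal, and the inventories are keyed by MAC purely for illustration; real AD/EAS/MDM exports would first have to be joined to a MAC via DHCP leases or RADIUS accounting.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observed:
    """One device seen passively on the mirror port (constructed record)."""
    mac: str
    ip: str
    dhcp_vendor: str                    # DHCP option 60 vendor class identifier
    user_agent: str                     # HTTP User-Agent seen in clear-text traffic
    radius_user: Optional[str] = None   # identity from RADIUS accounting, if any


# Constructed inventory exports (hypothetical). Real AD/EAS/MDM exports are not
# keyed by MAC; they must first be joined to one via DHCP leases or RADIUS accounting.
AD_DOMAIN_MACS = {"02:00:00:00:00:01"}
EAS_MACS = {"02:00:00:00:00:02", "02:00:00:00:00:03"}
MDM_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}

_ANDROID = re.compile(r"android[ /](\d+(?:\.\d+)*)", re.I)
_IOS = re.compile(r"(?:iphone|cpu) os (\d+(?:_\d+)*)", re.I)


def fingerprint_os(dev: Observed) -> str:
    """Minimal passive fingerprinter: DHCP vendor class first, then the User-Agent."""
    m = _ANDROID.search(dev.dhcp_vendor) or _ANDROID.search(dev.user_agent)
    if m:
        return "Android " + m.group(1)
    m = _IOS.search(dev.user_agent)
    if m:
        return "iOS " + m.group(1).replace("_", ".")
    if dev.dhcp_vendor.upper().startswith("MSFT"):
        return "Windows"
    return "Unknown"


def classify(dev: Observed) -> dict:
    """Assign the post's three levels plus the managed/unmanaged flag."""
    if dev.mac in AD_DOMAIN_MACS:
        level = 1   # domain-joined: AD knows it (company laptops and desktops)
    elif dev.mac in EAS_MACS:
        level = 2   # BYOD that is not in the domain but connects to EAS
    else:
        level = 3   # on the network, but AD, EAS and MDM have no record of it
    return {
        "mac": dev.mac,
        "ip": dev.ip,
        "os": fingerprint_os(dev),
        "owner": dev.radius_user or "unknown",
        "level": level,
        "managed": dev.mac in MDM_MACS,
    }


def unmanaged_report(devices) -> list:
    """The list IT wants: every observed device that no management system covers."""
    return [row for row in map(classify, devices) if not row["managed"]]


# Constructed observations; the User-Agent strings follow the usual browser format.
SAMPLE = [
    Observed("02:00:00:00:00:01", "10.0.0.11", "MSFT 5.0",
             "Mozilla/5.0 (Windows NT 6.1)", "alice"),
    Observed("02:00:00:00:00:02", "10.0.0.12", "",
             "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X)", "bob"),
    Observed("02:00:00:00:00:03", "10.0.0.13", "dhcpcd 4.0.15",
             "Mozilla/5.0 (Linux; U; Android 2.3.4; en-us)", "carol"),
    Observed("02:00:00:00:00:04", "10.0.0.14", "",
             "Mozilla/5.0 (Linux; U; Android 2.1; en-us)"),
]

if __name__ == "__main__":
    for row in unmanaged_report(SAMPLE):
        print(row)
```

Running it lists carol's Android 2.3.4 phone (level 2: known to EAS, absent from MDM) and the anonymous Android 2.1 device (level 3: nobody has a record of it), which is exactly the gap the post is about. The regexes only cover the few User-Agent shapes in the sample; a real fingerprinter keys on DHCP option 55 parameter lists, TCP/IP stack quirks and many more protocols.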

Once you have control over these unmanaged devices, you reduce the risk of cyber attacks/data leaks in the organization by more than 80%, helping enterprises secure their network while reaping the rich benefits of BYOD. Another interesting statistic I read is that companies which have banned or barred BYOD from their enterprise still have more than 30% of employees using devices in one way or another to do something within the organization that IT is completely unaware of. In my opinion, BYOD is a juggernaut that cannot be stopped.

BTW, when I say BYOD it is not just smartphones and tablets but can also include employee-owned laptops, as distinguished from company-given laptops, which I feel is also the need of the hour, and many companies have allowed this option already!!

Manjunath M Gowda
i7 Networks, “Agentless BYOD Discovery & Control”
LinkedIn, @i7networks

Reproduced with permission from the author of the blog.

Thursday, April 4, 2013

BYOD Security: I have anti-virus on my device. I am completely safe against malwares!! Sure?

Generally most people believe that if they have some anti-virus scanning tool on their device, it is completely safe against any malware getting into the device. Enterprises believe that the antivirus scan tool alone is good enough to keep malware out of the corporate network. The following cases show how far we are from the truth and how sophisticated malware has become at escaping these signature-matching tools while still going ahead and infecting the device and the corporate network.
In January this year (January 2013), the New York Times revealed that it had been the victim of a China-based cyber attack campaign that had been going on undetected for the last four months. The attackers first broke into one account using spear phishing, and using that access they got into the accounts of 53 Times employees. As soon as they broke into one, they installed malware (malicious software) that enabled them to gain access to the Times network and to more employees and accounts. In an almost similar fashion, Bloomberg News was targeted last year and some employee accounts were compromised.
In both attacks, the attackers installed malware on the network to spy on the data, and in the Times case they installed 45 such pieces of malware; very interestingly, only one of them was detected by Symantec, the leading anti-virus provider. Don’t misinterpret the data: the Symantec product is completely fine, and any other antivirus would not have recognized them either.

Malware is getting very advanced in its use of technology. Anti-virus uses known signatures to detect malware, scanning the device for matches, but cybercriminals now have too many different methods at their disposal to modify executables. One such technique is compression, which was mainly intended to help application developers reduce the size of their program files to ease distribution. Now the same technique is used by malware creators to obfuscate the contents of the executable. This way they can modify their code in order to bypass signature-based antivirus software. There are many such advanced techniques with which malware can easily masquerade and get into corporate environments via these devices, even though they have anti-virus software installed.
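To make the compression point concrete from the defender's side, here is an added example (not from the post or from any anti-virus vendor) showing why a byte signature stops matching once the file is packed, what a scanner does about it when it recognises the container (unpack, then rescan), and the entropy heuristic it falls back on when it does not. The "malicious" content is a constructed marker string, the packer is plain zlib, and the opaque sample is seeded pseudo-random bytes standing in for a custom packer's output.

```python
import math
import random
import zlib
from collections import Counter

# Constructed: the byte pattern an (imaginary) signature database knows about.
SIGNATURE = b"CONSTRUCTED-MARKER-NOT-REAL-MALWARE"


def signature_hit(blob: bytes) -> bool:
    """Plain byte-pattern matching, the heart of classic signature scanning."""
    return SIGNATURE in blob


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte. Text and ordinary code sit around 4 to 6; packed or encrypted data near 8."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def looks_packed(blob: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: high entropy means the bytes are compressed or encrypted, so a
    signature scan of the raw file is meaningless and deeper inspection is due."""
    return shannon_entropy(blob) >= threshold


def scan(blob: bytes) -> str:
    """Layered verdict: raw signature, then unpack-and-rescan when the container
    is a known one (zlib here), then the packing heuristic as a last resort."""
    if signature_hit(blob):
        return "signature"
    try:
        inner = zlib.decompress(blob)
    except zlib.error:
        inner = None
    if inner is not None and signature_hit(inner):
        return "signature-after-unpack"
    if looks_packed(blob):
        return "suspicious-packed"
    return "clean"


# Constructed samples. PLAIN stands in for an unpacked executable containing the
# marker; PACKED is the same bytes run through a packer the scanner knows (zlib);
# OPAQUE stands in for the output of a custom packer the scanner cannot open.
PLAIN = b"section .text " * 40 + SIGNATURE + b" section .data " * 40
PACKED = zlib.compress(PLAIN, 9)
_rng = random.Random(1234)
OPAQUE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("PLAIN", PLAIN), ("PACKED", PACKED), ("OPAQUE", OPAQUE)):
        print(f"{name:7s} entropy={shannon_entropy(blob):.2f} verdict={scan(blob)}")
```

The middle case is the one the post describes: the signature is still inside PACKED, but not as a contiguous byte run, so the raw match fails and only unpacking recovers it. The entropy threshold is a tunable, not a truth; legitimately compressed installers and encrypted archives also score near 8, which is why this heuristic selects files for behavioural analysis rather than convicting them.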

Another instance is BYODs managed by MDMs, which are not safe from malware either. Secure MDM containers can be bypassed easily to install malware. This can be done by publishing a seemingly innocent app in the Android market; once this app is installed, it refers to the malicious code, which is then downloaded and creates a hidden binary that starts working as the malware or Trojan, and the MDM has no way of detecting its presence. It is a little tougher to inject malware in the iOS scenario, but not impossible either: the attacker has to install a signed app on the targeted iOS device using an enterprise developer certificate, then use a jailbreak exploit to gain root access, inject the malicious code into the container and remove all traces of the jailbreak.

This does not mean that MDM is not useful, but it again proves my point that multiple layers of security are required. No wonder Symantec released a response stressing the importance of additional layers of security, again showing the importance of “behaviour-based” blocking and informing all of us that “antivirus software alone is just not enough”. Symantec was right in saying that antivirus alone cannot protect an enterprise network from malware, no matter how sophisticated or advanced the signature-matching algorithm is, and one should look for tools that look at the network traffic to detect anomalies and catch the malware there by its behaviour.

To summarize, no enterprise should rely solely on antivirus detection, especially w.r.t. BYOD devices, as they keep going out of and coming back into the enterprise and can easily pick up malware. Also, cybercriminals now have too many different methods at their disposal to masquerade malware into the device via any of the apps users install, and to find a way into the enterprise without leaving any clues or footprints for the anti-virus scanning tools to detect. It is time for CISOs to push their organizations to add additional layers of security on top of anti-virus systems. One could be detection of all devices in the system; another is whitelisting of apps that can be allowed in the enterprise; yet another is tools that watch network behaviour to determine anomalous and unusual network behaviour and so recognize the malware.
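The "watch the network behaviour" layer recommended above can start very simply. The following is an added example, not the post's or any product's detection logic: it runs two behavioural checks over a constructed flow log, one for beaconing (a device contacting the same destination at a near-constant interval, which is how much malware phones home) and one for fan-out (a device suddenly talking to far more distinct destinations than its baseline). Device names, the 203.0.113.9 documentation address and the baseline counts are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp in seconds, source device, destination).
# byod-17 contacts one external host every ~60 s (beaconing) and, separately,
# touches seven internal addresses in quick succession (fan-out).
FLOWS = [(t, "byod-17", "203.0.113.9") for t in (0, 60, 121, 180, 240, 301, 360, 420, 479, 540)]
FLOWS += [(t, "laptop-03", "intranet.example") for t in (5, 17, 130, 131, 400, 415, 900)]
FLOWS += [(50, "laptop-03", "mail.example"), (700, "laptop-03", "wiki.example")]
FLOWS += [(100 + i * 7, "byod-17", f"10.0.1.{i}") for i in range(1, 8)]

# Constructed baseline: usual number of distinct destinations per device per window.
BASELINE = {"laptop-03": 4, "byod-17": 2}


def beacon_candidates(flows, min_events=6, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    The coefficient of variation (stddev / mean) is 0 for a perfect clock and
    grows quickly for human-driven traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "interval": round(avg, 1), "cv": round(cv, 3)})
    return hits


def fanout_outliers(flows, baseline, factor=3.0):
    """Devices talking to more than `factor` times their usual number of distinct destinations."""
    seen = defaultdict(set)
    for _, src, dst in flows:
        seen[src].add(dst)
    return sorted(src for src, dsts in seen.items() if len(dsts) > factor * baseline.get(src, 1))


if __name__ == "__main__":
    print(beacon_candidates(FLOWS))
    print(fanout_outliers(FLOWS, BASELINE))
```

Both checks are content-agnostic, which is the point: they fire whether or not the payload matches any signature. The thresholds (six events, 10% jitter, three times baseline) are starting values; software updaters and monitoring agents beacon too, so a real deployment whitelists known-good destinations and keys the baseline on the device class the discovery step reported.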

Manjunath M Gowda
i7 Networks, “Agentless BYOD Discovery & Control”
LinkedIn, @i7networks

PS Reproduced from i7nw blogs with permission

Wednesday, March 27, 2013

BYOD Security: Why Should I care if my OS is older?

Most people are happy with the OS they have and rarely update even when updates are available, more so on Android than on iOS. Most people are not aware of some of the serious security implications of not applying OS patches, and worse, it affects the enterprise where they work even more seriously if the enterprise does not check these devices for vulnerabilities.

Generally most people will not upgrade to the latest and greatest OS immediately, for many reasons. This might not be true w.r.t. iOS devices (iPhone, iPad etc.), because there is just one vendor and one OS for all of them and many a time your phone will update automatically (and that can also create issues, like we had with 6.1; here is the blog on that), but this is very prevalent with Android-based devices.

Even though Android pushes new updates, they won’t reach you immediately, as we have to wait for the handset maker (Samsung, HTC, etc.) to take these updates, incorporate the changes into their versions, test again and then make them generally available to their customers. It all takes a lot of time, and there is a huge gap running into a few weeks if not a few months between when Android releases its new version and when the handset providers release their updates. Another reason is that many of us use an older handset which does not support newer versions, and many a time OS makers will not provide patches for the older OS but ask us to update to the newest version.

In some cases the Android OS itself is completely fine, but vulnerabilities have crept in due to customizations of the OS by handset manufacturers, and these can be exploited easily. One such example is Samsung (with its Galaxy Tab GT-P1000), where the vulnerabilities introduced are pretty serious and can be misused to silently perform almost any action on the victim's phone, ranging from placing phone calls to sending e-mails, SMS messages and so on. The other vulnerabilities can be misused to change other settings of the victim's phone, such as networking or Internet settings, without the user's consent.

The question is, what if I delay the update by a few weeks, as I am pretty happy with what I have? There is an issue, and the issue is far more serious than we have all been made to believe, unfortunately a very serious one, and let me explain why before you start disagreeing with me.

Most software, especially the OS, may have security holes (also called vulnerabilities) when released, which perpetrators and cyber fraudsters will somehow figure out and take advantage of. As soon as the OS and software vendors get to know of them, they release updates which are supposed to plug all the known vulnerabilities. The problem is that we don’t keep up with these updates, many times our handset vendors don’t follow up promptly on these updates, and worse, we don’t update either. Let me explain with an example of how this can affect us.

Assume you are running Android 2.1.x. In this version of the OS, the Google services authentication tokens fly in clear text, which means people can easily snoop and capture those tokens and hence get into your Google services, including Picasa, Calendar, Contacts etc., and obtain a whole bunch of information that can be greatly misused. Through these credentials they can get into a lot more of your accounts and information, including any enterprise information you might have stored, your personal photos or even any financial information you might have stored on your device.

Of course it is fixed in 2.3.x, but if you had not known about this and did not update the OS, or if the handset maker delayed the update, cyber fraudsters could have used this vulnerability to get through the security hole easily, get your account and passwords and much more, and could have created huge damage before you realized it.
This is just one example, but there are much more serious vulnerabilities which people and the enterprise might not be aware of at all. Here is a recent survey report from Computerworld, which said that more than 50% of devices running Google's Android mobile operating system (OS) have unpatched vulnerabilities, opening them up to malicious apps and other attacks.
These vulnerabilities will be used to the hilt to introduce malware into the device, which will create havoc in the system, either siphoning off your personal data or, when you connect to the enterprise using this device, getting into the enterprise and creating havoc there.
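The enterprise-side counterpart of the advice above is an inventory check: compare each device's OS version against the release in which a known issue was fixed and roll the open issues into a per-device score. The following is an added example and not i7's DVI algorithm (the post does not describe it). The advisory table is constructed; only the Android clear-text-token issue comes from the post, and since the post says it was fixed in 2.3.x the threshold is taken as 2.3, which is an assumption. The remaining advisory rows and the device inventory are labelled placeholders that show the shape.

```python
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.4' -> (2, 3, 4). Comparing tuples avoids the string pitfall '2.10' < '2.3'."""
    return tuple(int(part) for part in v.strip().split("."))


def version_below(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the fixing release."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))          # pad so that '2.3' compares equal to '2.3.0'
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# (platform, fixed_in, severity 1-10, description). Constructed list: the first
# entry is the issue from the post (fix threshold assumed), the rest are placeholders.
ADVISORIES = [
    ("Android", "2.3", 8, "Google service auth tokens sent in clear text (from the post)"),
    ("Android", "4.0", 5, "PLACEHOLDER advisory, constructed"),
    ("iOS", "6.1", 4, "PLACEHOLDER advisory, constructed"),
]


def open_advisories(platform: str, version: str) -> List[tuple]:
    """Advisories that still apply to this platform/version pair."""
    return [a for a in ADVISORIES if a[0] == platform and version_below(version, a[1])]


def vulnerability_index(platform: str, version: str) -> int:
    """0-10: the worst open severity, plus one for every additional open issue, capped at 10."""
    sevs = sorted((a[2] for a in open_advisories(platform, version)), reverse=True)
    if not sevs:
        return 0
    return min(10, sevs[0] + len(sevs) - 1)


def rank_devices(inventory):
    """inventory: (device, platform, version) triples -> rows sorted worst first."""
    rows = [(dev, plat, ver, vulnerability_index(plat, ver)) for dev, plat, ver in inventory]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed inventory, in the form a discovery step might hand over.
INVENTORY = [
    ("tablet-a", "Android", "4.1.2"),
    ("phone-b", "Android", "2.1.1"),
    ("phone-c", "Android", "2.3.4"),
    ("phone-d", "iOS", "6.0.1"),
]

if __name__ == "__main__":
    for dev, plat, ver, dvi in rank_devices(INVENTORY):
        print(f"{dev:10s} {plat:8s} {ver:7s} index={dvi}")
```

The version comparison is the part worth getting right: naive string comparison orders "2.10" before "2.3", and a missing patch digit must read as zero rather than as a different release. The scoring rule is a deliberately simple stand-in; whatever rule is used, the output that matters is the ordered list, so that IT chases the 2.1.x handset first.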

In August 2012, Google introduced stricter rules for applications on its Android mobile OS to reduce the number of malicious apps in the Google Play app market and improve its reputation. The revised Google Android developer policy includes new rules on app naming and a ban on apps that disclose personal information without permission.

Prior to this tightening of Google Play regulations, 100,000 Android devices in China were affected by a Trojan called MMarketPay.A. The virus, hidden in applications which appeared to be legitimate, was designed to purchase apps and content without the consent of the device user, running up high mobile bills. Additionally, at the beginning of September, an Android SMS malware firm was fined £50,000 by the UK premium phone services regulator PhonepayPlus. The company, SMSBill, produced a malicious Facebook link that led to malware being downloaded onto Android smartphones.
If this is all about the OS and its vulnerabilities, the same goes for the apps residing on the device. Checking for malware and vulnerabilities seems a must for devices, especially if you are using them for any financial data storage or financial transactions, or for any critical information which you don’t want others to know or misuse. The same holds true if you are allowing these devices (BYOD) into the enterprise. In my next blog I will write on what it takes to make sure a device is safe as far as vulnerabilities and malware are concerned, and whether there is a way to get a vulnerability ranking for each of these devices.

Manjunath M Gowda
i7 Networks, “Agentless BYOD Discovery & Control”
LinkedIn, @i7networks

PS Reproduced from i7 Networks blog with permission

Thursday, March 21, 2013

Dr. Jekyll and Mr. Hyde & BYOD!!

OK, it is not really a split personality of BYOD (that can happen when malware enters) but more of a Dual Persona. Today BYOD security solutions are maturing and creating new ways of securing devices, and Dual Persona is one of them: it provides enough security for the enterprise so that they can feel secure about BYODs, and also creates two separate spaces, one business and one personal. Also discussed below is how it works and what the advantages and disadvantages of such solutions are.

BYOD has ushered in an era of what is called the Consumerization of IT in the enterprise (or CITE), where personal and business apps and data are being mixed, and this has the potential to introduce malware into corporate networks via these BYODs. Because of this, IT introduces extra management and security protections, such as those which restrict what you can and cannot do and what apps you can and cannot install, with the possibility of even knowing what you might do with that device during your personal time. These security controls might work for IT to protect its resources, but they seem completely oblivious to the view and convenience of the employee who bought the device in the first place for personal usage. Why buy such an expensive device only to be told what you can and can’t do with it, which web sites to visit and which not, and to be constantly watched by an agent looking for potential data breaches even when you are conducting non-business activities? Employees may be prevented from downloading personal applications from app stores or accessing the Internet for games, social media, non-business browsing, and unauthorized productivity and entertainment tools. Why have our own device in the first place?

Welcome, Dual Persona!!! It had to come to market to address the precise problem I just stated: “Employees did not buy those expensive devices just to be controlled by IT” :) DP solutions are designed to meet the needs of both IT and the employee, in a way. DP (Dual Persona) solutions are newer in the market, have very basic management capabilities and are not positioned as full-blown MDM solutions, but they provide enough IT security for most industries and complete flexibility for the employee. For highly regulated industries, DP can complement the MDM solutions that already exist.

DP solutions create two logical “sides” on a mobile device by separating personal and business data and applications. This way IT can take care of its portion, and employees can be as flexible as they want on their part of the device. As they say, keep business business and personal personal!! This goes against the way MDM works, as MDM locks down the device completely, with a negative effect on the end user. No, I don’t say DP will replace all MDMs, as in many highly regulated industries MDM is a must, but even there DP can play a role and the two can complement each other.
A hypervisor can be one way to implement this, but hypervisors require the device OEM to participate in integrating the solution, it takes much longer to provide support for all models, and they are generally not truly heterogeneous. There will also be a performance hit, as virtualization requires the device to run two separate OSes and application stacks. On the other hand, other solutions such as AT&T Toggle work more at the OS level and can be integrated easily.

Most dual persona solutions explicitly separate business and personal data. One can use two applications on appropriate devices and easily toggle between the two personas. That way the business gets the best of both worlds, a high level of management and control, while employees can use their part as they wish, and hence there is better buy-in to the solution. DP is today available mainly on iOS and Android. This dual persona can also come with separate bandwidth/data plans for billing and tracking purposes. Hence DP solutions hold particular promise, as they provide more power, choice and convenience to the employee.

Of course dual persona comes with its own issues too. When you get a text/SMS, where does it go? Do you maintain two separate contact lists? Many mobile vendors don’t provide two separate contacts databases. When you want to call a friend who is also a business partner, which side do you flip to? When you get a call, is it personal or business, and which one rings? How do you do social media, personal or business? Especially if you do both kinds of action item very often, personal (say social media) and business (say a Salesforce update), will you keep flipping? Also, not all OSes are supported, and of course, again, unauthorized devices are not taken care of.

To summarize, the problem of BYOD today is looked at from various angles and each angle has its own solution with its own strengths and weaknesses; what a business has to do is analyze all the issues that plague it and then decide on a solution or set of solutions that suits it best. There is no one size that fits all.

Manjunath M Gowda
CEO, i7 Networks, “Agentless BYOD Discovery & Control”, @i7networks

(Reproduced from blog with permission)