Thursday, April 11, 2013

Blog on BYOD Security: The Art of detecting unauthorized devices in the network!!

Did you know that more than a third of devices go undetected, and hence unmanaged, and that more than 50% of these are the source of all network and data compromises in an enterprise?

You know what you know, you have no idea of what you don’t know, and worse, you cannot manage what you don’t know. This applies very well to the mobile world too, especially in the BYOD world of the enterprise. Today pretty much everyone carries at least two smart devices (a smart phone and a tablet), if not more, and people changing devices or carrying different devices over a period is highly probable: one can end up using at least 5 to 6 devices over a period as short as a year, and the number can even reach 10. In fact Microsoft allows a maximum of 10 devices per employee in its Redmond office.

Many MDM (Mobile Device Management) vendors, including Microsoft EAS (Enterprise Active Sync) and Microsoft System Center (MS SC), provide ways to track and manage devices (by provisioning them and putting an agent on them, of course), but they end up managing only about two-thirds of the devices plying the corporate network. More than a third go undetected, for reasons ranging from users not installing the “agent” the vendor prescribes to users never registering on the portal the vendor suggests. Even in the Microsoft world, you connect to AD, join the domain and you are recognized; this is what happens with most company-issued laptops and desktops, and it is the first of the three levels into which all these devices get classified. The second level, which mainly applies to BYODs, covers devices that never join the domain but connect only to the EAS; knowing and managing them means tracking when they connect to the EAS (not necessarily to the domain). SC holds the stack of both AD- and EAS-managed devices, and anyone who runs SC knows that it takes quite a while to learn everything about the devices it manages. Then there is the third level, where more than a third of devices belong: they are on the network, but AD and EAS (and the MDM tools, for that matter) have no idea they exist. They have installed no agent and never connected to the EAS (or the device is rooted or jailbroken, connects to the EAS, and the EAS cannot track it); they can easily log on, connect to the Internet and do what they like, and all of it goes unchecked.

Another trouble with unmanaged devices is that we don’t know to what level their security has been checked, whether they are vulnerable (running an older OS) or whether they have malware present. According to many popular surveys, more than a third of devices go undetected and end up unmanaged, and more than half of those end up being the source of all vulnerabilities, security holes and malware, and thus the source of network and data compromises, malware attacks and cyber espionage. It is not that the owners of these unmanaged devices intend this; they circumvent the controls mainly to get some privilege they would otherwise not have. One example: companies don’t allow Android devices into the corporate network, but people like me love Android and will find a way into the enterprise undetected, and without knowing it we become the source of all network and data compromises in the enterprise.

This is where we at i7 play a crucial role. Our tool PeregrineGuard™, using patent-pending algorithms and fingerprinting techniques, looks across multiple protocols and a large knowledge base of device and OS behaviours and facts to clearly identify and fingerprint each of these devices, and it does all of this without putting an agent or a client on the device: it is completely non-intrusive and transparent to the employee. We pick up all these devices, learn via AD, RADIUS or LDAP whom each belongs to, hook into the MDM and EAS databases to find out which are managed and which are not, and give IT a list of all such devices: what OS and OS version each is running and what its vulnerability rating (DVI™, or device vulnerability index) is. We then alert IT to bring them into the safety net of the enterprise, or let them ply as they are, but at least make an informed decision.
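As an added illustration (not i7’s own code, and not its patent-pending fingerprinting), the three-level classification described above can be sketched in a few lines of Python: constructed DHCP lease lines stand in for what a mirror port sees, a handful of hypothetical fingerprint rules guess the OS, and lookups against constructed AD, EAS and RADIUS data put each device into level 1 (domain-joined), level 2 (EAS only) or level 3 (unknown to both), which is the unmanaged list IT needs.

```python
import re

# Constructed sample: DHCP lease lines as seen on a mirror port.
# Fields: mac ip hostname vendor-class ("-" when the client sent none).
DHCP_LEASES = """\
aa:bb:cc:00:00:01 10.0.1.11 LAPTOP-FIN01 MSFT 5.0
aa:bb:cc:00:00:02 10.0.1.12 Ravi-iPhone -
aa:bb:cc:00:00:03 10.0.1.13 android-9c1f2a android-dhcp-4.2
aa:bb:cc:00:00:04 10.0.1.14 Priyas-iPad -
"""
# Constructed inventories a discovery box would pull from AD, EAS and RADIUS.
AD_COMPUTERS = {"LAPTOP-FIN01"}                   # domain-joined hostnames
EAS_DEVICES = {"Ravi-iPhone"}                     # device names registered with EAS
RADIUS_SESSIONS = {"aa:bb:cc:00:00:02": "ravi",   # MAC -> authenticated user
                   "aa:bb:cc:00:00:03": "manju",
                   "aa:bb:cc:00:00:04": "priya"}
# Hypothetical fingerprint rules: regex over "vendor-class|hostname" -> OS guess.
FINGERPRINTS = [(r"^MSFT", "Windows"),
                (r"^android-dhcp", "Android"),
                (r"\|.*(iPhone|iPad)$", "iOS")]

def fingerprint(vendor, hostname):
    probe = f"{vendor}|{hostname}"
    for pattern, os_name in FINGERPRINTS:
        if re.search(pattern, probe, re.IGNORECASE):
            return os_name
    return "unknown"

def classify(hostname):
    """Level 1: joined to AD; level 2: known only to EAS; level 3: unknown to both."""
    if hostname in AD_COMPUTERS:
        return 1
    return 2 if hostname in EAS_DEVICES else 3

def discover(leases=DHCP_LEASES):
    """Build the per-device report: identity, OS guess, owner and management level."""
    report = []
    for line in leases.splitlines():
        mac, ip, hostname, vendor = line.split(maxsplit=3)
        report.append({"mac": mac, "ip": ip, "host": hostname,
                       "os": fingerprint(vendor, hostname),
                       "owner": RADIUS_SESSIONS.get(mac, "unknown"),
                       "level": classify(hostname)})
    return report

def unmanaged(report):
    """Level-3 devices: on the network, but AD, EAS and MDM have no record of them."""
    return [d for d in report if d["level"] == 3]
```

Running `unmanaged(discover())` yields the two constructed devices (the Android phone and the iPad) that neither AD nor EAS knows about, each with the RADIUS user it was seen under.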

Deployment is even easier: just plug a server, or even a laptop, running PeregrineGuard into the mirror port behind the Wi-Fi aggregators (not in-line), and you will immediately start seeing all the devices that are there, along with reports about their existence, ownership, usage and so on; if you have AD or RADIUS, it even tells you whom these devices belong to. Just plug it in and start seeing the reports!!

Once you have control of these unmanaged devices, you reduce the risk of cyber attacks and data leaks in the organization by more than 80%, helping enterprises secure their network while reaping the rich benefits of BYOD. Another interesting statistic I read is that companies that have banned or barred BYOD from their enterprise still have more than 30% of employees using devices in one way or another to do something within the organization, of which IT is completely unaware. In my opinion, BYOD is a juggernaut that cannot be stopped.

BTW, when I say BYOD it is not just smart phones and tablets; it can also include employee-owned laptops, as distinguished from company-issued laptops, which I feel is also the need of the hour, and many companies have allowed this option already!!

Manjunath M Gowda
i7 Networks, “Agentless BYOD Discovery & Control”
LinkedIn, @i7networks

Reproduced with the permission from the author of blog.

Thursday, April 4, 2013

BYOD Security: I have anti-virus on my device. I am completely safe against malwares!! Sure?

Most people generally believe that if they have an anti-virus scanning tool on their device, it is completely safe from any malware getting in. Enterprises believe that the antivirus scanning tool alone is good enough to keep malware out of the corporate network. The following cases show how far that is from the truth, and how sophisticated malware has become at escaping these signature-matching tools and going on to infect the device and the corporate network.
In January this year (January 2013) the New York Times revealed that it had been the victim of a China-based cyber attack campaign that had gone undetected for the previous four months. The attackers first broke into one account using spear phishing, and using that access they got into the accounts of 53 Times employees. As soon as they broke into one, they installed malware (malicious software) that enabled them to gain access to the Times network and to more employees and accounts. In almost the same fashion, Bloomberg News was targeted last year and some employee accounts were compromised.
In both attacks the attackers had installed malware on the network to spy on the data; in the Times case they had installed 45 such pieces of malware and, very interestingly, only one of them was detected by Symantec, the leading anti-virus provider. Don’t misinterpret the data: the Symantec product is completely fine, and any other antivirus would not have recognized them at all either.

Malware is getting very advanced in its use of technology. Anti-virus uses known signatures to detect malware, scanning the device for matches, but cybercriminals now have many different methods at their disposal to modify an executable. One such technique is compression, which was originally intended to help application developers reduce the size of their program file to ease distribution. Now the same technique is used by malware creators to obfuscate the contents of the executable: by modifying the code this way they bypass signature-based antivirus software. There are many such advanced techniques by which malware can easily masquerade and get into the corporate environment via these devices, even though the devices have anti-virus software installed.
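To make the point concrete, here is an added example (not from the original post) of why a compressed payload defeats a byte-signature check, and of the entropy heuristic defenders use to flag packed content for unpacking or behavioural analysis; the signature string, the pseudo-text “executable” and the 7.0 bits/byte threshold are all constructed for the illustration.

```python
import math
import random
import zlib
from collections import Counter

# Constructed byte-signature a scanner would look for in the unpacked file.
SIGNATURE = b"SAMPLE-MARKER-7f3a"

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, close to 8.0 for
    compressed or encrypted content whose bytes are near-uniformly distributed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def signature_hit(data, signature=SIGNATURE):
    """What a signature-based scanner does: look for the known byte pattern."""
    return signature in data

def looks_packed(data, threshold=7.0):
    """Triage heuristic: high entropy is a hint that the content is packed and
    needs unpacking or behavioural analysis rather than a plain signature match."""
    return shannon_entropy(data) > threshold

def build_sample(seed=1, size=20000):
    """Constructed stand-in for an executable: pseudo-text with the signature
    embedded, plus the same bytes after zlib compression (the 'packed' form)."""
    rng = random.Random(seed)
    body = bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz ") for _ in range(size))
    plain = body[: size // 2] + SIGNATURE + body[size // 2 :]
    return plain, zlib.compress(plain, 9)

if __name__ == "__main__":
    plain, packed = build_sample()
    for name, blob in (("plain", plain), ("packed", packed)):
        print(f"{name:6} entropy={shannon_entropy(blob):.2f} "
              f"signature={signature_hit(blob)} packed_hint={looks_packed(blob)}")
```

The plain sample matches the signature and sits at roughly 4.8 bits/byte; the compressed copy of the very same content no longer contains the signature bytes, but its entropy jumps to nearly 8, which is exactly the cue a layered defence uses to send it for deeper inspection.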

Another instance: BYODs managed by MDMs are not safe from malware either. Secure MDM containers can be bypassed to install malware. This can be done by publishing a seemingly innocent app in the Android market; once this app is installed, it refers to the malicious code, which is then downloaded and creates a hidden binary that works as the malware or Trojan, and the MDM has no way to detect its presence. It is a little tougher to inject malware in the iOS scenario, but not impossible either: the attacker has to install a signed app on the targeted iOS device using an enterprise developer certificate, then use a jailbreak exploit to gain root access, inject the malicious code into the container and remove all traces of the jailbreak.

This does not mean that MDM is not useful, but it again proves my point that multiple layers of security are required. No wonder Symantec released a response stressing the importance of additional layers of security, again showing the importance of “behavior-based” blocking and telling all of us that “antivirus software alone is just not enough”. Symantec was right in saying that antivirus alone cannot protect an enterprise network from malware, no matter how sophisticated or advanced the signature-matching algorithm is; one should look for tools that watch the network traffic to detect anomalies and catch the malware there by its behavior.

To summarize, no enterprise should rely solely on antivirus detection, especially with respect to BYOD devices, since they keep going out of and coming back into the enterprise and can easily pick up malware. Also, cybercriminals now have too many different methods at their disposal to smuggle malware onto the device via any of the apps users install, and to find a way into the enterprise without leaving any clues or footprints for the anti-virus scanning tools to detect. It is time for CISOs to push their organizations to add additional layers of security on top of anti-virus systems. One is detection of all devices on the network, another is whitelisting of the apps allowed in the enterprise, and yet another is tools that watch network behavior to determine anomalous and unusual activity and thereby recognize the malware.

Manjunath M Gowda
i7 Networks, “Agentless BYOD Discovery & Control”
LinkedIn, @i7networks

PS Reproduced from i7nw blogs with permission