Wednesday, March 27, 2013

BYOD Security: Why Should I care if my OS is older?


Most people are happy with the OS they have and they rarely update when they are available too, mainly for android more than iOS.  Most people are not aware of some the serious security implications if they don’t update their OS patches and worse it affects the enterprise where they work more seriously if the enterprise does not check for the vulnerabilities of these devices.


Generally most people will not upgrade to the latest and greatest OS immediately for many reasons. This might not be true w.r.t iOS devices (iPhone, iPad etc.) because there is just one vendor for all and one OS and many a times your phone will update automatically (and that can also create issues like we had with 6.1, here is the blog on that) but this is very prevalent with Android based devices.

Even though Android pushes new updates, it won’t reach you immediately as we should wait for the same from the handset maker like Samsung, HTC, etc. who later takes these updates, incorporate these changes into their versions and then test again and then make it a general availability to its customers. It all takes a lot of time and there is a huge time gap running into few weeks if not few months between when Android release its new version to when the handset providers releases their updates. Another reason is many of us will be using an older handset, which will not support newer versions. Many a times OS makers will not provide patches for older OS but ask us to update to the newest version.

In some cases, android OS is completely fine but there are vulnerabilities that have crept in due to customizations of the OS by hand-held manufacturers and these can be exploited easily. One such example is of Samsung (with its Galaxy Tab GT-p1000) where in the vulnerabilities introduced are pretty serious and can be misused to silently perform almost any action on the victim's phone, ranging from placing phone calls to sending e-mails, SMS messages and so on. The other vulnerabilities can be misused to change other settings of the victim's phone, such as networking or internet settings, without the user's consent.


Question is, what if I delay the update by few weeks, as I am pretty happy with what I have. There is an issue, issue is far more serious than we all made to believe, unfortunately very serious one too, and let me explain why before you start disagreeing with me.

Most software especially the OS when they are released might have security holes also called as vulnerabilities, which perpetrators and cyber fraudsters will somehow figure out and take advantage of. As soon as these OS and software vendors get to know of it, will release updates, which are supposed to plug all the known vulnerabilities. Problem is we won’t keep up with these updates and many times our handset vendors don’t follow up often on these updates and worse we won’t update either. Let me explain with an example on how this can affect us.

Assume you are running a 2.1.X android and in this version of the OS, the Google services authentication tokens fly in the clear text which means people can snoop in easily and capture those tokens and hence get info on how to get into your Google services including Picasa, calendar, contacts etc. and get a whole bunch of info and can be misused greatly. Through these credentials they can get into lot more of your accounts and info and can be misused easily including getting any enterprise info you might have stored, your personal photos or even any financial information you might have stored on your device.


Of course it is fixed in 2.3.X but then if you had not known about this and did not update the OS, or if the handset makers delayed the update, cyber fraudsters could have used this vulnerability to get into the security hole easily and get your account and passwords and much more and could have created huge damage before you realize it.
This is just an example but there are much serious vulnerability which people and the enterprise might not be aware at all. Here is a recent survey report from Computer World, which said that More than 50% of devices running Google's Android mobile operating system (OS) have unpatched vulnerabilities, opening them up to malicious apps and other attacks.
These vulnerabilities will be used to the hilt to induce malware into the device, which will create havoc in the system either siphoning off your personal stuff, or when you connect into enterprise using this device, get into enterprise and create havoc there.


In August of 2012, Google introduced stricter rules for applications on its Android mobile OS to reduce the number of malicious apps in the Google Play app market and improve its reputation. The revised Google Android developer policy includes new rules on app naming and a ban on apps that disclose personal information without permission.

Prior to this tightening of Google Play regulations, 100,000 Android devices in China were affected by a Trojan malware, called MMarketPay.A. The virus, hidden in applications, which appeared to be legitimate, was designed to purchase apps and content without the consent of the device user, running up high mobile bills. Additionally, at the beginning of September, an Android SMS malware firm was fined £50,000, by the UK premium phone services regulator PhonepayPlus. The company, SMSBill, produced a malicious Facebook link that led to malware being downloaded onto Android smartphones.
If this is all about the OS and its vulnerabilities, same goes with the apps too which are residing on the device. Getting a check on the malwares and vulnerabilities seems a must for devices especially if you are using it for any financial data storage or financial transactions or any critical information, which you don’t want others to know, or misuse. Same goes true if you allowing these devices (BYOD) into the enterprise. In my next blog I will write on what does it take to make sure device is safe as far as vulnerabilities and malware are concerned, and if there a way to get a vulnerability ranking for each of these devices.


Manjunath M Gowda
CEO,
i7 Networks, “Agentless BYOD Discovery & Control”
LinkedIn, @i7networks

PS Reproduced from i7 networks blog (i7nw.com/blog) with permission

Thursday, March 21, 2013

Dr. Jekyll and Mr. Hyde & BYOD!!


Ok it is not really split personality of BYOD (can happen when malware enter) but more of a Dual Persona. Today BYOD security solutions are maturing and creating new ways of securing them and Dual Persona is one of them which provides enough security for the enterprise so that they can feel secure about the BYODs and also create two separate spaces – one is business and one if personal. Also discussed is how it works and what are the advantages and disadvantages of such solutions.

BYOD has ushered an era what is called the Consumerization of IT in the enterprise (or CITE) where in mixing personal and business apps and data are happening and this has the potential to introduce malware into the corporate networks via these BYODs. Because of this fact, IT introduces the extra management and security protections such as those which restricts what you can do and what you cannot, what apps you can install and what you cannot with the possibility of even knowing what you might do with that device during your personal time. These security controls might work for IT to protect its resources they seem to be oblivion completely to the employee’s view and convenience that bought it in the first place for his personal usage. Why buy such as expensive device only to be told what you can and cant do with it and what web sites to go and what not to go and what is constantly watched by the an agent that are looking for potential data breaches even when you are conducting non-business activities. . Employees may be prevented from downloading personal applications from app stores or accessing Internet for games, social media, non-business browsing, and unauthorized productivity and entertainment tools. Why have our own device in the first place?

Welcome Dual persona!!! They have to come into the market to address the precise problem I just stated, “Employees did not buy those expensive devices just to be controlled by IT” J They are designed to meet the needs of both IT and the employee in a way. DP (Dual Persona) solutions are newer in the market, have very basic management capabilities and they are not positioned as full-blown MDM solutions but provide enough IT security for most industries and complete flexibility for the employee. For those highly regulated industries, DP can compliment the MDM solutions that already exist.


DP solutions create that two logical “sides” on a mobile by separating personal and business data and applications. This way IT can care for its portion and employees be as flexible as they want to be on their part of the device. As they as keeping business business, personal personal!! This goes against the way say MDM works as MDM locks down completely having a negative effect on the end user. No I don’t say DP will replace all of MDMs as in many highly regulated industries MDM is a must but even there DP can play a role and complement each other.
Hypervisor can be an example of this but hypervisors require the device OEM to participate to integrate their solution and it takes much longer to provide the support for all models, and generally not truly heterogeneous. Also there will be performance hit, as virtualization requires the device to run two separate OSs and application stacks. On the other hand there are other solutions such as AT&T toggle is more at the OS level and can be easily integrated.

Most of the dual persona solutions explicitly separate business and personal data. One can use two applications on appropriate devices and easy to toggle between these two persona. That way business can get the best of both worlds, a high level management and control while employees can use their part as they wish and hence better buy-in to the solution. DP is today available mainly on iOS and Android. Also this dual-persona can come up with separate bandwidth/data plans for billing and tracking purposes too. Hence DP solutions hold particular promise as they provide more power, choice, and convenience to the employee.

Of course dual persona comes with its own issues too. When you get a text/SMS, where does it go? Do you maintain two separate contacts list? Many mobile vendors don’t provide two separate contacts databases. When you want to call a friend also a business partner, which side will you flip? When you get a call is it personal or business and which one rings? How do you do social media, personal or business? Especially if you do both action items very often that is both personal (say Social Media) and business (say some salesforce update), will you keep flipping? Also not all OS are supported and of course again unauthorized devices are not take care of.

To summarize, the problem of BYOD today is looked upon on various angles and each angle has its own solution with its own strengths and weaknesses and a business has to do is to analyze all issues that plague them and then decide on a solution or a set of solutions that suit them best. There is no one size that fits all.

Manjunath M Gowda
CEO, i7 Networks,  “Agentless BYOD Discovery & Control”

in.linkedin.com/in/manjunathgowda, @i7networks, i7nw.com

(Reproduced from i7nw.com blog with permission)

Wednesday, March 13, 2013

BYOD – The chaos unauthorized devices bring to an organization


A new study1 by Spyglass Consulting group says that more than 2/3rd of nurses are using unauthorized devices for clinical communications. The report is based on in-depth phone interviews with 100 nurses in a variety of healthcare organizations in 33 states, focusing on the information requirements of nursing and the use of mobile and wireless technology to meet those requirements.

Cisco sponsored survey2 of 512 security professionals across five countries, including the U.S., found that use of unauthorized devices on corporate networks is proving to be a hassle and, in some cases, a significant security issue for IT. Similar findings go with the usage of unauthorized apps too. Today, the report says that ITSDMs (IT Security Decision Makers) wants to know what security applications employees are running (63% of them wanted) and what OS (56% of them wanted). More than half (56 percent) of ITSDMs said they determined their employees use unsupported applications, with the U.S., China and Japan leading the way. About 30 percent of ITSDMs (54 percent in Germany, the highest level) said unauthorized users pose the greatest risk to their organization. When it comes to unauthorized network devices, such as smartphones, the risk has proven to be very real. About 40 percent of the ITSDMs surveyed said they'd experienced a breach or loss of information due to an unsupported network device.

Gartner analyst Ken Dulaney said the growing use of unsupported devices is becoming a real headache for IT. "About five times a week I hear from enterprise clients that are freaking out about the use of unauthorized mobile devices," says Dulaney. "Employees are getting really good at getting around whatever the company policy is." Dulaney said many vendors can help with mobile management and audit solutions that get this new generation of devices "on the table instead of under the table," so IT can see what's out there. "These smartphones and other devices that are being used, aren't behind the firewall and they're not encrypted so that's a real problem for IT," he added.
One employee with a $30 access point purchased at Wal-Mart or Fry’s can open up the entire corporate network, allowing anyone with mobile device to connect to it and open up company’s internal network.
Once these unauthorized (or rouge) devices are connected to corporate network, the vulnerabilities on these devices exposes the organization's confidential data and critical assets, including intellectual property, to the outside world. Also these devices can introduce malware unintentionally into corporate network.
The biggest issue of using unauthorized devices are that, first of all IT has not verified the security aspects of those devices and can carry a lot of vulnerabilities and malwares which can get access to these critical clinical data and if leaked to outside creating huge legal risks attracting many legal cases as well as loss of brand value for the organization.

Another issue is enterprises being lax about these devices and turning a bling eye to the security threats they might pose. Problem is that many enterprises are reluctant to strictly forbid or enforce bans on unapproved apps and unauthorized devices because they appeal to younger generation of workers these firms want to attract and retain. Nevertheless they like to know what are those devices and apps that are running and like to know how vulnerable they are and how much threat they can be to the corporate network.

If these are one kind of issues, there are issues w.r.t availability of tools which discovers all these devcies and apps and bring them to the management of the IT and provide that safety-net.

"There are two interesting problems: one is that the consumer is taking control of IT and the other is that the IT guy is resource-constrained," said Nokia Vice President Purnima Kochikar.  She added that traditional, behind-the-firewall security solutions aren't enough in increasingly mobile enterprises. "Everything you thought was secure inside the firewall can be left behind in a taxi," warned Kochikar.

"There's no denying the end-user or organizational value of smart devices. But, we face technical challenges when managing them for performance and security, especially when they're not authorized," said Rich Green, lead wireless engineer at Community Health Systems.

Thankfully today we have access to new generation of tools that can detect all these rouge devices and get them to the safety net of IT. These tools non-intrusively and routinely analyze your company's network, look for any ambiguous traffic and detect all such devices and bring then to the IT safety net leaving IT to take further action. (in fact i7’s peregrineguard does this).

With such measures & tools in place, businesses can actually encourage employees and authorized guests to bring their favorite wireless devices and smart phones/tablets to work. Rather than putting a blanket ban and saying “No to BYOD”, which in now way enhances security let alone sapping out the morale of employees, enterprises can allow all their employees, field force and even temporary workers/contractors to get those devices that are comfortable with, enabling maximum productivity, highest satisfaction among workforce and while still feeling very safe that there are no unauthorized devices or apps on the network, and the network is safe from attacks from these unauthorized/insecure devices.


Manjunath M Gowda
CEO, i7 Networks,  “Agentless BYOD Discovery & Control”

in.linkedin.com/in/manjunathgowda, @i7networks, i7nw.com
manju(dot)m(at)i7nw(dot)com
blog: i7nw.com/blog



http://www.i7nw.com/?p=772

(Reproduced from i7 networks ( i7nw.com) blogs with permission)


Sunday, March 10, 2013

BYOD 101 and the Productivity and Security implications for an Enterprise


(Reproduced with permission from i7nw)

This blog talks about mainly BYOD, the new phenomenon to hit enterprises by surprise and the implications of it especially the productivity and the security aspect of it. Also discusses in brief what does other buzzwords in this space mean, which you might have heard, and wondering what it means.

BYOD stands for Bring Your Own Device to work. A movement called “Consumerization of IT” is taking place wherein more & more workforce is deciding what device and what Apps to get to work rather than the IT and hence creating a huge challenge for IT to manage such a workforce, especially the security of the corporate network and its data.

Today whether you allow personal smartphones and tablets into the enterprise or not, people have found a way to use them. According to many surveys, north of 70% of people are already using it and north of 80% of companies have already adopted the BYOD trend in some way or other. Analysts have clearly told that this is a movement, which cannot be stopped, and their message has been very strong, adapt it or lose out in the competition.

Productivity Gains

According to a survey conducted by one of the cloud infrastructure companies (VMware), which was conducted across 10 countries in the Asia-Pacific region, including India found that employees find them more productive at workplace getting their own smartphones & tablets  (72%) and in India it was 77%.

In India of all the people surveyed, 72% claimed to be more productive working the devices of their choice, 70% claimed to be happier in their role when they are allowed to work using their own device and 66% said that life and work was less stressful when they had a choice of what device they use.

Security Threat

Biggest challenge in adopting this BYOD trend has been the security. Today BYODs if not checked can create havoc in the corporate network. Compromised devices can infect malware into the system via back door, or data resident on the device when lost can be compromised, or data in transit can be meddled into. Again in all surveys, IT has agreed that this is the problem #1 to solve.
Another popular study, which focused on mobile security decision-makers in the United States, United Kingdom and Australia, found an overwhelming 82 percent of respondents believe that mobile devices create a high security risk within the corporate environment. Results show that mobile security is a high priority for half of the companies supporting BYOD, equating to increased help desk support and consumption of valuable IT resources. In addition, 45 percent reported lost or stolen devices in the past year and 24 percent experienced mobile malware infections, crippling productivity and potentially compromising company and customer data.

However, larger organizations, those with 500 or more employees, are at even higher risk. According to the study, 67 percent had dealt with lost or stolen mobile devices and 32 percent had experienced mobile malware infections, creating widespread concern about the business impact of employee-owned devices within the enterprise.

According to the survey more than 60% of the organization allows BYOD and they are not aware of pitfalls of allowing accessing critical corporate resources via smart devices without proper access control.

According to Bluecoat survey, a whopping 77 percent of IT managers see the risk of malware spreading to the corporate network from mobile devices as moderate to very high. A more recent study by Harris Interactive, primarily focused on users in the US, found that 55 per cent of companies had already experienced a security breach as a result of personal technologies being used in the workplace.


Now the Buzzwords!!

BYOD security is provided in various forms and segments and is an evolving market with huge potential. There are MDMs, which stands for Mobile Device Management and there are many vendors who look into mainly device management while providing few security features for enterprises. They install a client on your device and make that client connect to a server in the enterprise and control what your device can do and cannot do and more importantly if the device is lost or misplaced, this has the capability to wipe out the entire device.  They pretty much control every aspect of the device and to give an example, They can even switch off/on the camera in your smartphone when they want. MDMs are considered more of a device control than security per say but they do provide a lot of security features such as what apps can be installed and what cannot and what can be used etc. This solution is recommended in highly regulated industries such as insurance & finance. Of course they do have issues such as intrusion into privacy of employees, too intrusive and provisioning takes a long time as it is client-server architecture and of course they manage what are known devices and there are lot of unknown or unauthorized devices, which many of them are unsecured and hence can create a security hole. Seems the best solution if enterprise provides the device but for a personal device this can be too intrusive and steps on ones privacy.

While MDMs look into device aspect, MAM’s are what are called Mobile Apps Management does a similar stuff w.r.t apps management on your device and makes sure the data is encrypted in the transmission and allows only those apps that are listed and denies access on those that are not listed etc. They pretty much work the same way that MDM works and usually has a client installed on them too and suffers from the same disadvantages as MDMs and also generally cannot make out if the device has malware or if OS is vulnerable and has been compromised.

Next come the NAC devices (Network Access Control). This to a large extent keeps away from the client and controls the access of devices in the enterprise. Their way of doing is by registering the device via a self portal or via a client (a transient one), collect all the info and recognize these devices and put them on a separate virtual LAN based on the corporate criteria. This way you will actually put the devices on a separate LAN and hence forcefully in a way control the access for device. Some of the issues with NAC is that very tough to deploy, cannot create differential access on the same vlan as say your laptop and always puts it on a separate vlan as a way to control. Also they have no way to detect unauthorized devices nor they can recognize network traffic and identify malicious traffic and device. They also cannot wipe out a device if it is lost or stolen.

Then comes the Containerization where is the apps in question are wrapped or contained within another layer or a box which is totally encrypted. This provides an additional layer of security for the critical apps and the sensitive data. All communications from this app to the server in the enterprise will be encrypted and also if/when the device is lost, this server will wipe out the entire app and the data associated with it. Many companies provide the framework for this so that those enterprises that go for their own app store and their own apps can wrap them up with this secure layer. This solution is also called app wrapping. Advantages are that you have an extra layer of security but some of the disadvantages are that again it leaves a footprint on the device, very resource intensive (for how many apps and how many versions will you create this wrapped up version). Also tough to wrap the 3rd party apps (which are more popular and are being used more frequently and are enterprise ready) is very difficult and to enforce the usage of wrapped-version is going to be pretty tough.

Then comes the virtualization, which we are all used to for our desktop. By this process, one creates a complete wrap up for the phone itself and not just the apps in question. This way you need to work, you can always flip to the work space and then when you need to do your personal things, just flip to your personal profile and these two are disconnected and hence generally very safe for enterprises to use this. Of course this has its own share of issues. Many people don’t feel convenient to flip to work. It is not so easy to divide what is official and what is personal. Does Facetime, Facebook, Skype, Evernote, and lot more such apps, are official or personal? what is office and what is personal? Whan a call comes where does it go? What about texting (SMS)? There can be only one contacts database and where does it go? Impossible to decide? People will start using just one of them when such confusion exists and the solution will fail. Also mobile processors are not that powerful to support a full-blown virtualization and hence performance suffers.

Then comes the MEAP or what is called the mobile enterprise application platform (MEAP). It is a comprehensive suite of products and services that enable development of mobile applications. Cross-platform considerations are one big driver behind using MEAPs. For example, a company can use a MEAP to develop the mobile application once and deploy it to a variety of mobile devices (OS) such as iPhone, iPad or android devices,  with no changes to the underlying business logic. A MEAP solution is generally composed of two parts: a mobile middleware server and a mobile client application. A middleware server is the solution component that handles all system integration, security, communications, scalability, cross-platform support, etc. No data is stored in the middleware server – it just manages data from the back-end system to the mobile device and back. The actual apps can be thick or thin depending upon the complexity of work executed and they all connect to the server for security and management. MEAP is mainly good for development of corporate apps especially when you know that you will be deploying across multiple OS/Devices and provides a good security layer for those apps. Some of the issues again are that already popular enterprise ready apps that are available via 3rd party cannot be managed using this and also cannot provide complete security and also cannot control the malicious or compromised device coming into enterprise and more of a way to develop/deploy and control corporate apps and provide security around them.

Then there is dynamic discovery and health check of these devices that are connecting to the network and then provide policy enforcement based on the integration & health of the device. This detects all the devices that are trying to connect to the enterprise either via the regular authorized way or via unauthorized means such as spoofing, hot-spotting and various others way (it is estimated that 1/3rd of the devices that connect are unauthorized) and many among this unauthorized are unsecured ones, creating a huge security hole in the enterprise. These solutions actually detect and bring all these unauthorized and unsecured devices to corporate management fold and in a way providing the safety net to enterprises. They also check the health of the device whenever they connect to corporate network such as whether is it compromised, is it malicious and also whether they are jailbroken or rooted and then provide device based differential access say based on the device type, class, location, branch-office etc. (This is where our i7 PeregrineGuard plays). One good thing is that since all of it is done without installing a client or an agent on the device, this zero-footprint solution will be very powerful when you are dealing with multiple device kinds and OS and when you are worried of any security hole an unmanaged unauthorized and an unsecured device can create. Of course they also don’t provide you with a total solution and they need to integrate with a MDM solution or MS EAS to provide the wipe-out feature.

In summary, BYOD is here to stay and “Consumerization of IT” will be the next wave and along with that there will be huge security implications with enterprises trying to secure their network and data. Many vendors look at this issue in many different ways and they are generally classified as MDM, MAM, Containerizations, Virtualizations, NACs, Dynamic Discovery and Health Checks, & MEAPS.

I have explained very briefly how they all work. Hope I was able to do justice to the topic. If you liked it, or hated it or whatever, please do drop me an email with your suggestions, critiques and feedback and will be very thankful for that.

Manjunath M Gowda
CEO, i7 Networks,  “Agentless BYOD Discovery & Control”

in.linkedin.com/in/manjunathgowda, @i7networks, i7nw.com
manju(dot)m(at)i7nw(dot)com
blogs on BYOD: i7nw.com/blog