February 17th, 2009
Throughout my travels, I have started to see a disturbing trend emerging among organizations that deploy mobile devices to their users independently of their own well-developed security policies. For example, many organizations have started deploying BlackBerries or smartphones to enable employees to remain in constant contact with peers, clients, suppliers, etc. This organizational digital tethering, however, is being deployed at the expense of good information risk management.
Organizations are spending significant resources on securing their information assets from traditional threats, and then turning around and letting the “mouse get to the cheese” by allowing access to corporate information (email, intranets, files) from devices that have not been adequately secured.
For example, I have encountered organizations that have deployed the following configuration “paradoxes”:
- end-point encryption on laptops, desktops, and removable media, but no enforcement of even simple controls such as strong password authentication or encryption on mobile devices
- proxies and content filtering for laptops and desktops connected to the LAN, but unfettered mobile device access to social networking sites, file sharing sites, xxx sites, free web-mail systems, etc.
- Anti-X and host-based firewalls on corporate laptops and desktops, but no equivalent standard applied to mobile devices
- Group Policies and limited-privilege accounts that prevent the installation of unauthorized software on corporate systems, but full freedom to install any application on mobile devices.
What other types of deployment “paradoxes” have you seen organizations suffer from?
Having recently completed security assessments on mobile devices and networks, I have come to realize that many organizations that deploy mobile technologies see mobile devices as mysterious and spooky, and not really “part of the network”.
Modern mobile devices (2.5G/3G/EDGE/HSxPA, etc.) operate like ANY OTHER CLIENT on a network… they receive IP addresses… they transmit IP traffic… they connect to ports… they surf the Internet… they have email, web browsers, firewalls, and operating systems… all of which are subject to the same types of attacks that we spend countless hours patching on our corporate laptops and desktops (and they probably face greater risk, as the threats are significantly misunderstood).
So what can organizations do to reduce the risk of information assets being compromised? Here are a few tips:
- Enforce the use of strong passwords and encryption on mobile devices (central management is a plus if possible)
- Where possible, route all mobile web traffic through your own corporate proxies and content filtering systems (this may not be an option for those that do not run their own BES, the BlackBerry Enterprise Server)
- Consider deploying mobile anti-virus clients (sMobile VirusGuard or McAfee Mobile Security for Enterprise to name a few)
- Deliver end user security awareness training and messaging to build a “security as top of mind” culture
- Ensure mobile devices are provisioned, de-provisioned, and managed as part of your overall corporate systems fleet (this includes being included in asset management, build, patch, decommissioning, and backup/recovery processes).
A recent article at Dark Reading has begun to highlight emerging mobile-based threats… things are definitely going to get worse before they start to get better… but then that’s usually how security tends to work in our crazy world… oh, gotta run… my BlackBerry is buzzing with a masked link to follow from Twitter
Tags: Attacks, Mobile Devices, Security, Threats, Trends
Posted in Mobile, Threats | 2 Comments »
January 22nd, 2009
The concept and power of social networks like LinkedIn, Facebook, Twitter, MySpace, etc. leverage the notion of social trust in order to grow virally. The concept of “I trust Sally, and she trusts Henry, therefore I can probably trust Henry” is the fuel that feeds the frenzy in social networking. However, the same “trusts” that make social networking so powerful also present some interesting security challenges.
For example, when a “friend” happens to have their PC compromised by a virus/worm/malware etc. and ends up spamming you with links to click on, either by email or by posting on “your wall”… the implicit trust we have in our friends often causes us to click the link and become compromised ourselves…
If you happen to follow @guykawasaki (God Bless Him) on Twitter you’ll find he tends to post 10-15 times a day with interesting links to various sites… Do you personally KNOW Guy? Do you KNOW if he maintains his system well (not to imply he doesn’t… just giving an example)? Are you willing to trust that he is vigilant in keeping his browser/system patched (of course he does…) and also bet that his account is always under his own control (or that it’s even really him)?
Twitter (god knows I love it!) further exacerbates the problem as it limits the number of characters one can type into a Tweet… many users try to optimize their messages by using abbreviations and by shortening character-consuming URLs via services such as tinyurl, drop.io, hex.io, bit.ly etc. Yet the cryptic mini-URLs generated by these well-intentioned services result in potentially dangerous links being masked for the sake of brevity!
Some of these services have begun to recognize the potential havoc that can be caused by URL masking and have started to offer link preview features. These features have to be manually turned on (and often require cookies), and do not really allow you to assess whether you are entering the lion’s den on the other side… A great feature would be to integrate Google’s Safe Browsing API or McAfee SiteAdvisor type functionality.
How do you minimize the risk? Counter-measures can include running products such as NoScript and Sandboxie, and ensuring your browser and OS are always patched (these are risk mitigations rather than cures, as they may be quite ineffective against 0-days..)
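The link preview idea described above, as an added example that is not part of the original post: a small resolver that walks a shortened link’s redirect chain one HEAD request at a time and reports the final destination, the number of hops (a shortener pointing at another shortener is itself a warning sign), redirect loops, and whether the final host differs from the short link’s host, all without ever loading the target page. The hostnames in the redirect table are constructed for the demonstration; `http_head_location` is the real-network variant you would pass in for live use.

```python
"""Expand a shortened URL to its final destination without loading the page.

Added example; not code from the original post. Only the Location header
of each hop is examined, so the body of the target page is never fetched.
"""
import http.client
from urllib.parse import urljoin, urlsplit

# Constructed sample of what a few shorteners might answer to a HEAD request.
# Every hostname and path here is made up for the demonstration.
CONSTRUCTED_REDIRECTS = {
    "http://short.example/abc": "http://tiny.example/xyz",   # shortener chained to another shortener
    "http://tiny.example/xyz": "/landing/xyz",                # relative Location header
    "http://tiny.example/landing/xyz": "https://blog.example.org/post/42",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}


def constructed_head_location(url):
    """Stand-in for a network HEAD request: return the Location header or None."""
    return CONSTRUCTED_REDIRECTS.get(url)


def http_head_location(url, timeout=5):
    """Real HEAD request via http.client, which does not follow redirects on its own.

    Returns the Location header for a 3xx response, otherwise None.
    Not used by the offline demonstration; pass it to expand_short_url for live use.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/0.1"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def expand_short_url(url, head_location=constructed_head_location, max_hops=5):
    """Follow redirects hop by hop and return a preview dict.

    Keys: 'final' (last URL reached), 'hops' (every URL in the chain, starting
    with the input), 'status' ('ok', 'loop' or 'too_many_hops') and
    'host_changed' (True when the final host differs from the short link's host).
    """
    hops = [url]
    status = "ok"
    while True:
        location = head_location(hops[-1])
        if location is None:
            break  # non-redirect response: this is the real destination
        nxt = urljoin(hops[-1], location)  # Location may be relative to the current hop
        if nxt in hops:
            status = "loop"
            break
        hops.append(nxt)
        if len(hops) > max_hops:
            status = "too_many_hops"
            break
    final = hops[-1]
    host_changed = urlsplit(final).netloc != urlsplit(url).netloc
    return {"final": final, "hops": hops, "status": status, "host_changed": host_changed}


if __name__ == "__main__":
    for short in ("http://short.example/abc", "http://short.example/loop1"):
        preview = expand_short_url(short)
        print(f"{short} -> {preview['final']} "
              f"[{len(preview['hops']) - 1} redirect(s), {preview['status']}, "
              f"host changed: {preview['host_changed']}]")
```

The preview dict is what a link-preview feature would surface to the user: the real destination host, how many shorteners were stacked in between, and whether the chain never resolves. Feeding the final URL to a reputation service such as Safe Browsing would be the next step the post asks for.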
Better yet do as Gaylord Focker did in Meet the Parents, and stay out of the “Circle of Trust”!

Tags: Exploit, Social Networking, Trusts
Posted in Social Networking, Threats | No Comments »
January 21st, 2009
SecurityFocus produced an interesting analysis of Downadup and its geo-mapping relative to global software piracy data (you have to love the application of GIS systems!). Interestingly, there seems to be a high correlation between infected PCs and countries in which software piracy is high (e.g. China, Russia, India).
The article attributes this to the implementation of Microsoft’s Windows Genuine Advantage program, which resulted in fewer automated updates being applied to pirated copies of Windows.
From a business perspective (and from the paying customer’s perspective) this might make sense at first blush. However, where does the responsibility lie when software programming errors lead to the creation of massive bot-nets which turn around and attack/attempt to steal the information of the customers you are trying to protect? (irrespective of whether the zombied machines are running pirated software or not…)
In this instance one needs to look at the greater moral responsibility a vendor has in ensuring its products cannot be exploited to “do harm”… kind of like selling a car with faulty brakes if you ask me…
Bottom Line: the software of many vendors is increasingly becoming intertwined with the minute-to-minute aspects of our lives… and with that should come some level of responsibility (at least morally IMHO)…
Downadup: Geo-location, Fingerprinting, and Piracy
Tags: Microsoft, Worms
Posted in Threats | No Comments »
January 20th, 2009
Dark Reading posted an interesting article regarding four threats that would start to become prevalent in 2009:
1. Internet E-Bombs -> Massive bot-nets executing DoS attacks against Internet infrastructure, designed to break peering between ISPs (if any of the Conficker bot-net rumors prove true, this could be a reality sooner than we think!)
2. Radical extremist hackers -> Hacking used by extremist groups as an alternative method of warfare. We’ve already seen examples of this recently, including Israeli websites targeting Hamas
3. Attacks on online ad revenue -> Compromising ad sources to use them as vectors to spread malware could wreak havoc on legitimate ad revenues, totaling millions in losses.
4. Human casualties -> The spread of malware into hospital networks could result in the loss of human life. Until now, this type of threat has always been considered high impact, low probability. As attack vectors spread, the threat looms ever closer. Already many hospitals have been forced to shut down due to virus outbreaks. Recently, a system used in the surgical theatre at Sheffield was also reported to have rebooted during a surgery, causing hospital IT staff to disable auto-update on 8000 PCs… resulting in the spread of Conficker to at least 800 PCs on the network (talk about a catch-22!).
The above threats further strengthen the case for vigilance and the deployment of sound patch management protocols and procedures.
Scary stuff!
More details here: Four Threats For ‘09 That You’ve Probably Never Heard Of (Or Thought About) - DarkReading.
Tags: Attacks, Patch Management, Threats, Worms
Posted in Threats | No Comments »
January 20th, 2009
BreakingPoint Labs released an interesting Firewall Testing Methodology which includes a series of videos that discuss and demonstrate the methodology. I’ll post back with my comments once I have had a chance to review the methodology.
BreakingPoint Firewall Testing Methodology — BreakingPoint.
Tags: Firewalls, Methodologies, Penetration Testing
Posted in Firewalls, Penetration Testing | 1 Comment »