Are Mobile Devices taking over your Corporate Network?
Last week I read an interesting article [1] stating that the PC is no longer the primary office device for accessing the Internet. With the influx of mobile devices into the enterprise, it is becoming more difficult to enforce centrally managed corporate policies. A recent McAfee survey across "[...] 14 nations show 21% of companies have no restrictions on use of personal mobile devices, while 58% have lightweight policies, and only 20% have stringent guidelines.[2]" Each of these devices has a different OS, different installed software and different ways of securing it (or none at all). If these devices are not centrally controlled yet have access to everything in the enterprise, they become a "gold mine" of easy-to-pick "low hanging fruit" for anyone looking for it.
A recent study indicates that "Mobile internet traffic is set to grow 400% by 2015"[3], with the bulk of that growth in video consumption. Wireless carriers are starting to offer Long Term Evolution (LTE) devices (i.e. rocket sticks) [7][8] that are potentially capable of speeds up to 75 Mbps, so crown jewels (i.e. source code) can be transferred out of a corporate network quickly, over an uplink the corporate perimeter never sees. Google Android and Apple iOS [4] have already been targeted by cyberthieves. Government agencies are starting to provide hardening guides; for example, Australia's DSD just released a guide to harden iOS 4 devices [5]. Incident response will also become more complex when a compromised mobile device is not owned by the enterprise. I can see network forensics becoming a crucial tool to aid in reconstructing the events that led to an incident.
Last year ISC posted a poll asking "What is your biggest fear with Mobile Devices in your enterprise?"[6]; almost 50% of the respondents answered "Monitoring for information leak", followed by about 20% citing "Wireless access". If you don't mind sharing, we would like to hear from you, our readers, how your organization is currently dealing with mobile devices.
[1] http://www.networkworld.com/newsletters/sec/2011/070411sec1.html
[2] http://www.usatoday.com/money/workplace/2011-05-30-mobile-devices-in-the-workplace_n.htm
[3] http://econsultancy.com/us/blog/5683-study-mobile-internet-traffic-is-set-to-grow-400-by-2015
[4] http://isc.sans.edu/diary.html?storyid=11185
[5] http://www.dsd.gov.au/publications/iOS_Hardening_Guide.pdf
[6] http://isc.sans.org/poll.html?pollid=301&results=Y
[7] http://next-generation-communications.tmcnet.com/topics/nextgen-voice/articles/195439-rogers-brings-canadas-first-lte-network-ottawa.htm
[8] http://gigaom.com/mobile/verizons-lte-network-getting-10-devices-by-june/
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Community SANS SEC 503 coming to Ottawa Sep 2011
Comments
Don't get me wrong -- I love my iPhone, but Apple still has a ways to equal the security of my Blackberry.
Bruce
Jul 14th 2011
JimS
Jul 14th 2011
Getting these devices directly on the corporate LAN where the desktops and "crown jewels" live requires special access, controlled by password and MAC address. Most mobile activity now takes place on the new mobile LAN, as users can use VNC to get to a desktop machine, so the crown jewels stay in the palace, even if they need to be looked at or worked on.
Moriah
Jul 14th 2011
But the business, at least our company, caters to the employee badly. It's all about innovation here, not standing in the way of getting things done faster and better. As you can imagine that's difficult for security. So, we started to look at MDM solutions. For the most part all of them are the same, a gateway device that leverages and improves on ActiveSync (i.e. MobileIRON, Sophos). They are better than native ActiveSync, but the same issues will impact the employees. So then we proof-of-concepted GOOD here. This solves those complaints by having an app installed, that is protected with a passcode and is an encrypted "sand box" of just corporate data. GOOD...is good. It's not great. It has many flaws, like it's dog slow. The email interface doesn't fully replicate the native one (i.e. no nested emails like the native iOS email app). I personally find a productivity hit by using GOOD. It can take up to 10 seconds to decrypt the data on app launch depending on other running processes. It also doesn't grab email as fast (push/pull). I get a LOT of email in 1 hour; it can take up to 60 seconds to download all the mail if I don't check it every hour, or forget to leave it running in the background. To unlock the native lock screen, then to unlock the corporate GOOD app, and wait up to 1-2 minutes sometimes to get my corporate data isn't fun. Plus, the device is designed to correlate all this email into one app; now it's separated.
Mobile protection in the corporate world is going to be VERY difficult if you allow any personal device. The best way is to only allow a corporate standard, and that standard has xyz policy that the employee must be bound to and agree to. I see no other way.
Nick
Jul 15th 2011
We quickly decided that personal devices will NEVER be used for business purposes, or touch company assets... portable or home. As an employee, I do not want my personal property subject to discovery or seizure due to a company screw-up etc... but more so as an admin, I do not want my company servers / assets subject to discovery or seizure due to some employee's family member. When John Law shows up... if a user's personal stuff is co-mingled with company stuff, Law has shown little to no concern in terms of what they will wheel out the door.
Absolutely need a standard and policy. But you also need to mitigate the 12-year-old running this week's AnonOps App on hardware that may have placed evidence within your scope. Backups, contacts, logs... they don't use discovery motions, even when they know there will be several thousand collateral victims.
Steven
Jul 15th 2011
I totally hear you, and I agree. The company doesn't agree though. It's so easy to let the employee assume the cost of the device, and pretty much let them assume the support of the device, but let them use the tools of the device to "make the company money". There is no way in hell the company would say no to personal devices. That could (it can be measured) cause a huge loss of profit and productivity here.
No one wants to carry 2 devices either, so using a corporate standard device doesn't help. It's also been argued that the corporate standard, which is the BlackBerry, can't do a fraction of the stuff iOS and Droid can do.
It all depends on the business I guess, but it's all the same goal. Mobile device security is going to be huge in the coming couple of years, and it's going to take a major incident or breach that can be officially linked to a compromised personal smartphone on a corporate network to wake companies up.
Nick
Jul 15th 2011