A False Air of Security
Yesterday's hot, new technology is all too often today's big, new security headache. This is seemingly now the case when it comes to insurers and their embrace of mobile computing technology.
As insurers move to exploit devices based on operating systems such Google's Android and Apple's iOS in an effort to woo customers and empower employees, data thieves are creating a witches' brew of Trojans, worms, viruses and botnets built especially for these mobile platforms. A new report from Santa Clara, Calif.-based McAfee, "Threats Report: Fourth Quarter 2010," quantifies the scope of the problem, noting the number of pieces of new smartphone malware it found in 2010 rose 46% over the level detected in 2009.
Indeed, malware has been discovered attached to games and wallpaper apps created for the Android market. Previously, the creators of malware often ignored desktop systems running Apple's OS X to concentrate on the larger market of computers running Microsoft's Windows. But thanks to market share of iOS devices and their popularity within the enterprise, Apple products will be targeted as never before. Imitating the success of Google and Apple online apps markets, mobile malware authors are now creating their own app stores to distribute malware. What's more, McAfee found that malware makers are poisoning search results by making increased use of search engine optimization, noting that on average, within the top 100 results of daily search terms, 51% led to malicious sites, and each of these poisoned results pages often contained more than five malicious links.
In addition to becoming more common, malware is becoming more complex and potentially destructive. The Conficker worm of 2009 and the Stuxnet worm of 2010 reflect the fact that the caliber of malware creators we are dealing with today is very different from the typical teenage hacker of the 1990s, says Apu Kapadia, assistant professor of computer science and informatics at the University of Indiana. "Conficker showed us that hackers were sophisticated, but Stuxnet is clearly the work of a nation state," he says. "The level of sophistication it showed was pretty amazing. Long story short, we're dealing with adversaries who can get to data if they really want to."
Worse yet, Kapadia notes the vast array of sensors present on mobile devices-such as wireless and Wi-Fi radios, GPS receivers, microphones, cameras, compasses and accelerometers-mean that malware writers have some new toys at their disposal as well. "We now have the risk of malware augmented by sensors that can actually peek into your physical environment," he says. Indeed, Kapadia and a team of researchers developed a Trojan called Soundminer as a proof of concept to demonstrate how a mobile phone's sensors could be used by data thieves to monitor phone calls. "We demonstrated that these phones are smart enough and computationally capable enough to listen to what you are saying and to identify and record credit card numbers," he says.
The challenges mobile devices present and their related data loss prevention efforts has not been lost on Bill Murray, who leads the IT Risk Security and Compliance team at Westfield Center, Ohio-based Westfield Insurance. As enterprises increasingly entrust more information to mobile networks, Murray foresees more malware being developed to attack it and, consequently, a thoughtful re-evaluation of security procedures being in order. "All this increasing functionality introduces a ton of risk that people haven't thought about-everything that can be used can be misused," he says. "As an insurer, we are very aware that we are a target and may be on somebody's radar. We regularly do internal and external assessments, and make sure we are doing all the due diligence we can as a company so we are not a victim."
In order to have a holistic vision for mobile security, Murray says one of the first decisions insurers must make is an architectural one. He says the two main options for securing employee mobile devices are thus: 1. Treating smartphones and tablets in a similar manner as laptops and enabling data storage and work to be done locally; or 2. Equipping mobile devices with a virtual interface to access corporate data and work on a remote desktop or server.
Murray says the decision, in many ways, reflects the fat client/thin client debate of the 1990s. Like then, strong arguments can be made for either approach. "There are probably some shades of grey between the two, but from a corporate perspective, you're going to have to choose between the two options," he says.
With the first option, proponents can argue that with their ever-increasing processing power (some mobile devices now have dual core processors), expanded amount of memory and burgeoning software ecosystem, these systems function much like laptops and should be regarded as such.
Another primary benefit of this model is that with information locally stored and processed, these devices maintain most of their functionality when offline. To keep data secure in this architecture, controls would need to be put in place, including password protection, remote wipe, encryption and URL filtering software. Other controls would be required to make sure that no data can cross the firewall between the corporate data and the rest of device. For example, prohibiting the dragging or copying of files would prevent an employee from cutting text from a corporate document and pasting into a document on the other side of the firewall.
The second architectural option, which Murray dubs the collapsed data center, keeps all data and processing in the company's back end, and uses the mobile device solely as the host of a presentation layer. He says the goal is to enable the worker to bring up a window on their tablet or smartphone that looks identical to their work desktop; in reality, it is just an encrypted tunnel between the mobile device and the company's back end. "Employees would actually be seeing a remote screenshot of a PC in a virtual environment since data never goes to the mobile platform," he says. "The good thing about this option is that because data never goes to the device, the amount of controls we have to install on it is minimal."
Yet, John Brady, information security architect engineer at Westfield, notes that despite the ubiquity of the Web, there are still times when you don't have access. "People want to hop on a airplane and open an e-mail attachment," he says. "If you don't have access to the Internet, you have no access to the data center, so we're not quite there yet."
Brady says one way to meld the two options is to enable batch shipping of e-mail or other documents so employees can work offline through their VPN. "We think that if you design the e-mail clients correctly, you can have corporate e-mail shipped to the device with attachments as long as everything stays in an encrypted area," he says.
APPLES, BERRIES AND ANDROIDS
After deciding how to best architect and secure a mobile platform, the question becomes which platform or platforms to support. In addition to the aforementioned Google and Apple platforms, the ecosystem built up around Research in Motion's Blackberry device remains a formidable option. Likewise, Microsoft's recent decision to team up with hardware giant Nokia is widely viewed as indication that the company has every intention of making its Windows 7 smartphone a viable alternative for corporate mobility. While few may have predicted that the mobile market would support four separate operating systems, it now seems more a reality.
Brady says as long as business information is being shared via smartphones, it's incumbent upon insurers to understand their security models. Each platform offers its own pros and cons when it comes to data loss prevention; so it will be up to individual insurers to determine which operating systems to support, Brady says. "The makers of the new operating systems are very aware that they either build-in security from the ground up or they will not be able to sell their devices into corporations."
He notes that both Apple's iOS and Google's Android make use of "sandboxing," which means that applications-by default-do not have permission to perform any operations that would adversely impact other applications, the operating system, or the user. "Android has its Dalvik virtual machine and iOS has a similar sandbox that isolates applications by default so that every single application on the device is running in its own little virtual machine totally apart from other apps," he says, noting that while sandboxing doesn't make an operating system impregnable, it's a good indication of the forethought that went into them. "Those operating systems have robust security frameworks that will make it straightforward for companies to implement good security on those devices."
Brady says insurers also should be aware of significant changes occurring to the BlackBerry ecosystem, as RIM readies its first tablet computer, the PlayBook. Long regarded for the security of its devices, Blackberry now appears to be transitioning away from the BlackBerry OS (BBOS)/BlackBerry Enterprise Server (BES) system, which features fine-grained security layers, and enables administrators to define hundreds of configuration settings toward an approach closer to the Android model. Brady says RIM's 2010 acquisition of QNX, the maker of micro-kernel-based operating systems, was an indication of their move toward a more app-centric OS.
No matter what choice in platform or architecture a carrier makes, Murray says, information technologists will have to constantly adapt in order to keep pace with the bad guys. "I'm sure there are some very interesting surprises in store for us," he says.
THE HUMAN FACTOR
Despite the threat of malware, Kapadia does not think enterprises should shy away from mobile platforms. "From a software perspective, these OSs have major industry backing, and will be similarly secure to laptop and desktop OSs," he says. "You can always be paranoid about implementation vulnerabilities, but then you would have to stop using your laptop as well. So the question should now turn to whether there are major differences in mobile phones at a conceptual level."
In that sense, the most qualitatively different aspect of mobile operating systems is their very mobility. While few employees tend to leave desktop computers behind at bars and restaurants, mobile devices are easy to lose. Kapadia says encryption does offer a degree of protection from physical loss of a mobile device, but is less effective against malware. "Encryption may not help you against malware because once it is on your system, it is essentially behaving as you, and the system doesn't know if it's you or the malware asking for the data."
Thus, old-fashioned risk management and loss control measures are every bit important as technology defenses. Kapadia notes that some of the infamous hacking incidents in memory came about as the result of a human unknowingly divulging passwords or information. "People think of systems as just being computers," he says. "But in the end, humans are part of the system and hackers can exploit human weaknesses to get in. Attackers always take the path of least resistance."
Ultimately, it's up to risk managers to weigh the benefits versus the risk of mobile technologies, he says. "In the security community, the joke is that if you want a perfectly secure system, just turn it off. But the reality is we have to do business, and life has to move on."
As VP of Internet services for San Francisco-based Esurance Insurance Services Inc., Marjorie Hutchings knows well the role people play in stopping malware attacks and data leakage.
Hutchings says that in addition to having clear policies and procedures in place to classify data so users know what is appropriate and what's not, education is imperative. "You have to make sure that your user community is very well versed in your security policies," she says. "Our employees get trained about security procedures when they enter our organization, and are also retrained on a regular basis."
Hutchings stresses the importance of communication between security team members and business units clamoring to use a new product. "It can be frustrating because everyone wants the newest, latest greatest thing," she says. "We try to do a good job of explaining why [there is a delay,] but Apple has some pretty cool commercials."
She says a classic instance of the need for patience and effective communication occurred several years ago when the iPhone first appeared on the market, and employees wanted to account their corporate e-mail accounts on it. As one of the people in the enterprise tasked to worry about data security, it fell to Hutchings to figure out how the device would fit into the company's security infrastructure.
"At the time, it was a consumer product, not a business solution, so we were not an early adopter," she says. "We wanted to make sure that we were able deliver e-mail to the device securely and that the data on the phone was encrypted."
She says there will always be an inherent trade-off between security and convenience. While employees may begrudge the need for a convoluted password to access corporate e-mail, it is the duty of information technologists to remind them that such measures are for the common good of the company.
"When you try to make things easy for people, it's usually not the best solution from a security standpoint," she says. "We have to make sure we are protecting our data. It's not something we will negotiate or budge on. When it comes to technology, we try to be as cutting-edge as possible, but security will always be at the forefront for us."
Anti-Malware Tools Also Evolve
The panoply of mobile security threats now facing enterprises has not been lost on security vendors now beginning to offer products that address data loss hazards on a broad range of technology platforms.
San Diego-based data loss prevention provider Websense launched Websense Mobile DLP, a technology aimed at protecting data over a variety of mobile platforms, including Google's Android and Apple's iOS. The mobile suite quarantines corporate mail communications on mobile devices, and has other reporting and remediation capabilities. The suite also is part of the Websense TRITON architecture, which combines Web, e-mail and data security in a unified platform.
John Yun, senior product marketing manager at Websense, says holistic solutions are needed to protect against dynamic, blended threats now emerging. "Data loss prevention is becoming a very broad area," he says. "You have to take a step back and look at this from an organizational perspective."
To be sure, mobile devices are not the conduit for malware into the enterprise. Malware writers have focused more attention on social networking tools as an enabler for data theft. "You no longer have to go to the dark corners of the Internet to find bad stuff," Yun says.
In addition to letting malware in, enterprises have to be equally vigilant against social media's potential to enable people to externalize sensitive data, says James Cella, president of SiteQuest Technologies, Salt Lake City.
The company recently partnered with Sungard's Protegent business unit to craft a tool for monitoring employees' social networking activity. Cella says athe product is intended to provide greater visibility into the potential compliance risks that social media presents, noting the speed at which the technology is advancing presents problems for risk managers. "Facebook moves quickly," he says. "They constantly roll out new functionality, so you have to be agile. What Facebook is today is nothing like it was six months ago, let alone a year ago."