This blog is typically dedicated to security topics however I thought I would share about two cool gadgets I’ve been using to a live healthier lifestyle. Check them out and make 2013 a healthier year for you.
I love playing soccer but HATE running as a form of exercise. The problem I have is my mind concentrates on how uncomfortable I feel. I can run for miles on the soccer field but not around the neighborhood.
Zombies, Run! makes running fun. It’s an iPhone / Android app that puts you in the middle of a Zombie apocalypse. There are too many Zombies to shoot so “runners” like you have to go out and gather supplies without weapons. You start a mission and run like your normally would wearing headphones and listening to music. The app plays music off your mobile device playlist and periodically interrupts with radio transmissions from an operator updating you on your mission status. You also pick up virtual supplies while running to bring back to base. Your actual running route doesn’t matter however the distance and pace determines how you do. You can also use this app on a treadmill.
That’s all cool however the real fun is randomly Zombies will chase you. Zombies, Run! uses your GPS to track your speed and warns you to run faster as zombies approach. You start hearing Zombies moaning over your music as they get close which really makes you push yourself. The app will start beeping when Zombies are nearby and prompt you every mile about your pace.
Run Log shows when Zombies attacked, virtual things I picked up and radio transmissions
Bring Your Own Device (BYOD) has become a hot topic for many industries. Lately security people are using the term BYOD like datacenter folks classify everything as Cloud. My team has advised our customers using a best practice BYOD architecture (more info HERE) and like many consultants feel Mobile Device Management aka MDM is a key factor.
A few months ago I posted about one of the market leaders, MobileIron, HERE. I have received multiple requests for another vendor and chose the current leader Zenprise according to Gartner’s Report “Critical Capabilities for Mobile Device Management”. Plus I really like Zenprise.
Zenprise offers all the popular features expected from leading MDM vendors such as controlled remote wipe, policy enforcement (passwords, etc.), flagging jailbroken devices and enabling location. A few differentiators as of today for Zenprise are the ability to remotely login into phones (similar to remote desktop for windows), secure content distribution and Mobile DLP, application-specific VPN tunnels, and SIEM integration.
The architecture of Zenprise is similar to other MDM vendors. They have a management system (Zenprise Device Manager, or ZDM) and enforcement system (Zenprise Secure Mobile Gateway (SMG)). The Zenprise SMG is what denies email services to devices that violate policy. They also have a component that sits inside the network and does advanced diagnostics and troubleshooting for Microsoft Exchange and BlackBerry Enterprise Server (Zenprise Service Manager, or ZSM). Like many MDM vendors, Zenprise has an agent that sits on endpoints to enforce policy. Most people install both the ZDM and Zenprise SMG since it makes sense to enforce policies. Licensing for cloud or on-premise is based on the number of endpoints and drops as larger quantities are purchased.
To try Zenrpise out, go to https://zencloud.zenprise.com/zencloud/cloudUser/create and fill out the form to gain access to a free trial of the cloud service. You can also request Zenprise software to setup an on-premise trial however you will have to request that from a Zenprise sales person or partner such as World Wide Technology Inc. One you gain access to the management system, login in and you should hit the main dashboard.
After logging in, the main Zenprise landing page will show devices you are managing. Details include Jailbroken / Rooted, Managed / Unmanaged, Serial numbers, IMEI/MEID, last connected, User, OS Version, etc. You can click a device and see details such as what apps are installed, how much battery life is available, installed certificates, etc.
Zenprise policies are pretty easy to setup and can be device specific. The screenshot below shows a blacklist policy for Angry Birds and Dropbox on iOS devices.
You have a few options in Zenprise to add a new device. One option is downloading the Zenprise agent from iTunes / Google Play and enrolling. Enrolling requires the ZDM address, username and password. Once you login, it will prompt you for certificates and any profiles configurations setup by administration.
Once Zenprise is installed, the user can access apps offered by administration and view the agent configuration.
Other methods in Zenprise to add devices include registration using the administration dash (asks for the serial number of the device) and sending out a registration link via email or txt.
There are many options in Zenprise for reports which include inventory, software, jailbroken / rooted and hardware. Below is a screenshot from the next release coming out in June/July 2012. Check out www.zenprise.com for more info on their solution.
Everybody hates losing things. It drives you mad looking in the same places thinking a magic gnome will put your item back. Usually that doesn’t happen. Especially when it’s a highly desired product such as a mobile device. Mobile devices are becoming a leading target for theft since they can carry as much sensitive data as a standard laptop. Hackers can steal your photos, instant messages and web history. Some mobile app leverage cookies that never expire meaning hackers could essentially access sensitive websites such as your bank account through replaying old sessions.
How are these types of hacks executed? For iOS products, a hacker could take your device, spend 10 minutes jailbreaking it so they can install a remote Trojan / Administration app before returning it. This would permit the hacker unlimited continuous access into your life. Another option is dumping the records on their computer to go through later and selling the hardware on ebay. Either way, you have been PWN3D and possible put your employer as well as family at risk of future attacks.
These are just some of the methods used if your device is stolen. See this post regarding an attack calling your phone and remotely hacking your voicemail HERE
There are things you can do to defend against mobile device theft outside not misplacing your phone. Most manufactures offer password protection as well as limiting information exposed pre-login (IE not displaying text messages or other alerts until the phone is unlocked). Enable password features and stay away from easy passwords such as a row of numbers (1234) or the same number (4444). Some devices offer more complex password options than PINs which is great if available. Shorten the sleep/auto lock timer so the window your device is unlocked is limited in the event its stolen. When you are not using your device, press the lock button. Many mobile device screens absorb fingerprints after use, which make it easy for hackers to guess your password. Consider a protection screen that includes fingerprint resistants. Some devices offer location and remote wiping services that can be used to locate and secure lost or stolen devices. Also make sure to notify your employer if a device containing cooperate email or other sensitive services is stolen.
Employers should take securing mobile devices accessing cooperate data very seriously. Some approaches to improve mobile device security are utilizing endpoint management products such as Mobile Iron or Zenprise to enable features described above as well as check for Jailbroken devices (More info on this subject can be found HERE). Employees may not be willing to apply security applications on their mobile devices, which IT could focus on protecting the network as well as data that rests on mobile devices as an alternative to MDM (mobile device management). Some examples are using access control technology to check if mobile device meets company standards before permitting access. Other options are leveraging Data Loss Prevention (DLP) technology, which stops sensitive data from moving to a mobile device or encrypting that data with additional authentication to access. Sandbox solutions are an alternative by locking down the data in a secure session that expires after use (example is Good Technology). Another important function to consider is enforcing VPN tunnels whenever a mobile device accesses data outside of the internal network. This protects against common man in the middle attacks targeted at mobile devices using open wireless networks.
The good news for employers is there are many options for securing mobile devices and the data they use. The investment in mobile security should at a minimal match securing other devices with sensitive data such as laptops and servers. Don’t let mobile devices be the weakest link into your network!
The majority of today’s workforce uses multiple devices such as laptops, tablets and smartphones (IE brings their own device or BYOD). Leadership from most industries is being asked to permit these devices on the network in some limited or full fashion. Common BYOD questions are “how do I support growth for users with multiple devices?”, “what type of access should guest and employees use for mobile devices?”, “how do I provision corporate mobile devices?”, and “what security vulnerabilities am I exposed to by permitting mobile devices?”. All are good questions and can be addressed by focusing on three core BYOD concepts: Infrastructure, Access Control and Device Management.
The first thing to consider for BYOD is if your wireless network can support growing from one device per user to potentially 2-4 devices. The best way to find out is by performing a wireless assessment to verify capabilities and potential risks caused by obstacles and nearby rouge networks (IE Starbucks using a similar RFID channel). Security features such as wireless intrusion detection and prevention (WIDS /WIPS) as well as controlling the number of permitted associated devices per user should be considered for BYOD to guarantee scalability and service.
Another common area of concern for BYOD is provisioning access to employees and guests. The first BYOD question typically asked is “should all mobile devices be handled by a separate network or should employee owned mobile devices share the same core network while guest devices use another network?”. However you plan to permit mobile devices, best practice for BYOD is to automate the process based on multiple factors such as device type, user authentication and risk status. Policies permitting employee access using personal devices should have a process to register and track those devices (IE web registration page like in hotels) rather than an “employee wireless password” that could get compromised and not associated to a device. Many solutions such as Cisco Identity Services Engine (ISE) offer self-registration to eliminate the need for employee or guest users to deal with an IT member to gain network access. Solutions that leverage profiling technologies can automatically assigned specific access types based operating system, device type and other details (IE provide different access for iPhones and Androids) so you know who and what is on your network. “Knowing is half the battle”, GI JOE
The final piece to the BYOD puzzle is device management. Most mobile hardware vendors give power to device owners meaning Apple, Android, etc. device users can take themselves out of compliance at anytime (blackberry is the only exception). Solutions such as Mobile Iron and AirWatch provide methods to assess devices for high risk factors such as jailbreaking or using unapproved applications which is crucial for BYOD. Application based endpoint management solutions verify devices and either permit or deny corporate services such as providing email based on policy status (IE no email service while angry birds is installed). Common BYOD policies are enforcing the use of passwords, remote locking devices, denying hacked devices, provisioning specific applications and having the ability to remote wipe only corporate data. The mobile security market leaders offer a breath of operating systems and hardware options as well as easy methods to communicate when end users fall out of compliance.
Industry leaders for security are focusing on BYOD by developing solutions for mobile devices. RSA and Symantec recently released data loss prevention (DLP) for mobile devices to deny sensitive information such as social security numbers from moving to or from mobile devices. Network vendors such as Cisco are partnering with mobile manufactures to address BYOD by offering VPN technology that encrypt traffic from mobile devices while off the corporate network. There are many options for endpoint security when looking at BYOD, which the investment for mobile security should match protecting laptops and desktops regardless if the employee owns the asset.
IT administrators are being asked to come up with ways to permit mobile devices onto the corporate network in a secure fashion (via MDM Solution or other technology) . This subject touches a few technology areas such as access control, secure wireless, data protection and secure management of mobile devices however the focus for this piece will be mobile device management. Members of my team have tested the MDM leaders such as Mobile Iron, Airwatch, Zenprise, Good Technology, McAfee, Symantec, etc. and summed up the following as things to consider when evaluating a Mobile Device Management solution.
The first thing to consider is your desired MDM Solution Policy. Typically there are three scenarios to address:
1) GUESTS / PERSONAL DEVICES – Devices coming on the network as guests that you don’t manage or access internal data
2)CONTRACTORS / PERSONAL DEVICES ON NETWORK-Devices coming on network with partial access to corporate data
3) EMPLOYEES / CORPORATE DEVICES - Devices with full network access and managed by corporate.
The target of most MDM solution requirements is addressing items 2 and 3 while item 1 is typically covered by an access control technology. The two common approaches taken by MDM vendors are a sandbox or endpoint management offering. Sandbox or secure container technologies provide the most security by protecting corporate data within a sandbox application. Policies for encryption, data loss prevention and limiting data access can be controlled through MDM issued access methods rather than what is offered by the device manufactures. Most mobile device offerings give power to users (all but blackberry) however sandbox technology protects the data regardless of rights provided to users. The main con against the sandbox approach is not utilizing native device applications such as built in email, which tends to impact user acceptance. Good Technologies is an example of a sandbox based MDM solution.
MDM solutions that offer an endpoint management approach support specific vendors (Apple iOS, Android, etc) and compliment existing native applications. Application management MDM solutions leverage an agent on mobile devices to control applications as well as issue commands such as remotely wiping sensitive data. Its hard to say application management MDM solutions address a specific threat category however risk is dramatically reduced by using them to remove hacked / jail-broken devices, permitting approved applications and managing native security options such as passwords and data removal. Application management MDM solutions tend to be more suited for “Bring your own device” requirements while sandboxed MDM solutions favor corporate issued mobile devices.
Other factors to consider are provisioning mobile devices and proper control of data access. Consider the activation and enrollment options for the three use cases listed above (Guests, Contractors and Employees). Can employees register personal devices for access via a GUI or will it require an administrator? How well does the MDM solution assign and manage corporate controlled devices? What are the maintenance options regarding standardizing and upgrading mobile device software for corporate managed assets? Can the MDM solution provide reports listing all applications on mobile devices accessing the network? A strong MDM solution should handle all of these, which specific data access is controlled based on how users authenticate via local authentication or advance access control solutions.
The final thing to consider is MDM security features which usually are common across the leading vendors. Top features include verifying device configuration policies such as checking for hacks or jailbreaks. Policies should be flexible depending on if devices are corporate or personal. Mobile device applications should be verified and controlled to avoid vulnerable software such as a game with backdoor malicious intent. Remote wipe capabilities should be available and focus only on corporate data (IE do not wipe personal email, contacts, etc. without the end-users’ permission). Data protection such as password enforcement should be enabled through a centralized platform. All of these features should be displayed in a report so leadership can verify the security status of mobile devices accessing corporate data.
Every MDM vendor has their own way to accomplish its features so it’s a good idea to develop your policy and match it to MDM solution rather than an open comparison between products. Hopefully this gives you some points to consider for your MDM evaluation. Also note subjects like access control, two-factor authentication, secure wireless and other technologies should be considered for a complete solution.
IPads and iPhones are pretty awesome. They are slick looking and fun to play with. My friend’s Android is pretty cool as well. I had to find an app that gave my iPhone a slider login to counter his coolness. Regardless of the cool factor, many agencies are afraid these devices bring lots of risk if permitted on the cooperate network.
As C-level executives / high-ranking commanders get their hands on fancy mobile devices, they start to demand for a policy to bring mobile devices onto the network.
My recommendation to secure mobile devices is to look at this from two sides:
1) NETWORK: How do I provision network access for approved and non-approved mobile devices?
2) END POINT: How do I manage approved mobile devices such as enforcing polices around what applications are used, avoiding jail broken devices, etc.
To answer question 1, the best way to look at this is as an access control problem. Many customers I have worked with provision non-approved devices on a limited network through the use of VLAN redirection, ACLs or separate wireless SSID. For cooperate issued devices, they leverage authentication to see if the user is approved and scan for policy checks to verify the device is safe before provisioning access. Failure to meet these checks either defaults the device to the guest network, limits the cooperate access or completely denies the device. Some examples of access control solutions are Cisco ISE, Cisco NAC appliance and Forscout.
To answer question 2, this comes down to end point management. Vendors like Symantec offer mobile device management solutions, which offer an agent to enforce policy. They have features like password enforcement, remote wiping only corporate data (key for not upsetting users violating policy), checking for jailbreaks, and offering additional authentication methods.
The final point I’ll bring up is its best practice to enforce the end point management piece through the access control solution. For example, develop a policy that looks for an iPad and checks for who is authenticated as well as if the end point management agent is installed, up to date and running. As long as the end point management agent is doing its job, you know the iPad is used by a approved user and is not brining on additional risk since it meets all cooperate policies enforced by the end point management agent. There are many ways to design this type of solution but hopefully this helps understand how to approach this situation from a high level viewpoint.