Google running late to the enterprise mobility party

Is Android secure enough for the enterprise?

Android has a bad reputation when it comes to security, which is unfortunate because it’s the biggest mobile platform around in terms of market share. Gartner says Android claimed 80.7% of the worldwide smartphone market in 2014. We know that the BYOD trend has sparked a dramatic rise in personal mobile devices being used for work, and the bulk of those devices are running Android.

As the most popular mobile platform around, it’s inevitable that Android is going to be targeted by cybercriminals. Cisco’s 2014 Annual Security Report found that 99% of mobile malware in 2013 targeted Android devices.

But beyond its ubiquity, there’s another reason that Android is such a common target for malware. The fact that it offers an open alternative to Apple’s walled garden is a double-edged sword. It allows users the freedom to customize and micro-manage permissions on their devices, but if you don’t know what you’re doing, it’s very easy to expose yourself to risk.

 

Opening yourself up to risk

High-profile incidents and malware attacks are common. Just the other day, Palo Alto Networks highlighted a potential hijacking vulnerability which allows attackers to replace a seemingly legitimate app with malware without the user’s knowledge during the installation process. This could give them access to sensitive data, including usernames and passwords.

In some ways, the security threat with Android is overstated, and this incident is a good example of why. The exploit that Palo Alto Networks discovered requires users to install an app from outside the Google Play Store. In fact, the vast majority of malware found on Android, according to Cisco’s data, is found in third-party app stores. The bulk of malware is actually found in app stores predominantly serving Eastern Europe, the Middle East, and Asia, especially China, where Google doesn’t have an official presence.

An F-Secure whitepaper from 2013 found that the number of apps carrying malware in Google’s Play Store was just 0.1%, and that they have an extremely short shelf life, because they are removed as soon as they are discovered. Google has also tightened security significantly since then. But even though the risk may be exaggerated, that doesn’t mean there isn’t a risk.

 

Significant obstacles for Android

Android defenders will point out that installing apps from outside the Play Store requires the user to tick a box in a menu in their Android settings, and that is true. The problem for IT departments sizing up the competition is that platforms like Apple’s iOS and BlackBerry don’t allow users that level of freedom. In theory, Android’s permission system shows users exactly what each app can do, but in practice users treat it like a Terms and Conditions page and just blindly accept most permissions.

Fragmentation is another headache for IT departments looking to manage mobile devices. There are lots of different flavors of Android, and a multitude of different devices with customized user interfaces and apps pre-installed by manufacturers and carriers. Because Google doesn’t exercise as much control over apps as Apple does, the chances are good that the mobile apps putting your data at risk are Android apps. It’s the low-hanging fruit for cybercriminals.

 

Google is late to the enterprise party

Traditionally, the mobile device market for the enterprise has been dominated by BlackBerry, but in the last couple of years Apple has made major gains by offering a good range of security capabilities. Google is relatively late to the market.

Samsung, the leading Android manufacturer, actually started targeting the enterprise security market with its Knox platform a couple of years ago. It offers cloud-based device and application management and secure workspaces, but despite working across Android and iOS devices, it hasn’t been widely adopted.

Now Google has stepped in with Android for Work, which allows users to partition Android devices so work apps and data are kept separately from personal apps and data. IT departments can control work apps and keep data secure without infringing on personal privacy. Since many startups also use Google’s web apps, this could prove to be a very popular service in the months to come.

There are also a number of third-party solutions out there from vendors like SOTI that go even further, offering deep levels of control and oversight for the security-conscious.

 

Android can be secure

None of this means you can’t use Android in the enterprise. It just means that you need a solid MDM policy and you need to employ the right management tools. If you consider that Android devices are already in the enterprise through the BYOD trend, they can be significantly cheaper than the competition, and their security capabilities are improving all the time, it may be unwise to discount the platform out of hand.

Comparatively, it may still be easier for IT departments to securely manage devices running BlackBerry or iOS than Android, but that’s beginning to change.

 

This article was originally published in Network World.


Positive signs for the future of cybersecurity

For all the infosec hurdles to overcome, we can build a bright future if the enterprise can pull together.

 

We often talk about the enormous challenges facing IT departments around the world. The consumerization of IT, driven by the BYOD trend and coupled with mobility, has given birth to a wide range of serious security threats. As the enterprise increasingly relies on the cloud to provide software, infrastructure, and platforms as services, safeguarding valuable company data is an entirely different prospect than it was even just a decade ago.

But for all the hurdles to overcome, there is mounting evidence that businesses no longer have their heads buried in the sand — or stuck in the cloud! There’s a growing realization that cybersecurity requires budgetary commitment, sincere collaboration, and a solid strategy. If the enterprise can pull together, with government backing and the right expertise, we can build a bright future that’s secure from cybercriminals.

 

Money, money, money

We’re not going to solve the problem by throwing money at it, but it certainly helps, and it’s also indicative of a deeper understanding of the underlying threats and potential costs of a data breach.

The Ponemon Institute found the average cost of a data breach in 2014 was $3.5 million, a 15% increase from 2013. The enterprise is starting to realize that it’s an awful lot cheaper to provide a proper budget for security now than it is to pay through the nose later.

Companies are growing more aware of threats, and this is leading to a greater allocation of resources. Gartner estimated that worldwide information security spending rose 7.9% last year, reaching a total of $71 billion, and it’s set to grow another 8.2% this year to hit $77 billion.

According to the 2015 Piper Jaffray CIO Survey, security is the top spending priority for CIOs in 2015, just as it was in 2014. An impressive 75% of respondents expect to increase security spending this year, and that comes on top of an average 2% growth in annual IT budgets.

 

Government backing

The U.S. Government is also weighing in. President Obama identified cybersecurity as a priority in his budget and asked for $14 billion to boost defenses for 2016. That’s an increase of $1.5 billion compared to this year, and it includes funds for a Civilian Cyber Campus intended to bring agencies together to focus on cybersecurity issues. That spirit of collaboration extends to the private sector.

The White House summary stated, “Cyber threats targeting the private sector, critical infrastructure and the federal government demonstrate that no sector, network or system is immune to infiltration by those seeking to steal commercial or government secrets and property or perpetrate malicious and disruptive activity.”

With greater pooling of resources and sharing of knowledge, threat identification and neutralization will become easier and more efficient. There’s strength in numbers.

 

Proper planning and education

You need resources to build security, but budgets must also be allocated wisely. When we looked at what the military can teach us about cybersecurity, we identified the need for proper planning and a system to enforce policy rules. Buying an expensive piece of security software or employing consultants to provide a snapshot of your security health is not going to be enough. You need an ongoing plan and expertise.

Thankfully, more and more knowledge is starting to filter through into the private sector, as experts from the military, the FBI, the NSA, and the Department of Homeland Security move into business and share their insight and best practices.

More businesses are starting to understand the value in educating their own workforces on security. Establishing programs to ensure that staff are aware of vulnerabilities and the potential for cyberattacks is important. Companies can leverage much greater value from existing security systems and policies by teaching staff good habits, and it’s also important that they understand the potential impact of a breach.

 

Rowing together

Looking beyond cybercriminals to the threat of nation-sponsored attacks, it makes sense for all of us to pull together. If the government and the private sector truly collaborate, we will see a decline in the threat level. The first stage was to recognize the level of the problem, and the scale of recent breaches has opened a lot of eyes. Now it’s time to work with each other to build ourselves a secure future. In tech we trust!

 

This article was recently published in Network World.


7 security threats that go ignored too often

From unencrypted email to open Wi-Fi to faulty firewalls, some of the most common security threats could easily give away the entire farm.

 

More threats emerge for IT departments every year. Cybersecurity is increasingly challenging as attacks get more sophisticated. But many core basics are still being ignored.

Verizon’s 2015 Data Breach Investigations Report put the total at 2,122 data breaches last year, with nearly 80,000 incidents. The vast majority of them fit into the same categories. There are some obvious, often overlooked areas where security can be tightened with minimal effort.

Any IT department looking for potential vulnerabilities would do well to start with the following seven threats:

 

Mobile malware

You must have a proper Mobile Device Management policy in place. If you allow people to bypass security systems by jailbreaking or rooting and let them install apps from unknown sources, then you can bet they will.

 


The consequences can be devastating. An infected device, unwittingly brought into the office by your own employee, could effectively bypass the rest of your systems. You need to identify and remove malware, remotely wipe devices, and provide secure access to corporate servers. A solid split between personal and corporate data with encryption and secure containers is vital.

 

Device loss or theft

Many of the biggest data breaches come about after a laptop or a smartphone was left somewhere it shouldn’t have been. Sometimes people are careless with devices. Sometimes they get stolen.

You can’t prevent it from happening, but it is very easy to prevent it from causing a data breach. The vast majority of devices have the capability to encrypt and password protect the data they hold. Take advantage of these capabilities and you can drastically decrease the risk of data breach after a loss or theft.

Unencrypted email

Emails are a potential treasure trove of sensitive data, and millions of emails are being sent every day with absolutely no encryption. It’s very easy to download tools that allow you to collect unencrypted email. Combine unencrypted email with our next entry, and you could be giving away valuable data.

The sad thing is that it’s very easy to encrypt email. There are a lot of user-friendly solutions now. It doesn’t have to be laborious or expensive. The other beauty of encrypting email is that it doesn’t just foil cybercriminals, it also safeguards against human error. People accidentally send emails to the wrong address quite often, and it can lead to serious data breaches.

 

Open Wi-Fi

The prevalence of unsecured Wi-Fi networks is surprising and worrying. If you don’t have any protection in place, then you’re making it easy for hackers to spy on your traffic. Things like unencrypted email can be intercepted through man-in-the-middle attacks. You simply can’t afford to use unsecured consumer routers for a business. You’re inviting trouble. Make sure you have a security policy for your network and enforce it.

 

Faulty firewalls

Many companies are operating with firewalls in place that give them the illusion of security. Modern malware is designed to sit unnoticed and exfiltrate data silently. Without the right software and an expert view, you will never know if you’re infected. You need the expertise to understand how your firewall should be configured. Too many IT departments aren’t taking advantage of firewall features that have been paid for. It also has to provide real-time protection for all devices and locations, without hampering performance.

 

Broken web filters

You probably have a web filter to block objectionable content, but the problem is that most malware online is hosted on legitimate websites that have been compromised. Whether the entry point is a hijacked website or a link in a malicious email, the user will never know they’ve been attacked. Hackers can buy exploit packs online and use vulnerabilities in browsers and third-party software to gain a foothold. A static filter isn’t enough; you need real-time filtering to scan for dodgy URLs and web-based malware.

 

Ignoring Macs

Apple doesn’t do much to dispel the myth that you don’t get malware on Macs. The Flashback Trojan managed to infect more than 600,000 Macs back in 2012, and it proved difficult to eradicate. There have been other incidents since then. Apple’s OS X has some compelling security features, but it’s not perfect, and there are always vulnerabilities in third-party software as well. Understand that Macs are not immune to cyber attacks. Many security experts are pointing to the rising tide of ransomware, where data is locked and a demand for money is made if you want it unlocked. Don’t leave them defenseless; it’s time to install suitable security software on your Macs.

Much of our list here can be tackled without major resource requirements, so there’s really no excuse not to look at them. There are, of course, lots of other things to consider when you’re addressing security, and it’s an ongoing challenge to stay on top of threats. But if you begin by dealing with these seven threats, you’ll be off to a good start.

 

This article was recently published in Network World.


 

What can the military teach us about cybersecurity?

Teaching the workforce to create a heightened state of awareness.

It’s time for the business world to toughen up on security. The threat from cybercriminals is pervasive. Successful attacks on financial institutions, large retailers, and even government bodies, are all too common.

There’s a reason that the Worldwide Threat Assessment of the US Intelligence Community report, released in February this year, put Cyber at the head of the list of global threats. But the targets are not always military, as the report explains, “A growing number of computer forensic studies by industry experts strongly suggest that several nations—including Iran and North Korea—have undertaken offensive cyber operations against private sector targets to support their economic and foreign policy objectives, at times concurrent with political crises.”

Linda Musthaler’s excellent recent article asked, Is it time to adopt a military-style approach to cybersecurity? The answer is yes. The military and the NSA are in the vanguard of the cybersecurity industry. They have developed some extremely effective methods to protect the country. We can adopt some of these methods to protect our businesses from hackers.

An ongoing war

If you want to find the right approach to vulnerability management, then you can start by adopting the right mindset. Security is not something to be ticked off a list. You can’t implement a policy and then forget about it.

Mike Walls, a retired U.S. Navy Commander now running cybersecurity firm EdgeWave, told Musthaler, “we need to monitor, we need to assess, we need to get data and analyze the data and feed the results of that analysis back into our systems and our processes as soon as possible. It is more of a military warfighting process.”

This attitude is reflected in the aforementioned U.S. Intelligence report, “the cyber threat cannot be eliminated; rather, cyber risk must be managed.”

New lines and methods of attack are being developed every day. The enemy is not necessarily the small-time criminal you’re picturing. Cyber attacks backed by hostile nation states are well-funded and well-organized. You need a defensive policy to cater for a resourceful and skillful adversary.

Developing a solution that fits

Every solid security plan starts with a thorough evaluation. Whether you have server misconfigurations or mobile app vulnerabilities, the first step is to identify them. There’s no substitute for an in-depth look at your organization and your networks. We’re not just talking about penetration testing here; you need to consider internal threats and lateral vulnerabilities as well. The military and NSA employ people who can think like the enemy to gain an insight into likely lines of attack.

The next stage is to formulate a plan that protects the key components of your business, but it’s worthless without education and enforcement. In rigid organizations with a strong disciplinary tradition like the military, it may be easier to set out policy rules. In business it’s important to set aside time and resources for educating your staff. There should also be some understanding of the potential consequences of a breach.

Enforcement requires a dedicated security professional working on cybersecurity 24/7/365. You can’t set up software systems and ask IT to monitor them when the security consultants pull out. The intelligence approach used by the NSA prizes human intuition and vigilance. But it takes expertise to spot threats and interpret the incoming security data correctly.

The battle isn’t won

Because there’s no end point with cybersecurity, you need a process in place that continually assesses and reassesses your security systems. Make sure that whoever you task with cybersecurity has the knowledge and the tools to do the job. But it’s important to remember that having a security expert on board is no silver bullet. That expertise should be shared with the rest of the workforce to create a state of awareness.

The strength of military organizations comes from their ability to pull together in the same direction. Create a culture of awareness in your company. Teach your workforce to be mindful of what they’re doing and how breaches happen. With the right foundation, any security strategy you develop and employ will be that much more effective.

 

This article was originally published in Network World.
