Mobile Security Threats: Get Ready for 2016

Transcription

1 GUIDE Mobile Security Threats: Get Ready for 2016 As enterprise-grade data analytics, predictive intelligence and cognitive computing grow, security is on the forefront of everyone s mind. Hacks have become a near daily occurrence, resulting in sensitive personal and corporate data being stolen, exposed, and often used maliciously. This guide explores key security threats and offers best practices to keep organizations safe.

2 It s Getting Painful Large corporations have stockpiles of sensitive data that are at risk of security breaches, and massive mobile OS vulnerabilities affecting nearly a billion people are fresh off the press. Personal and corporate data is being stolen in targeted attacks by malicious cyber-focused nations. Devices, sensors and appliances are now connected to the Internet, gaining artificial intelligence capabilities that know intimate details about us. Yet, default configurations for every new device contain gaping security holes and vulnerabilities waiting to be exploited by a disgruntled former employee, curious script kiddie, cybercrime syndicate, or state-sponsored hacker organization. Business leaders are recognizing the opportunities in connected devices and are creating intuitive experiences through sensors, big data analytics and mobile devices. Business units are seeking to innovate and get to market quickly, while IT departments are responsible for securing corporate data and keeping the digital fortress impenetrable are struggling to keep pace. How are we to bridge the gap between stable, secure systems and flexible, innovative experiences? Gartner calls this the "bimodal approach," and it is the model being implemented by IT teams to address the need to balance innovation with security. The principal focus of the bimodal approach is to enable the best of both worlds: supporting innovation through agile processes and flexible toolsets without compromising traditional IT benefits and security controls. Security & Innovation Are Easier Than You Think The bimodal approach is easily implemented with process adjustment, mindset shift, and a flexible, secure mobile-backend-as-aservice. Mobile backend providers enable development teams to create the applications that users demand without having to worry about new underlying technologies and infrastructure. This applies to system architecture and design, security controls, and moving data from point A to point B without exposing data to an attack all while making sure everything is responsive and optimized for today s fast-paced, mobile-driven world. Many companies are dealing with sensitive data, such as medical records, internal corporate data, or consumer payment information. Adding multiple layers of security increases the difficulty for attackers to gain access to this data. To raise awareness of the vulnerabilities of mobile devices and corporate data systems, this article will address the top threats anticipated in 2016, along with security measures that can reduce vulnerability of data breaches. Mobile Threat to Protect Against 1. Man-in-the-Middle When an attacker sits quietly in between multi-party communications, they can steal all information and data being sent back and forth without either party knowing, even if the data being transmitted is encrypted. The attacker may hold seemingly-verified encryption certificates for both the client and the server, making the transmissions appear secure when in reality the data is passing through an undetected third party. 2. Unknown Infected Devices Should a single device become infected, an entire network could become vulnerable to a breach which may allow for direct attacks on the devices of the network, from that original infected device. Consider the chain of trust and make sure that all devices within each chain are secured and locked down.

3 3. Rootkits Malicious pieces of software (malware) that take advantage of a system-level vulnerability to provide an attacker with administrative access to a system, allowing them to act as an admin and access or steal any system data. These malicious exploits can be installed by an attacker who either gains command line access to a server, or by an authorized user unknowingly installing a piece of software that contains malware. 4. API Key Theft Homegrown backend systems can be exploited via APIs exposed to mobile apps, especially if the APIs are not designed with the proper security measures. This opens up significant attack vectors given massive amounts of mobile traffic. 5. Session Hijacking Improper session handling allows existing, authorized connections to your systems to be nefariously spoofed, leading to an attacker taking over an active session and issuing commands and queries as if they were the end user of that session. 6. Human Error Untrained employees and unaware consumers often do not think about securing their devices or data. Plan around human error by building in multiple layers of security controls to mitigate risk caused by common user behavior, such as forcing users to use complex passwords and to rotate them frequently. Best Practices for Securing Mobile Apps 1. End-to-end Encryption at Rest and in Transit Encrypt all things! Ensure mobile apps and websites make use of security provisions such as ensuring connections are over HTTPS with Transport Layer Security (TLS) and not SSL, as it has become unsafe after the Heartbleed and Poodle exploits were published. Protect all access to the APIs with TLS encryption over HTTPS. Do not expose any insecure endpoints: make all API calls over TLS. 2. Patching, Bug Fixes, Firewall, etc Make sure all systems and OS patches are applied immediately and that you re keeping up to date with the latest Common Vulnerabilities and Exposures (CVEs), especially zero-days, which are vulnerabilities published to the public and the software vendor at the same time, removing the ability for the vendor s engineers to get a head start on a fix. Monitor all network traffic and implement alerts of any suspicious activity. Some examples include a long series of failed user login attempts (especially from differing IP addresses), attempts at gaining root access, or unknown or unsupported requests and endpoints appearing in logs. Keeping systems up to date with the latest software packages and bug fixes is essential, so make this a priority for the entire stack. 3. API Key Management Common practice used to be to simply embed a secret key in an app and hard-code it server side, but new best practice includes implementing an API Key Management system. Embedding a secret access key client-side makes it easier for a malicious actor to reverse engineer your code to discover and use your key for nefarious purposes. These systems make it easy to generate, manage and (most importantly) revoke API keys to restrict permissions as necessary and enforce access controls on your back-end data. Additional ways of securing APIs specific to mobile consumption involve techniques such as certificate pinning, user authentication, rate limiting, network firewalls, and JSON/XML firewalls.

4 4. Identity and Access Management (IAM) Proving digital identity in corporate environments is essential since the other side of authorization often holds massive amounts of corporate data, so these systems need to be reliable, secure, an impenetrable. Using third-party Identity Providers (IdPs) are typically more secure than building one yourself and remove the risk of managing credentials on-site. Using an external IdP will allow app users to log in with social networks or corporate credentials, depending on your IdP of choice. Typically used through OAuth or SAML, IAM makes sure your systems are only accessed by the people they are supposed to be accessed by, and no one else. If you can fully trust an IdP (such as Okta or Facebook) then it is less likely that someone will be able to gain unauthorized access to your systems since those systems are notoriously difficult to crack. 5. Proper Session Handling Best practice is to set appropriate session timeouts and expire tokens following inactivity, making use of techniques such as regenerating your session tokens after a successful login, and of course making use of a TLS-secured HTTPS connection for all communications. 6. Intrusion Detection System (IDS) w/ Breach Notifications IDS are designed to alert system administrators of unwanted or suspicious activity. IDS comes in many flavors, but often rely on using common information models and correlation patterns that allow network admins to trace activity to a single point of origin. By mapping all network and system traffic to a repository of data generated over time, IDS can be used to tell what activity is normal and what may be malicious. Keeping an eye on user login attempts, large scale brute forcing attempts, and location of regular access versus attempted access, are all features of standard IDS. For example, if multiple access attempts are made from impossible distances (i.e. one in San Francisco followed by one in Philadelphia followed by one in Dallas, all within 60 seconds), odds are this activity should be flagged and reported. Combining these tools with targeted alerts allow for the appropriate parties to be notified almost immediately upon a potential breach. Tools such as Splunk, which relies heavily on machine automation, and Alert Logic, which combines advanced technologies backed by a human-powered security operations center, make great foundational tools for detecting potential threats and notifying the response teams. 7. Comprehensive Logging and Backups When data is lost or servers need to be wiped, there must be a quick and easy way to recover and restore systems to their previous state. Best practices say that all data should be replicated across multiple availability zones and multiple data centers. Take full filesystem snapshots at least once per day and back them up fully encrypted and for as long as is needed given the type of data being backed up to make sure you can fully restore customer databases in the event of accidental deletion, corruption, or any loss. An additional way to protect against loss or corruption is to maintain an audit trail of every modification to every piece of data within applications, which can be used to rewind to a previous state if necessary. 8. Proper Incident Response Procedures Make sure to prepare early on so teams know how to respond in the event of a security incident. Predetermined procedures and policies enable companies to respond to security incidents with a clear plan of action, instead of reacting with emotion and panic. For strong resources to assist with putting plans in place you may want to explore Carnegie Mellon University s CERT FAQ, HHS s Incident Reporting, and Rapid7 s resources including this short video on incident response.

5 Conclusion There are countless opportunities for attackers to gain access to data. Building as many precautionary layers as possible to prevent breaches, loss of data and leaks is critical. Technology is always evolving and it is impossible to fully secure and protect every bit and byte, especially when organizations need to continually push their boundaries through innovation and organizational agility. Business and technology leaders should continually be working closely with experts to educate, adapt and secure corporate systems, applications and devices, as constant dialogue and adaptation is everyone s best chance at staying ahead of the curve of information security. Security is all about risk reduction, which includes making everything as secure as possible while simultaneously preparing how to respond not react when a successful attack exposes sensitive data. There are limitless moving parts across the security landscape, which often lead to organizations relying on third-parties for expertise, risk mitigation and reducing the amount of complex technologies to deal with. To discuss mobile security threats, technologies and opportunities, feel free to reach out to our team at CloudMine any time. When we all come together and address these problems head on, we ll all end up with better, more secure, and stable systems. For more information, please contact advisors@cloudmine.me and/or sign up for our Mobile Competency Checkup ( cloudmine.me/checkup), which includes an assessment on security and compliance needs.