CHECK POINT

THE MYTHS OF MOBILE SECURITY

Mobility has transformed the workplace. Laptops, smartphones and tablets not only enable an organization's road warriors, but also give all employees the freedom to stay connected, whether at a conference, working from home, or sitting in an airport terminal.

MOBILE DEVICE SECURITY IS MORE THAN JUST PROVIDING TRUSTED APPLICATIONS AND RULES THAT AVOID MALWARE

When it comes to securing mobile devices, the most popular choices have been Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) solutions. However, it is not clear how much protection any of these solutions offer in real-world situations. For instance, what happens when a device holding both work and personal information is misplaced and needs wiping? Do any of these solutions protect against malware? How well are corporate documents protected?

We decided to uncover the myth of how well currently available solutions protect real data in real situations. We asked our internal experts to create some typical scenarios and to evaluate each vendor's security features against them. The scenarios ranged from dealing with lost devices, to dealing with malware, to protecting documents.

RESULTS OF THE MOBILE SECURITY MYTH BUSTING

We looked at four basic scenarios users face on a regular basis, testing each solution's ability for:

1. Lost device handling: remotely wipe corporate data, but not the employee's personal data
2. Pre-infection handling: protect the mobile device from malware infection
3. Post-infection handling: deal with malware already found on a mobile device
4. Document and content protection: protect documents and prevent intentional or unintentional loss of data content
The test findings are shown in Table 1 below.

Table 1. Test results by vendor and scenario

Vendor                   Device Wipe (Work Data)   Pre-Infection Handling   Post-Infection Handling   Document Protection   Content Protection
Check Point Capsule      PASS                      PASS                     PASS                      PASS                  PASS
Good For Enterprise      PASS                      FAIL                     FAIL                      PASS                  FAIL
MobileIron Mobile@work   FAIL                      FAIL                     FAIL                      PASS                  FAIL
AirWatch Workspace       PASS                      FAIL                     FAIL                      PASS                  FAIL
Citrix XenMobile         PASS                      FAIL                     FAIL                      PASS                  FAIL

When it comes to avoiding obvious rogue behavior, most vendor solutions will suffice. Many mobility protection solutions focus simply on avoiding malware by locking down the device, and assume they can succeed at that 100% of the time. But what if they miss just one piece of malware? How do they deal with an infection on a mobile device? What actions do they take to safeguard the organization's larger network? We explain the details of our evaluation process, the test bench setups, and our observations on each vendor's performance in the rest of this paper.

MDM AND EMM BACKGROUND

MDM and EMM have traditionally been the methods used to provide mobile security. However, security was never the primary driver behind the design of either method.

MDM was an early mobile security option that gave companies the ability to lock down access to certain features on mobile devices, preventing users from performing certain tasks. While reasonable from an IT security standpoint, this was not popular with users because it restricted their freedom. In a Bring Your Own Device (BYOD) environment, restricting user freedom and threatening to wipe their devices was even less attractive. Newer EMM solutions allowed far more user freedom, which they accomplished by using approved applications.

EMM solutions secure individual applications by restricting their abilities through a security layer embedded either at the application's source code level or in an outside security wrapper. Approved applications can be distributed, monitored and managed from a centralized EMM monitoring station.

Both MDM and EMM protect networks mainly by avoiding malware, and they secure only corporate data and applications, leaving personal data and applications exposed. MDM and EMM do not detect malware or protect from threats when non-approved applications are used. The MDM and EMM solutions also do nothing to stop spyware once it is on a device.
MOBILE SECURITY MYTHS

When looking at extending your organization's network edge to include mobile devices, protection requires consideration of several factors. On any mobile device, whether laptop, tablet or smartphone, there are various ways to protect the device, the connection back to your network, and the content on both.

Most organizations protect the connection via a Virtual Private Network (VPN). The VPN connection creates a secure, trusted path between a remote device and your organization. It does not secure the device or its contents, only the transport from the device to the corporate network. Some VPN options support a concept called split tunneling, where only the corporate traffic goes to the organization's network. Internet access from the remote device, for example, uses a direct internet connection. While this saves bandwidth, this second connection is no longer encrypted or secured by the VPN.

MYTH #1: MDM IS SECURE

Mobile Device Management (MDM) describes a system which allows an IT department to administer mobile devices and to control user actions. With MDM, IT can decide what the user can and cannot do with the device. There are two major shortfalls with MDM. From the user side, MDM policies can be very restrictive, depending on the IT department. When employees feel restricted, they tend to find ways around their security protections. From the organization side, MDM does not actually protect the device, since MDM solutions do not include malware protection capabilities. While MDM solutions can control settings and applications, they cannot control the data going in and out of the device. MDM can also be costly to maintain, because mobile devices need constant monitoring for rogue behavior.

MYTH #2: MOBILE CONTAINERS PROTECT MOBILE DEVICES FROM MALWARE

Mobile containers are a more flexible solution, enabling users to access corporate data on their device separately from their personal data. The container is a protected area on a device with independent access controls. This secure, encrypted workspace protects business data by segregating it from other data and applications on the device. While containers protect corporate data on the mobile device, personal data and applications are often unprotected. Running a container on a compromised device will compromise the data in use.

MYTH #3: DOCUMENTS ARE PROTECTED WHEN SENT TO/FROM MOBILE DEVICES

Document protection is an overlooked aspect of mobile security. Mobility allows people to work on the run, and people in a hurry tend to be more prone to making mistakes, whether that mistake is losing their device or emailing a document to the wrong recipient. Protecting access to the location of a document on a device is one option. Another might be to password-protect the document, but unfortunately, once it is open, it can still be printed, copied or shared. The best option would be to restrict access to a specific set of recipients, set limits on what they can do with the document, and be able to revoke access at any time.

A complete mobile security solution would secure the connection, the device, the business data on the device, personal data and non-business applications, and of course provide the highest level of document protection. That set the performance bar for the scenarios the team created and tested.
THE MOBILE SECURITY VENDOR LINE-UP

We compared Check Point Capsule against the four leaders in the Enterprise Mobility Management (EMM) space, since they represent the more evolved security for mobile devices. The configurations for each are in Table 2 below.

Table 2. Vendor solutions and versions tested

Vendor            Server Version                     Client Version
Check Point       Check Point R77.20                 Capsule Workspace (1.643.34), Capsule Connect (2.38)
Good Technology   Good Mobile Messaging (8.3.0.12)   Good for Enterprise (2.8.1.402)
MobileIron        Core 7.5 (Cloud)                   Mobile@Work (7.5.0.2)
AirWatch          AirWatch MDM Cloud (7.3.6.0)       Workspace (1.5.3.394), Inbox (2.2.2.2194)
Citrix            XenMobile 9.0                      Worx (10.0.1) with WorxMail

THE MOBILITY EVALUATION SCENARIOS AND RESULTS

Each vendor solution was loaded on an LG G3 mobile phone running Android 4.4. We configured each solution with an Office 365 inbox and allowed file sharing and web access to and from the solution. To ensure the validity of the test, we used the latest version of each vendor's server and mobile application as of February 2015.

TEST SCENARIO 1: DEALING WITH THE LOSS

1. An employee uses a tablet for both personal and work access. While travelling, the employee loses the device. The employee calls their IT department and reports the loss. IT initiates a remote wipe of all corporate data and access.
2. The employee gets the device back two hours later and accesses it to see the results of the IT action.

A PASS is given if IT was able to wipe corporate data and block access within the timeframe.

Test Goal: Determine how well each security solution protects the organization's networks and data in the case of a lost device, and how precisely it can do so while avoiding the destruction of personal data.
TEST RESULTS

Check Point: Check Point Capsule was able to remotely wipe the corporate data and disable corporate access from the device. It accomplished this without impacting any of the personal photos stored on the same device.

Good: Good supports remote wipe of enterprise data from the Good For Enterprise app.

MobileIron: MobileIron has limited selective wipe capabilities, and only for email data. Other data on the device, such as corporate files, has to be removed using a full device wipe.

AirWatch: AirWatch supports Enterprise Wipe of corporate data on the device.

Citrix: Citrix XenMobile supports Selective Wipe of enterprise data on the device.

TEST SCENARIO 2: EMAILING MALWARE-INFECTED LINKS

The entire executive team in a company receives an email from a known high-profile candidate. The email describes the candidate's summary qualifications, contains a link to the candidate's LinkedIn profile in PDF format and another link to the candidate's website. Both the attachment and the link contain malicious content that can infect the device once opened. Since on average 9% of recipients will click on an official-sounding link sent to them via email, there is a good chance someone will click through.

1. Send an email to a mobile device via corporate email protected by one of the solutions under evaluation.
2. Open the email and find two links that cause the following:
   a. Download a malicious PDF file to the device.
   b. Access a malicious website that infects the device.
   For the validity of the test, the link with the malicious content in the mail should be accessible from outside the container. Mobile containers cannot open external content from inside the secure workspace and must redirect it to the device's native browser.
3. Press the first link and then inspect the device for malware infection.
4. Press the second link and then inspect the device for malware infection.

Test Goal: Check whether each solution protects a mobile device from possible infection by recognizing and preventing malicious content.

TEST RESULTS

Check Point: The Check Point protected device would not allow the opening of the PDF or access to the malicious site. When a user tries to download a malicious PDF, the download is blocked and the file download fails. When a user tries to open a link to a malicious website, Check Point Capsule blocks access to the website and notifies the user.
Good: When trying to open a link from an external domain, Good redirects it to the device's native browser and opens it there, allowing the malicious content to infect the device.

MobileIron: MobileIron allows the user to open the link received via email in the device browser. This in turn enables the malicious content to reach the device.

AirWatch: AirWatch by default opens all links in the AirWatch Browser. However, if this option is disabled, the native device browser opens the links and allows the malicious content to infect the device.

Citrix: Citrix WorxMail allows the links to be opened on the device, thereby exposing the device to malware.

It is worth noting that only Check Point prevents the download of malware to the mobile device, through its threat prevention capabilities. None of the other tested vendors can protect mobile devices from malicious content when it is opened outside of the secure container.

TEST SCENARIO 3: POST-INFECTION HANDLING

Our mobile device is left logged in and unattended by accident. Someone finds it, downloads a mobile spy application that silently records all keystrokes and sends all typed content to a command and control server. They relock the device and leave it behind to be rediscovered by the original owner. Mobile spy applications are capable of collecting user activities such as device location, call lists and text content, screen and camera captures, and can even gain complete control over the mobile device. A proper security solution should be able to isolate the protected area from such spy applications.

1. Infect a mobile device with a mobile spy application. Activate the application. It sends data created and received on the mobile device to a hacker-monitored command and control server.
2. The user opens their email application on the device, writes an email within each vendor's protected mobile container area, and hits send. If the spy application can see it, a copy of this same content will also be sent to the hacker-designated command and control server.
3. Monitor the mobile spy application's command and control server to see what content, if any, has been shared with it.

You can find more information on spyware applications, mobile Trojans and protecting mobile devices in the following research done by Check Point and Lacoon Security:

https://media.blackhat.com/eu-13/briefings/brodie/bh-eu-13-lacoonattacks-mdm-brodie-wp.pdf
https://www.blackhat.com/docs/eu-14/materials/eu-14-koretsky-a-Practical-Attack-Against-VDI-Solutions-wp.pdf

Test Goal: Determine the extent to which each vendor's container solution can protect mobile devices after infection with a spy application.

TEST RESULTS

Check Point Capsule: The intended recipients received the test email. The spy application's command and control (C&C) server was not notified that an email was sent, and none of the email content was collected by the spy application's C&C server.

Good: Good for Enterprise cannot prevent the spy application installed on the device from sending data to the C&C server. Below is an example of a user writing an email on Good For Enterprise using a device infected with malware.

MobileIron, AirWatch and Citrix: These vendors cannot prevent the spy application installed on the device from sending data to the C&C server.
TEST SCENARIO 4: DOCUMENT AND CONTENT PROTECTION

Sending email with company-sensitive documents attached is a common workplace occurrence. This evaluation has two parts: the first part evaluates how well the original document's content is protected, and the second part evaluates how well the original document is protected if it is accidentally sent to an incorrect recipient.

1. Encrypt a company-sensitive document using each vendor's document protection approach.
2. Attach the encrypted document to an email and send it to a recipient inside the company, who opens the document on their vendor-protected mobile device.
3. Check whether the document protection system allows the copying of document content to the mobile device's clipboard or to a new email or document inside the mobile container.

For the second part, the executive needs additional input from their team and forwards the original document, along with his change notes, to six other people. Unfortunately, he accidentally selects the wrong name for one of them and sends it to a competitor instead. This test determines whether the competitor is able to open and read the original document.

1. Encrypt a company-sensitive document using each vendor's document protection approach.
2. Attach the encrypted document to an email and send it to a recipient inside the company, who opens the document on their vendor-protected mobile device.
3. The recipient opens the attachment on their mobile device and saves it within their secure container.
4. The user then takes the decrypted attachment, attaches it to another email, and sends it to a competitor recipient outside the corporate network.
5. Check whether the decrypted document is accessible outside the container.
6. Check whether the competitor can access the received document.

Test Goal: The first goal of this test is to evaluate the ability of the mobile security solution to prevent the transfer of data from a protected document to another application, or its being copied and saved outside of the mobile container. The second goal is to determine whether the same document protections still apply when the document is accidentally transmitted outside the protected network.
TEST RESULTS

Check Point Capsule: Documents protected by Capsule's document protection are recipient-specific. All documents are protected by permissions that specify what each recipient can do with the document. There is a record and an audit trail reflecting every action taken on the document. Protected documents can be opened only in the secure container on the device. Capsule blocks the competitor recipient from being able to open the document.

Good, MobileIron, AirWatch and Citrix: These vendors encrypt and protect documents as long as they reside in the secure container. Once documents are sent from the device to an external recipient, they are no longer protected and can be opened and viewed by anyone.

SECURITY FINDINGS

Most employees dislike carrying multiple devices and tend to combine work with personal information. Attempting to limit this through MDM policy motivates employees to seek ways to bypass device and operating system security features. This can be more dangerous than having no policies in the first place, as many of the workarounds themselves can contain malware.

All of the vendors were capable of remotely wiping compromised devices

Some only offer email wiping or complete device wiping, so it is important to read the fine print.

Check Point is the only solution capable of detecting and blocking mobile device malware

Other than Check Point, none of the MDM/mobile container solutions evaluated could detect whether content downloaded to the mobile device was malicious. Check Point Capsule is the only solution capable of detecting malware and protecting mobile devices from infection.

Check Point is the only solution capable of preventing data theft from devices infected with malware

Other than Check Point, none of the MDM/mobile container solutions could protect a device already containing malware. Check Point Capsule is the only solution that detected and blocked the spy application from exporting data out of the container area.

Check Point is the only solution capable of protecting documents outside of the container

While all the vendors could prevent copying of document data within the container, Check Point is the only solution capable of tracking and protecting documents once they leave the protected network.
SUMMARY

Managing a fleet of mobile devices and keeping their configurations consistent is important. However, the main reason you undertake this is security. Keeping mobile devices safe most of the time, by securing only applications or some other subset of the problem, does not create a secure mobile experience. Although there are many mobile security solution offerings, they typically address only part of the mobile device protection problem. It is therefore important to uncover the myths behind mobile device security and the false sense of security given by current solutions.

The first myth dispelled is that MDM is a secure solution. While MDM offers device and application controls, it solves only part of the security problem, and only for corporate-owned devices.

The second myth dispelled is the security provided by mobile containers against threats. Mobile containers protect and segregate business data on mobile devices, but leave the device and all personal data and applications exposed to all kinds of threats, such as rogue applications (spyware) and malicious content that can be downloaded to the device.

The last myth dispelled concerns document and data protection. Documents must be protected not only on the device itself, but also when sent to and from the device. This should be done by restricting recipients, restricting actions, and being able to revoke access to documents on any platform and at any time.

Uncovering the myths of mobile security shows that keeping mobile devices safe requires a new, comprehensive approach. Check Point Capsule is the only solution that offers complete security for mobile devices by:

- Providing a secure business environment, encrypting and segregating business data from private data and apps.
- Protecting mobile devices from threats everywhere. It extends the corporate security policy to mobile devices to prevent access to cyber threats.
- Encrypting and protecting business documents everywhere they go. It ensures that only authorized users can access them, whether inside the container or even outside the organization's protected network.

MDM, mobile containers, and even EMM suites provide a partial solution for mobile device security. Only Check Point Capsule protects the device, the data inside, and the larger connected network with the same level of malware protection. We challenge you to try Check Point Capsule and see the difference for yourself at capsule.checkpoint.com.

CONTACT US

Worldwide Headquarters
5 Ha'Solelim Street, Tel Aviv 67897, Israel
Tel: 972-3-753-4555
Fax: 972-3-624-1100
Email: info@checkpoint.com

U.S. Headquarters
959 Skyway Road, Suite 300, San Carlos, CA 94070
Tel: 800-429-4391; 650-628-2000
Fax: 650-654-4233

www.checkpoint.com