ARMING IT AGAINST SMARTPHONE THREATS

Trust Digital Best Practices
April 2009

The information contained herein is subject to change at any time, and Trust Digital makes no warranties, either express or implied, with respect to this documentation and disclaims all implied warranties of merchantability and fitness for a particular purpose. Trust Digital and the Trust Digital logo are trademarks or registered trademarks of Trust Digital, Inc. All other trademarks are the property of their respective holders.

© 2009 Trust Digital. All rights reserved.

TABLE OF CONTENTS

Introduction
Smartphone Convergence
SMS As An Attack Vector
Business Card Attacks
Lost Device Attack
The Security Fix
Deploying the Fix
Conclusion

Introduction

In the last decade, mobile devices have evolved from basic cell phones to Internet-connected devices accessing Web applications and VPNs via the enterprise network. As such, users have come to depend on these devices to facilitate work and play. Enticed by the latest and coolest smartphones like the Apple iPhone and Google Android, employees have begun using these devices for work unbeknownst to corporate IT. This employee independence is creating security angst for IT organizations responsible for the data contained on those phones.

The growing number of smartphones being used at work represents an opportunity for corporate spies, since smartphones are typically the weak link in IT security policies. Most organizations fail to take precautions to secure smartphones and therefore cannot track or manage which devices are hooked up to the network.

Attacks via short message service (SMS) are a prime example of how a hacker may exploit this weak link. Although consumers think of SMS as simply text messaging for cell phones, SMS is actually a far richer protocol. This white paper discusses SMS security threats, describes some easy-to-duplicate attacks on smartphones, and suggests approaches to both recognize and mitigate SMS threats.

Smartphone Convergence

Smartphones offer a number of ways to connect to a network, including USB, infrared and WiFi. Hackers can use these capabilities in a variety of malicious ways, including injecting viruses and malware, creating denial of service attacks against the enterprise, stealing employees' data (emails, contacts, text messages and proprietary files) and eavesdropping on employee conversations.

[Figure: smartphone attack surfaces. Labels: USB attacks, protocol stack attacks, cell tower, email server, GPS, IrDA, Internet, IrDA/Bluetooth attacks, installing malware.]

While WiFi, USB and browser-based vulnerabilities are shared with laptops, other security holes that affect the network protocol stack or employ SMS messages are unique to the cellular capabilities of the smartphone. So, what is IT to do? The remainder of this paper explains how hackers can exploit SMS messaging and how IT can counter the hacker using an enterprise mobility management (EMM) platform.

SMS As An Attack Vector

Approximately seven billion SMS text messages are exchanged daily worldwide, according to GSM-World reports. The SMS protocol can deliver rich data, control messages and applications to devices that control usability and change security policies. As a result, the SMS protocol can be used as an attack mechanism to send a message that is device or SIM card specific. Typically all that is needed is a phone number, which is easily gleaned from a business card or email signature. The following scenarios detail how SMS messages can be used to compromise a smartphone.

Business Card Attacks

The Business Card attack can be performed by the hacker without any knowledge of the intended victim other than their mobile phone number. To carry out the Business Card attack, the hacker sends a series of SMS messages to the phone. These messages are known as control messages. Control messages instruct the phone to act on the SMS instead of displaying it as a text message. These control messages can download applications to the phone, collect and forward data from the phone, force the phone to visit a website or change phone configurations. This gives the hacker control over the phone and access to the data on the phone. Much like viruses found on laptops today, the attack can happen silently and is highly targeted. It gives a hacker access to a device that otherwise may be under careful control.

THE HACKER'S TOOLKIT

- Laptop with WiFi connectivity to the Internet
- Tools available on the Internet
- Smartphone
- Mobile number of victim

The Business Card attack can be separated into three different attacks.

The first attack utilizes a wireless application protocol (WAP) PUSH message. WAP PUSH messages have the ability to redirect a device to a website to download an application, which is then installed on the targeted device. The application accesses information such as contact lists, text messages and emails and sends it back via SMS or email.

The second attack involves sending the device an SMS control message that causes the phone to silently change configuration. This attack can be used for multiple purposes: for example, it can expose user information by turning off security settings for email transmission such as SSL, or it can render the data capabilities of the device useless by remotely wiping the device.

The third attack is a denial of service attack. A denial of service attack sends multiple control SMS messages to the targeted device, making the device slow and ultimately rendering it useless, with no indication as to the cause of these issues.

The Business Card attack is easy to understand and simple to perform even for a non-expert hacker. Free software is available and can be downloaded directly from the Web to help create these SMS control messages. The hacker uses his or her own phone to send the messages.

Lost Device Attack

In our second scenario, the hacker targets a lost or stolen smartphone. Like the Business Card attack, the Lost Device attack works even if the phone is locked with a PIN or password screen, since the hacker can push an application via SMS that unlocks the device. Once the device is unlocked, the hacker has full control of it and can access any information on the device or use the device to access corporate resources.

The Security Fix

The security fix for SMS attacks is to deploy a software file that blocks control messages on the affected smartphones. In effect, this fix only permits the smartphone to receive SMS text messages and prevents silent attacks.

The Trust Digital EMM platform for smartphones blends security and device management into a single solution, providing IT with the facilities and tools needed to effectively counter SMS attacks and other smartphone security threats.

Trust Digital EMM is a Web Services platform that provides robust support across a diverse set of handheld mobile devices and includes:

- A self-service portal allowing end users to load security software and policies on personal devices
- A flexible device agent enabling IT to secure and manage a wide variety of device platforms including Windows Mobile, Symbian and iPhone
- Policy-controlled security for protecting against hacker access and device loss
- A centralized management console with integrated help desk capabilities for simplifying policy implementation and user support
- A compliance management and reporting facility to ensure users adhere to IT policy

Deploying the Fix

To deploy the security fix to affected users, IT can run asset management reports to identify users that may own an affected smartphone. The granular software distribution facilities of the Trust Digital EMM platform can deploy the needed software according to criteria that include carrier, user group, device or operating system. In our SMS example, IT would use the EMM platform to push the needed CAB file to the users of affected smartphones. For ongoing support and reassurance, compliance reporting and enforcement ensure the CAB file remains in place and alert IT if a device is not compliant.

[Figure: Single console for centralized control. Labels: group-based policies and software, SQL, AD, executives.]

Conclusion

Unlike laptops, smartphones converge voice and data, creating new security challenges for IT. Hackers are increasingly focused on corporate espionage, and the smartphone is a ripe target. Frequently ignored by IT, smartphones are often the weak link in enterprise security strategies. New threats, such as Business Card attacks, will continue to appear and evolve. Trust Digital EMM arms IT with a sophisticated device management facility that quickly delivers security solutions on an individual or group basis to tactically counter hackers as they employ new methods to penetrate the enterprise.

Trust Digital is the leading provider of enterprise mobility management software for government organizations and Global 2000 companies. IT organizations rely on Trust Digital's solution to cost-effectively secure, rapidly deploy and centrally manage their smartphones. Trust Digital's unique software-overlay methodology simplifies how IT administrators and help desk specialists implement policies, assist users and enforce compliance for mobile applications. Trust Digital is the trusted mobility company. For more information, please visit our website, www.trustdigital.com.

Trust Digital
1760 Old Meadow Road, Suite 550
McLean, VA 22102
Toll Free 888-760-9401
703-760-9400
www.trustdigital.com
info@trustdigital.com