Ten Tips for Managing Risks on Convergent Networks
The Risk Management Group, April 2012
Sponsored by Lavastorm Analytics

Lavastorm Analytics is a global business performance analytics company that enables companies to analyze, optimize, and control the performance of complex business processes, including financial, operational, and customer experience processes. The company's Lavastorm Analytics Platform offers a new, agile approach to fraud management and revenue assurance and is used by thousands of business and IT professionals at more than 50 CSPs worldwide. The platform's discovery-based, audit analytic capabilities provide users with self-service analytics, visualizations of process/performance issues, continuous monitoring and auditing, and case management capabilities for issue resolution.

Page 1. Extracted from TRMG's Fraud and Revenue Assurance Guideline, www.trmg.biz. For more information please visit www.lavastorm.com.
INTRODUCTION

The convergence of mobile devices, public and private wireless networks and cloud services raises new issues for operators and their customers. Thirty years ago, business people and consumers relied on fixed line phones and postal services for information. Today the Internet, mobile communications, GPS and a wirelessly connected iPad or laptop are ubiquitous tools for research and communication. In addition, the network they choose for communication is likely to be a WiFi network in a local coffee shop, and any files may be stored on a site like Dropbox for easy access and synchronisation in real time.

Using convergent mobile, WiFi and Cloud services exposes business users, consumers, and their communication operators to numerous hazards. We will discuss some of the most important ones in this short paper, as well as the key steps that operators need to take to protect consumers and corporate clients.

Figure 1 - WiFi vulnerability
While estimates vary, online research indicates that there are now at least 4.5 billion active mobile devices worldwide (with new growth led by India and China), covering more than 60% of the global population. Almost fifty percent of Facebook's 750m active users access the site via mobile handsets or tablets (http://www.facebook.com/press/info.php?statistics), while mobile Internet access in general was adopted by half a billion consumers in 2009. Indeed, more than 50% of all mobile users now reject the use of desktop computing for regular Internet access altogether, preferring to use a mobile device or tablet. In addition to social media take-up, instant messaging, voice over IP services, multiplayer gaming, search engine usage, online banking and ecommerce are also major drivers for this growth. Understanding, marketing to and managing the security of this growing mobile-only generation of users, sometimes described as "the next billion users", is one of the main challenges facing mobile service providers, ISPs, banks, retailers, media outlets and anyone else providing goods or services in the modern world.

WiFi Network Risks

Other wireless technologies such as WiFi and Bluetooth compound the challenge, and we now see mobile devices connecting to the Internet, or to corporate networks, via third party wireless networks that exist outside the span of control of corporate security. Indeed, our experience in this sector suggests that smartphone usage is a major driver for WiFi expansion. As a result, ubiquitous WiFi coverage is now commonplace in most modern cities, and automatic searching for and connection to such networks is typically the default option for many users. This practice brings new risks with it, in particular the man-in-the-middle attack. A man-in-the-middle attack involves an attacker positioning himself between two parties who wish to communicate, without the knowledge of either party.
So the man in the middle (C) tricks party A into believing he is party B. He then tricks party B into believing he is in fact party A. In this fashion, C handles all communications between A and B without either of them realising it. He can copy or alter any messages sent. In Internet terms, this means that passwords, usernames, addresses, attachments, email and message content and all manner of confidential information can be captured.

In recent years, WiFi services are reported to have been a common target for man-in-the-middle attacks. The attacker selects a popular public WiFi network, for example in a coffee shop, and sets up his own separate WiFi network, but gives it the same name ("Joe's Coffee Shop Network", for example).
Users who log on to the fake network do not realise that all of their communications are now passing through the attacker's devices, which are running special software to capture all content. The users receive the Internet services they expect and have no reason to suspect that any of their activities have been intercepted.

Cloud Computing Risks

Cloud Computing adds significant complexity to an already confusing picture. Cloud computing is simply Internet based computing (the Internet is the "Cloud"), where shared IT platforms, typically remote, provide resources, software, and data storage services to local computers and other devices on demand. In effect, Cloud computing closely resembles the client-server (thin client) architecture that many users are already accustomed to, except that the data and, possibly, the server now sit in the Cloud. This frequently takes the form of web-based tools or applications that users can access and use through a web browser as if they were programs installed locally on their own computer.

Figure 2 - Cloud Computing simplified architecture
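Returning to the same-name rogue network described in the WiFi section above: the defensive counterpart is a periodic scan compared against a site survey of the radios that legitimately serve each network name. The following is an added example, not code from the TRMG paper; the network name, MAC addresses, channels and signal strengths are constructed, hypothetical values, and the allowlist format (SITE_SURVEY) is an assumption of this example.

```python
"""Rogue access point ("evil twin") check for a WiFi scan.

Added example (not from the TRMG paper). It compares a scan result
against a site survey allowlist of the legitimate radios (BSSIDs)
behind each network name (SSID) and reports access points that reuse
a known name but do not match the survey. All network names, MAC
addresses and channels below are constructed, hypothetical values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str        # network name as shown to users
    bssid: str       # MAC address of the radio that beacons the SSID
    security: str    # "open", "wpa2", ...
    channel: int
    signal_dbm: int


# Constructed site survey: which radios, on which channels and with which
# security mode, legitimately serve the venue's network.
SITE_SURVEY = {
    "Joe's Coffee Shop Network": {
        "security": "wpa2",
        "radios": {"00:11:22:33:44:01": 6, "00:11:22:33:44:02": 11},  # bssid -> channel
    },
}

# Constructed scan result, as a wireless IDS or a periodic site walk
# might collect it.
SCAN = [
    AccessPoint("Joe's Coffee Shop Network", "00:11:22:33:44:01", "wpa2", 6, -55),
    AccessPoint("Joe's Coffee Shop Network", "00:11:22:33:44:02", "wpa2", 11, -70),
    # same name, unknown radio, no encryption: the evil-twin pattern
    AccessPoint("Joe's Coffee Shop Network", "de:ad:be:ef:00:01", "open", 6, -40),
    # known MAC address but on a channel the survey never recorded: possible cloned BSSID
    AccessPoint("Joe's Coffee Shop Network", "00:11:22:33:44:01", "wpa2", 1, -45),
    # a network we are not responsible for; ignored
    AccessPoint("Guest", "aa:bb:cc:dd:ee:ff", "open", 1, -80),
]


def find_rogue_aps(scan, survey):
    """Return (access point, reasons) pairs for APs that impersonate a surveyed SSID."""
    findings = []
    for ap in scan:
        profile = survey.get(ap.ssid)
        if profile is None:
            continue  # not one of the networks in the survey
        reasons = []
        radios = {mac.lower(): ch for mac, ch in profile["radios"].items()}
        known_channel = radios.get(ap.bssid.lower())
        if known_channel is None:
            reasons.append("unknown BSSID")
        elif known_channel != ap.channel:
            reasons.append(f"known BSSID on channel {ap.channel}, survey recorded {known_channel}")
        if ap.security != profile["security"]:
            reasons.append(f"security {ap.security}, survey recorded {profile['security']}")
        if reasons:
            findings.append((ap, reasons))
    return findings


def strongest_rogue(findings):
    """The rogue AP with the best signal is the one clients will most likely join first."""
    if not findings:
        return None
    return max(findings, key=lambda f: f[0].signal_dbm)[0]


if __name__ == "__main__":
    for ap, reasons in find_rogue_aps(SCAN, SITE_SURVEY):
        print(f"{ap.ssid!r} {ap.bssid} ch{ap.channel} {ap.signal_dbm} dBm: {'; '.join(reasons)}")
```

The check deliberately keys on the radio address and channel rather than on the name alone, because the name is exactly what the attacker copies; a survey kept up to date when access points are replaced is the prerequisite for it to stay useful.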
Because Cloud services are remote, provided by third parties and often shared, Cloud computing introduces major new challenges for IT Security, Fraud Control and IT Audit teams, including:

- Reputational risks or brand damage from data exposure
- Litigation risks and financial liability
- Regulatory risks such as those covered by data protection legislation
- Due diligence requirements
- Corporate espionage risks
- National security risks (particularly for the defence sector)
- Data integrity, completeness and accuracy risks
- Communication network and systems failure risks involving remote servers
- Revenue risks associated with service provisioning failures (witness Sony Online Entertainment's recent $178 million loss)
- Third party fraud risks, particularly those involving staff of the Cloud service provider
- Cyber security risks such as hacking and malware attacks on Cloud servers or via the Cloud

Cloud security risk assessments should map the pathways through your Cloud infrastructure and applications and establish clearly the routes by which key data travels or operational processes are executed, in order to assess the potential technical or business (operational, commercial or legal) impact of intrusions, fraud, data loss or process failures on your organisation, stakeholders, customers and brand. The impact of loss of service, governance failures and regulatory breaches should also be assessed.

Cloud security risk assessments require you to go beyond the standard analysis of business needs, assets and controls to cover the corresponding needs, assets, controls, responsibilities and capabilities of every Cloud provider and each of their sub-contractors. In a Cloud context, risks, and the responsibilities associated with the control of risks and the protection of key assets, cascade down from the subscribing organisation through every tier in the outsourced service provider model.
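The pathway mapping and tier-by-tier cascade just described can be made concrete as a small control-gap check. The following is an added example, not code from the TRMG paper; the tier names, control names, data classifications and flows are constructed, hypothetical values standing in for whatever a real assessment records.

```python
"""Control-gap check across a tiered Cloud provider chain.

Added example (not from the TRMG paper). It models the cascade the
paper describes: a data flow passes from the subscribing organisation
through a prime provider and its sub-contractors, and every tier on the
path must hold the controls the data requires. Tier names, control
names and flows are constructed, hypothetical values.
"""

# Constructed control register: which controls each tier has evidenced
# (for example through contract terms or an audit report).
TIERS = {
    "subscriber":    {"encryption_in_transit", "encryption_at_rest", "access_logging", "staff_vetting"},
    "saas_provider": {"encryption_in_transit", "encryption_at_rest", "access_logging", "staff_vetting"},
    "iaas_provider": {"encryption_in_transit", "access_logging", "staff_vetting"},   # no at-rest encryption
    "backup_vendor": {"encryption_in_transit", "encryption_at_rest"},               # no logging, no vetting
}

# Constructed requirements per data classification.
REQUIRED = {
    "customer_pii":   {"encryption_in_transit", "encryption_at_rest", "access_logging", "staff_vetting"},
    "marketing_copy": {"encryption_in_transit"},
}

# Constructed data flows: the route each kind of data takes through the tiers.
FLOWS = [
    {"name": "billing records", "classification": "customer_pii",
     "path": ["subscriber", "saas_provider", "iaas_provider", "backup_vendor"]},
    {"name": "campaign assets", "classification": "marketing_copy",
     "path": ["subscriber", "saas_provider", "iaas_provider"]},
]


def control_gaps(flows, tiers, required):
    """List every (flow, tier, missing controls) where a tier on the route falls short."""
    gaps = []
    for flow in flows:
        need = required[flow["classification"]]
        for tier in flow["path"]:
            if tier not in tiers:
                # an unmapped tier is itself a finding: nobody has assessed it
                raise KeyError(f"no control register for tier {tier!r} on flow {flow['name']!r}")
            missing = need - tiers[tier]
            if missing:
                gaps.append({"flow": flow["name"], "tier": tier, "missing": sorted(missing)})
    return gaps


def effective_controls(path, tiers):
    """Controls that hold end to end: only those every tier on the path provides."""
    result = None
    for tier in path:
        result = set(tiers[tier]) if result is None else result & tiers[tier]
    return result or set()


if __name__ == "__main__":
    for gap in control_gaps(FLOWS, TIERS, REQUIRED):
        print(f"{gap['flow']}: {gap['tier']} lacks {', '.join(gap['missing'])}")
    for flow in FLOWS:
        print(f"{flow['name']}: end-to-end controls = {sorted(effective_controls(flow['path'], TIERS))}")
```

The second function is the point of the exercise: the controls a flow actually enjoys are the intersection across every tier it touches, so a sub-contractor two hops down the chain that lacks access logging removes that control from the whole flow, however strong the prime provider's own posture is.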
The scope of risk management does not end, therefore, with the prime sub-contractor; risk control in the Cloud is an end-to-end function in the full meaning of the phrase.

Mobile Device Risks

The primary risks of relevance involve intrusions, interception and the delivery of malware for the purpose of data theft and manipulation, identity theft, unauthorised monitoring of communications or geographic locations, and denial of service attacks against corporate or public sector servers. Convergent mobile, wireless and Cloud computing services all include features that can provide a vector for these risks.

Modern mobile devices are powerful computing devices in their own right. The mobile user is therefore also a system administrator, and this is especially true when a device such as a tablet or PDA is used on the move, in the home and also on the corporate or government network. The rise of the App, a low cost, readily available software application that may offer anything from productivity improvements to games, combined with the potential role of occasional child users and other family members at home, means that the introduction of malware to the device is more likely than ever before. Take-up of mobile anti-virus and other security applications is still very low, and the vast majority of our clients still seem to have no such protection on their mobile devices. Private users rarely have mobile anti-virus in place.

When one considers the categories of information held on a typical mobile device (contact lists, calendars, email messages, user names and passwords, location service data, browsing habits, photographic records and much more), the risks of data exposure via extraction or keystroke logging are readily apparent. Basic user awareness is therefore a key concern. Even simple errors, such as naming a device with the user's full name (as in "John Smith's iPhone") and then leaving the Personal Hotspot active, can allow a stranger with their own WiFi enabled device to deduce the name of a passerby when that network name appears temporarily on their display. Social engineering exploits may follow, either face-to-face or via social media and other means.
Risk Control Responses

This convergence of vulnerabilities suggests a likely convergence of attackers, with mobile, ICT, ecommerce, efinance and social engineering fraudsters, malware developers, hackers and other threat actors all acquiring and engaging targets across this common set of technologies. A converged threat calls for a converged response, and the prevention-detection-investigation-mitigation cycle of fraud risk control will require the following features or capabilities:

Fraud Prevention and Security
- User awareness extending down to the families of corporate employees
- Guidelines on personal use, including home WiFi and social media best practices
- The installation of mobile anti-malware applications
- Two or three factor authentication to reduce the risk of password exposure
- Encryption of data as a routine requirement
- Standards and auditing for an expanded set of third party providers

Fraud Detection
- Monitoring of social media and other channels for reputational harm and new threat indicators (e.g. by using deep packet techniques)
- Improved reporting by users of suspicious events, such as strange file attachments or unexplained hardware performance issues

Fraud Investigations & Mitigation
- Consolidated case management across corporate firms and third parties
- Faster response times when the potential for brand damage is identified (e.g. by having a social media response plan in place)

Conclusions

In a nutshell, the convergence of mobile technologies, wireless networks and the Cloud means that we are seeing a shift to a model in which billions of potentially insecure computing devices, many holding or accessing sensitive data, will interface across millions of insecure or poorly managed private networks and access data or use services that are hosted in a virtualised setting and over which few, if any, risk and security teams have end-to-end control. Risk and security managers therefore need to focus on Convergent Risk as a top priority.

ABOUT TRMG

The Risk Management Group has specialised in the delivery of training and consultancy on high tech fraud for leading firms worldwide for over a decade. For more information on TRMG, visit www.trmg.biz.