With today’s increasing Mobile Enterprise Security Threats, do you have a strategy to mitigate the risk on your Corporate Network?

Corporations are increasingly utilizing mobile enterprise systems to meet their business objectives, allowing mobile devices such as smart phones and tablets to access critical applications on their corporate network.  These devices provide advanced technologies over traditional desktop clients, such as: information sharing, access from anywhere at any time, data sensors, location, etc. But what makes these mobile devices desirable, by their very nature, also poses a new set of security challenges.  Reports by research agencies in recent years show an alarming trend in mobile security threats listing as top concerns: Android malware attacks, and for the IOS platform issues with enterprise provisioning abuse and older OS versions.

These trends highlight the need for corporations to start taking seriously a mobile security strategy at the same level to which cyber criminals are planning future attacks. A mobile security strategy might involve adopting certain Mobile Security Guidelines as published by standards organizations (NIST) and Mobile OWASP project. See the references at the end of this document:

The following guidelines are a subset of Mobile Security Guidelines I pulled from various published sources with most coming from NIST. It is by no means a comprehensive list, however they can be considered as a starting point or additional considerations for an existing mobile security strategy.

1 – Understand the Mobile Enterprise Architecture

You should start with understanding and diagramming the flow from mobile application to business applications running on the back-end application server. This is a great starting point and should be done at the beginning stages, as most of the security guidelines will depend on what is known about the architecture.

  1. Is the mobile application a native application or mobile web application? Is it a cross-platform mobile application?
  2. Does the mobile application use middleware to get to the back-end API, or does it connect directly to a back-end Restful based Web Service?
  3. Does the mobile application connect to an API gateway?

2 – Diagram the network topology of how the mobile devices connect

Is the mobile device connecting to the business application servers over the cellular network or internally through a private WiFi network, or both? Does it go through a proxy or firewall? This type of information will aid in developing security requirements; help with establishing a QA security test bed and monitoring capability.

3 – Develop Mobile Application Security Requirements

At a high level, a security function must protect against unauthorized access and in many cases protect privacy and sensitive data. In most cases, building security into mobile applications is not at the top of the mind-set in the software development process. As such, these requirements should be gathered as soon as possible in the Software Development Life Cycle (SDLC). It has been my personal experience in many cases that you have to work with application software developers in adopting best security practices. So the sooner you can get that dialogue going the better. Security objectives to consider are:  Confidentiality, integrity, and availability. Can the mobile OS platform provide the security services required? How sensitive is the data you are trying to protect. Should the data be encrypted in transit, and in storage? Do you need to consider data-in-motion protection technologies?  Should an Identity and Access Management (IDAM) solution be architected as part of the mobile enterprise system? Should it include a Single Sign On functionality (SSO)? Should there be multi-factor authentication, role based or fine-grained access control? Is Federation required? Should the code be obfuscated to prevent reverse engineering?

4 – Incorporate a Mobile Device Security Policy

What types of mobile devices should be allowed to access the organization’s critical assets. Should you allow personal mobile devices, Bring Your Own Devices (BYOD’s) or consider only organization-issued or certified mobile devices to access certain resources? Should you enforce tiers of access? Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and BYOD’s by enterprise users. These technologies can remotely wipe the data or lock the password from a mobile device that has been lost or stolen. Should Enterprises consider anti malware software and OS upgrades to become certified mobiles on the network? To reduce high risk mobile devices, consider technologies that can detect and ban mobile devices that are jail broken or rooted, as these can pose the greatest risk of being compromised by hackers.

5 – Application Security Testing

According to a study performed by The Ponemon Institute, nearly 40% of 400 companies surveyed were not scanning their applications for security vulnerabilities, leaving the door wide open for cyber-attacks. This highlights the urgency for security teams to put together some sort of security vetting process to identify security vulnerabilities and validate security requirements as part of an ongoing QA security testing function. Scanning application technologies typically conduct two types of scanning methods: Static Application Security Testing (SAST) which analyzes the source code and Dynamic Application Security Testing (DAST), which sends modified HTTP requests to a running web application to exploit the application vulnerabilities. As the QA scanning process develops, it can be automated and injected into the software build process to detect security issues in the early phases of the SDLC.

6 – System Threat Model, Risk Management Process

What will typically come out of the application scanning process will be a list of security vulnerabilities found as either noise, suspect or definitive.  It will then be up to the security engineers knowing the system architecture and network topology working with the application developer to determine whether the vulnerability results in a valid threat and what risk level based on the impact of a possible security breach. Once the risk for each application is determined, it can be managed through an enterprise risk management system where vulnerabilities are tracked, fixed and the risk brought down to a more tolerable level.

7 – Consider implementing a Centralized Mobile Device Management System

Depending on the Mobile Security Policy that is in place, you may want to consider implementing a Centralized Mobile Device Management System especially when Bring Your Own Device (BYOD) mobiles are in the mix that can:

  • For mobile devices, manage certificates, security setting, profiles, etc through a directory service or administration portal.
  • Policy based management system to enforce security settings, restrictions for organization-issued, BYOD mobile devices.
  • Manage credentials for each mobile device through a Directory Service.
  • Self service automation for BYOD and Reducing overall administrative costs.
  • Control which applications are installed on organization-issued applications and check for suspect applications on BYOD mobile devices.
  • A system that can remotely wipe or lock a stolen or loss phone.
  • A system that can detect Jail-broken or rooted mobile devices.

8 – Security Information and Event Management (SIEM)

Monitor mobile device traffic to back-end business applications. Track mobile devices and critical business applications and correlate with events and log information looking for malicious activity based on threat intelligence. On some platforms it may be possible to integrate with a centralized risk management system to specifically be on alert for suspicious mobile events correlated with applications at higher risk.


Leadership Essential in Cybersecurity Dynamics

Are your C-level leaders sending a clear message about Cyber Security?

Despite the high profile security breaches making news headlines and increased attention around cyber risks, executives in the C-suites are still lacking commonality and communication of a clear goal when it comes to a cybersecurity strategy. These individuals need to work together to manage their organizational risks to help prepare, mitigate, and minimize the damage caused by cyber incidents.

Every organization needs a clear strategy and roadmap with supporting tools that protect critical assets. Read more about this topic and the crucial role the C-suite plays in the dynamics surrounding Cybersecurity.


A Sobering Day for All CEOs

Sadly, the CEO presiding over Target during the recent data breach resigned today.  See USA today article.

This series of unfortunate events for Target begs a key question relating to the risks every company CEO faces today. Did Target leadership ask the right questions about overall IT security and the risk every company faces?

Protecting a company from Cyber bad guys is a never ending battle.  It’s a game of leap frog with some serious consequences if you get behind.  With all the opportunity for full-time, professionally paid, government backed hackers to spend all day every day figuring out new ways to wreck a company, the priority for combating this enemy needs to be pretty high on the list for every CIO and CEO.  But it’s not just about spending all the money you can afford to spend.  It’s about understanding where to spend the money on the right technology.

How do leaders responsible for protecting a company sort out all the noise from the real threats?  This has become a constant exercise in analyzing risk and applying financial priorities accordingly.

As fast as the bad guys are coming up with new ways to exploit a target, new innovative minds are working to counter their moves.  Many of these great technologies are being folded into a portfolio of products and solutions that can be layered across an enterprise to protect and prevent the latest threats from creating the worst kind of headlines.

IBM has been on a major buying spree for the last several years snapping up some of the best and brightest technologies and resources across the globe.  They are quickly assembling an array of tools that are being shaped into the worlds best security risk analysis platform.  By leveraging this risk-based assessment direction, IT leaders can depend on technologies that will not only provide the intelligence about where to address risk, but can be assured that these technologies are probably the best that money can buy.

IBM is currently the third largest security company in the world with the goal of being the largest and the best.  As a Premier IBM Business Partner, we see this investment first hand.  See ComputerWorld’s perspective.

PathMaker Group serves our customers by planning, implementing, and managing these security solutions across the enterprise.  IT Security is a rapidly changing, complex business and our partnership with IBM helps us keep our customers one step ahead of the bad guys.

Email Attacks and Hate Mail Response: Recognizing When You Need to Hire an Incident Response Expert

Many people who use email think that their true identity and location are anonymous. Hidden behind their supposed “cloak of anonymity,” these people may sometimes lash out at their employers, colleagues, political adversaries, ex-lovers, and so on. Thankfully, there are a number of identity management services that can help to reveal the identity of the person who sent you a threatening message.

If you receive an email that is of a threatening or illegal nature, it’s not difficult to initiate an enquiry leading directly to the person involved for appropriate actions by authorities. Here is a look at how the specialists at PathMaker Group can handle your situation:

Forensic Expertise

The key to finding out who is responsible for sending a threatening message is the technical knowledge that incident response experts have about the inner workings of electronic mail. By examining the Internet Headers of a particular email, our incident response experts can identify the exact source of the message. Read more

Consequences of Not Maintaining a Secure Website

It’s estimated that nearly one-third of the global population uses the internet on a regular basis. It’s no surprise, then, that businesses of all sizes are starting to rely more heavily on their websites for marketing, sales, client services, and more. Unfortunately, many of these websites pose considerable security risks for the businesses who operate them.

As a premier security and identity management firm in the Dallas area, PathMaker Group is intimately familiar with the consequences of not maintaining a secure website—consequences that can be avoided by utilizing our proven security and identity management solutions. Some of the risks of not maintaining a secure website include:

  • Identity Theft
    Unsecured websites are ideal targets for hackers and cyber-criminals looking to steal valuable customer information. Once they obtain your customer’s information, it is very easy for them to commit identity fraud. Besides the devastating consequences this can have for your customers, it can also be extremely damaging for your company’s reputation. To ensure that your website is secure from such attacks, contact the security and identity management professionals at PathMaker Group. Read more

Stuxnet Worm, Research and Recommendations

As you may be aware, a worm (originally appearing in 2009) and named Stuxnet has recently resurfaced as a focused attack at Industrial and Energy control systems, namely but not exclusively targeting those systems built by Siemens, AG. This worm has the capability to take control of and/or alter settings within SCADA systems and PLC/RTU sub-components.

Below are some good articles related to recent research into the worm.

Why Stuxnet spread

Stuxnet, a wakeup call
http://www.scmagazineus.com/stuxnet-should-serve-as-wake-up-call-say-experts/article/179858/ Read more

Cyber attacks, they occur more often than you think!

Cyber attacks have become a ‘weapon of choice’ for many terrorist organizations. Cyber attacks can be launched from anywhere in the world that has Internet access, are often untraceable, and have the potential to wreak havoc on our financial and economic systems, defense networks, transportation systems, power infrastructure, and many other essential capabilities.

Although not widely publicized, cyber attacks occur routinely. Within the State of Texas, a major computer security incident with significant financial and operational impact is an annual event for most organizations, including state government entities. In fact, state entities reported a daily average of almost 575 security incidents in fiscal year 2009, including malicious code execution, unauthorized access to data, and service disruptions. Most of these attacks are blocked, prevented, or result in only minor disruptions.

Between January 2005 and August 2009, Texas-based organizations reported 105 incidents involving privacy data; 43 of these incidents were government-related (universities, cities and counties, and state agencies). These 105 incidents exposed over 3 million records, with the cost estimated at an all-time high of $202 per record exposed, totaling $606 million dollars to recover from the attacks. This is why it is imperative for organizations to have a “multi-layered” approach to security to ensure these attacks remain unsuccessful or only do minimal damage and disruption.

Why is it even more important to have an IR plan than a DR plan?

Virtually every organization has a DR (disaster recovery) plan in place as they should. However, most organizations don’t have a detailed IR (incident response) plan in place for when their IT systems are impacted by malicious behavior from either external or internal causes.

Why is it potentially more important to have an IR plan in place vs. a DR plan? The answer is simple, statistics. According to several creditable sources, the percentage of companies in the United States who experienced an IT incident in 2009 related to a directed malicious attack from either an external source (malware, etc.) or internal source (privileged user, disgruntled employee) was 49% compared to less than 10% of organizations who actually activated and used their DR plan.

Over the last few years we, at PathMaker Group, have seen the number of incidents, and the impact from those incidents, dramatically increase in number and impact (both downtime and financial). Suprisingly, most organizations still don’t have a defined Incident Response team and procedures to address these issues in a timely fashion to reduce downtime and financial impact. Read more