With today’s increasing Mobile Enterprise Security Threats, do you have a strategy to mitigate the risk on your Corporate Network?

Corporations are increasingly utilizing mobile enterprise systems to meet their business objectives, allowing mobile devices such as smart phones and tablets to access critical applications on their corporate network.  These devices provide advanced technologies over traditional desktop clients, such as: information sharing, access from anywhere at any time, data sensors, location, etc. But what makes these mobile devices desirable, by their very nature, also poses a new set of security challenges.  Reports by research agencies in recent years show an alarming trend in mobile security threats listing as top concerns: Android malware attacks, and for the IOS platform issues with enterprise provisioning abuse and older OS versions.

These trends highlight the need for corporations to start taking seriously a mobile security strategy at the same level to which cyber criminals are planning future attacks. A mobile security strategy might involve adopting certain Mobile Security Guidelines as published by standards organizations (NIST) and Mobile OWASP project. See the references at the end of this document:

The following guidelines are a subset of Mobile Security Guidelines I pulled from various published sources with most coming from NIST. It is by no means a comprehensive list, however they can be considered as a starting point or additional considerations for an existing mobile security strategy.

1 – Understand the Mobile Enterprise Architecture

You should start with understanding and diagramming the flow from mobile application to business applications running on the back-end application server. This is a great starting point and should be done at the beginning stages, as most of the security guidelines will depend on what is known about the architecture.

  1. Is the mobile application a native application or mobile web application? Is it a cross-platform mobile application?
  2. Does the mobile application use middleware to get to the back-end API, or does it connect directly to a back-end Restful based Web Service?
  3. Does the mobile application connect to an API gateway?

2 – Diagram the network topology of how the mobile devices connect

Is the mobile device connecting to the business application servers over the cellular network or internally through a private WiFi network, or both? Does it go through a proxy or firewall? This type of information will aid in developing security requirements; help with establishing a QA security test bed and monitoring capability.

3 – Develop Mobile Application Security Requirements

At a high level, a security function must protect against unauthorized access and in many cases protect privacy and sensitive data. In most cases, building security into mobile applications is not at the top of the mind-set in the software development process. As such, these requirements should be gathered as soon as possible in the Software Development Life Cycle (SDLC). It has been my personal experience in many cases that you have to work with application software developers in adopting best security practices. So the sooner you can get that dialogue going the better. Security objectives to consider are:  Confidentiality, integrity, and availability. Can the mobile OS platform provide the security services required? How sensitive is the data you are trying to protect. Should the data be encrypted in transit, and in storage? Do you need to consider data-in-motion protection technologies?  Should an Identity and Access Management (IDAM) solution be architected as part of the mobile enterprise system? Should it include a Single Sign On functionality (SSO)? Should there be multi-factor authentication, role based or fine-grained access control? Is Federation required? Should the code be obfuscated to prevent reverse engineering?

4 – Incorporate a Mobile Device Security Policy

What types of mobile devices should be allowed to access the organization’s critical assets. Should you allow personal mobile devices, Bring Your Own Devices (BYOD’s) or consider only organization-issued or certified mobile devices to access certain resources? Should you enforce tiers of access? Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and BYOD’s by enterprise users. These technologies can remotely wipe the data or lock the password from a mobile device that has been lost or stolen. Should Enterprises consider anti malware software and OS upgrades to become certified mobiles on the network? To reduce high risk mobile devices, consider technologies that can detect and ban mobile devices that are jail broken or rooted, as these can pose the greatest risk of being compromised by hackers.

5 – Application Security Testing

According to a study performed by The Ponemon Institute, nearly 40% of 400 companies surveyed were not scanning their applications for security vulnerabilities, leaving the door wide open for cyber-attacks. This highlights the urgency for security teams to put together some sort of security vetting process to identify security vulnerabilities and validate security requirements as part of an ongoing QA security testing function. Scanning application technologies typically conduct two types of scanning methods: Static Application Security Testing (SAST) which analyzes the source code and Dynamic Application Security Testing (DAST), which sends modified HTTP requests to a running web application to exploit the application vulnerabilities. As the QA scanning process develops, it can be automated and injected into the software build process to detect security issues in the early phases of the SDLC.

6 – System Threat Model, Risk Management Process

What will typically come out of the application scanning process will be a list of security vulnerabilities found as either noise, suspect or definitive.  It will then be up to the security engineers knowing the system architecture and network topology working with the application developer to determine whether the vulnerability results in a valid threat and what risk level based on the impact of a possible security breach. Once the risk for each application is determined, it can be managed through an enterprise risk management system where vulnerabilities are tracked, fixed and the risk brought down to a more tolerable level.

7 – Consider implementing a Centralized Mobile Device Management System

Depending on the Mobile Security Policy that is in place, you may want to consider implementing a Centralized Mobile Device Management System especially when Bring Your Own Device (BYOD) mobiles are in the mix that can:

  • For mobile devices, manage certificates, security setting, profiles, etc through a directory service or administration portal.
  • Policy based management system to enforce security settings, restrictions for organization-issued, BYOD mobile devices.
  • Manage credentials for each mobile device through a Directory Service.
  • Self service automation for BYOD and Reducing overall administrative costs.
  • Control which applications are installed on organization-issued applications and check for suspect applications on BYOD mobile devices.
  • A system that can remotely wipe or lock a stolen or loss phone.
  • A system that can detect Jail-broken or rooted mobile devices.

8 – Security Information and Event Management (SIEM)

Monitor mobile device traffic to back-end business applications. Track mobile devices and critical business applications and correlate with events and log information looking for malicious activity based on threat intelligence. On some platforms it may be possible to integrate with a centralized risk management system to specifically be on alert for suspicious mobile events correlated with applications at higher risk.

References:

A Sobering Day for All CEOs

Sadly, the CEO presiding over Target during the recent data breach resigned today.  See USA today article.

This series of unfortunate events for Target begs a key question relating to the risks every company CEO faces today. Did Target leadership ask the right questions about overall IT security and the risk every company faces?

Protecting a company from Cyber bad guys is a never ending battle.  It’s a game of leap frog with some serious consequences if you get behind.  With all the opportunity for full-time, professionally paid, government backed hackers to spend all day every day figuring out new ways to wreck a company, the priority for combating this enemy needs to be pretty high on the list for every CIO and CEO.  But it’s not just about spending all the money you can afford to spend.  It’s about understanding where to spend the money on the right technology.

How do leaders responsible for protecting a company sort out all the noise from the real threats?  This has become a constant exercise in analyzing risk and applying financial priorities accordingly.

As fast as the bad guys are coming up with new ways to exploit a target, new innovative minds are working to counter their moves.  Many of these great technologies are being folded into a portfolio of products and solutions that can be layered across an enterprise to protect and prevent the latest threats from creating the worst kind of headlines.

IBM has been on a major buying spree for the last several years snapping up some of the best and brightest technologies and resources across the globe.  They are quickly assembling an array of tools that are being shaped into the worlds best security risk analysis platform.  By leveraging this risk-based assessment direction, IT leaders can depend on technologies that will not only provide the intelligence about where to address risk, but can be assured that these technologies are probably the best that money can buy.

IBM is currently the third largest security company in the world with the goal of being the largest and the best.  As a Premier IBM Business Partner, we see this investment first hand.  See ComputerWorld’s perspective.

PathMaker Group serves our customers by planning, implementing, and managing these security solutions across the enterprise.  IT Security is a rapidly changing, complex business and our partnership with IBM helps us keep our customers one step ahead of the bad guys.

Target Data Breach

How did they pull it off and how can you safeguard your environment from a similar event?

The Target Stores data breach started by exploiting a vulnerability in an externally facing webserver.  Once inside, hackers took command of an internal server and planted malware on the Point of Sale devices in stores all over the US.  The harvested data was stored internally until the hackers reached back in to grab the millions of credit card account records that were stolen.  More details can be found at http://krebsonsecurity.com/

With the tools available today, how could this event happen?  What can you do to safeguard your environment from a similar incident?

PathMaker Group recommends the following measures:

  1. Assess the overall security posture of your organization.  Our company provides a rapid assessment covering 16 security domains enabling you to understand where you may have major gaps.  We can help you prioritize these gaps to help you to maximize your risk mitigation.
  2. Test your environment (and your website code) for vulnerabilities.  External and internal penetration testing is a necessary starting place, but if you develop your own website code, scanning your application code prior to releasing the system to production is essential as these techniques and tools will surface many more vulnerabilities.  We can help with both of these services.
  3. Leverage security intelligence technologies to correlate and identify suspect events before massive damage can occur.  We can rapidly deploy an industry leading solution for you in a matter of days including setting up a managed service.

For help or more information, please contact PathMaker Group at 817-704-3644

Keith Squires, President and CEO, has been in high demand by the media to add insight to this recent news.  Radio and television news interviews, including CBS National News, are available to view at the following link:

http://www.pathmaker-group.com/home/pathmaker-group-news/

Have you had your Security Wellness Check?…

So you think your organization is secure . . . think again! IBM X-Force 2013 mid-year report says that many of the breaches recently reported were a result of “poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.” Covering the basics is exactly what we help companies achieve through our “SecurePath” 16 domain rapid security assessment. In one week we can review your security posture, cover all your bases and help you prioritize the big security gaps in your environment.

Application Security Webinar

 Presented By:

  • Tony Vera, Senior Certified Security Specialist at IBM.
  • Ryker Exum, Information Security Consultant at PathMaker Group
  • Jason Bellomy, Manager of North American Sales for IBM’s Application Security Segment

In this 50 minute webinar you will:

  • Learn about the top security vulnerabilities that have yet to be addressed
  • See common live hacking scenarios
  • Hear about the current trends in mobile app security
  • Learn how to get a free security assessment for your company

About the key presenter, Tony Vera:

Tony is a Senior Certified Security Specialist at IBM. Since joining IBM in 1995 Mr. Vera has worked as a technical professional, with a wide range of clients in all aspects of the software engineering lifecycle. This work requires skills in the areas of product technical competencies, training, project management, contemporary software engineering technologies, and most recently, application security.

About Ryker Exum:

Ryker is an information security consultant with the Dallas, Texas based consulting firm PathMaker Group. He received his MBA and a graduate certificate from the NSA accredited, University of Dallas Information Assurance program. He holds several professional security certifications including CISSP, OSWP, CEH, and SSCP.

About Jason Bellomy:

Jason manages North American Sales for IBM’s Application Security segment. For 3.5 years he has led the Application Security Sales Team and helped integrate two IBM acquisitions, Watchfire and Ounce Labs, that make up the current IBM Application Security Portfolio.

CUNA website attacked and user data exposed

Team GhostShell has released the data acquired through more successful attacks against a wide variety of websites. Victims include the Credit Union National Association (CUNA) and several other companies and government organizations. Initial estimates put the total number of leaked CUNA website usernames and MD5 hashed passwords at around 46,500. Many of the hashed passwords have already been cracked and were included in the release. The data released also included full names and physical addresses as well as individual names tied to phone numbers.

This attack was just the latest example of what can occur when your website has not been tested thoroughly for SQL injection (SQLi) and other vulnerabilities on a regular basis. SQLi occurs when an attacker finds a vulnerable or poorly protected website and passes commands directly to the backend database. When an attack is successful the effect can be a devastating disclosure of personal information. This type of attack has been documented time and time again and remains one of the top vulnerabilities listed in the OWASP top ten. (https://www.owasp.org/) Any company that maintains sensitive information on individuals should regularly have trusted third party security firms review the current security status of their websites through penetration tests.

Best practices recommend a penetration test be conducted at least annually to ensure security of your website has not been compromised by any changes that have occurred since the last test. Many of today’s websites utilize content management system like WordPress, Drupal, Joomla, etc. Content management systems (CMS) like this are regularly tested by both users and developers to ensure their security. However many vulnerabilities found on websites today will actually stem from plugins or software add-ons installed by the end user to the CMS platform. Unfortunately not all plug-ins are properly tested for security by their developers. We at PathMaker Group have found that even after being notified of a security vulnerability many customers will not implement a fix for some time leaving their website vulnerable to attack.

Another issue that stands out from this latest attack is the ability for users to set weak, dictionary based passwords on their accounts. Many of the cracked passwords were comprised of a single lower case word found in any standard English dictionary. This is not a recommended security best practice configuration. User account passwords must be administratively required by the system to be strong in nature. For example, a reasonably strong password should contain at least 12 characters comprised of UPPERcase, lowercase, numb3rs, and $pecial characters. By allowing your users to store weak passwords, you may be allowing attackers authenticated access to your systems. This can lead to a PR nightmare for both you and your client.

PathMaker Group can provide professional security testing of your current security controls including penetration testing of your websites. Talk to us about becoming your partner in defending your most valuable assets. Click the “Contact Us” button on the right to get in touch with a security expert who can assist with your annual security testing and provide guidance on securing your business from outsider attack.

We have not included link to the data exposed by Team GhostShell due to the sensitivity of the included data and respect for those who have been affected.

Update:
CUNA has now confirmed the attack via press release: http://www.cuna.org/newsnow/12/system121012-8.html

Included is a statement from CUNA President/CEO Bill Cheney.“We do not believe any sensitive personal information from our web site was accessed, however, we are contacting all users of our website to advise them of the breach. Further, we will continue to analyze the information posted online by the (hackers) group, as well as continue to validate that no other risks exist. We will also continue to monitor our website and take increased security measures to ensure it is safeguarded.”

Using WebSphere Process Server in your SOA Infrastructure

WebSphere Process Server (WPS) is the runtime engine for artifacts produced in a business-driven development process.   It allows orchestration of business assets into highly optimized and effective processes to meet business goals.  It is a single, integrated, runtime foundation for deploying service-oriented architecture or SOA based business processes.  Built on open standards, it deploys and executes processes that orchestrate services (people, information, systems, and trading partners) within your SOA or non-SOA infrastructure.  It helps increase efficiency and productivity by automating complicated processes that span people, partners, and systems.  It helps cut costs by enabling flexible business processes with reusable assets, thus reducing the need to hard-code changes across multiple applications.  It has the ability to track the state of process instances, handle human intervention, and deal with exceptions.

WPS is mounted on top of WebSphere Application Server (WAS) with its robust J2EE runtime and offers a new level of abstraction so the task of integrating applications and services becomes much easier. Read more