Good to be back at RSA this year. There is a very optimistic outlook on innovation, economics and accomplishing what this industry is meant to do – find ways to protect data. The expo floor is full and sessions are jam-packed, so not only is that good for RSA, it's good for business.
It's clear from talking to everyone at RSA that no one has really nailed their mobile security strategy, much less their overall enterprise mobility strategy. It seems to be what's keeping people up at night, and it's an emerging threat in terms of exposing businesses to data breaches.
John Stewart of Cisco presented in a closed-door session at the ISSA CISO Forum that the "bring your own device" culture is starting to become unmanageable from a security perspective. He articulated a few issues organizations are struggling with, including securing mobile apps, security flaws in the embedded architecture of devices and, of course, the security implications of how providers are protecting endpoints and networks.
Talking to a few reporters, most notably Ericka Chickowski, who writes regularly for Dark Reading, mobile is on the minds of the press and analysts too. In fact, Ericka is following this topic closely and agrees that companies have known this was what they needed to focus on, but now they are really starting to do something about it, despite the fact that there isn't a generally agreed-upon set of standards that serves as the definitive best-practices model.
At a 451 Group breakfast, I was talking with a few of the analysts there who essentially said the same thing – all their clients are trying to figure out the best approach to solving this problem. There isn't enough research at this point to draw firm conclusions, but this is absolutely an issue the analysts are starting to prioritize much, much more.
One of the few sessions I wanted to attend was Jacob West of HP's insightful session on some of the trends in mobile software security. He pointed out that with mobile OSes, there's a less constrained problem space. And with the pace of deployment speeding up, developers have to learn a new set of skills to keep up and figure out how to build security into their methodologies.
Android applications seem to be giving a little more difficulty than iOS apps, based on the checks Google and Apple perform in their stores, but security could be the point of differentiation that sets one apart from the other in a positive way.
The key priorities around mobile software security are sensitive data, environment and configuration. And of course the key actors are the app owners, developers, manufacturers and OS providers, but the end users represent a wild card for any security organization.
Jacob then punctuated the presentation with some examples of the major threats/attacks, and offered some intelligence around each (it was nice to learn about these, BTW).
- Intent hijacking – apparently intents are how the OS and apps communicate. It's possible to install an eavesdropping app to hijack sessions. The use of explicit intents can help remediate this method.
- Sticky broadcasts – this is a special form of intent where if an app has access to modify one sticky broadcast on a device, it opens up access to pretty much any file on the system.
- SQL injection – we are repeating the same mistakes in mobile software that we made on web apps. He recommended using parameterized interfaces as a counter-measure.
- Promiscuous permissions – this means that apps are essentially asking other apps to do things, but the data accessed during those sessions isn't secured all the way through. This is becoming a favorite penetration tactic of attackers.
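To make the SQL injection point above concrete, here is an added example (written for this post, not code from Jacob West's session or from HP) showing the web-app mistake repeated against the kind of local SQLite store a mobile app keeps on the device, beside the parameterized query that fixes it. The table name, column names and sample rows are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample data: a small on-device notes table.

    Assumption: this stands in for the SQLite database an app ships with;
    the schema and rows are invented for the example.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    db.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "grocery list"), ("bob", "salary figures")],
    )
    db.commit()
    return db


def notes_for_owner_unsafe(db, owner):
    """The mistake carried over from web apps.

    The caller-supplied string is spliced into the SQL text, so it can change
    the structure of the query instead of acting only as a value.
    """
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]


def notes_for_owner_safe(db, owner):
    """The parameterized counter-measure.

    The SQL text is fixed; the value is bound separately by the driver, so
    whatever the string contains it is only ever compared against `owner`.
    """
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in db.execute(sql, (owner,))]


def compare(owner):
    """Run both variants on the same input and report what each returned.

    Returns a dict so the difference can be checked programmatically, which
    is the kind of regression check a mobile team can keep in its test suite.
    """
    db = build_db()
    return {
        "unsafe": notes_for_owner_unsafe(db, owner),
        "safe": notes_for_owner_safe(db, owner),
    }


if __name__ == "__main__":
    # A well-formed owner name behaves the same either way.
    print("alice:", compare("alice"))
    # A string that is SQL syntax rather than a name shows the difference:
    # the concatenated query returns every row, the bound query returns none.
    print("crafted:", compare("' OR '1'='1"))
```

The Android equivalent of the safe variant is passing the value through the `selectionArgs` parameter of `SQLiteDatabase.rawQuery` or `query` rather than building the SQL string yourself; the concatenated form is what code review should flag, regardless of platform.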
Questions you should be asking yourself: What do your apps do and for whom? What's your platform strategy? Who develops your apps? And very importantly from a process standpoint, do you have an SDLC? Do you rely on your platform provider or app distributors for security? Are mobile apps prompting back end changes? And lastly, are your apps appropriately permissioned?
Lots of questions here around this issue. We’re just scratching the surface on mobile security, but it seems the industry is paying attention now and folks are placing priority on getting ahead of this issue.