Tikit User Group Conference November 2017

Richard Roebuck

For my sins, I was tasked by your ever-enthusiastic Chairlady Jane to speak to you about maintaining compliance in the mobile era. Not the most exciting of topics I know, but given GDPR and the ever-increasing demand for mobility it's a topic that's certainly worth 30 minutes of our time today. It is a huge area, and one that we could without doubt spend the entire conference covering.

What I want to do today is try and share with you some of the main issues and concerns that you at least ought to be having these days when it comes to mobility – and that’s with or without the arrival of the GDPR.

It's plain to see, isn't it, that more and more of us use smartphones not only as telephones but for email, instant messaging, IP telephony and even to plan and organise our work schedules and private lives. Within the firms we ourselves work with, these technologies are causing profound changes in the way in which information systems are organised and accessed, and have become a source of new and not insignificant risk. Indeed, we're using smartphones to collect and compile an increasing amount of sensitive information to which access must be controlled, to protect the privacy of the user and, moreover, the intellectual property and client-related data of the practice.

Much of the control that needs to go into place around GDPR, as we've heard a number of times today, centres on policy and business process, and as such isn't an area that should be under the purview of your IT people alone. Though if they are on the ball I can see a few of them using GDPR as a reason to get more money out of your Partners! It is an area, though, that will require closer communication between business managers and their IT teams.

From the many people I have spoken with on this particular subject, it seems that most know the basics but find it hard when it comes to approaching such things as policy design and process. I can understand this, especially within the mobile arena, where it can be hard to understand what it is we are actually trying to achieve and where the vulnerabilities we wish to avoid and protect ourselves against actually exist.

The fact is that with mobility there are vulnerabilities everywhere. By definition, controlling access to data whilst on the move, or even accessing centralised data whilst on the move, is a tough proposition, because we're on the move and not sat in the office within our hopefully well-protected, well-firewalled networks. Other problems rise to the surface when we start to consider how we control these things when staff members use their own devices for business-related purposes.

The smartphone is a phenomenon the likes of which we haven't seen before. The adoption rate and the advancement of the technology itself have been unprecedented and seem unstoppable. Look how far it has all come since the first BlackBerry hit the streets. The problem is that as the technology has advanced, so has the sophistication of the scams, hacks and exploits. We have adopted bad habits that the budding hack-trepreneur will exploit without fear. To bring about good usage policy, governance and compliance, I think we first need to understand at a more fundamental level where the weaknesses actually are.

Threats

Let’s look at the threats in a little more detail then.

First of all, I'd like you all to think about your smartphones and mobile devices in a new light. Don't consider it as your lifeline to the world, your artificial heart, the thing you can't live without for fear of missing out. Think of it as a time bomb in your pocket or handbag, a device that can hurt you and your firm in the most unimaginable ways if one day, metaphorically speaking, it explodes.

Though many of the threats that exist today are geared toward illicitly or fraudulently obtaining your own hard-earned cash, which we could also spend the rest of the day on, there are many threats designed to gain access to information, either locally on your device or by using your mobile device to gather intelligence in a bid to access data stored within your corporate environment.

These threats can disrupt the operation of the device itself, and transmit or modify user data. On that basis, applications, or apps as we know them, must at a very basic level guarantee the privacy and integrity of the information they handle. In addition, since some apps could themselves be malware, their functionality and activities should and must be limited. For example, from a policy perspective you should consider how you restrict certain apps from accessing location information via GPS, or ensure that apps are blocked from accessing the user's address book. How many people in the room (and don't show me your hands) have banking details, PIN numbers, alarm codes and other such information stored against a contact? I'm guessing quite a few, and if it's not you, there will be many within your organisations that do this.

For company mobile devices, you may therefore wish to consider a policy provision that prevents the downloading of any app unless its business case has been made and centrally approved. How will you tackle this for staff with their own devices? This really needs careful thought. Maybe, at the end of the day, GDPR spells the end of the popularity of BYOD simply because it's hard for us to control a device owned and paid for by its user.

So, if you need any further convincing of how clever some of these exploits are, let me give you just one example, and quite a scary one, that was originally made public in mid-2014 and specifically affected Android phones.

Discovered by a small security firm, Bluebox Security, this was an exploit dubbed 'FakeID' which offered a way for a malicious app to hijack the trusted status of a legitimate app, effectively escaping any security on the device. The flaw was that Android's package installer did not actually verify the signatures in an app's certificate chain: a malicious app could simply include a certificate claiming to have been issued by a trusted vendor's signing certificate, and the system believed it, granting the app whatever privileges that vendor's apps enjoyed. In other words, this hack turned the very mechanism that vendors rely on to establish an app's legitimacy against itself. This problem affected every Android phone running software versions 2.1 to 4.3 of the operating system; that's a lot of releases. The conclusion: we should find it hard to trust even the most trusted of sources and must question absolutely everything.
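To make concrete what went wrong in FakeID, here is an added illustration in Go; it is not Bluebox's research code and not Android's own verifier, and the CA, app names and keys are all constructed for the example. It builds a trusted signing CA, an app certificate genuinely issued by that CA, and a forged app certificate that merely names the CA as its issuer while being signed with the attacker's own key. A check that trusts the issuer name written inside the certificate, the class of mistake FakeID exploited, accepts both; a check that verifies the signature against the CA's public key, which is what a correct verifier does, rejects the forgery.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkKey generates a fresh P-256 key pair; every party gets its own.
func mkKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for public key pub using the signer's private key. The
// certificate's Issuer field is copied from parent.Subject, which is exactly
// the field an attacker can fill with any name they like.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildScenario returns a trusted CA, a leaf genuinely issued by it, and a
// forged leaf that only claims the CA as issuer (all constructed for this example).
func BuildScenario() (ca, legit, forged *x509.Certificate) {
	caKey, legitKey, evilKey := mkKey(), mkKey(), mkKey()
	now := time.Now()

	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Trusted Vendor Signing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root

	leafTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}
	}

	// Genuine: the CA's private key signs the app's certificate.
	legit = issue(leafTmpl(2, "Legitimate App"), ca, &legitKey.PublicKey, caKey)

	// Forged: the attacker has no CA key, so it signs with its own key but
	// names the CA as issuer via a stub "parent" that carries only the name.
	claimedParent := &x509.Certificate{Subject: ca.Subject}
	forged = issue(leafTmpl(3, "Evil App"), claimedParent, &evilKey.PublicKey, evilKey)
	return ca, legit, forged
}

// TrustedByIssuerName is the flawed check: it believes the issuer name the
// certificate asserts about itself. This is the class of bug FakeID exploited.
func TrustedByIssuerName(leaf, trusted *x509.Certificate) bool {
	return leaf.Issuer.String() == trusted.Subject.String()
}

// TrustedBySignature is the correct check: the trusted CA's public key must
// verify the signature over the leaf's to-be-signed data.
func TrustedBySignature(leaf, trusted *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(trusted) == nil
}

func main() {
	ca, legit, forged := BuildScenario()
	for _, c := range []*x509.Certificate{legit, forged} {
		fmt.Printf("%-15s claims issuer %q: trusted by name=%v, by signature=%v\n",
			c.Subject.CommonName, c.Issuer.CommonName,
			TrustedByIssuerName(c, ca), TrustedBySignature(c, ca))
	}
}
```

Run it and both certificates report the same issuer name, so the name-based check waves both through, while the signature check accepts only the one the CA really signed. The lesson for anyone building or buying a verifier is the same one Android had to learn: a name inside a certificate is a claim, and only a signature that chains to a key you already trust turns it into evidence.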

Smartphones are complex beasts and are highly customisable. Many things take place on a smartphone that the average user may not be immediately aware of. An iPhone syncing your entire life to iCloud, for example, proudly prompting you to give Apple some money so you can have more space to unwittingly send them more of your stuff. Now, perhaps that's a risk you're prepared to take as an individual, but what about work-related material? Again, contacts and items of data that identify you can be further exploited to gain access to corporate information.

We are the weakest link!

It's important to understand that a device or its contents can easily be associated with a specific person, i.e. you, the owner or user. Every mobile device can transmit information related to its owner or to the holder of the phone contract, which an attacker may then use to steal the identity of the user and perpetrate further offences. To emphasise that point in today's GDPR-related context: perpetrators use what they have learned from you to access your corporate data, whereafter they can exploit not just you as an individual, but all the people whose information you store or process.


So then, what sorts of attack can we be the unwitting victim of?

Botnets: attackers infect multiple machines with malware that victims generally acquire via email attachments or from compromised applications or websites. The malware then gives the attackers remote control of your device, which can be instructed to perform harmful acts.

Malicious applications: which we touched upon earlier, where hackers upload malicious programs or games to third-party smartphone application marketplaces, outside the official stores such as Apple's App Store or Google Play. The programs steal personal information and open backdoor communication channels directly to your device, again to gather intelligence and perpetrate further attacks.

Malicious links: on social networks and in email, we've all seen them. This is a highly effective medium via which to spread malware, where hackers can place Trojans, spyware and backdoors that you simply won't see. We all remember the NHS grinding to a halt in May 2017, though it is worth remembering that the WannaCry ransomware responsible spread between machines mainly by exploiting an unpatched Windows file-sharing flaw, so keeping devices patched matters as much as not clicking.

Spyware: hackers use this to hijack phones, allowing them to listen to calls, read text messages and emails, and track someone's location through GPS updates.

Your policies need to cover accepted usage practice in all of these areas. What will or won't you accept a staff member doing on Facebook on a mobile device, be that a smartphone, tablet or laptop? Would you even allow the Facebook app to be downloaded? If so, how will you or your IT department control this?

Outside of this, and more specific to smartphones than to laptops, attacks can also exploit the alternative communication channels we are particularly drawn to, for example the Short Message Service, or texting as we all like to call it. Embedded links in a text enticing you to click can have the same devastating effect as those buried in emails. Such things are far harder to control on SMS and instant messaging services, where email-filtering gateways such as Mimecast have little or no effect. So what practices will your policies allow when it comes to texting?

Other communication methods that can be exploited are the Multimedia Messaging Service (MMS), WiFi, Bluetooth and the more general GSM traffic. Beyond this, keep in mind that, as with standard desktops and laptops, there are also exploits that target software vulnerabilities in browsers and operating systems, including zero-day exploits for which no patch yet exists.

Habits

Hands up, how many of us, as soon as we arrive at a new venue, hunt down the WiFi name and jump straight on? How often do we think about what that may mean? Did we have to enter an email address? Did they want us to provide a password for future logons? If so, what password did you use: the one you always use? If you were in a pub or restaurant, what other items of personal information did you give them? These are questions we must ask ourselves daily. If we don't, you may one day find that you have just given away the keys to your workplace castle.

Do you just go onto WiFi as a matter of course, or do you pause and ask yourself: have I a need to do this, have I got a good 3G or 4G connection?

What do we think about the owner of the WiFi hotspot we're about to connect to? How diligent are they? How do we know they haven't been penetrated, and if they have, what are the ramifications if the information you transmit via them is stolen and misused?

For commercial reasons, we make legitimate use of management tools within our own hosted environments: applications that can show us, when necessary, what streams up and down our cables and WiFi airwaves. Such software is easy to purchase and can be used by a relatively inexperienced operator. In the wrong hands, on a hotspot you don't control, the same tools read anything your device sends that isn't encrypted in transit, and even encrypted traffic reveals which services you are talking to.

Shouldn't we be asking ourselves: if I have 3G/4G service available, why wouldn't I use that? That's one less piece of someone else's equipment between ourselves and the online world, one possible point of weakness removed. Should your policies dictate that 3G/4G is always used when available, in preference to public WiFi?

Now, not all the unwanted impositions perpetrated on us are a direct result of misusing software technology. Some methods are far more old-fashioned. Again, they exploit our human weakness, especially in environments where we feel secure. As far back as 2010, researchers from the University of Pennsylvania investigated the possibility of recovering a device's unlock pattern through what's known as a smudge attack (literally photographing the finger smudges on the screen to discern the user's pattern). Under ideal lighting and camera conditions they were able to fully recover the Android unlock pattern 68% of the time. Put another way, under those conditions that's 68 phones out of every hundred stolen. Whilst you're sat in your favourite coffee bar typing away, sipping on a double decaf-half-caf skinny latte and feeling secure, imposters may be shoulder surfing, watching specific keystrokes or pattern gestures to gain your device's password or passcode: an extension of stealing your debit card PIN whilst you're at the cash point, and we all know someone who has had that type of problem.

The consequences of our actions, and many a time our inaction, really can be profound and untold, and place an immense amount of strain, worry and personal pressure upon us.

Before we move on to what else we can do to protect ourselves, let’s spend a final moment or two to summarise what can happen if we fall victim to a hack or unwarranted access to a mobile device.

  • The attacker can use the smartphone or mobile device as a zombie machine, that is to say, a machine with which the attacker can communicate and to which commands can be sent, which will be used to send unsolicited messages, perhaps to one of your clients, enticing them to reveal further personal information about themselves: a definitive issue under GDPR.
  • A compromised smartphone can record conversations between the user and third parties, in other words your clients for example; the ramifications of the misuse of such content are to me unimaginable.
  • An attacker can also steal a user's full identity with a copy of the user's SIM card, or even the telephone itself, and is thus able to impersonate you, the owner. This raises security concerns in countries where smartphones can be used to place orders, view bank accounts or serve as an identity card. A good number of European countries that will also be operating under the auspices of GDPR make full use of such technology today.
  • The attacker can remove your personal photos, music, videos, etc., or indeed professional data including contacts, calendars, notes and email.

Those are just a few broad-based examples that sprang immediately to mind as I was collating the material for today. Perhaps the largest horror for me, and I have seen the devastation caused first hand, is when a number of these techniques are put together and used in combination with each other. This is true organised crime and really is highly prevalent, here and now.

At this point, then, have we perhaps arrived at a conclusion that says "the cost of not controlling the way such services are accessed and used could far outweigh the perceived benefits"?

Ok, so other than looking at our own habits more closely, distrusting everything and everyone, and introducing good policy and procedure, what else can we really do to help ourselves, especially when things go wrong?

We can buy some more IT services to help us police our IT services!

Hear that groan! I said the IT guys would find their moment.

Seriously, there is now one service that no firm should be without these days, as important as your anti-virus and backup solutions, and that is an endpoint and mobile device management solution.

An endpoint management solution, in a nutshell, helps you manage, govern and control any device connected to your network (an endpoint). When we talk about managing, in this particular case we mean electronically maintaining asset registers, keeping control of installed software applications from a licensing perspective, and giving administrators the ability to shut devices down, restrict access and so on. Think of it as an elevated or augmented, automated IT asset maintenance service.

The inclusion of an MDM (mobile device management) solution extends your asset inventory reach well beyond your own networks to include some of those more difficult areas we have touched upon, like BYOD (bring your own device) and COPE (corporate-owned, personally enabled) devices.

Although the mobile device management (MDM) and the broader endpoint management markets are still mostly separate, there are a number of vendors and service providers that offer both endpoint and MDM capabilities as a cohesive solution.

Is an Endpoint Management Solution Right for Your Business?

Now that you have an understanding of what endpoint management is, you should determine what type of solution is right for your business. To help you decide, consider the following questions that will hopefully help you come to the right conclusion.

  1. What technology is my organisation using today?
  2. How much of this technology is being used, and how frequently?
  3. Will our risks increase or decrease as a result of this technology?
  4. Do I have a need for both endpoint and MDM solutions?
  5. Have I got the necessary in-house skills to manage and maintain an endpoint and/or MDM solution?

These solutions can be purchased outright or bought in as a service, and are usually charged for on a per-endpoint or per-mobile-device basis. Again, I could occupy the rest of the conference looking at this side of mobile management in much more detail, but I'm afraid that's my time with you fully, but hopefully well, spent. I am around for the rest of the day and evening, as are a number of my colleagues from Accesspoint, so given the time pressure right now, please do come and find any one of us afterwards with your questions or to discuss any problems you have in this area.