Tuesday, May 27, 2014

Mobile security best practices & Attack Surface



Information security experts are fond of the certain language they use to explore and explain the security threats that companies and organizations routinely face. One particularly interesting notion from this is that of an "attack surface," which identifies a potential point of attack on one's information or financial assets, intellectual property or ability to conduct business.
Because any successful attack brings with it a chance of financial loss, legal or regulatory infractions, or damage to reputation, best practices for dealing with attack surfaces mean limiting exposure to unwanted or uninvited access, hardening them against attack and imposing what's often called "defense in depth." This requires building multiple layers of protection around valuable stuff; if one layer gets breached, the bad guys aren't automatically handed the keys to the treasure vault.
All this makes security for mobile devices both important and vexing. The more that employees and contractors use mobile devices to access organizational systems, applications and data, the more important it is to protect such access. Furthermore, it's essential to prevent the mobile devices that are supposed to boost productivity and add to the bottom line from opening unauthorized means of access to information and other assets; this turns them into a danger and a possible drain on revenue instead.
Given that mobile devices are inherently moving targets used outside the organization's perimeter - and thus also outside its firewalls, threat management, spam and content filtering, and other tools used to keep evildoers at bay - it's vital to apply a battery of best practices to use of mobile devices to keep exposure to risk and loss to a minimum. As any security expert will tell you, though, there's a fine line between enough security to keep things safe and protected and a smothering blanket of security that gets between people and the jobs they must do.
Although it's challenging and comes with some costs, the following list of mobile security best practices can help protect mobile devices and their users from unwanted exposure or unauthorized disclosure of company or organization IP, trade secrets or competitive advantages. Some of these practices aim at securing the mobile devices themselves, while others aim to protect the data and applications with which mobile users need to interact. All will help reduce risk of loss or harm to your company or organization.
Anti-Malware Software: A quick look at new malware threats discovered in the wild shows that mobile operating systems such as iOS and (especially) Android are increasingly becoming targets for malware, just as Windows, MacOS, and Linux have been for years. Anybody who wants to use a mobile device to access the Internet should install and update antimalware software for his or her smartphone or tablet. This goes double for anyone who wants to use such a device for work.
Secure Mobile Communications: Most experts recommend that all mobile device communications be encrypted as a matter of course, simply because wireless communications are so easy to intercept and snoop on. Those same experts go one step further to recommend that any communications between a mobile device and a company or cloud-based system or service require use of a VPN for access to be allowed to occur. VPNs not only include strong encryption, they also provide opportunities for logging, management and strong authentication of users who wish to use a mobile device to access applications, services or remote desktops or systems.
Require Strong Authentication, Use Password Controls: Many modern mobile devices include local security options such as built-in biometrics - fingerprint scanners, facial recognition, voiceprint recognition and so forth - but even older devices will work with small, portable security tokens (or one-time passwords issued through a variety of means such as email and automated phone systems). Beyond a simple account and password, mobile devices should be used with multiple forms of authentication to make sure that possession of a mobile device doesn't automatically grant access to important information and systems.
Likewise, users should be instructed to enable and use passwords to access their mobile devices. Companies or organizations should consider whether the danger of loss and exposure means that some number of failed login attempts should cause the device to wipe its internal storage clean. (Most modern systems include an ability to remotely wipe a smartphone or tablet, but mobile device management systems can bring that capability to older devices as well.)
Control Third-party Software: Organizations that issue mobile devices to employees should establish policies to limit or block the use of third-party software. This is the best way to prevent possible compromise and security breaches resulting from intentional or drive-by installation of rogue software, replete with backdoors and "black gateways" to siphon information into the wrong hands.
For BYOD management, the safest course is to require such users to log into a remote virtual work environment. Then, the only information that goes to the mobile device is the screen output from work applications and systems; data therefore doesn't persist once the remote session ends. Since remote access invariably occurs through VPN connections, communications are secure as well - and companies can (and should) implement security policies that prevent download of files to mobile devices.
Create Separate, Secured Mobile Gateways: It's important to understand what kinds of uses, systems and applications mobile users really need to access. Directing mobile traffic through special gateways with customized firewalls and security controls in place - such as protocol and content filtering and data loss prevention tools - keeps mobile workers focused on what they can and should be doing away from the office. This also adds protection to other, more valuable assets they don't need to access on a mobile device anyway.
Choose Secure Mobile Devices, Help Users Lock Them Down: Mobile devices should be configured to avoid unsecured wireless networks, and Bluetooth should be hidden from discovery. In fact, when not in active use for headsets and headphones, Bluetooth should be disabled altogether. Prepare a recommended configuration for personal mobile devices used for work - and implement such configurations before the intended users get to work on their devices.
Perform Regular Mobile Security Audits, Penetration Testing
At least once a year, companies and organizations should hire a reputable security testing firm to audit their mobile security and conduct penetration testing on the mobile devices they use. Such firms can also help with remediation and mitigation of any issues they discover, which is sometimes the case. Hire the pros to do unto your mobile devices what the bad guys will sooner or later try to do unto you, and you'll be able to protect yourself from the kinds of threats they present.
Security, Mobile or Otherwise, Is a State of Mind: While mobile security may have its own special issues and challenges, it's all part of the security infrastructure you must put in place to protect your employees, your assets and, ultimately, your reputation and business mission. By taking appropriate steps to safeguard against loss and mitigate risks, your employees and contractors will be able to take advantage of the incredible benefits that mobile devices can bring to the workplace.
Just remember the old adage about an ounce of prevention. That way, you're not saddled with costs or slapped with legal liabilities or penalties for failing to exercise proper prudence, compliance and best practices.
Note: The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment.
The Attack Surface of an application is:
  1. The sum of all paths for data/commands into and out of the application, and
  2. The code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), and
  3. All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
  4. The code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
Attack Surface Analysis is intended to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack; it does not take into account attacks on the users or operators of the system (e.g. malware injection, social engineering attacks), and there is less focus on insider threats, although the principles remain the same. The internal attack surface is likely to be different from the external attack surface, and some users may have a lot of access.
How to find the "Attack Surface"
Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:
  • User interface (UI) forms and fields
  • HTTP headers and cookies
  • APIs
  • Files
  • Databases
  • Other local storage
  • Email or other kinds of messages
  • Run-time arguments
  • ... [your points of entry/exit]
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:
  • Login/authentication entry points
  • Admin interfaces
  • Inquiries and search functions
  • Data entry (CRUD) forms
  • Business workflows
  • Transactional interfaces/APIs
  • Operational command and monitoring interfaces/APIs
  • Interfaces with other applications/systems
  • ... [your types]
You also need to identify the valuable data (e.g. confidential, sensitive and regulated) in the application, by interviewing developers and users of the system, and again by reviewing the source code.

Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.
Attack Surface Analysis is usually done by security architects and pen testers. But developers should understand and monitor the Attack Surface as they design and build and change a system.
Attack Surface Analysis helps you to:
  1. identify what functions and what parts of the system you need to review/test for security vulnerabilities
  2. identify high-risk areas of code that require defense-in-depth protection: the parts of the system you need to defend
  3. identify when you have changed the attack surface and need to do some kind of threat assessment
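As an added example (not code from the original post or from the OWASP material it draws on), the following Python script applies the two procedures above to a constructed Flask-style source sample: it reads the code for the entry/exit points listed (form fields, headers, cookies, APIs, files, databases), buckets each handler into one of the functional types listed (login/authentication, admin, search, transactional API), and then diffs two revisions to flag where the attack surface grew and a threat assessment is due. The regex heuristics, route-type prefixes and sample application are all hypothetical.

```python
import re
from collections import Counter
# Constructed sample: two revisions of a small Flask-style app (not a real project).
OLD_SRC = """@app.route('/login', methods=['POST'])
def login():
    user, pw = request.form['username'], request.form['password']
    token = request.cookies.get('session')
    return db.execute('SELECT ... WHERE name=?', (user,))
@app.route('/search')
def search():
    return db.execute('SELECT ... WHERE name LIKE ?', (request.args.get('q'),))
"""
NEW_SRC = OLD_SRC + """@app.route('/admin/users', methods=['GET', 'POST'])
def admin_users():
    ua = request.headers.get('User-Agent')
    return open('/var/app/users.csv').read()
@app.route('/api/v1/orders', methods=['POST'])
def create_order():
    return request.get_json()
"""
# Entry/exit point kinds from the page's list, each with a source pattern (hypothetical heuristics).
ENTRY_PATTERNS = {
    'ui_form_field': r"request\.form\[", 'http_header': r"request\.headers",
    'cookie': r"request\.cookies", 'query_param': r"request\.args",
    'api_json': r"request\.get_json", 'file': r"\bopen\(", 'database': r"db\.execute",
}
# Route-prefix heuristics that bucket each handler into the page's functional types.
ROUTE_TYPES = [(r"^/login", 'login_auth'), (r"^/admin", 'admin'),
               (r"^/search", 'inquiry_search'), (r"^/api/", 'transactional_api')]

def inventory(src):
    """Map each route to its functional type and a count of entry/exit points per kind."""
    result = {}
    for chunk in re.split(r"(?=@app\.route)", src):  # one chunk per handler
        m = re.match(r"@app\.route\('([^']+)'", chunk)
        if not m:
            continue
        rtype = next((t for pat, t in ROUTE_TYPES if re.search(pat, m.group(1))), 'other')
        points = Counter({k: len(re.findall(p, chunk)) for k, p in ENTRY_PATTERNS.items()})
        result[m.group(1)] = {'type': rtype, 'points': +points}  # unary + drops zero counts
    return result

def surface_delta(old, new):
    """Routes or entry points present in new but not old: growth that needs a threat assessment."""
    added = {}
    for route, info in new.items():
        grown = info['points'] - old.get(route, {'points': Counter()})['points']
        if route not in old or grown:  # Counter subtraction keeps only positive counts
            added[route] = {'type': info['type'], 'new_points': dict(grown)}
    return added
```

Running `surface_delta(inventory(OLD_SRC), inventory(NEW_SRC))` reports only the new admin interface (a header and a file read) and the new transactional API (a JSON body), which is exactly the change a reviewer would want flagged.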