This content is part of the Essential Guide: Lock down enterprise mobility and security

Mobile Data Loss: Threats and Countermeasures

In this excerpt from chapter three of Mobile Data Loss, author Michael T. Raggo discusses mobile security countermeasures.

Mobile Data Loss

The following is an excerpt from Mobile Data Loss: Threats and Countermeasures by author Michael T. Raggo and published by Syngress. This section from chapter three explores countermeasures to mobile security threats.

So far I've outlined many of the mobile device threats that could lead to data loss. Fundamentally, when considering data loss one must encompass data-at-rest and data-in-motion to ensure confidentiality and integrity of the data. But a mobile device is more sophisticated than that. This involves protecting data on the device, data in the app, and data over the network (Figure 3.1).

Fortunately, mobile devices and complimentary products leverage new features in the mobile operating systems not previously found in traditional PCs. Let's continue by detailing these newer features and outline countermeasures to many of these aforementioned threats.

Mobile OS compromise

In the previous chapter I outlined a myriad of ways in which a mobile device can become compromised. There are multiple approaches for detecting and mitigating this threat. First, the EMM client should provide ways to identify an OS compromise locally on the device, and then report that back to the console. In response, the administrator should have a policy to quarantine devices when a compromise is detected. This automation should allow the console to send down a Selective or Full Wipe of the device. A selective wipe would remove the enterprise data only, while leaving the personal data alone. A full wipe of course wipes the entire device back to factory defaults, and is typically only suited for corporate-owned devices. Selective wipes can be accomplished in a few ways. One way is to remove the previously deployed configuration profiles such as email, Wi-Fi, VPN, etc. Additionally, managed apps and/or their data can also be removed (note that this capability varies across the different mobile operating systems). When using a container, the selective wipe would purge the container itself.

mobile data loss protection
Figure 3.1 Mobile Data Loss Protection Triad

Also, when a compromised device is detected, other lockdowns can occur. For example, the mobile device can also be automatically blocked from remote access to the network by a secure mobile gateway, until the device is brought back into compliance. The same can be done for the local network. A similar approach can be employed with NAC (Network Access Control), where the NAC solution checks in with the MDM/EMM when a device connects to the network to determine its security posture and if it's a registered device. If out of of cloud services, EMM integration with Azure Active Directory can compliance, the NAC can block access similar to a secure mobile gateway. In terms block rogue and out-of-compliance devices from accessing Office 365.

It's important to note that there's an issue not addressed by the aforementioned countermeasures that is lost or stolen devices. Assuming the lost or stolen device remains on the network, the EMM can still receive threat notifications from the EMMclient and issue a quarantine to protect corporate data with a selective wipe. But if the device is a Wi-Fi-only device and it's no longer on theWi-Fi, how does the EMM still quarantine the device? If it's off the network, the EMMloses visibility into the device.

More recently some EMM products have added offline policies that can reside on the device, specifically when using a container solution for your enterprise data. The local EMM client can still look for the same types of OS Compromise threats, but now when a threat is detected it doesn't need to "phone-home" to the EMM management console to receive a quarantine command. Instead a local policy selectively wipes the container. This is particularly helpful in organizations that have many Wi-Fi-only mobile devices. In fact, the PCI Council added this to its Mobile Point-of-Sale (POS) "Mobile Payment Acceptance Security Guidelines v1.1, July, 2014.1"

Mobile Data Loss

Author: Michael T. Raggo

Learn more about  Mobile Data Loss from publisher Syngress

At checkout, use discount code PBTY25 for 25% off this and other Elsevier titles

Most recently in Windows 10, the operating system now performs a device health check to validate the integrity of the device during the bootup process. This can then be reported to the MDM or EMM and used to block access to corporate resources.

Summary of Mobile OS Compromise Countermeasures:

  • PIN or Password enforcement
  • Encryption
  • Containerization of enterprise data
  • OS Compromise detections (Jailbreak and Root detections) and Quarantine
  • Online selective wipe
  • Offline selective wipe
  • Out-of-compliance device triggers the network gateway to block access

Malware and risky apps

Based on the plethora of threats I outlined in chapter "Understanding Mobile Data Loss Threats," it's important to detail an approach to deterring malware and risky app behaviors. Since we know that iOS is no longer immune to malware threats, a comprehensive mobile security strategy should address these threats across all of your mobile devices.

Anti-virus alone has taken a backseat to more comprehensive mobile malware security products. The reason for this is that on a mobile device anti-virus is just another app, and therefore the sandboxing limits its ability to remove a malicious app, limiting it to alert the user and rely on them to remove it. This is very different from the PC world where we've always relied on anti-virus to both identify the threat and remove it.

Due to this shortcoming of anti-virus alone, a new group of products has emerged referred to as App Reputation and Mobile Threat Prevention. This is a broad exploding category of products designed for mobile threats. The key difference here is that they all integrate with the EMM to leverage the EMM's ability to respond to an identified threat with a quarantine.

App Reputation commonly uses the EMM app inventory of the mobile devices under management and correlates it against their database of known malicious and risky apps. It will then report on malicious or risky behaviors for each app, either in its own console or also in the EMM console to give the administrator a single monitoring dashboard. The App Reputation may then feed into an EMM App blacklist to spawn a quarantine. It may also tie into APIs to allow profiles to be removed from the device and selectively wipe corporate data.

Mobile Threat Prevention is also a broad category of products that rely largely on an anti-virus-like app on the device that may include some intrusion detection features, malicious app behaviors, and more. These products can also integrate with an EMM to kick off a quarantine when a threat is identified on a mobile device. Furthermore, some of the features between App Reputation vendors and Mobile Threat Prevention vendors have also begun to overlap. Some App Reputation vendors have added an app to analyze local behaviors on the device, thus providing a more defense-in-depth approach.

These products are changing quickly with more features always being added. App Reputation and Mobile Threat Prevention solutions are very important to an overall Mobile Security Strategy as concerns about malware continue to increase.

Access control and conditional access

Ensuring the network is secure for remote access is key in a mobile world. Traditionally in the PC world this has been delivered through a remote access VPN. Mobile requires a more mobile aware secure gateway. This gateway can control access to resources such as ActiveSync or Lotus Notes email. In addition, it can control access to content, internal web services, and application servers. Access control is performed by authenticating the user and the device.

When a device is under MDM or EMM management, the management system can collect hardware and software information about the device. This is key to eliminating impersonation and cloned devices, and

Thwarting a MitM attack
Figure 3.2 Thwarting a MitM attack

used for authenticating the device. In addition, the security posture can be analyzed to identify when a device is outside of corporate compliance policies, as defined in the security policy. By combining this with user authentication, the device authentication provides yet another factor of authentication when a device remotely connects to the network and is far superior to traditional gateways.

Most of the mobile operating systems have native support for certificates, making it quite easy for certificates to be deployed with an EMM profile automatically for authentication, unlike their PC counterparts, which normally required cumbersome manual techniques for deploying certificates to users PCs and laptops. Therefore, when a profile is deployed to a device for services such as email, SharePoint, and intranet web access, a certificate can be generated and deployed to the device automatically. This also eliminates hassles such as required password changes every 90 days. It also allows an organization to meet security or compliance requirements requiring strong factor or two-factor authentication. When combined with a secure mobile gateway, it also provides proactive protections against MitM attacks by offering both mutual authentication, and certificate pinning on the secure mobile gateway (Figure 3.2).

Steps to thwarting a MitM attack:

  1. Attacker presents fake server-side certificate (impersonating the network back at corporate)
  2. Certificate pinning prompts the fake certificate to be compared to what has previously been sent to the device and quickly identifies that they don't match
  3. Client certificate mutual authentication handshake fails
  4. No per-App VPN tunnel is set up
  5. No data communicated
  6. Data breach is prevented

A secure mobile gateway also can support mobile-specific encrypted protocols, such as per-App VPN over SSL/TLS. This was released in iOS 7, and gained mass support across public apps in iOS 8 and iOS 9. Supporting a VPN at the app-level allows the administrator to further refine what apps can access the corporate network. In contrast, a VPN typically allows all apps to access the network, including malicious apps. A per-App VPN provides additional layers or security as well as better efficiencies and ease-of-access for the user.

Lockdowns and restrictions

Lockdown and restriction APIs have been available from device manufacturers for some time, and allow EMM solutions to leverage these APIs to disable features. These include unwanted network services (Bluetooth, IRDA, NFC, etc.), device level features (camera, screenshot, etc.), and a plethora of other lockdowns. These vary across the different mobile operating systems.

Read an excerpt

Download the PDF of chapter three in full to learn more!

Furthermore, many EMM solutions allow these to be applied to manage mobile devices in different ways. For example, for a mobile POS, unwanted services such as Bluetooth or NFC can be disabled to avoid targeted attacks. But disabling these on BYOD devices may not be desirable since users commonly use these services for Bluetooth headsets, NFC-based retail purchases, and more. It's important to ensure when implementing these controls to evaluate each of the use-cases and perhaps different lockdown and restriction policies for each scenario.

Live monitoring, audit logs, events, and reporting

EMM solutions provide inherent live monitoring of mobile devices. This can be mobile device monitoring, device security posture monitoring, network access monitoring, and more. Additionally, EMM can integrate with SIEM, Big Data Analytic products, App Reputation, Mobile Threat Prevention, Network Access Control, and proxy solutions. All of these provide the ability for logging, alerting, correlation, and reporting.

The administrator can force a device check-in to check the security posture or location of the device. Per-device logs can be stored in the EMM to allow deep analysis by the administrator. While this may be helpful for troubleshooting, it can also be helpful for security analysis. Furthermore, an EMM can provide information about when a device is connected to a network, and to what resources.

About the author:

Michael Raggo (CISSP, NSA-IAM, ACE, CSI) has more than 20 years of security research experience. His current focus is threats and countermeasures for the mobile enterprise. Michael is also the author of Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols for Elsevier's Syngress Books. A former security trainer, he has briefed international defense agencies including the FBI and Pentagon, is a participating member of the PCI Mobile Task Force, and is a frequent presenter at security conferences, including Black Hat, DEF CON, DoD Cyber Crime, InfoSec, SANS and OWASP.

This was last published in April 2017

Dig Deeper on Network security