No breaches, but cloud and smartphone challenges still lie ahead

The threat of employees bringing their own smartphones and software to work was entirely overblown. But consumerisation can still be a headache.

A wave of consumer tech, it was once thought, would crash upon the enterprise with disastrous consequences for anyone who didn’t prepare. Careless employees, the story went, would bring in their iPhone and use it to leak corporate data or lose an unencrypted device. Consumer services like Gmail and Facebook were another leakage point. Then came perpetually vulnerable Android devices. And today, businesses continue to grapple with so-called “shadow IT”, where employees find better apps than what the IT department makes available.

However, nine years after the iPhone arrived, there’s no evidence that ties a smartphone or personal cloud apps to a major data breach, as the numbers in Verizon’s 2016 Data Breach Incident Report (DBIR) demonstrate. That’s despite an abundance of critical vulnerabilities in Apple’s iOS or Google’s Android, a huge rise in mobile malware, and the fact that a smartphone’s size makes it easier to lose than a laptop.

“Phishing still works, ransomware still works, there are still loads of vulnerabilities [on desktop software] that are still exploitable months and years after they are published, and weak passwords, default passwords. All that stuff is still working,” Laurance Dine, managing principal at Verizon Enterprise Solutions, told CSO Australia.

The 2016 DBIR found that weak, default or compromised passwords were behind 63 percent of breaches in a dataset consisting of 100,000 incidents.

The report included nearly 10,000 incidents of physical theft and loss of devices. Laptops, according to Verizon, were the top asset in this category, but even they were a distant second to paper when it came to confirmed data breaches, due to controls like encryption.

“If you lost your laptop without encryption, I don’t need your password. On a mobile device, I need your passcode,” said Dine, pointing to Apple’s recent dispute with the FBI over its troubles brute-forcing an iPhone’s passcode.

The absence of smartphones from the report, however, doesn’t mean they shouldn’t be a concern. Dine said he is regularly called on to break into mobile devices for cases involving intellectual property theft, though that’s typically between two people using SMS or Apple’s iMessage to collude to steal data, or when a whole team moves from one business to another.

The other frequent focus of mobile investigations is location data on the phone to see where a person was at a particular time and date. Dine said such investigations are difficult even with physical access to a smartphone, due to the sheer variety of hardware.

“We think at some stage mobile devices are going to be more prominent. Personally, I have not, in any of the breaches that I’ve investigated, traced it back to a mobile device,” said Dine.

Dionisio Zumerle, a mobile security research director at analyst firm Gartner, said he agrees that malware on mobile devices is an overstated concern. However, he still sees a problem in “leaky” third-party apps, such as cloud file storage services or apps that hoover up contact lists.

“They don’t do anything malicious but that behaviour can clash with corporate policies,” said Zumerle.

The next frontier that Zumerle sees complicating corporate policy is virtual personal assistants, like Apple’s Siri, Microsoft’s Cortana, and Google Now, where users interact less with single apps than they do with an underlying system that recommends and predicts what people want.

Artificial intelligence (AI) powered features are quickly arriving for consumer products and Microsoft, Facebook and Google are pushing this technology towards the enterprise.

In Google CEO Sundar Pichai’s first ‘founder’s letter’ in April, he outlined the search company’s vision for the enterprise as one powered by Google data centres, analytics and AI, connecting directly to employees through their smartphones.

“Your phone should proactively bring up the right documents, schedule and map your meetings, let people know if you are late, suggest responses to messages, handle your payments and expenses,” said Pichai.

Likewise, Microsoft is working to integrate Cortana with Office 365 and its Power BI dashboard.

The catch here for the enterprise is that the model of blacklisting or whitelisting certain apps may not fit so neatly within such integral components of a device's platform, leaving customers at the whim of the vendor to make them enterprise-ready.

“If you look at all these technologies, apart from policies that say avoid using certain applications when you’re sending sensitive data, the only technological answer that can come is from the vendor themselves,” said Zumerle.

One example of this dependency on the vendor is Google opening up application programming interfaces to better support mobile device management (MDM) on Android. Another is Evernote for Business, which allows users to create a separate work and personal space.

At present, however, many organisations are dealing with a much messier shadow IT challenge and the question of how to improve security while supporting hundreds or potentially thousands of applications that have a legitimate business use. Blacklisting and whitelisting applications both present their challenges, depending on the environment.

“If there is a purported ‘better way’ to handle a specific workload, it will have worked its way into the environment,” Mike Weber, vice president of penetration testing firm Coalfire Labs, told CSO Australia.

Weber said whitelisting would be the better option to control shadow IT, and that organisations should consider web-based service offerings through the user’s whitelisted browser.

Still, getting a handle on shadow IT may be less a matter of technology choice than process and IT security teams communicating with different business teams.

“You may need to be open to approving ‘sanctioned’ — as opposed to supported — services that have had proper due diligence and accept the risks of using a cloud provider,” said Weber.

“In these sanctioned solutions, IT and the business may have to develop agreements on support and costs, but that can be a way to reduce ‘Shadow IT’ instead of these offerings being considered as a formal part of the IT ecosystem,” Weber added.
