Thursday, December 14, 2017

Tag: Encryption

In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not of itself prevent interception, but denies the message content to the interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. An encryption scheme normally uses a key produced by a cryptographically secure pseudo-random generator, because the confidentiality of the ciphertext rests entirely on the key being unguessable. It is in principle possible to decrypt the message without possessing the key, but for a well-designed encryption scheme this requires computational resources far beyond any practical attacker. An authorized recipient can easily decrypt the message with the key, which the originator provides to recipients but not to unauthorized interceptors.

Stealth for Mobile uses advanced data cloaking and encryption techniques to help organizations mitigate cyber-security attacks and hacker incidents. Unisys announced the availability of its Stealth for Mobile platform, which enables secure access from data centers to the applications on mobile devices. The offering grants users access rights based on identity, to help ensure authorized users reach or have visibility to only the information they are approved to access or see.

The platform is transparent to users, who will have the same access rights no matter which device they use to access the data center. In addition, the platform combines Unisys Stealth technology with application wrapping security software that allows users to define specific security policies on a per-mobile application basis. Stealth for Mobile then adds a layer of identity-based security that gives users access and visibility rights to only the assets within the data center they are entitled to access and see. "Stealth for Mobile allows enterprises to capitalize on the productivity gains and customer service improvements associated with mobility and consumerization of IT, while increasing assurance that their critical data remains safe," Rod Sapp, vice president of products and technology at Unisys, said in a statement. "Unlike other security solutions such as virtual private networks, Stealth for Mobile cryptographically protects data all the way to the application—a much more secure approach for BYOD environments." Stealth uses advanced data cloaking and encryption techniques to help organizations mitigate cyber-security attacks and hacker incidents by rendering devices, data and users virtually invisible on the network.

The solution creates secure user communities within an enterprise where only authorized users can access or see information. Unisys has entered into a worldwide reseller agreement to offer Mocana MAP, an application wrapping software, in connection with Stealth for Mobile. Unisys also is a customer of Mocana MAP, in support of Unisys internal mobile initiatives. The announcement comes as rapid proliferation of bring-your-own device (BYOD) initiatives in the workplace has resulted in an alarming increase in cyber-security risks. Within the next two years, hundreds of millions of people are expected to be using smartphones for work, and many of them will be employee-owned devices. However, mobile security is still a top concern among IT professionals as well as for employees using BYOD systems, according to The BYOD and Mobility Security Report, which surveyed 1,650 information security professionals around the world through Holger Schulze's Information Security Community group on LinkedIn. The survey, sponsored by endpoint management and security solutions specialist Lumension Security, revealed that mandatory use of encryption was cited as a risk-control measure for mobile devices by 40 percent of respondents. Encryption is considered best equipped to deal with lost or stolen devices, which was the third-ranked security concern, after lost data and unauthorized access.

The majority of respondents were information security specialists in organizations of between 10 and 99 employees.
The Information Commissioner's Office (ICO) insists it does not discriminate between private and public sector firms when deciding on data breach fines, and says that nobody has been "let off" fines since it was given the power to sting culprits for up to £500,000 in late 2010. "I think there's certainly no discrepancy on our part, favouritism or thoughts like that in any way; I certainly wouldn't suggest people have been 'let off'," the ICO's group manager of technology, Simon Rice, told Computing. Speaking at a Westminster eForum on mobile and remote working this week, Rice also commented specifically on Google, which the ICO decided not to fine after it was caught gathering personal data during its street mapping projects. "They were found out to have broken the Data Protection Act," admitted Rice, but stated as a comparison that "by its very nature, the public sector processes more sensitive data than the majority of the private sector, and our framework says that the penalty must be for the most serious cases - that you can only fine in the most serious cases." Rice insisted that Google had not been "let off", but implied that though the company was guilty of a breach, the seriousness did not compare to many public sector breaches. "It's unfortunate that the private sector aren't very open about notifying about breaches in a voluntary process," said Rice. "It's a factor of a number of things, but certainly not favouritism. But having said that, we now publish a summary [of companies fined], which is showing the private sector is coming out better in protecting against breaches." However, Rice said all organisations needed to do more to protect data held on mobile devices, including greater use of encryption. Paul Graham, a partner at law firm Field Fisher Waterhouse, said informing the ICO of a breach should not be the victim's first priority. "The first thing you should be doing is making sure you contain that breach and remedy it," said Graham. "So if you're looking at these issues purely on the basis of 'will I get a penalty notice against me' your first instinct might be to notify the ICO of the breach. That might not be the right thing to do. The first course of action is to try and remedy the breach and contain it, and then look at your obligations."
Messages sent over Wi-Fi and other public channels can be decrypted using known methods.    
Researchers from the Citizen Lab detail how old Microsoft vulnerabilities are enabling remote admin tools to exploit dissidents. TORONTO—People around the world are being targeted for exploitation with malicious remote admin tools (RATs) that are taking advantage of old, already patched Microsoft vulnerabilities. That's the finding of researchers from the Citizen Lab based at the Munk School of Global Affairs at the University of Toronto, speaking at the SecTor security conference here this week. The Citizen Lab has been tracking the activities that nation-states, in particular China, have taken against dissidents for years. Today a number of different techniques are being used around the world to get malicious RAT tools onto computers, according to Katie Kleemola, security analyst at the Citizen Lab. In Syria, which is currently embroiled in a bitter civil war, one of the most common ways users are being exploited is by way of fake Skype tools, Kleemola said. The fake tools are typically presented to the user as encryption tools that will help the user stay safe from prying eyes.

The irony is that the encryption tool is, in fact, the vehicle that enables an attacker to place a RAT on the user's system. In addition to the fake Skype tools, Kleemola said there are also fake hacking tools for conducting distributed denial-of-service (DDoS) attacks that are being used in Syria.

Tibet

One of the key geographic areas of focus for the Citizen Lab has long been the Tibet area in China. Kleemola noted that in Tibet, the lab is mostly seeing document malware as the route to infection for a RAT. The document malware is some form of embedded malware that executes when a user opens an infected document.

For the most part, two vulnerabilities are to blame for the vast majority of document infection, she said.

The first is CVE-2010-3333, a stack-based buffer overflow in the RTF parser of Microsoft Office that was patched in 2010. CVE-2012-0158, a flaw in the MSCOMCTL ActiveX control that can be reached from Microsoft Office documents, is also being actively exploited, even though it was patched by Microsoft in 2012, Kleemola said. Kleemola noted that there are a number of reasons why old vulnerabilities are still being exploited.

For one, some people simply haven't patched their systems.

The other, more insidious reason is that the malware authors are evading antivirus (AV) software. Documents, typically some form of Rich Text Format (RTF) file, can have their header information modified, which in some cases is enough to trick antivirus software into believing that the file is safe, Kleemola said. She added that antivirus vendors have been adjusting, but there is often a lag between the time a new evasion technique is discovered and when vendors have protections in place.

Macs

Seth Hardy, senior security analyst at the Citizen Lab, detailed the world of Mac RATs and exploits at the SecTor 2012 conference.

Now in 2013, Hardy said the unfortunate reality is that nothing has really changed in the last year for Macs, and users are still being targeted by the same vulnerabilities. The two key vulnerabilities affecting Mac users are also document related. One, CVE-2009-0563, is a stack-based buffer overflow in Microsoft Word for Mac. The other is CVE-2012-0507, a Java vulnerability that was patched by Oracle in 2012. "You would think people would have patched by now, but they haven't," Hardy said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Large enterprises are not doing enough to detect and address insider threats, a survey of more than 700 IT security decision-makers has revealed. Less than a third of respondents said they block privileged user access to data to mitigate insider attacks, according to the 2013 insider threat study by security firm Vormetric and the Enterprise Strategy Group. This means 73% of organisations polled are failing to block privileged user access to sensitive data, which is a proven method of reducing the insider threat to data security. However, two-thirds use perimeter-focused network intrusion detection and prevention tools for this purpose, although the tools are designed to protect from external threats, not internal ones. More than half said they use network traffic monitoring to identify and prevent data breaches. “While IT decision-makers are concerned about insider threats and data breaches, they tend to rely on perimeter and network security tools, rather than securing the data at its source,” said Jon Oltsik, senior principal analyst at Enterprise Strategy Group. “This research highlights that large organisations need to switch to data-centric security strategy to prevent and detect insider threats,” he said. The study showed that more forward-looking and sophisticated organisations are using technology approaches that are proven protections against malicious insiders and malware attacks that compromise insider credentials. But these were in the minority, with only 40% monitoring privileged user activities, 48% reviewing sensitive data access only monthly, and 76% unable to detect unauthorised data access in real time. However, the study shows attitudes are changing, with 45% saying that Edward Snowden’s revelations about US internet surveillance have caused them to be more aware of insider threats.
Some 53% said they are increasing their security budgets to offset the problem in the next year, with 78% either using or planning to use data encryption and 70% using or planning to use data access controls. “It is clear that organisations of all kinds are concerned with securing access to sensitive data,” said Alan Kessler, CEO of Vormetric. “While many of the respondents are using more of the right security technologies and tools to help reduce their attack surface, a much larger group is falling short in taking the additional step to protect from insider threats and thwart attacks that steal insider credentials,” he said.

NEWS ANALYSIS: The encrypted Tor browser that's making extra work for the National Security Agency was created by the U.S. Navy with support from other agencies. There’s a saying about the left hand not knowing what the right hand is doing. Nothing illustrates this more clearly than the federal government’s dysfunctional relationship with the Tor browser and the onion router. By now, you’ve heard that the National Security Agency is having a tough time unraveling Tor.

This bundle of software, based on the Firefox browser, routes Internet traffic through a series of relays. The client wraps each message in one layer of encryption per relay in the circuit, and each relay strips off its own layer and forwards the rest, so no single relay sees both who sent the traffic and where it is going.

The Tor browser is freely available to anyone who wants to use it, including dissidents in nations with oppressive governments and even child abusers. The problem with Tor from the NSA’s viewpoint is that it works too well.

Actually nailing down who’s using it, decrypting what they’re doing, and doing all of that in a timely fashion is driving the NSA crazy. So, naturally, you have to ask yourself what band of privacy advocates dreamed up this nearly uncrackable communications pathway? The answer may surprise you. Tor is the brainchild of the U.S. government. In fact, Tor was invented with the support of the U.S. Naval Research Laboratory, located near Washington, D.C., in suburban Maryland, just inside the Beltway.

And yes, this is pretty close to the NSA, which is also located in suburban Maryland, although it’s outside the Beltway. And I know what you’re thinking.

The U.S. Navy is part of the same Department of Defense that also operates the NSA, which, although a Defense agency rather than an Army command, is run by an Army general, Keith Alexander.

The Naval Research Laboratory has continued to fund the development of Tor. But the Navy has help. An even larger supporter of Tor is the Broadcasting Board of Governors (BBG), which is the propaganda arm of the U.S. government.

The BBG runs the Voice of America, Radio Free Europe, Radio Martí and other similar services around the world. Tor is also supported by the National Science Foundation.

According to The Washington Post, Tor also receives substantial funding from the U.S. Department of State. In other words, one part of the U.S. military is arguing with sister federal agencies about the creation of a secure browser that it says could be used to hide the nefarious activities of criminals and terrorists. If this were some long-ago creation that somehow went rogue, you might understand the frustration of the NSA, but it’s not.

The Army-run intelligence service is stymied by encryption technology that the Navy created and still helps to fund.

And you thought the Army-Navy football game was the height of inter-service rivalries. Now, I have to admit that as a retired Navy officer, it gives me a certain amount of satisfaction to see my service create something that works so well. It gives me even greater pleasure to see the Navy driving an Army general nuts.
ExtraHop teams with Splunk to deliver a new compliance and security product for tracking wire data and using the Splunk operational intelligence platform. LAS VEGAS—ExtraHop Networks, a provider of analytics for wire data or data in motion, joined forces with Splunk to deliver a new compliance and security offering. The product provides pervasive, context-aware monitoring that imparts intelligent compliance and security, ExtraHop officials said.

The ExtraHop compliance and security offering provides correlated, cross-tier visibility and anomaly detection that complements intrusion prevention systems (IPS), intrusion detection systems (IDS) and Security Information and Event Management (SIEM) systems. Moreover, the new product is extensible and demonstrates the programmability and ease of ExtraHop integration with security platforms. In addition, ExtraHop’s integration with Splunk Enterprise transforms real-time security-related wire data into machine data for in-depth visualization, enabling IT, compliance, and security teams to easily pinpoint the system, application or infrastructure element in which a security event is occurring without using agents or offline packet capture. ExtraHop demonstrated the compliance and security offering at Splunk .conf2013, Splunk’s annual user conference here. “As security threats, including zero-day attacks that exploit previously unknown vulnerabilities, become increasingly varied and sophisticated, real-time monitoring across all components of the application delivery chain is becoming a crucial first line of defense,” said Jesse Rothstein, CEO of ExtraHop, in a statement. “With the ExtraHop compliance and security solution and our integration with Splunk Enterprise, enterprise security teams are armed with a highly scalable solution designed to detect potential security events as they happen. 
With Splunk Enterprise, these anomalies can be easily visualized, enabling organizations to pinpoint the source before a serious breach occurs and prove that they have had adequate controls in place.” The ExtraHop compliance and security solution delivers continuous, real-time auditing and anomaly detection across the entire application delivery chain, analyzing all wire data, including encrypted traffic, to deliver visibility and intelligence that mitigates risk and helps ensure compliance with both internal policies and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS) and Sarbanes-Oxley (SOX). “Part of the answer to the seemingly insurmountable problem of how to identify attacks without signature-based mechanisms lies in pervasive monitoring to identify meaningful deviations from normal behavior to infer malicious intent,” wrote Neil MacDonald, vice president and Gartner Fellow, in his May 2013 report titled Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence. “If you assume systems will be compromised with advanced targeted threats, then information security efforts need to shift to detailed, pervasive and context-aware monitoring to detect these threats.” The ExtraHop compliance and security offering provides encryption auditing, which identifies all Secure Sockets Layer (SSL) transactions and certificates used by servers and clients, including those using weak keys and cipher suites, and tracks certificates that are about to expire for proactive remediation. Encryption auditing makes it easier to prove that all sensitive data is actually being encrypted in flight and that keys and ciphers are the correct strength. 
Also, monitoring for locked-down virtual desktop environments enables users to track all ICA communications and provides continuous monitoring of any data passing over protected channels, with per-user and per-client details so that IT teams can identify users violating policy.

For example, ExtraHop continuously monitors VDI channels such as print and USB, and it sends an alert if any of these channels become active on unauthorized machines.
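The encryption auditing described above works on what a passive sensor can see without the server's keys: the handshake, in which the protocol version, the negotiated cipher suite and the certificate travel in the clear. The following Python is an added example, not ExtraHop code, that parses a TLS ServerHello record and flags obsolete protocol versions, weak or non-forward-secret cipher suites and TLS compression. The cipher-suite IDs are taken from the IANA TLS registry (a small subset); the weak/acceptable policy is the example's own, the ServerHello records are constructed in the block rather than captured, and certificate expiry checking, which needs an X.509 parser, is left out.

```python
import struct

# Cipher suite IDs from the IANA TLS registry (small subset). The weak /
# acceptable policy below is this example's own, not ExtraHop's.
CIPHER_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "MD5")
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def parse_server_hello(record: bytes) -> dict:
    """Pull version, cipher suite and compression method out of a TLS record
    carrying a ServerHello (record type 0x16, handshake type 0x02)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack(">H", hs[0:2])[0]
    sid_len = hs[34]                 # 2-byte version + 32-byte random precede it
    pos = 35 + sid_len               # skip the session id
    suite = struct.unpack(">H", hs[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite, "compression": hs[pos + 2]}


def audit_server_hello(record: bytes) -> list:
    """Return policy findings for one handshake; an empty list means it passed."""
    info = parse_server_hello(record)
    findings = []
    ver = info["version"]
    if ver < 0x0301:
        findings.append(f"obsolete protocol {VERSIONS.get(ver, hex(ver))}")
    suite = info["cipher_suite"]
    if suite not in CIPHER_SUITES:
        findings.append(f"unrecognised cipher suite 0x{suite:04x}")
    else:
        name = CIPHER_SUITES[suite]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite {name}")
        elif not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append(f"no forward secrecy: {name}")
    if info["compression"] != 0:
        findings.append("TLS compression enabled (CRIME)")
    return findings


def build_server_hello(version: int, suite: int, compression: int = 0) -> bytes:
    """Construct a minimal ServerHello record for demonstration (not a capture):
    version, 32 zero bytes of 'random', empty session id, suite, compression."""
    hs = (struct.pack(">H", version) + bytes(32) + b"\x00"
          + struct.pack(">H", suite) + bytes([compression]))
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    for label, rec in [("legacy", build_server_hello(0x0300, 0x0004)),
                       ("modern", build_server_hello(0x0303, 0xC02F))]:
        print(label, audit_server_hello(rec) or "ok")
```

In a real sensor the record bytes come from the first server-to-client segment of each TCP session on 443; the same parser applied to the ClientHello (handshake type 0x01) reveals what clients are willing to accept, which is where export and RC4 suites usually linger.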
Advanced persistent threats (APTs) are more dangerous than ever, says a researcher at Intel-owned security firm McAfee. A study of the March 2013 shutdown of South Korean computer networks at several major broadcasters and banks provided insights into how attackers avoid detection. “Although APTs tend to re-use malware code and techniques, the advanced encryption and obfuscation methods are different for every attack,” said Ryan Sherstobitoff, senior security researcher at McAfee. “They obfuscate very heavily to evade detection,” Sherstobitoff told attendees of the McAfee Focus 2013 customer and partner conference in Las Vegas. But the discovery of an encryption key enabled researchers to link a series of attacks against South Korean targets over a four-year period, culminating in the March 2013 attack. “Preparation over a long period of time is what enabled the attacker to shut down thousands of computers on a single day,” said Sherstobitoff. The attacker also went to great lengths to set up two fictitious hacktivist groups to evade identification and create the impression that the various attacks over the four-year period were unrelated.

Anatomy of an attack

The malware used against commercial and military targets was introduced into the target networks by compromising bulletin board software used by legitimate sites. “The attacker compromised websites known to be visited by people in the target network; a technique known as water-holing and commonly used by APT-style attackers,” said Sherstobitoff. Once the malware was installed on the target network, it searched directories for keywords like “secret” and reported back to command and control servers using encrypted internet relay chat (IRC) channels. Armed with a snapshot of directories on the target network, the attacker was able to copy only selected files, never generating large volumes of traffic that would trigger alerts.
Although chiefly aimed at military networks in South Korea and documents relating to joint US exercises, the same attack methods are used against commercial organisations, said Sherstobitoff. Research also indicates that cybercrime and espionage campaigns sponsored by nation states are increasing in number and sophistication.

Sharing threat information

To make the indicators of compromise (IOCs) found in the South Korean research more widely available, McAfee turned to the OpenIOC format for disseminating threat information. “OpenIOC provides an open source XML-based framework for sharing threat intelligence,” said James Walter, senior manager of security research at McAfee. By using OpenIOC, he said, organisations using security products that consume that data can automate defence activities based on that data. Security products from multiple suppliers are designed to consume OpenIOC data, including McAfee’s host intrusion prevention system and network security platform, said Walter.

Counter APT measures

At a separate news conference, Phil Ferraro, chief information security officer of the Sands hotel group, said leading-edge technologies capable of learning and taking action are vital in defending against APTs. A former US federal government CISO, Ferraro said APTs demand that organisations have the capacity to keep up to speed with the latest attack methods and detection evasion capabilities. “No one is immune from APTs because they go after all industries,” he said. “Tapping into threat intelligence is crucial to learn how attackers are likely to come at you.” According to Malcolm Harkins, chief privacy officer at Intel, it is important to know what attackers are likely to target and how they are likely to attempt to access it. “The ‘what’ and ‘how’ are more important than the ‘who’ because they can be used to formulate defence strategies,” he said.
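To show what "consuming OpenIOC data" amounts to in practice, here is an added example (not McAfee's or Mandiant's code) of a minimal evaluator: it parses an OpenIOC 1.0 document whose Indicator blocks nest with AND/OR operators and tests it against a snapshot of one host. The document and the host data are constructed for the example; the hash, process name and port are placeholders, not indicators from the South Korean campaign. The element names (ioc, definition, Indicator, IndicatorItem, Context, Content) follow the OpenIOC 1.0 schema; only the "is" and "contains" conditions are implemented.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document. The md5, process name and port are
# placeholders for illustration, not real indicators.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001"
     last-modified="2013-10-01T00:00:00">
  <short_description>Constructed example: dropper hash OR (IRC beacon from a fake svchost)</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000001</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="sub">
        <IndicatorItem id="i2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost</Content>
        </IndicatorItem>
        <IndicatorItem id="i3" condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir"/>
          <Content type="int">6667</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""


def item_matches(item, host: dict) -> bool:
    """Evaluate one IndicatorItem against the host snapshot, a dict keyed by
    the Context 'search' term (e.g. 'FileItem/Md5sum') with a list of values."""
    term = item.find("ioc:Context", NS).get("search")
    condition = item.get("condition")
    content = item.find("ioc:Content", NS).text.strip()
    values = [str(v) for v in host.get(term, [])]
    if condition == "is":
        return content in values
    if condition == "contains":
        return any(content in v for v in values)
    raise ValueError(f"unsupported condition {condition!r}")


def indicator_matches(indicator, host: dict) -> bool:
    """Recursively combine child results with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        local = child.tag.split("}")[-1]
        if local == "IndicatorItem":
            results.append(item_matches(child, host))
        elif local == "Indicator":
            results.append(indicator_matches(child, host))
    operator = indicator.get("operator", "OR").upper()
    return all(results) if operator == "AND" else any(results)


def evaluate_ioc(ioc_xml: str, host: dict) -> bool:
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return indicator_matches(top, host)


if __name__ == "__main__":
    # Constructed host snapshot: a process called svchost.exe talking to port 6667.
    host = {"FileItem/Md5sum": ["ffffffffffffffffffffffffffffffff"],
            "ProcessItem/name": ["explorer.exe", "svchost.exe"],
            "PortItem/remotePort": [443, 6667]}
    print("match" if evaluate_ioc(SAMPLE_IOC, host) else "clean")
```

The snapshot dict stands in for whatever the host agent collects (file hashes, process list, connection table); the point of the nesting is that a single hash is a strong indicator on its own, while a process name and a port are only meaningful together.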
Budget, technologies and partners

Ferraro said the most effective way for information security professionals to get budget for the technology they need is to tell the board how such an attack could impact the business. “Tell the board how a breach could cause damage to the reputation of the brand and adversely affect share value,” he said. But Harkins said dealing with APTs is not as simple as plugging in a network appliance, isolating networks or conducting awareness training. “There is no silver bullet; it requires an integrated set of overlapping technologies that can learn, correlate information across the organisation, identify indicators of compromise and take action,” he said. Ferraro said organisations also need to look at the security practices of their partners. “Attackers typically go after the weakest point, which may be a business partner,” he said.

Dangers of consumerisation

Consumerisation is another typical area of vulnerability, he said, as employees increasingly use their own devices for work purposes and organisations open up bring your own device (BYOD) programmes. “I have always ensured that I have a mobile device management system in place that provides an encrypted container to separate personal from business activities on the device,” Ferraro said. This approach, said Ferraro, enables employees to use the device as they please, but the business retains the capability to set stringent access requirements and wipe corporate data if necessary.

Bitcoin and security tend to go hand in hand.

The wallets are mostly electronic; there are no chargebacks; and, done correctly, it can be impossible to track who stole what funds. That makes businesses that operate with Bitcoin prime targets for criminals and also means these businesses have to be pretty savvy if they want to survive. Case in point is Bitcoin Video Poker, a retro-style online gambling house where players use Bitcoin to purchase credits. It recently launched and had enjoyed 100 percent uptime for a while, until what seemed like a network issue knocked it offline for several hours until its server restarted. As one of the company's employees explains on Reddit, the outage was actually an attack on its infrastructure, likely going after the Bitcoin wallet that the site uses to store funds. It doesn't have to be a Bitcoin wallet that makes a business an interesting target for criminals. It can be intellectual property, a list of clients, personal information (Anonymous trying to prove a point, anyone?), or credit card information. Bearing this in mind, there are two things in particular that this startup did that any business could learn from. The first was a high level of vigilance over server logs and tracing back over what had changed in its infrastructure. Admins from the startup took a look at the running processes on the server, finding a foreign script in /etc called bitcoin.sh, and a scheduled task in crontab to restart it.

This phoned home to the attacker's machine, presumably to allow for remote access. This activity was also correlated in logs as occurring during the time that the server was meant to be inaccessible, raising more red flags. The second was the use of encrypted partitions.

The gaming services, along with wallet information, were contained within a protected partition that does not automatically mount in the event of a reboot.

While this meant that the startup couldn't return to business immediately, it also meant that the attacker was unable to compromise the system any further. But how did the attacker even get that far? If the server's filesystem is relatively standard, writing to /etc implies root credentials were used to access the system.

While the startup's credentials weren't compromised, it turns out that the server itself physically was, in a way. The startup's admins had noted that its server had an open login on /dev/tty1, but this should almost never happen in a datacentre unless someone is in the racks. After talking to the hosting provider, it was revealed that yes, someone had been in the racks, but the person had been authorised to install a remote keyboard, video, mouse (KVM) console.

This would allow for the remote administration of a machine as if the operator was there. But the startup never authorised the installation of such a device.

This is where its attackers took a different angle to their attack. Using a vulnerability in the host's HostBill software, the attackers ordered and authorised for the remote KVM to be installed.

The web host, none the wiser, complied, not knowing it was physically installing a backdoor for its customer. Once the KVM was installed, the attacker rebooted the machine into single-user mode, bypassing the server's login procedures and gaining the ability to write to the filesystem and grant themselves root privileges. Console access of this kind defeats most host-level controls; a bootloader password and a single-user mode that still prompts for the root password raise the bar, but with an attacker-controlled KVM on the box neither is a complete answer.

This is where the attackers hit a wall as, without the key to remount the encrypted partition (and not storing this key on the server is an important practice), they were unable to steal anything valuable. The final twist is that the script that the attackers left running pre-empted this.

Its purpose was to wait for the startup to restart its services and unlock the encrypted partition. Which takes us again back to the first point of always being vigilant about what is happening on your server. There are so many places where this could have ended badly.

A lack of encryption would have spelled disaster, an oversight of what was going on would have seen them open themselves up to theft, and sheer laziness could have seen them store the keys on the server.

The startup has said, perhaps modestly, that encryption saved the day, but had it not been for a keen set of eyes, it might have all turned out very differently.
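The two observations that caught this intrusion, a script in /etc with a cron entry restarting it and a login on a console tty that nobody at the company had opened, are easy to check for routinely. The Python below is an added example, not the startup's own tooling. The sample crontab and who output are constructed to mirror the incident (only the bitcoin.sh name and the tty1 login come from the article; the other lines are filler), and the live-host function shells out to crontab -l and who so the same checks can run from cron or a config-management agent.

```python
import re
import subprocess

# Constructed sample output modelled on the incident above. Only the
# /etc/bitcoin.sh script and the open tty1 login come from the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /etc/bitcoin.sh
*/5 * * * * /bin/sh /etc/bitcoin.sh >/dev/null 2>&1
"""

SAMPLE_WHO = """\
admin    pts/0        2013-10-10 09:12 (203.0.113.7)
root     tty1         2013-10-10 03:41
"""

# /etc holds configuration, not programs; a cron job executing a script from
# /etc, /tmp or /dev/shm is out of place and worth a human look.
SUSPECT_PATH = re.compile(r"(^|\s)(/etc/\S+\.(sh|py|pl)|/tmp/\S+|/dev/shm/\S+)")


def suspicious_cron_entries(crontab_text: str) -> list:
    """Return the non-comment crontab lines whose command runs from an odd path."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if SUSPECT_PATH.search(line):
            hits.append(line)
    return hits


def console_logins(who_text: str) -> list:
    """Return (user, tty) for sessions on a console tty rather than a network pty.
    On a rack server nobody should be on tty1 unless someone is physically at the
    rack or a KVM is attached, which is exactly what happened here."""
    sessions = []
    for line in who_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and re.fullmatch(r"tty\d+", parts[1]):
            sessions.append((parts[0], parts[1]))
    return sessions


def audit_live_host() -> dict:
    """Run both checks on the machine this script runs on (needs crontab and who)."""
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    who = subprocess.run(["who"], capture_output=True, text=True).stdout
    return {"cron": suspicious_cron_entries(cron), "console": console_logins(who)}


if __name__ == "__main__":
    print("suspicious cron:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("console logins:", console_logins(SAMPLE_WHO))
```

Run against the sample input it reports the two bitcoin.sh entries and the root session on tty1; run against a real host it only covers the current user's crontab, so /etc/cron.d and the system crontab should be fed through the same function, and the findings are only useful if someone reads them, which is the article's first lesson.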
The secure-communications company says it's moving away from the US government agency's standards after reports of NSA tampering. September 30, 2013 9:22 AM PDT The National Security Agency's apparent attempts to weaken encryption technolog...
Government surveillance has been a business boon for PGP creator Phil Zimmermann, whose company Silent Circle counts SEALs and the CIA as clients. Plus: why encryption needs a "Spartacus" moment. PGP creator and Silent Circle co-founder Phil Zimmermann...
It’s hard enough securing a high-powered internet-connected workstation from all the threats it may face. But what about mobile devices, which are typically less powerful yet just as connected? Indeed, what about mobile devices that do not even belong to the organisation, but individual staff, under bring your own device (BYOD) policies? “One of the challenges of mobile security is that the device landscape is changing so quickly and the range of devices is constantly changing,” says Jason Brown, enterprise solutions architect at McAfee. The range of potential threats is far reaching. First, there is the huge range of apps that can be downloaded.

While PCs in the enterprise were (eventually) locked down to prevent users from loading any applications they wanted, mobile devices have yet to be subject to the same treatment. As a result, mobile has become the primary target of malware writers. In 2010 McAfee picked up just a handful of samples of mobile malware. But by the beginning of 2013, it had counted more than 35,000 samples – 95 per cent of which had appeared during 2012, overwhelmingly targeting Android. That would not matter so much if mobile devices had not become the linchpin of personally and professionally valuable data – devices used to access corporate systems, to transfer files between PCs, and as communications hubs containing valuable contact details.

Testing times

Perhaps most ominous of all though, warns Brown, is that even some apps that have been approved by Apple, Google, or any other platform controller may contain questionable features. “McAfee conducted a test across the app world. We were not looking at the way it was created or what it does, we were looking at what it was ‘talking’ to. Of the 100,000 apps that we were looking at in this test, about four per cent were connecting to untrusted locations,” says Brown. Even popular apps can exhibit worrying traits.

For example, Angry Birds sends data such as the last number dialled on the device back to its maker, Rovio.

For an organisation, this is an unforgivable security flaw. Other apps demand far-ranging permissions before users can run them. “The problem is that it’s not the permissions individually that causes the problem, it’s the combination of permissions,” says Brown. “It’s ‘what can it do if it combines those permissions?’” There are a number of different ways of delivering security to mobile devices, Brown continues. However, endpoint security cannot be deployed on Apple’s iOS operating system – the company does not allow it in its app store. While the company’s tight control of its own platform and the apps that can be run on it keeps it relatively secure, if sufficiently serious flaws are found – some 200 vulnerabilities were found in iOS 6 – it can become a wide open target. That is why iOS exploits carry such a high price tag on the black market. Android, though, remains the most vulnerable mobile platform, crackable as easily as the user simply clicking on a URL they may have received in an email. Or, malware can find its way onto devices via “trojanised apps”, which look and work like legitimate apps but have been adapted to contain malicious features. While security software is available for Android devices, it can slow them down and the risk is that users will remove it rather than persevere with it. Enterprise-wide, if an organisation wants to secure its mobile devices, it does not need new infrastructure. “A mobile device is just another endpoint device. You shouldn’t need to do anything special just because it’s a mobile device,” says Brown. “Our strategy focuses on three areas: the device itself, protecting the data that is held on the device and, finally, protecting the device from the apps,” he continues. A large part of this is enforced via the corporate security policy.
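Brown's point that the risk lies in combinations of permissions rather than in any single one can be turned into a review rule. The Python below is an added example, not McAfee's tooling: it reads the uses-permission entries from an AndroidManifest.xml (a constructed manifest for a hypothetical flashlight app, not a real application) and reports permission sets that together give the app a capability worth questioning. The rule table is the example's own policy, and a reviewer would extend it to suit the organisation.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical app; package name and permissions
# are invented for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Each rule names a set of permissions that is unremarkable one by one but,
# held together, lets an app do something a flashlight has no business doing.
# The table is this example's own policy.
COMBINATION_RULES = {
    "contacts exfiltration": {"READ_CONTACTS", "INTERNET"},
    "call log exfiltration": {"READ_CALL_LOG", "INTERNET"},
    "SMS interception and forwarding": {"RECEIVE_SMS", "SEND_SMS"},
    "device tracking": {"ACCESS_FINE_LOCATION", "INTERNET"},
    "premium SMS fraud": {"SEND_SMS", "RECEIVE_BOOT_COMPLETED"},
    "identifier leakage": {"READ_PHONE_STATE", "INTERNET"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect the short names of all <uses-permission> entries in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for element in root.iter("uses-permission"):
        name = element.get(f"{{{ANDROID_NS}}}name", "")
        perms.add(name.rsplit(".", 1)[-1])      # android.permission.INTERNET -> INTERNET
    return perms


def risky_combinations(perms: set) -> list:
    """Return the labels of every rule whose permission set is fully present."""
    return sorted(label for label, needed in COMBINATION_RULES.items() if needed <= perms)


def review_manifest(manifest_xml: str) -> dict:
    perms = declared_permissions(manifest_xml)
    return {"permissions": sorted(perms), "findings": risky_combinations(perms)}


if __name__ == "__main__":
    result = review_manifest(SAMPLE_MANIFEST)
    print("declared:", ", ".join(result["permissions"]))
    for finding in result["findings"]:
        print("review:", finding)
```

The manifest inside a real APK is in binary XML; decode it with apktool or aapt first and feed the text form to review_manifest. Note that CAMERA on its own raises nothing here: a flashlight app needs it on older Android versions, which is exactly why single-permission rules produce noise and combination rules do not.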
Protecting the device means enforcing policies in the configurations that the device supports: if it supports encryption, that should be switched on; and, if it has a passcode facility, that should be switched on too. URL filtering should also be mandatory. Where things get trickier is in such abilities as remote lock and wipe, especially if the devices don’t belong to the company. Brown recommends “containerising” corporate data on the device so that it can be treated differently from personal data and apps. “If you do need to wipe a device, it’s not going to wipe everything off,” he says. The value of such a policy will become clear when someone leaves an organisation, potentially taking corporate data on their devices with them.

The security software should also be able to analyse and report on devices that are not compliant with the organisation’s security policies. @GraemeBurton