Are dangers lurking on your workers' operating systems?

We have had enough wake-up calls now, right? Enough squeaky-bum moments.

Events over the past year have made it clear that hackers, whether sponsored by the NSA, GCHQ or a crooked millionaire, can and will breach the defences of mobile operating systems of any type.

For IT, it has become apparent that guaranteeing the security of all the myriad operating systems across its client base is close to impossible.

“Each platform has its own security needs and therefore it is not possible to implement a policy that could cover all of them,” says Guillermo Lafuente, security consultant at MWR InfoSecurity.

"Companies have to decide which operating systems and versions of those operating systems can offer the level of security they are looking for

Flaws in the system

When security types think of mobile insecurity, many point fingers at Android. Its fragmented nature and its open-source code leave it open to attack. And there have been some significant bugs in recent months.

A startling flaw uncovered by Bluebox Security this year made it possible for hackers to create fraudulent identity certificates which would appear to come from legitimate companies such as Adobe.

By signing a malicious app with that certificate, it would have been possible to pilfer a fair amount of data from an unsuspecting victim. A certain shade of Android was also vulnerable to Heartbleed, the OpenSSL bug that left crypto keys open to crackers, while other mobile operating systems weren’t.

This year has also proved iOS is far from invulnerable. Just before Heartbleed caused panic across businesses and newsrooms, Apple revealed an SSL bug that caused a similar hullabaloo.

Known as the “gotofail” flaw, it meant Apple’s code skipped some vital security checks for encrypted connections over SSL, which made man-in-the-middle attacks on apps sitting on iOS trivial.

As more operating systems hit the market, with Windows Phone and Firefox getting plaudits as well as criticism, IT will have an even tougher job on its hands deciding how to handle the security issues that come with each.

Every release will bring with it fresh vulnerabilities. And as hackers, whether sponsored by gangland overlords or government mandarins, continue to up their mobile-cracking game, much is at stake.

Trouble in store

All this would suggest that having an agnostic approach to BYOD (bring your own device) would be unwise. There are many specific operating system areas that IT teams would be advised to explore when drawing up mobile policies.

For those without a large security team (which is most businesses in the world), one sensible approach is to consider how far the security community has probed for vulnerabilities in an operating system.

Take Android: though it is considered far more vulnerable than iOS, the number of researchers hacking away at it is high, meaning IT teams will learn about critical weaknesses in Google’s operating system not long after they are uncovered. As the furores around Apple’s recent technology problems attest, the same goes for iOS.

“[Android] is a platform that has been thoroughly tested and has a well-known attack surface for which companies can place adequate security controls,” says Lafuente.

“Android can be as secure as any other platform if the phone is configured adequately. However, other platforms such as Firefox OS may require additional research before it can be established that they are suitable for a corporate environment.”

IT teams would also be wise to check the security of app stores related to particular platforms, adds Lafuente.

“For example, iOS has tight controls over the applications published in its market, making it difficult for hackers to publish malicious applications. Another good example is the Windows Phone. Microsoft recently went through it removing thousands of apps from its store because they were bogus,” he says.

The Google Play store, however, has been riddled with malicious apps. And for anyone hoping to do regular audits of mobile operating system security,  GCHQ’s CESG body produces End User Devices Security Guidance bulletins, which can include useful tips from the world’s top spies.

Whether the business is considering a BYOD policy, or a CYOD (choose your own device) approach where workers select from a range of pre-selected phones, knowing the type and state of each operating system can vastly help secure the business.

Any organisation that has the budget should certainly consider getting as granular as possible on operating system security.

Running to stay still

But here’s the quandary facing most underfunded IT professionals today: while a policy covering every single operating system in detail might provide the ultimate solution, it is time-consuming and close to impossible for the average business.

Even attempting one might be the wrong route to safety, according to Lafuente.

“If you want to accept all platforms available then you have to make sure that your IT department can handle the security concerns on all platforms. It will not be easy to keep up with the numerous new platforms that are coming to the market,” he says.

Think of the complexity of Android or any open, multi-device operating system: problems are not just in the operating system code, they are across the myriad handsets produced by partners.

“The challenge with Firefox OS is the same with Android... Mozilla could do a sterling job but the handset OEM can potentially undo a lot of their security work,” says Ollie Whitehouse, technical director of security consultancy NCC Group.

This untold complexity that comes with BYOD, added to the fact that every mobile operating system is vulnerable, has led to some calling for a shift away from OS-focused approaches and towards a holistic, flexible methodology.

The policy should allow IT to quarantine or wipe devices that pose a threat

Nigel Stanley, practice director for cyber security at consultancy OpenSky UK, says the ideal policy would install the adequate technology to cover the majority of issues across operating systems and shift far more responsibility onto users, without getting mired in the details of every operating system’s security.

“You have to push the onus onto the user. The most important control is to have employees use pins and passwords,” Stanley says, noting that many still don’t enforce this basic rule effectively.

Every organisation should carry out thorough education programmes on the basics of mobile security, he adds.

The argument against such an approach would read thus: what does IT do when an OS-specific vulnerability lands, as happens every month or so? Can it simply be ignored?

Stanley, who has been helping clients draw up BYOD policies for a decade, says caveats within the policy should allow IT to quarantine or entirely wipe devices that pose a threat.

When a major flaw or a pernicious piece of malware is reported, IT can simply call in workers running vulnerable systems and apply patches or take more drastic action. In drawing up such policies, HR and legal departments should be brought in to assist, he adds. When employee devices contain photos of their family members or any data they deem vital to their existence, things could get sticky.

“In the policy, the user has to take care of the apps. If they are suspicious they have malware on their phone, they have to contact IT,” Stanley says.

“You need a right to remove device access to company systems if the organisation believes there is an app that presents a risk.”

This kind of BYOD strategy is likely to appeal more to business leaders too. For them, the aim of BYOD is to improve productivity; security comes later.

“The best strategy is to embrace mobile as a means to improve productivity and in parallel adopt security solutions that can identify and protect against attacks on mobile,” says Yair Amit, CTO and co-founder of Skycure, a Tel Aviv-based mobile security company.

“Employees push for being able to use their beloved devices. In some cases, fighting this trend is futile, especially in employee-oriented companies. Therefore the IT role is to find a security solution that allows them to support the business and still be able to sleep at night.

“The rules have changed and the perspective on security is that it should enable business, not block it. Employees want to use their favourite devices for personal and business activity. They really don’t like to be dictated to on the devices and apps they use.”

At the technical level, there are a variety of products that can support a broad policy covering all operating systems. Indeed, some are essential, such as support for full device encryption and remote wiping in case of a lost or stolen device.

Another fine mess

Mobile device management and software that can do containerisation and allow for “dual personas” to split work and life usage, as seen in BlackBerry phones and in Samsung’s Android-based Knox technology, enable security to be applied, depending on where the data resides and who produced or owns it.

“With this type of technology I as a user can install my apps and do what I want to my data. However as an administrator of a dual-use device I can apply my policies over the organisation’s data, be it password requirements, limiting which apps are used and so on,” says Whitehouse

“The modern mobile device management platforms typically make management simple these days.”

Despite all these solutions, for many organisations BYOD has become one of the the most troubling IT issues of recent memory. Stanley believes it is the biggest information security problem since the dawn of the USB stick (which one might consider part of the same issue).

“The majority of people haven’t a clue.They are really struggling to get their heads around BYOD,” he says.

“The smartphone is the most intimate form of computing we’ve ever had.Think about the personal and corporate data it has about you. Therefore protecting these assets is vital.”

Amit thinks most businesses just don’t understand the nature of the threat.

“Organisations today are not only exposed to a variety of network and app-level attacks. The shocking reality is that most don’t even know when their employees get attacked and what are the attacks’ nature and impact,” he says.

“As a result, they are unaware of the mobile security exposure in their organisation. This is a clear growing concern among CIOs and CISOs of organisations we are interacting with.”

In short, the state of BYOD across the world is in something of a mess. That mess is a product of a threat climate that is riddled with complexity, and the multiple issues affecting the various operating systems.

With budgets in mind, companies have come critical choices to make when it comes to BYOD and the influx of various operating systems. They could invest heavily in mobile security, go as granular as they can and apply rules for for each operating system.

Nothing is perfect

Alternatively, they could opt for a set of policies that can cover all bases at once without focusing on specific software. This would appear to be the most sensible course, though the former approach would undoubtedly better protect the enterprise. As with anything in security land, all paths are fraught with expense and vulnerability.

But here’s the upside: mobiles bring better security than desktops (especially in a world full of unsupported Windows XP machines) and greater productivity.

“Mobile security is head and shoulders ahead of the desktop. If you are still running Windows XP in your organisation we’d recommend you focus on that,” says Whitehouse.

“You are more likely to have an employee phished and be hacked that way than have someone target a mobile device.

“While organisations should be risk aware and take steps, it shouldn’t stop them realising the benefits of having a mobile and functional workforce.” ®