Cyber Security Articles

What This Cyber Security Articles Page Is About

The goal of Journal of Cyber Policy is to provide commentary and stimulate conversations about important cyber security topics. Our parallel goal is to discuss cyber issues in plain English, liberating this critical subject from the exclusive realm of specialized engineers and hackers. Throughout, we try to talk about cyber security and related issues from the perspectives of public policy, national security, corporate policy and compliance.


Why Articles about Cyber Security Matter

We are living in an era where digital technology dominates so much of our lives. Digital risk naturally accompanies this reality. Smartphones, the IoT, the Internet and so forth make our lives easier, but they also expose us to threats. Some of these threats come from nation state actors. We believe Americans could be better-informed about these risks. And, while there’s certainly no lack of content online about cyberthreats, room still exists for cyber security articles that integrate the subject’s diverse themes of technology, politics and business.

For example, Russian disinformation and Chinese espionage are not new, but today’s digital landscape makes these familiar tactics deadly, in political terms. The Cold War was largely analog in nature, with offensive campaigns quite limited in scope and impact. While Cold War dynamics may survive today, they are having a radically different effect on American society and politics than anything that came before.

It can be tricky to tease out the differences between today and a generation ago. American politics and governance have always been messy, dishonest and idiotic, but there were at least some fact-based controls on it. This is no longer the case. Our enemies are exploiting this new reality. In some cases, they’ve created this new reality.

We see the impacts of these new measures, but leaders across the government and business sectors generally fail to understand the transformative nature of technology, e.g. Amazon is not just a bigger mail order store; the iPhone is not just a phone with fancy features, and so forth. These cognitive gaps lead to deficiencies in the perception of risk. They enable our leaders to underestimate our enemies and how they can win without firing a shot. We also tend to overestimate our defenses and resiliency.

The digitization of society, commerce and politics renders America defenseless in ways that we are only beginning to understand. Digital transformation is double-edged. America’s rush to digitize its economy and society produces as much risk as it does benefit. For example, we have to manage the tensions between mobility and surveillance, between big data and privacy, and so on.

The Topics We Cover in These Articles

We deal with a wide range of cyber security topics in these articles. Some discuss cyber election interference. Others look at geopolitical cyber risks, such as our recent series on Russian disinformation and “Active Measures.” We will frequently check in on the state of enterprise architecture and cloud computing, seeking expert insights into the best practices and new security technologies that are influencing security policies in these areas of information technology. We cover the gamut of security subjects: malware, phishing, identity and access management (IAM), privileged access management (PAM), zero trust, data security, application security, secure DevOps (DevSecOps), red-blue teaming, automation, Security Orchestration, Automation and Response (SOAR), threat monitoring, incident response, intrusion detection, encryption, key management and on and on. Our cyber security articles look at compliance and government cybersecurity frameworks like the NIST CSF, GDPR, CCPA and more.

Staying Ahead of Evolving Mobile Threats

Corporate computing is going mobile, with mobile corporate internet usage surpassing desktops in 2016. Now, mobile and tablets account for a full 57% of corporate internet use. With this trend, though, there’s been a commensurate increase in cybercrime targeting mobile devices.

Why wouldn’t there be? Hackers want to be where the action is. The problem for hackers is that mobile devices typically have stronger basic security than their desktop peers. Between mobile device manufacturers and telecom carriers, mobile apps tend to get more vetting than traditional software. Operating systems are more tightly controlled. Sandboxing is more common as well, making data leakage less likely.

Michael Covington, VP of Product Strategy at Wandera

The attackers have improvised in response. Mobile phishing, for example, has become far more sophisticated in recent years. Phishing URLs have adapted to mobile browsers. Also, according to Michael Covington, VP of Product Strategy at Wandera, the mobile device security company, we’re experiencing a rise in “malvertising.”

The practice, which sounds like something that should have been cut out of the script of Mad Men, involves placing phishing links in mobile ads that get served through bogus ad networks. “It’s pretty crafty, you have to admit,” Covington remarked. “You might be using an app on your phone that’s totally legitimate, but the ad running at the bottom of the screen is phishing bait.”

Covington further outlined why mobile use is becoming riskier as hackers reinvent themselves for this age of mobile internet. Citing research from Gartner, IDC and CIO as well as Wandera itself, he shared a few startling facts: Over 50% of corporate data usage is not business critical; one in seven employees accesses adult, gambling or extreme sites weekly on mobile devices; 72% of employees use unauthorized “Shadow IT” services like public cloud-based file sharing services; 25% of all businesses have devices that are being cryptojacked; one third of all malware will be mobile by 2019; and one in 25 mainstream apps leaks sensitive credentials.

Ouch! Seriously, how are you supposed to play online poker on your corporate-issued mobile device if it’s being used for cryptojacking? That doesn’t seem fair.

What’s clear is that corporate mobile devices now present a far broader attack surface area than ever before. Risk mitigation processes must keep pace with the rapid evolution of the threat landscape. This is the work Wandera has undertaken.

Wandera belongs to a new generation of cyber security companies that are transcending the static modes of protection that have dominated the field for years. They seem to understand that the threat actors are not standing still, so the defender can never rest, either. Theirs is a dynamic, wide-ranging set of countermeasures.

The Wandera app

Structurally, Wandera is pretty simple. It’s an app that tracks mobile device usage and system characteristics. The app connects to a mobile-first gateway that interfaces with a real-time threat intelligence and reporting engine. There is no VPN, which can introduce performance lags and drain batteries. Beyond this simple architecture, however, lies a rich threat detection and response capability.

The app looks for suspicious behaviors, like excessive CPU usage. It also flags known malware, potentially untrustworthy access points or data leakage. For example, if the device is sending out personally identifying information (PII) without encryption, Wandera will issue an alert. This event could signal an attack or the use of an insecure mobile site. Both expose the device (and the device-issuing organization) to risk.

It never stops. This is the new world of cyber security. Every second, as the threat intelligence database grows larger and smarter, the app continues its vigil. It’s a continuous process.

Wandera is also approaching mobile security from a holistic perspective. For instance, as companies shift to an all-mobile strategy and provision employees with a single device for mobile and virtual desktop use, they need a security solution that works across all use cases. This is the Samsung strategy, where the DeX solution enables a worker to move around a corporate campus with a Samsung phone that plugs into docking stations and transforms into a desktop experience.

The security challenge in this case, however, is to ensure that all communications between the device and the corporate network are secure. “There’s a potential gap in security with phones acting as a virtual PC,” Covington noted. “If you’re relying on cellular connections for backhaul to the corporate network, you’re making yourself vulnerable.” Wandera tracks such connections along with everything else. The company partners with the major players in the space, including Citrix, Samsung, and IBM.

These are early days for mobile security. The innovations we’re seeing in the market are encouraging, though. As mobile device use becomes a universal aspect of corporate life, we’re going to need all the help we can get.

Photo Credit: Semtrio Flickr via Compfight cc

Presenting OT Security Risk to the Board

By Phil Neray, VP of Industrial Cybersecurity at CyberX

Operational Technology (OT) networks were traditionally kept separate, or “air-gapped,” from IT networks. However, new business requirements associated with the efficiency benefits of digitalization, such as smart environmental control systems, just-in-time manufacturing, and interactive systems tied to Big Data, are forcing increased connectivity between IT and OT networks. This has led to an increase in attack surface and cyber risk.

Protecting OT networks is a challenge. While some OT networks may have similarities to IT networks – and lend themselves to the traditional types of security measures used to protect them, such as SIEMs and firewalls – there are many characteristics of OT networks that differ from traditional IT systems. These differences include: specialized protocols such as Modbus for PLCs; difficulties with patching systems that run 24/7; legacy embedded devices with proprietary architectures; differences in network behavior; and long equipment replacement cycles.

This means that simply transferring security processes and technology from IT to OT will not succeed in protecting OT networks. It’s important that your board of directors understands these key differences, as well as the risks associated specifically with OT networks.


Framing a Board Discussion Around OT Security

A key goal of the boards of most enterprises is to maintain an appropriate balance between protecting the security of the enterprise and its ability to function, as well as controlling financial outlays from losses.

Boards care about “strategy – not operations,” “risk oversight – not risk management,” and “business outcomes – not technology details.”[1]

A recommended approach of engagement with your board involves six questions outlined by the US Department of Homeland Security (DHS).

Question #1: What’s at risk – are assets prioritized and potential consequences identified if our ICS is compromised? Can we sustain operations of critical processes following a cyber incident?

Question #2: Who is ultimately responsible for cybersecurity?

Question #3: Is there Internet connectivity to our ICS environment? If no, how did we validate that fact?

Question #4: Is there remote access to our ICS network? If so, why, and how is it protected and monitored?

Question #5: Do we have a DHS HSIN account to receive alerts and advisories?

Question #6: Are best practices being applied?

Ideally, in any discussions with your board regarding OT security risk you will be able to describe your OT cybersecurity efforts in the context of a cybersecurity framework based on OT industry best practices.

Identifying Key Metrics to Present to Your Board

Time, safety and continuation of services are of great importance, since many ICSs are in a position where failure can result in a threat to human lives, environmental safety, or production output.[2]

A critical element in eliciting a meaningful metric is to gather the relevant information about one’s system and to align that metric with measurable goals and strategic objectives which lie within the scope of a given project or the domain of an enterprise structure. Categories may include enterprise, operational, and technical metrics.[3]

Simple metrics might include checks to ensure that employees received appropriate background checks, activation of locked gates, or data being encrypted at appropriate levels.

Cyber Insurance for ICS/OT

One of the responsibilities of a board is to transfer risk inherent in operating an enterprise. That is often done through the purchase of insurance policies from third-party enterprises.

ICS-specific cyber insurance is also available. However, unlike the predictable costs associated with the loss of personal data, or the relative ease of projecting the amount of revenue lost from an e-commerce site not being available during a specific period, modeling the costs associated with attacks against an ICS and related infrastructure tends to be unique to each case.

As such, the insurance premiums charged to protect against ICS/OT-type losses tend to be very customized – and much higher than IT-related cyber insurance, as it is near impossible in many cases for an insurance underwriter to spread your distinct ICS/OT risks across multiple policy holders.

It is imperative to provide the board of directors with a financial model that enables them to engage in an informed discussion with insurance providers. This will enable your board to decide whether to utilize third-party insurance to transfer risk or to self-insure.

Presenting OT Security Risk to Your Board

While it may seem obvious, preparing to present to your board should include knowing your audience: Who are they? What is their background? What role do they serve on the board? What are their biases and passions?

Keep the presentation short and to the point (Gartner’s Rob McMillan suggests a 7-slide approach), and focus on facts, risks, the future and actionable plans. Topics to be discussed may include[4]:

  • Disclosure of any known threats, including insider, supply-chain/third-party risks, nation-state, etc. and potential business impact for each risk
  • The maturity of your cybersecurity efforts that includes a mapping of your cybersecurity framework to an accepted capability maturity model. This should include enterprise readiness, areas of most concern, ability to transfer (outsource) risk, etc.
  • Updates on key security metrics that you are tracking
  • Anecdotes about other enterprises within your industry that have experienced – and addressed – ICS cyberattacks


Summary

There are increasing security risks associated with OT networks. According to the most recent SANS Survey, the current lack of visibility into the security and resiliency of OT networks is far-reaching – with the majority of respondents (59%) stating they are only “somewhat confident” in their organization’s ability to secure their ICS/SCADA infrastructure.

In addition, the increasingly blurred lines between traditional IT networks and OT networks have introduced additional challenges.

Given the potential implications to the health and safety of human lives, environmental damage, financial issues such as production losses, negative impact to a nation’s economy, and in a worst-case scenario the very ability of a society to function, it’s important that OT network security be addressed in a manner like IT network security – including having board-level visibility.

Centralized leadership for both IT and OT security, combined with a security program that incorporates a cybersecurity framework designed specifically for OT networks, along with the appropriate ongoing monitoring and measurement of that program, will help enterprises manage and minimize their OT security risks.


Endnotes

[1] Gartner – Security & Risk Management Summit 2018 – ‘What Your Board Wants to Know’

[2] NIST Guide to Industrial Control Systems – SP 800-82

[3] Sandia National Laboratories – Security Metrics for Process Control Systems

[4] Gartner – Security & Risk Management Summit 2018 – ‘What Your Board Wants to Know’


About the Author: Phil Neray is the VP of Industrial Cybersecurity for CyberX. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a 1st Degree Black Belt in American Jiu Jitsu.

(Twitter: @redecker99)

Photo Credit: Pigeoneyes.com Flickr via Compfight cc

Signs of the Paradigm Shift in Identity and Access Management

As we come to the end of 2018, it’s difficult to see what meaningful progress has been made in cyber security. There has been a creeping shift in awareness. Executives and politicians are getting the message, however muffled, that cyber is not going away, nor will it get any easier to manage its risks. The DHS’s decision to upgrade cybersecurity to its own agency is a welcome step. Still, the epic Marriott breach felt like the perfect end to a year when few seemed to have learned much about the cyber threat facing the United States and the world at large.

Signs are on the horizon, though, that big changes are on the way. New products and ventures are taking on bigger challenges, raising the stakes and declaring that the status quo will no longer suffice. This spirit is in evidence with Acceptto, an early stage company that just emerged from stealth mode. Acceptto is one of several companies driving paradigmatic changes in the area of identity and access management.

It’s a very timely and worthwhile effort. Having spent 2018 looking at an exhausting series of data breaches and cyber defense meltdowns, I can say with some confidence that the issue of identity is at the heart of most serious risk exposure. It’s not the only factor, of course, but if you can’t be sure of who is who and whether a user is authorized to access a particular digital asset, you’ll never be truly secure. This is the founding premise of Acceptto.

Shahrokh Shahidzadeh, CEO of Acceptto

Acceptto’s approach is to remove reliance on binary methods of authentication such as username/password. Even two-factor authentication (2FA) and more complex multi-factor authentication (MFA) methods are simply not strong enough anymore on their own. “They give you a yes or no without context,” said Shahrokh Shahidzadeh, CEO of Acceptto. “It’s imperative to have smarter auth. Existing 2FA and MFA systems are too easily fooled.”

Instead, Acceptto offers a continuous, cognitive method of authentication.  The solution blends AI and machine learning to distinguish good users from threat actors. It analyzes access requests along multiple, behavioral dimensions to determine if a user is legitimate. For example, if a user logs into a corporate VPN from the same zip code 100 times using an iPhone during business hours, but then tries to log in from a foreign country at 2:00AM using an Android device, this anomaly will trigger the system to throw up barriers to access.

The standard MFA solution to this problem is to issue a verification code via SMS or a comparable step. This can be hacked, however. More in-depth countermeasures are needed.

“Our goal is to reduce friction,” Shahidzadeh added. “We create a derived credential from many different data points about the user and his or her access patterns. We call this a dynamic Level of Assurance or LOA. We can go without a password for the best users. They get through with almost no interference. Bad actors get shut out.”

Acceptto then follows the user through their session, continuously re-checking their authentication status. “One of the big problems we have in security is the ‘all-you-can-eat’ mindset of many access control frameworks. Once you’re in, you’re in. That is not a wise way to mitigate risk, especially when you consider how malicious actors move across networks into places they’re not supposed to be.”

If a user normally accesses a certain set of digital assets, but then diverges and goes elsewhere in the network, Acceptto flags this behavior. It may be nothing, but it’s a good practice to know where users are going. Once flagged, a suspicious user can be subjected to a variety of MFA techniques for further verification. The level of verification depends on the perceived level of risk. Acceptto runs in parallel with most major IAM solutions. These include LDAP, Microsoft Active Directory, Palo Alto VPN and others.
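The dynamic level-of-assurance idea described above, as an added illustration written for this page (it is not Acceptto’s code or model): a per-user behavioural baseline, a weighted novelty score across location, device, hour and resource, a risk tier that passes routine users through, steps up MFA, or shuts the request out, and a session re-check that flags a user drifting to assets they never touch. The field names, weights, thresholds and sample login history are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One access request. Field names are assumptions for this illustration."""
    user: str
    when: datetime
    zip_code: str
    country: str
    device: str      # e.g. "iPhone", "Android"
    resource: str    # the digital asset being requested


# Illustrative weights (assumed, not a vendor's model); they sum to 100.
WEIGHTS: Dict[str, int] = {"zip": 20, "country": 30, "device": 20, "hour": 10, "resource": 20}

# A value seen in at least this share of a user's history counts as fully familiar.
FAMILIAR_SHARE = 0.05


def _signal_values(event: AccessEvent) -> Dict[str, object]:
    """The behavioural dimensions an event is scored on."""
    return {"zip": event.zip_code, "country": event.country, "device": event.device,
            "hour": event.when.hour, "resource": event.resource}


class Baseline:
    """Per-user behavioural profile built from past legitimate access events."""

    def __init__(self, history: Iterable[AccessEvent]) -> None:
        events = list(history)
        self.n = len(events)
        self.counts: Dict[str, Counter] = {s: Counter() for s in WEIGHTS}
        for e in events:
            for signal, value in _signal_values(e).items():
                self.counts[signal][value] += 1

    def familiarity(self, signal: str, value: object) -> float:
        """0.0 for a never-seen value, rising to 1.0 once it reaches FAMILIAR_SHARE of history."""
        if self.n == 0:
            return 0.0
        return min(1.0, self.counts[signal][value] / (FAMILIAR_SHARE * self.n))

    def learn(self, event: AccessEvent) -> None:
        """Fold an accepted event back in so the profile keeps adapting to the user."""
        for signal, value in _signal_values(event).items():
            self.counts[signal][value] += 1
        self.n += 1


def risk_score(baseline: Baseline, event: AccessEvent) -> int:
    """Weighted novelty across all dimensions: 0 = routine, 100 = entirely new behaviour."""
    score = sum(WEIGHTS[s] * (1.0 - baseline.familiarity(s, v))
                for s, v in _signal_values(event).items())
    return int(round(min(score, 100.0)))


def decide(score: int) -> str:
    """Map risk to a dynamic level of assurance: pass through, step up MFA, or block."""
    if score < 20:
        return "allow"
    if score < 60:
        return "step_up_mfa"
    return "block"


def evaluate_session(baseline: Baseline, events: List[AccessEvent]) -> List[Tuple[str, int, str]]:
    """Re-check every request in a session instead of trusting the initial login.
    Allowed events are learned; flagged ones are not, so an anomaly cannot train itself in."""
    out = []
    for e in events:
        score = risk_score(baseline, e)
        verdict = decide(score)
        if verdict == "allow":
            baseline.learn(e)
        out.append((e.resource, score, verdict))
    return out


def sample_history(user: str = "alice") -> List[AccessEvent]:
    """Constructed baseline: 100 business-hour VPN logins from one zip code on one iPhone."""
    start = datetime(2018, 6, 4, 9, 0)
    return [AccessEvent(user, start + timedelta(days=i // 8, hours=i % 8),
                        "97201", "US", "iPhone", "vpn") for i in range(100)]


def demo() -> Dict[str, Tuple[int, str]]:
    """Score three constructed logins: routine, a new device, and the 2 AM foreign Android case."""
    base = Baseline(sample_history())
    cases = {
        "routine": AccessEvent("alice", datetime(2018, 12, 3, 10, 15), "97201", "US", "iPhone", "vpn"),
        "new_device": AccessEvent("alice", datetime(2018, 12, 3, 10, 15), "97201", "US", "Android", "vpn"),
        "foreign_2am": AccessEvent("alice", datetime(2018, 12, 3, 2, 0), "10115", "DE", "Android", "vpn"),
    }
    return {name: (risk_score(base, e), decide(risk_score(base, e))) for name, e in cases.items()}


def session_demo() -> List[Tuple[str, int, str]]:
    """Constructed session: a routine VPN login, then a jump to an asset this user never touches."""
    base = Baseline(sample_history())
    session = [
        AccessEvent("alice", datetime(2018, 12, 3, 10, 15), "97201", "US", "iPhone", "vpn"),
        AccessEvent("alice", datetime(2018, 12, 3, 10, 40), "97201", "US", "iPhone", "hr-payroll-db"),
    ]
    return evaluate_session(base, session)


if __name__ == "__main__":
    print(demo())
    print(session_demo())
```

The routine login scores 0 and passes through, the unfamiliar device alone is enough to trigger a step-up, and the foreign 2 AM Android login accumulates novelty on four dimensions and is blocked; in the session, the first request is learned while the jump to an unfamiliar asset is held for extra verification.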

Photo Credit: TheBetterDay Flickr via Compfight cc

Security Engineering Principles for Mobile Apps

When we look back on this era, we might observe that the road to security nightmares was paved with convenience. In an understandable drive to make our lives easier, we are now succeeding at exposing ourselves to greater risk. Mobile apps for cars provide just one example of this phenomenon. Many cars now offer a mobile app for remote unlocking, remote starting and more. The problem is these apps make life convenient for car thieves as well.

The architecture of mobile car apps creates some of the vulnerability. For instance, the app does not connect directly with the car in most cases. It typically sends a message to a cloud-based server, which then sends instructions to the car through a cellular connection. The convenience here is to allow the car owner to activate the car even while out of range of the device’s Bluetooth. The vulnerability is that a malicious actor can take over the app and unlock the car without the owner knowing it.

Asaf Ashkenazi, VP of Product Strategy at Inside Secure

“Even if the cloud service is secure, you can still hack the device,” explained Asaf Ashkenazi, VP of Product Strategy at Inside Secure. He added, “Once the car has authenticated the cloud, it’s not usually designed to authenticate the device. You can attack the app on the phone and fool the cloud.” He also explained that reverse engineering or stolen credentials could achieve the same objective for the hacker.

While cars provide an understandable example, the risk is actually much broader in scope. The entire Internet of Things (IoT) suffers from similar vulnerabilities. One solution, according to Ashkenazi, is to apply security engineering principles at the app level. This is the Inside Secure approach. The idea is to protect the app itself, independent from the device’s operating system.

“If you’re depending on the OS for security, you may be exposing yourself to risk,” he noted. “Though smart phones are relatively safe now, if you’re paying attention, you’ll see that the race is on to crack mobile devices far worse than they’ve been to date.”

Inside Secure offers developers a toolset that enables them to embed protections into the app code itself. The company, which has been in business for 20 years, has its technology inside many banking apps and network routers.

Photo Credit: Thomas Hawk Flickr via Compfight cc

Securing Collaboration

The Talmud, the 2 million word-long book of Jewish law, contains a number of discussions of whether it is possible to commit two or more sins in a single act. For example, if you eat non-kosher food on a fasting day, you’ve carried out two forbidden acts by taking just one bite. We have a similar issue in the modern world of cyber security.

It is possible, it seems, to violate multiple laws and security policies by clicking just one button. Consider what happens when a healthcare professional in the EU sends an unencrypted email containing patient medical data to a recipient in the US. One message, but at least two security and compliance transgressions.

This is the conundrum of secure collaboration. You want your people to be able to communicate and collaborate easily no matter where they are. Employees move around a lot, whether it’s simply commuting, working at home on certain days or running around the globe on business. Projects must go on. Team members need to exchange information to get things done.

Aaron Turner, CEO of Hotshot

A variety of tools make this possible. These include collaboration and communication apps like Skype and Slack as well as traditional forms of communication like email. There’s a big problem with most of these solutions, however. They tend to leave data vulnerable to hacking. Data gets left on servers. Devices can get compromised. In some locations, the government has access to encryption keys, the better to spy on citizens and foreigners.

Even with security safeguards in place, roaming employees might easily run afoul of data sovereignty laws like GDPR. Or, if they work in healthcare, they might inadvertently violate HIPAA by messaging about a patient’s health problems. If nothing else, employees might transgress corporate data protection policies through the use of everyday collaboration tools and email.

Hotshot has taken on the job of resolving this conundrum. The company has developed a team messaging tool that addresses many of the most challenging security and compliance issues that arise in collaboration. The Hotshot app, which is available in native form for iOS, Android, Windows and Mac, is based on a proprietary secure message channel.

The app’s users control both encryption and data use policy. The central Hotshot infrastructure serves as what CEO Aaron Turner calls a “dumb switchboard.” The end user owns the encryption keys. Hotshot does not have access to them. “There is no central data store to hack,” Turner explains. “The user has the keys.” Hotshot does maintain an audit log of communications, but the central server has no personally identifying information on it.

Hotshot’s policy management interface

Hotshot also provides a policy control interface. Administrators can establish data retention policies for the app. This way, users can collaborate without concern about inadvertently violating policies. Similarly, the app allows admins to establish geographic boundaries for users. For example, users can be prohibited from receiving messages in certain countries to avoid violating GDPR rules.

The app and its broader system appear to make it possible to enjoy a high level of security in a flexible, collaborative environment. It’s likely the industry will see more innovations like this in the near future as organizations struggle to enable remote work and collaboration with third parties while not running afoul of the law or exposing themselves to damaging security incidents.

Photo: Image of a page of The Talmud, Credit: Chajm Flickr via Compfight cc


Cyber Geopolitics: The Paris Call for Trust and Security in Cyberspace

This is the first in what I hope will be an ongoing series about the interplay between cyber security and geopolitics. At last week’s Paris Peace Forum, President Emmanuel Macron announced the Paris Call for Trust and Security in Cyberspace. The pact, non-binding and largely lacking in specifics, still represents a coordinated effort to get countries to agree on a set of international rules for cyberspace.

Dozens of countries and corporations signed on to support the Paris Call, which builds on earlier agreements like the Budapest Convention. Supporters are agreeing to work together to increase prevention against, and resilience to, malicious online activity. The Paris Call also advocates for strengthening relevant standards to protect the accessibility and integrity of the Internet, with protections for intellectual property and enhancement of “cyber hygiene” in products.

The timing was auspicious, occurring the day after the 100th anniversary of the end of World War I. Now that the soldiers of the “Great War,” as it was known at the time, have all passed into history, a new generation of world leaders appears to be taking responsibility for avoiding the next destructive conflict. The Paris Call is a recognition that cyberspace is one of the potential battlefields that could trigger a worldwide conflagration.

US Marines deploy into battle in WWI

A lot has happened in 100 years. It would probably have been hard for those who fought in the Great War to imagine what a cyber war would look like. Yet, at the time, WWI was the most advanced technological war ever fought. It brought science to the battlefield, with tanks, airplanes, submarines, telephones, chemical weapons and so forth. From the vantage point of 1918, it would not be a big leap to assume that today’s advanced technologies will be turned into weapons.

The announcement of the Paris Call provides an opportunity to explore a topic that is emerging, both explicitly and implicitly in discussions about cyber security and cyber policy: The tension between nation state actors and the global nature of technology. The two entities exist separately, with overlapping and deeply conflicting goals.

What’s good for the world of technology is not necessarily good for a given country, in terms of national security and economics. Highlighting the essence of this tension, neither the United States, Russia nor China signed on to support the Paris Call. That can tell us a lot. These are the world’s biggest cyber operators. They don’t want to be constrained, even by a symbolic agreement.

I asked several cybersecurity experts for their perspectives. Paul Bischoff, privacy advocate at Comparitech.com, put the US refusal in perspective, explaining, “The US is also involved in a fair deal of cyber espionage, and it has its own interests to worry about. The US is home to most of the world’s largest and most profitable tech and internet giants, many of which served as a medium for previous election hacking campaigns. This pact could seek to regulate them. And after seeing Trump walk away from the Paris Climate Accord, I’m not sure why anyone would be surprised at this result.”

Colin Bastable, CEO of Lucy Security, condemned the effort, saying, “This is grandstanding by a politician, a nothingburger.” Mounir Hahad, head of the Juniper Threat Labs, similarly opined, “This initiative is DOA (Dead On Arrival). The non-signatories are the countries that are the most active in cyberspace in terms of intercepts, espionage and even offensive cyber warfare.”

“The Paris Call for Trust and Security in Cyberspace is replete with good intentions but likely short on practical results,” said Pravin Kothari, CEO, CipherCloud. “Statements of support to stop online mercenary activities and offensive activity are important and worthy of public praise and U.S. participation. That said, there is no operational legal framework within the Paris Call that can produce any new or meaningful results.”

Bastable offered added perspective, noting, “The conflict is between those who want an unregulated internet, and those who want a regulated internet. Nation states and global entities (corporations, NGOs etc.) combine to impose control. It is a three-cornered fight – globalists who want global control, nationalists who want national control, and users who want personal control.” His recommendation? He said, “We should not seek reconciliation in this conflict – conflict drives innovation. Tension between interest groups creates new technologies.”


French President Emmanuel Macron at the Paris Peace Forum on November 11, 2018. (VOANews Photo)


Will this agreement have any impact? Hahad expressed doubt, saying, “One can hope that the world comes to abide by such an agreement, but it is naive to believe that we are at a point where all countries are ready to sign it. For us to reach that point, the internet has to evolve to allow for irrefutable attribution of cyber attacks and I’m sad to say that it may also require a catastrophic attack for the world to come to its senses. There is a very strong parallel with nuclear weapons.”

Kothari added, “In the absence of meaningful enforcement within such initiatives such as the Paris Call, we need to continue to call out bad actors, confront them on the world stage, and work with our allies to mitigate and contain their activity.”

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, thought it is not enough. As he put it, “I appreciate the Paris initiative; however, it falls short of being the Digital Geneva Convention. We need to go further. The only effective way to prevent significant widespread attacks will be to institute a formal agreement with a global mechanism of international penalties enforced by many countries. My hope is that the largest governments of the world will not wait for a catastrophic precipitating event to put this type of framework in place.”


The consensus seems to be that the Paris Call is a helpful step toward a real solution, but ultimately a symbolic action despite the number of endorsements it has received. The difficulty will likely lie in creating an effective global mechanism of international penalties, as Bilogorskiy suggested. There are many incentives for nation states to avoid such a system, despite the risks inherent in avoiding accountability and control over cyberspace.


Photo Credit: nitr0gene Flickr via Compfight cc

Photo Credit: Archives Branch, USMC History Division Flickr via Compfight cc


Moving Beyond Passwords (Finally? Really?)

Will we ever be free of passwords? I once worked at a global tech company where a breathless IT staffer told me that the whole organization would be off of passwords within 18 months. Instead, we would all use PCMCIA cards. That prediction received more than its fair share of eye rolls. At the time, George W. Bush was president. Just saying… They’re still on passwords today.

Indeed, the mere concept of a no-password enterprise has been greeted with a notable degree of opprobrium from the IT establishment. No-password advocates have grown taciturn as the forces of entropy become even more intransigent in the face of change. Being sanguine about dropping passwords has been out of style, but things are starting to change.

John Spencer, Veridium’s Chief Product Officer

The password-less future has long been predicted, but never realized. There are many reasons for this, and we may never be fully rid of passwords. Some password use cases will be with us through the next ice age. It seems, though, at long last, that technology has finally caught up to its potential to remove the password from everyday use.

It’s definitely time to get rid of passwords wherever possible. As Veridium’s Chief Product Officer, John Spencer, explained, password logins increase the risk of data breaches. Passwords can be guessed or, worse, shared. They can be stolen or phished. And users tend to forget them. Companies spend significant amounts of money on helpdesk calls for password resets. Tokens, which usually accompany passwords because of their vulnerability, are also expensive.

Veridium is seeking to solve this dilemma, especially with regard to Citrix instances. The company is now working closely with Citrix to eliminate password logins in Citrix environments. Spencer, who is a former Citrix executive, also shared that Citrix has made an investment in Veridium recently.

The Veridium solution gets rid of passwords for Citrix ShareFile, virtual desktop infrastructure (VDI) and network security offerings. It works primarily by authenticating users with biometrics on their mobile devices. When a user wants to log into a Citrix system, the Veridium solution pushes a notification to the user’s device. When prompted, the user confirms with a fingerprint or facial recognition on the device. The device then signals the Citrix system to let the user in.

This approach has several advantages over earlier attempts to remove passwords from the login process. For one thing, it decouples the biometric authentication from the target system. Instead of having to install biometric devices in front of every point of access to a Citrix system, Veridium leverages a biometric scanner that virtually everyone already has in his or her pocket.

Veridium / Citrix Logon showing Username only

The process also reduces the risk of hacking by tying the biometric authentication to the user. Yes, a phone can get stolen. Its biometrics could be hacked, but it is far more likely to be in the possession of its owner (and the owner’s fingers or face).
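To make the security properties of a push-to-device login concrete, here is an added illustrative model of the flow described above. It is not Veridium’s or Citrix’s code: the biometric check is modelled as a simple `owner_present` flag on the device, and a per-device HMAC secret established at enrollment stands in for the device-bound key pair a real product would use (an assumption made to keep the example standard-library only). What it shows is that the server never handles biometrics; it only verifies that an enrolled device answered a fresh, single-use challenge.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

CHALLENGE_TTL = 60  # seconds a pushed login prompt stays valid (assumed value)


@dataclass
class Device:
    """Constructed stand-in for the user's phone. The fingerprint/face check is
    modelled as `owner_present`; the device secret is used only when it passes."""
    secret: bytes
    owner_present: bool

    def approve(self, challenge_id: bytes, nonce: bytes):
        if not self.owner_present:      # biometric mismatch: nothing is signed
            return None
        return hmac.new(self.secret, challenge_id + nonce, hashlib.sha256).digest()


@dataclass
class LoginServer:
    """Server side of the flow: knows which device belongs to which user, issues
    one fresh challenge per login attempt and accepts each challenge at most once."""
    enrolled: dict = field(default_factory=dict)   # username -> device secret
    pending: dict = field(default_factory=dict)    # challenge_id -> (user, nonce, expiry)

    def enroll(self, user: str, device: Device) -> None:
        self.enrolled[user] = device.secret

    def start_login(self, user: str, now: float):
        """The 'username only' prompt: returns the push payload, or None if unknown."""
        if user not in self.enrolled:
            return None
        challenge_id, nonce = os.urandom(16), os.urandom(16)
        self.pending[challenge_id] = (user, nonce, now + CHALLENGE_TTL)
        return challenge_id, nonce

    def finish_login(self, challenge_id: bytes, tag, now: float) -> bool:
        """The device's answer. The challenge is consumed on first use, so a
        captured approval cannot be replayed, and stale prompts are rejected."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None or tag is None:
            return False
        user, nonce, expiry = entry
        if now > expiry:
            return False
        expected = hmac.new(self.enrolled[user], challenge_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```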

Biometric auth with Veridium on a mobile device

Veridium also works with VMware solutions, Microsoft servers and a variety of VPNs. Veridium, along with other companies that use mobile-based authentication mechanisms, is showing that the password-less future may be closer than we once thought. If they’re successful, there should be a drop in helpdesk calls for password resets and a drop in expenditure on security tokens.

Photo Credit: TU Lankide Flickr via Compfight cc

Securing Unstructured Data to Comply with Privacy Laws

I don’t know about you, but I cannot stand the expression, “Not to mention.” It sets my teeth on edge, not to mention the fact that it violates the communication principle of keeping things simple and direct. Wait, did I just do that? I’ll go stand in the corner for a moment. My dear friend, Ellen Jovin, who runs the Grammar Table in New York’s Verdi Square Park, would tell me I need to learn to live with the phrase—that it’s just apophasis, the rhetorical device of bringing up a subject by denying it.

Unlikable as it may be, apophasis, with its implied double-whammy-ness, does suit the current wave of data privacy laws. The EU has GDPR. The state of California now has CA AB 375, the California Consumer Privacy Act of 2018. The new California law is similar to GDPR, giving citizens the right to request that a business disclose the personal data they have collected about them. This law, like GDPR, will drive significant changes in database management, not to mention the impact it will have on unstructured data. See how that works? Apophasis has its uses, I suppose.

Mark Bower

This topic arose in a recent conversation with Mark Bower, Chief Revenue Officer at Egress Software. “The challenge in complying with AB 375 is going to be around unstructured data,” he said. Indeed, the major RDBMS vendors have introduced privacy compliance modules for structured data. While not exactly easy to use, they provide a mechanism for automating responses to requests for personal information. Unstructured data is far more difficult to manage in this way.

“Most companies have huge amounts of documents, videos, photos and so forth,” said Bower, citing credit applications as an example. “The cloud and mobile devices are adding to the scale and scope of unstructured data. The problem is that unstructured data often contains personal information that is covered by the new privacy laws.” To Bower, the issue is one of efficiency. “If you don’t mind manually responding to requests for personal information, you’ll be fine. But, who wants to deal with that?”

As Bower pointed out, the enactment of GDPR has led to a spike in privacy inquiries in the EU. California will likely experience a similar flood of requests. Handling the requests will be time consuming and expensive, not to mention error-prone. Ugh, sorry… that slipped out by accident, I swear. Egress offers a solution that automates securing unstructured data and tracking the personally identifiable information it contains. In this way, Egress enables compliance with new privacy laws.

According to Bower, though, there’s an even bigger problem looming. California also has SB1386, the Data Privacy Bill. Under this law, organizations must disclose breaches of personal information. To avoid breaches and the costly SB1386 notification process, companies have taken to encrypting data at rest. While this is a generally sound move, in security terms, it conflicts directly with consumer privacy laws. It’s hard to process requests for personal information when all that information is encrypted. Dealing with this tension is going to be complex, not to mention costly. Oops, I really didn’t mean to do that.

Costs are very much in the minds of compliance managers. There are the direct costs of compliance, including software and policy changes, without even mentioning the potential fines. Sorry. I hate myself. Financial penalties are a notable area of difference between the California law and GDPR. GDPR does levy large fines for violators, but they are based on revenue. The California law has per-violation fines, so there is no cap on how much it will cost a company if it violates the law. That’s not even mentioning liability to consumers. Note to self: We need to talk. The EU is also experiencing an increase in consumer litigation around privacy. California can expect the same. Bower believes the risk of litigation will drive compliance.

The California law is due to take effect at the start of 2020. That’s only 14 months from now. That’s not much time, as Bower pointed out. California businesses should be actively seeking solutions for privacy compliance for both structured and unstructured data today.
Photo Credit: grittycitygirl Flickr via Compfight cc

Secure Mobility

A few years ago, when I had a regular job, my employer gave me a company phone. The phone number assigned to the phone seemed to have led an interesting life before it got to me. I would get mysterious hangups in the middle of the night and voice mail messages like, “Hi, uh, Jack, it’s, uh, me…you got anything for me?” This experience predated today’s current cybersecurity crisis, but it was a good lesson in the imperfections of company phones.

Brian Egenrieder, Chief Revenue Officer of SyncDog

Business and public sector organizations are struggling with the competing mandates of mobility and security. With or without a company phone, you can be mobile or secure, but rarely both. Phones, whether they are company-managed or BYOD’ed, expose organizations to cyber risk. They get lost or stolen. They’re easily hacked, no matter how the device is secured.

SyncDog has committed itself to solving this problem. Like many of the more innovative solution providers I’ve seen in the last year, they’ve approached the challenge by side-stepping the accepted approach to risk mitigation. “We ignore the device itself,” explained Brian Egenrieder, Chief Revenue Officer of SyncDog. “You can disagree with us if you like, but in our view, trying to keep a device secure is never going to work. There are just too many vulnerabilities to exploit.” Instead, SyncDog provides a secure container for work-related communications and data that sits on top of the device.

SyncDog secure container screen

SyncDog works through an app. The app creates a secure container that is encrypted and walled off from the rest of the data and applications on the device. “It’s like your own private, secure island on the phone,” Egenrieder added. Users cannot cut and paste in or out of the container. Nor will SyncDog allow screen captures on Android. Screen shots on iOS trigger an alert. It requires two-factor authentication (e.g. biometric) to open. Encryption is 256-bit, which is the FIPS and DoD level.

The app works on its own, with email, file manager, browser capabilities and Office 365 integration. It also integrates into other apps, allowing app-makers to add a higher level of security to their products. In this way, SyncDog is helping resolve the tension between mobility and security.


Photo Credit: R~P~M Flickr via Compfight

Refining the MSSP Model

The traditional Managed Security Services Provider (MSSP) business model is being challenged by circumstances and new modes of security outsourcing. The volume and severity of threats make the MSSP status quo less tenable. This, certainly, is what Tony Velleca, CEO of CyberProof, found as he launched his business.

Cyberproof is an outgrowth of UST Global, the IT services provider. Cyberproof came into existence because UST Global repeatedly encountered dissatisfaction with MSSPs among its clients. Their positioning on the inside of IT operations gave Cyberproof’s founders unique insights into what companies really wanted from a security provider.

“We’re quickly moving past the time when a business simply wanted to check a box that said, yes, we’re complying with regulations because we have a security monitoring service,” Velleca said. “The threats are too real today. Box-checking is useless. It’s getting harder for MSSPs who only provide that minimal service to demonstrate value.”

Tony Velleca, CEO of Cyberproof

Velleca also observed that some MSSPs are overly opaque. “They’re like a black box. Their alert response playbooks are proprietary, so the client may not understand why they’re getting alerted about an event or what the MSSP is doing about it.”

The Cyberproof approach has been to build its own platform, one that can integrate with the client’s existing SecOps capabilities. They are transparent. “We don’t want to be in the black box business,” Velleca added. “We develop a playbook that works for the client and implement according to a flexible service model.”

From there, Cyberproof adds an integration with the XM Cyber automated testing toolset. We’ve written separately about XM Cyber and its “Purple Team” continuous red/blue attack simulation software. “With these tools, we can offer the client a real-time picture of their vulnerabilities and really work on managing cyber risk,” Velleca said. “We work with the client to think in terms of risk and facilitate a thought process where they allocate resources accordingly.”

The company has developed risk scoring processes to help clients identify risk areas with high potential financial impact. In addition, they deploy algorithms for automated event response playbooks. With these added services, Cyberproof is at the forefront of refining the MSSP business model.