SAN FRANCISCO - Mobile device attacks may become some of the most dangerous threats enterprises face in the near term, according to a top threat expert who spoke at RSA Conference 2012, as attackers use insecure consumer handsets as a pivot point for broader enterprise network intrusions.
During a discussion of the most important types of attacks facing enterprises at RSA Conference on Tuesday, Ed Skoudis, founder and senior security consultant with Washington D.C.-based security consulting firm InGuardians, said attackers are becoming adept at conducting easy, low-cost attacks against iOS- and Android-based devices using malicious mobile applications.
"Bad guys are going to the Android Marketplace, flattening an app, building a backdoor into it and selling it in another Android app store for a cheaper price," Skoudis said. "Or they'll take the backdoor, grab an icon from an application someone desires to buy, and sell it in another app store for a cheaper price."
Though it is generally harder to sneak malicious mobile applications through the Apple App Store vetting process, that process is by no means foolproof. Skoudis noted that two years ago a developer successfully slipped an unapproved iPhone tethering feature, which violated carriers' policies, into what appeared to be a benign flashlight app.
However, the real concern, Skoudis warned, isn't the mobile device attacks themselves, but how attackers are trying to use them as a gateway into enterprises' wired networks.
"We are going to see that mobile device pivot vector become a reality" this year, Skoudis said. "It will call into question the security models of the mobile device makers. There are very different models employed by Android, Apple, RIM and Microsoft, and organizations might need to look really hard at whether to switch a number of those models."
To illustrate the creativity employed by attackers, Skoudis referenced a tactic first described by Errata Security CTO Dave Maynor, in which an attacker packages an iPhone with a high-capacity battery and sends it through the mail to a target organization. While the device sits unopened in the mailroom, if the organization allows ad-hoc wireless connectivity for employees' consumer devices, the device simply connects and gives the attacker wide-open access to enterprise network resources.
Skoudis said most attacks, however, are far less creative, but equally successful, because many enterprises don't restrict mobile device access, often because executives demand unencumbered bring-your-own-device (BYOD) access to network resources.
To better secure mobile devices, Skoudis recommended adopting a policy for secure mobile device deployment, pointing to a mobile device configuration template by security practitioner Lee Neely.
He also encouraged enterprises to create a process for evaluating mobile apps for use in the enterprise. "Have IT folks have a look at them to be sure an app's interaction with the device and the network is reasonable and the functionality is sensible."
Additionally, Skoudis endorsed a robust, secure wireless infrastructure, and a segmented wireless network dedicated solely to mobile devices not deployed by the enterprise.
An attendee who requested anonymity, and who works for a large defense contractor, agreed with Skoudis's advice. He said it is usually difficult to talk decision makers into implementing a separate wireless infrastructure for untrusted mobile devices, but a strong case can often be made by comparing its cost with the cost of a possible breach.
Other threats: Hacktivism, IPv6, DNS
Co-presenter Johannes Ullrich, chief research officer with SANS and director of the SANS Internet Storm Center, discussed a number of other pressing threats, including hacktivism. After disappearing for approximately five years, he said, the trend re-emerged with a vengeance last year, as persistent socio-politically motivated attackers in significant numbers took up basic, easy-to-use tools to find and exploit weaknesses in their adversaries' defenses.
"The big difference is the attacker doesn't hide," Ullrich said. "They are attempting to open it up and show the world what they accomplished."
Ullrich also pointed to weaknesses in home automation systems, cloud security implementations and IPv6.
"We keep seeing accidental deployments where people use IPv6 without knowing it," Ullrich said, leading to occasional exploits in which attackers use the emerging protocol for data exfiltration. "If you are using an iPhone, Windows 7, Mac OS X or Windows Server 2008 R2, you're using IPv6 unless you did something special to turn it off."
Skoudis also expressed concern about the evolution of command-and-control systems that communicate over DNS. Attackers can now craft malware in such a way that, as long as a machine on an internal network can resolve Internet domain names, the attacker can maintain the connection. He recommended looking for unusual DNS traffic, especially frequent barrages of requests to unusual destinations on the Internet.
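The detection heuristic Skoudis describes (frequent barrages of lookups to unusual destinations) can be tried out on resolver logs. The following is an added example written for this article, not code from the conference presenters or from SANS; it assumes a simple whitespace-separated log format (timestamp, client IP, queried name, record type) and a naive "last two labels" notion of registered domain, and it builds a constructed sample log in which one client beacons to a single domain using many distinct, high-entropy subdomains, as DNS-based command-and-control commonly does.

```python
"""Flag DNS query patterns consistent with DNS-based command-and-control.

Added example (not from the article): scores (client, registered domain)
pairs on query volume, uniqueness of names, label length and label entropy.
"""
import hashlib
import math
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def registered_domain(qname):
    """Assumption: registered domain = last two labels. A production version
    should use the Public Suffix List so that e.g. host.example.co.uk works."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits of entropy per character; encoded/encrypted labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines, min_queries=20, min_unique_ratio=0.8, min_entropy=3.0, max_label_len=32):
    """Return per-(client, domain) statistics; a pair is suspicious when at
    least two independent indicators fire, which keeps busy-but-benign
    domains (many queries, low entropy) out of the alert list."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "long_labels": 0, "entropies": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domain = registered_domain(rec["qname"])
        s = stats[(rec["client"], domain)]
        s["queries"] += 1
        s["unique"].add(rec["qname"])
        # Everything left of the registered domain is attacker-controlled in a C2 setup.
        prefix = rec["qname"][: -len(domain)].rstrip(".") if rec["qname"] != domain else ""
        if prefix:
            s["entropies"].append(shannon_entropy(prefix))
            if max(len(label) for label in prefix.split(".")) > max_label_len:
                s["long_labels"] += 1

    findings = {}
    for key, s in stats.items():
        reasons = []
        unique_ratio = len(s["unique"]) / s["queries"]
        mean_entropy = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        if s["queries"] >= min_queries and unique_ratio >= min_unique_ratio:
            reasons.append(f"{s['queries']} queries, {unique_ratio:.0%} unique names")
        if mean_entropy >= min_entropy:
            reasons.append(f"mean subdomain entropy {mean_entropy:.2f} bits/char")
        if s["long_labels"]:
            reasons.append(f"{s['long_labels']} queries with a label over {max_label_len} chars")
        findings[key] = {
            "queries": s["queries"],
            "unique_ratio": unique_ratio,
            "mean_entropy": mean_entropy,
            "suspicious": len(reasons) >= 2,
            "reasons": reasons,
        }
    return findings


def build_sample_log():
    """Constructed sample (not real traffic): one normal client, one beaconing client."""
    lines = [
        "2012-02-28T10:00:01 10.1.2.3 www.example.com A",
        "2012-02-28T10:00:02 10.1.2.3 mail.example.com A",
        "2012-02-28T10:00:05 10.1.2.3 www.example.com A",
        "2012-02-28T10:00:09 10.1.2.3 cdn.example.com A",
    ]
    for i in range(40):
        # Deterministic hex label standing in for encoded C2 data (constructed).
        label = hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:48]
        lines.append(f"2012-02-28T10:00:{i % 60:02d} 10.1.2.4 {label}.updates.example.net TXT")
    return lines


if __name__ == "__main__":
    for (client, domain), f in sorted(analyze(build_sample_log()).items()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{client:12} {domain:15} {f['queries']:4} queries  {flag}  {'; '.join(f['reasons'])}")
```

The thresholds are starting points, not tuned values: content delivery networks and some anti-spam lookups also produce many unique subdomains, so in practice the output should be reviewed against an allow list of known-noisy domains before it drives an alert.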