Party out of bounds
Mobile security has long been a thorn in enterprise security teams’ sides. Consumer-grade mobile devices have been inserted into corporate environments (often initially by the C-suite) while security teams are forced to sit on the sidelines of decision making.
The complexities of bring your own device (BYOD) programs are well known, and security teams have developed workarounds, focusing on securing the data the devices touch instead of securing the devices themselves. Still, any time a device touches data—which is the point of having the device in the first place: using it to increase productivity, i.e., access from anywhere, at any time—a vulnerability is introduced. Even in the best-case scenarios, security teams are hindered by employee-owned devices, but now we’re starting to see preinstalled mobile malware shipping directly to the consumer, making it even trickier to detect.
Crashers gettin’ bombed
Researchers at Check Point Mobile Threat Prevention discovered the presence of malware on thirty-eight different Android device types, but noted that “The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain.” In other words, somewhere along the supply chain, these devices were compromised.
The problems with this are myriad: a (theoretically) trusted partner went rogue to intentionally cause harm by surreptitiously preinstalling infected apps that not only steal data and quietly introduce malicious ad networks, but also cannot be removed by the average end user (if the user is aware of their presence in the first place). On top of this, since preinstalled apps ship with escalated privileges (and can’t be removed), they have greater control over the device itself and are more easily able to achieve persistence. This leaves the organization to which these infected devices are connected extremely vulnerable. Though an asset inventory of connected devices will help identify potentially exploited devices, “Many of our current enterprise security controls do little more than identify a device as ‘Galaxy Note 8,’” for instance, says Georgia Weidman, CTO and Founder of Shevirah, Inc. Because of this, she continues, it is “impossible to understand the finer points of the security risks the device introduces to the enterprise.”
Jeffrey Schwartz, VP of North America Engineering at Check Point, concurs and adds that “preinstalled malware on mobile devices demonstrates a very dangerous shift in the need for mobile security solutions. While as consumers we expect the same real-time access to resources from a laptop vs. mobile device, the gaps in the current security implementations (between laptops and mobile devices) are severe.”
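The Check Point finding above (apps sitting in a privileged system partition that the vendor’s official ROM never shipped) is something an asset inventory can actually test for, rather than stopping at “this is a Galaxy Note 8.” The following is an added example, not code from the article, Check Point, or Shevirah: it diffs a device’s system package list (the output of `adb shell pm list packages -s -f`, with a constructed sample here) against a hypothetical per-model OEM baseline and flags anything outside it, marking packages in partitions the user cannot uninstall from.

```python
"""Flag preinstalled packages that are not in the vendor's ROM baseline.

Added example. OEM_BASELINE is a hypothetical per-model manifest of the
packages the vendor's official ROM ships; the device side is the output of
`adb shell pm list packages -s -f` (format: package:<apk path>=<name>).
SAMPLE_PM_OUTPUT is constructed for illustration.
"""
import re

# Hypothetical baseline for one device model: packages in the official ROM.
OEM_BASELINE = {
    "com.android.settings",
    "com.android.systemui",
    "com.android.phone",
    "com.google.android.gms",
}

# Read-only partitions: apps here run with system/privileged rights and the
# end user can at most disable them, never uninstall them.
PRIVILEGED_PREFIXES = (
    "/system/priv-app/", "/system/app/", "/product/priv-app/", "/vendor/app/",
)

# Constructed sample of `pm list packages -s -f` output.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/priv-app/TeleService/TeleService.apk=com.android.phone
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/system/priv-app/NetService/NetService.apk=com.example.netservice
"""

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>\S+)$")


def parse_pm_output(text):
    """Return {package_name: apk_path} parsed from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkgs[m.group("name")] = m.group("path")
    return pkgs


def find_unexpected_system_apps(pkgs, baseline):
    """Return sorted (name, path, privileged) for packages outside the baseline."""
    findings = []
    for name, path in pkgs.items():
        if name in baseline:
            continue
        findings.append((name, path, path.startswith(PRIVILEGED_PREFIXES)))
    return sorted(findings)


if __name__ == "__main__":
    hits = find_unexpected_system_apps(parse_pm_output(SAMPLE_PM_OUTPUT), OEM_BASELINE)
    for name, path, priv in hits:
        print(f"{'PRIVILEGED ' if priv else 'user-space '}{name} ({path})")
```

A privileged hit that is not in the vendor manifest is exactly the pattern described above and is worth escalating; a user-space hit is ordinary sideloaded software.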
Who’s to blame?
Unfortunately, it’s more than mobile security that needs the industry’s attention, as highlighted by Check Point’s finding. This is hardly the first time a third party has introduced a vulnerability into a product or organization. Supply chain security has been a concern for many years, but organizations are not yet entirely efficient with their processes. It’s hard, extremely time-consuming, and costly; it requires internal support; and companies have enough internal security problems that oversight of third-party vendors drops in priority. Regardless of the challenge, Weidman says, “Security must be done in-depth in the supply chain process in order to be effective.”
Third-party risk assessments are a must for any company that works with vendors, suppliers, partners, and so on (which is every company). Especially when it comes to critical systems, hardware, or connected assets, the assessment process needs to begin before a vendor, partner, or supplier is onboarded. This means that the organization has to work together—from the internal buyer, reviewer, or department to purchasing to legal and contracting—from the get-go and adhere to policies, guidelines, and standards. This alone will be a monumental shift for many organizations.
Jerod Brennen, Security Architect at GBQ Partners, advises organizations to “treat assessments like projects. Assign task owners, due dates, and milestones.” Doing so sets the foundation for ongoing management, and gives owners a benchmark against which to measure progress rather than the more ephemeral, “this will help us drive down risk.” Where possible, automate these processes, which will assist with the “wash, rinse, repeat” that’s required of recurring assessments.
Can you pull it back in time?
It’s the last part—the repetition—that sounds overwhelming, but it’s only through ongoing risk assessments of third parties that organizations will be able to quantify and manage risks appropriately. Even companies with the best of intentions have constant shifts in their security postures, and this recent story, says Brennen, “underscores the need for organizations to do more than just a point-in-time risk assessment of their technology supply chain.”
Building upon the idea of continuous assessments, Brennen suggests that organizations “create airtight contracts with supply chain vendors” which are updated at regular intervals. Doing so helps to not only define expectations for minimum security controls but also assigns liability for incidents and “gives the organization an opportunity to either reclaim costs or sever a relationship with an insecure supplier” if or when an event occurs. Contracts, no matter how iron-clad, won’t prevent all breaches and malicious behavior, but they will reinforce the need for tighter controls and oversight of the supply chain.
What can you do to save a party?
The unfortunate truth is that bad guys will be bad guys, and no one has yet found a way to eliminate everyone with malicious intentions from working with our organizations (if so, we’d all sleep a little better at night). The most effective counter to this problem—as well as issues arising from less deliberate data loss—is to institute a continuous risk assessment program that allows your organization to identify and adjust to third-party risks. Third-party risk programs are one element of security in-depth, and while running a detailed program is not new, it is challenging, time-consuming, and requires security teams to focus on the foundational elements of security that are less groundbreaking and boundary pushing. They are, however, called “foundational” for a reason.