How to Respond to the Hacking of John Kelly’s Phone | Redwall Blog


According to Politico, the White House believes White House Chief of Staff John Kelly’s personal phone fell victim to cyber attackers. At the time of this writing, the extent of the breach is unclear or has not been released, but InfoSec specialists have since been spiraling down every possible worst-case scenario for their own data. Until definitive answers are proffered, we must operate with the understanding that any number of vulnerabilities may have led to the hack. U.S. National Security is on the line, and many questions have to be raised as to why a personal phone would be used in the first place by a person in possession of highly classified government secrets.

The Polarized Mobile InfoSec Landscape

For years, the novelty of mobile devices cultivated a toy-ish corporate image with little thought given to security. Enterprise applications and direct access to the organization’s local network were still several years out, after all. But then the “smartphone” era emerged, infiltrated the workplace, and its usefulness in mobile collaboration quickly outpaced the security market’s ability to keep these endpoints secure. This was nearly 10 years ago.

Today, mobile apps allow direct collaboration with peers and the corporate network and datacenter, creating a complex and disparate network perimeter that for many organizations is out-of-sight, out-of-mind in terms of security. IT administrators are overworked and understaffed as it is; keeping IT services available for thousands of employees sits at the top of their hierarchy of priorities, relegating InfoSec and compliance to second place and mobile InfoSec to a distant third.

Other organizations, like government, take the opposite stance and make mobile security so draconian that officials, diplomats, politicians, and even soldiers give in to the temptation of using their personal device rather than deal with the locked down Gov phones they get from their IT departments. And who wants multiple phones littering their pockets, suitcases, backpacks, tactical garments? Functionality is a key differentiator in the phone market, and a major reason why people buy the phones they buy. This may or may not have played a role in Kelly choosing to use his personal device for State matters, and prompts still more questions as to how frequently personal devices are used in classified contexts across the board.

Mobile Malware Might Be Your Most-dangerous Cyber-Threat Vector

Mobile malware is on the rise, doubling in 2016, and we believe a major contributor for this increase is a common, twofold problem the InfoSec community fights almost as much as cyber attackers themselves:

  1. Users with CYOD or BYOD devices who regularly fail to update their devices quickly enough
  2. Enterprise IT departments who do not update operating systems regularly, or use software vendors without proactive patching processes

According to the Ponemon Institute’s 2017 Cost of Data Breach Study, it took 191 days to discover a data breach in 2016. This lag time is where zero-day exploits run wild, and why your mobile fleet may be the most vulnerable threat vector in your enterprise IT infrastructure today. Sixty-seven percent of surveyed employees admit they use their personal mobile phone for work, regardless of the official workplace BYOD policy. So, picture an organization with an EMM full of authenticated users alongside an entirely different set of unmonitored users, each carrying a personal phone they like, prefer, and know better, and running personal applications and enterprise applications side by side on the same device. Each app represents a certain measure of risk, and malware scanning on mobile is not yet up to snuff with that of its desktop counterparts, leaving extended periods of time where mobile cameras, mics, apps, and more may be at risk.

What Your Organization Can Do to Secure Mobile Endpoints

Gone are the days of the ubiquitous corporate-owned BlackBerry with limited functionality and minimal access to the enterprise network. BYOD and CYOD (Choose Your Own Device) are now prevalent, multiplying the complexity of securing enterprise network data and apps on mobile devices that have access to your datacenter. However, there are a few approaches with varying levels of success on the market:

Containerization: Mobile device containerization is a popular method for separating enterprise applications from employees’ personal applications, but this sandboxing takes place at the application layer and is often accompanied by compatibility issues, high resource utilization, and severe dampening of functionality. With few exceptions, containers use VPNs (Virtual Private Networks) to create encrypted connections to private networks. And while VPN encryption strength is sometimes desirable, VPNs require immense management resources and greatly reduce connection/device performance – undermining end-user productivity.

Dual-modal Devices: Dual-modal devices have been around for a few years, allowing users to switch between their professional and personal personas on a single device. This separates enterprise apps and data from personal apps in a way conceptually similar to containerization, but today there is much higher demand for more user personas per device. Two personas just don’t cut it anymore, because of the variety of corporate and government employee security requirements coupled with the need to have different app types on personal devices.

Multi-modal Devices: The recent explosion in mobile app usage has increased the opportunity for mobile malware, as has an upwardly mobile younger workforce that operates its mobile devices across a vast network of personal- and business-related applications. This younger workforce demands multiple personas across both home and work modes – a case in point is making a mobile bank deposit on a BYOD phone. In addition to not wanting his/her employer to have access to this transaction, the user would also want it kept separate from his/her Facebook Messenger and camera app, along with other social media/productivity apps.

Conversely, an employer or government agency might have multi-modal needs based on application set access or database access, or based on office/geo-location. It is not uncommon for a user to need five or more different personas on a single device. Gov and industry’s answer has typically been to give the user multiple phones with varying levels of security.

Redwall Mobile®

Redwall Mobile® is a viable option for organizations seeking to get ahead of mobile malware and avoid becoming headline news like John Kelly. The product features multi-modal personas, each with its own unique apps, data, settings, and encryption keys, the equivalent of five or six phones in a single device. Redwall Mobile® operates below the application stack by hardening the OS kernel itself, so that even unknown threats cannot penetrate. And because Redwall Mobile® does not reside inside the app stack, it truly is set-and-forget technology.

For more information about Redwall Mobile®, visit our product page here.

Redwall Mobile® at ATARC Annual Mobility Summit 2017

We will be at the ATARC Annual Mobility Summit in Washington, DC, on October 24. Attendees can stop by the Redwall booth for a demonstration of Redwall Mobile® and an introduction to mobile device hardening and multi-persona functionality. Complimentary government registration can be found here.