Android, Apple iOS and BlackBerry devices are being adopted by many enterprises as a must-have mobile business tool. However, as enterprises embrace the business benefits, these devices introduce unique risks to the enterprises. Security controls and processes for these devices need to be implemented just like any other network enabled device connected to an enterprise’s network.
SecureState is able to assess and evaluate a company’s existing deployments to determine current security posture. A company recently contracted SecureState to find out. They had a certain high level exec who kept misplacing his company issued iPads. The company was using the iPads to distribute highly sensitive data: company financials, mergers and acquisitions, trade secrets, etc.
The bottom line: this exec was leaving the company’s sensitive data vulnerable, but the company wanted to effectively gage how vulnerable it was, given the controls they put in place. If those controls proved ineffective, they wanted recommendations as to how to improve their mobile device security.
SecureState simulates a lost device and/or theft scenario to determine if the company’s mobile devices can be attacked and if corporate data can be compromised. To begin the assessment, the company ships one of their devices to SecureState. The Profiling Team uses a wide array of attack vectors, including advanced, targeted attacks. Some of these attacks include:
• Attempting to back up the device and access the backup
• “Rooting” or “Jailbreaking” of the device
• Attempting to bypass third-party MDM controls
• Exploiting known and unknown mobile OS vulnerabilities
However, before any of that began, our consultant entered a passcode of 1-2-3-4 and had full access to the device in a matter of seconds. So not only did the company have an executive providing multiple opportunities for compromise, but the lack of properly applied MSBs meant that even the most casual and unskilled attacker could easily gain access to the device.
SecureState provided a detailed report on numerous measures the company needed to take to provide adequate protection for their confidential corporate information. However, one key recommendation, geared toward the executive in question, was omitted from the report: