You're Not Getting Fooled Again: the New Boss is Not the Same as the Old Boss

It’s hardly uncommon for security policies and tools to be perceived as draconian or invasive. The consensus is that, more often than not, they hinder rather than help the day-to-day efforts of most employees. Looking at the way these tools have traditionally operated, it’s easy to be cynical: everyone can picture the seemingly endless prompts to update anti-virus signatures, the performance impact of scheduled scans, or having their computer unexpectedly reboot to install application updates and apply OS patches.

We’ve been talking about it for a long time, but there’s a message that bears repeating: mobile is different and that has very significant (and, yes, even positive) implications for security. Even though it may feel like the opposite is true, modern mobile hardware and OSes make legacy computing look like the wild, wild west from a security perspective. For the uninitiated or those seeking a recap, here’s a short list of some of the key differences between mobile and legacy endpoints:

  • Locked bootloaders - Because the boot sequence is tightly controlled (each stage verifies the signature of the next before handing off to it), tampering with the OS is a much more difficult proposition. This is a fairly radical departure from legacy computing, where booting media that can modify or replace the OS from removable storage or the network is trivial.
  • Mandatory Access Control (MAC) - Once a somewhat esoteric concept, MAC is commonplace in mobile OSes, enforcing very specific interactions between subjects (e.g. users and/or processes) and objects (e.g. files, directories, network interfaces, etc.) at the operating system level. In Apple iOS, MAC is enforced by the app sandbox (built on the TrustedBSD MAC framework), with entitlements declaring what a signed binary may be granted; in Google Android it is implemented via Security Enhanced (SE) Android, an SELinux policy that was enforcing for a subset of system domains in Android 4.4 (KitKat) and for all domains in 5.0 (Lollipop). The default for MAC is denial: anything the policy does not explicitly allow is refused, and no app or user can widen the policy at run time. That essential characteristic means the principle of least privilege is baked in.
  • OS-level (vs. agent-based) encryption - Whereas legacy computing sometimes requires convoluted third-party disk encryption tools, modern mobile OSes build encryption of local storage into the platform, keyed to the device hardware and the user’s passcode, so enabling it is simple and relatively painless.
  • Mandatory code signing - In order for any app to be installed on a device, it needs to be signed. The signing requirements differ (Apple requires certificates it issues; Android accepts developer-generated keys, which still bind every update of an app to the same key), but in both cases this is an important step for establishing the identity of software developers and ensuring the integrity of applications.
  • Curated app stores and centralized app delivery infrastructure - Apps submitted to commercial app stores are subject to review. While these reviews may not detect every piece of poorly written or overtly malicious code, they add another line of defense against breaches. Perhaps equally important is the capability of the app delivery infrastructure to remove malicious applications from devices.
  • Sandboxed apps - Like MAC, app sandboxing is not a new concept, but its first mainstream, on-by-default implementations appeared in mobile OSes. Sandboxed apps have no access to low-level OS functions and no direct access to hardware. They also have limited capability to access and manipulate the data of other apps.
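
To make the default-deny point in the MAC and sandboxing bullets concrete, here is a small worked model. It is an added example and not code from the original post or from either platform: the app identities (`com.example.notes`, `com.example.game`, `com.example.camera`), the paths and the rule set are constructed for illustration, and prefix matching on paths stands in for SELinux type labels or sandbox profile rules. It contrasts owner-controlled discretionary access control (the legacy model, where whoever owns data can share it with anyone) with a mandatory policy that the owner cannot widen: an app can chmod-style grant another app access to its files, and the system still says no.

```python
"""Toy default-deny mandatory access control (MAC) layered over owner-controlled
discretionary access control (DAC).  Constructed illustration of the
least-privilege point in the article, not the iOS sandbox or the SELinux engine.
Subjects are app identities, objects are paths, actions are verbs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str  # app (or process) asking for access
    obj: str      # file path or device node
    action: str   # "read", "write" or "open"


class DacPolicy:
    """Discretionary control: whoever owns an object can hand out access to it
    at run time, the legacy-desktop model (chmod, ACLs, 'share with...')."""

    def __init__(self):
        self._owner = {}   # obj -> owning subject
        self._grants = {}  # obj -> {(subject, action)}

    def create(self, owner, obj):
        self._owner[obj] = owner
        self._grants[obj] = {(owner, "read"), (owner, "write"), (owner, "open")}

    def grant(self, grantor, obj, subject, action):
        if self._owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self._grants[obj].add((subject, action))

    def allowed(self, req):
        return (req.subject, req.action) in self._grants.get(req.obj, set())


class MacPolicy:
    """Mandatory control: a fixed, system-supplied allow list.  There is no
    grant() here on purpose: an app, even one that owns the data, cannot widen
    what the policy permits, and anything not listed is denied."""

    def __init__(self, rules):
        # rules are (subject, object_prefix, action); the prefix stands in for
        # an SELinux type label or a sandbox profile path rule (assumption)
        self._rules = frozenset(rules)

    def allowed(self, req):
        return any(
            req.subject == s and req.obj.startswith(prefix) and req.action == a
            for s, prefix, a in self._rules
        )


def decide(dac, mac, req):
    """Access is granted only if both layers agree.  MAC is consulted even when
    the owner has said yes, which is what makes it 'mandatory'."""
    return dac.allowed(req) and mac.allowed(req)


def build_policies():
    """Two sandboxed apps with private data, plus a world-openable camera node."""
    dac = DacPolicy()
    dac.create("com.example.notes", "/data/notes/secret-widget.txt")
    dac.create("com.example.game", "/data/game/save.bin")
    dac.create("system", "/dev/video0")
    # legacy-style DAC: the camera node is openable by every app
    for app in ("com.example.notes", "com.example.game", "com.example.camera"):
        dac.grant("system", "/dev/video0", app, "open")

    mac = MacPolicy([
        ("com.example.notes", "/data/notes/", "read"),
        ("com.example.notes", "/data/notes/", "write"),
        ("com.example.game", "/data/game/", "read"),
        ("com.example.game", "/data/game/", "write"),
        # only the camera app carries the entitlement for the hardware
        ("com.example.camera", "/dev/video0", "open"),
    ])
    return dac, mac


def run_scenarios():
    """Returns {scenario: decision} so the outcomes can be checked."""
    dac, mac = build_policies()
    secret = "/data/notes/secret-widget.txt"
    results = {}
    results["notes reads own file"] = decide(
        dac, mac, Request("com.example.notes", secret, "read"))
    results["game reads notes file"] = decide(
        dac, mac, Request("com.example.game", secret, "read"))
    # the owner tries to share its data with another app (chmod o+r style)
    dac.grant("com.example.notes", secret, "com.example.game", "read")
    results["dac alone after grant"] = dac.allowed(
        Request("com.example.game", secret, "read"))
    results["game reads notes file after grant"] = decide(
        dac, mac, Request("com.example.game", secret, "read"))
    # a world-openable device is still closed to apps without the entitlement
    results["notes opens camera"] = decide(
        dac, mac, Request("com.example.notes", "/dev/video0", "open"))
    results["camera app opens camera"] = decide(
        dac, mac, Request("com.example.camera", "/dev/video0", "open"))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

The scenario worth noticing is the one after the grant: DAC alone now allows the game to read the notes app’s file, but the combined decision is still a denial because no MAC rule covers it. That is the property a locked-down mobile OS gives you and a legacy desktop generally does not: a compromised or careless app cannot talk its way past the system policy, and a device node that is world-openable at the DAC level is still reachable only by the app that holds the entitlement.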

Of course, while they represent important improvements in the overall security foundation for modern computing, these features are not a panacea. In fact, this is the beginning— rather than the end— of the journey toward more secure computing. And it’s already clear that new threats are emerging all the time; the numbers are staggering.

Mobile is different in other ways too. If you think about it, our use of legacy endpoints was really a “part-time” endeavor: laptops may have been portable, but they were often powered off or disconnected. In contrast, mobile devices were designed to be on and connected all the time. Moreover, while we may have conducted both professional and personal business on our company-issued laptops and desktops, there was a much clearer delineation (e.g. while I might have done a little online shopping on my work laptop, I probably wasn’t storing and editing my vacation pictures on it). While the technology to keep professional and personal data separate on mobile devices is quite mature at this point, both types of data still live in the same “place”. The convenience of having a single device that helps us with work and play is what makes them so useful and attractive. Unfortunately, it’s this very same overlap that makes these devices rich potential targets for an attacker: it's now possible to gain access to both corporate and personal data by compromising a single endpoint. While the efforts of attackers used to be largely focused on enterprises, it’s increasingly apparent that personal data is at least as (if not more) valuable. Mobile computing gives attackers an elegant way to potentially kill two birds with one stone.

The good news is that your organization’s interests and yours are very much aligned when it comes to protecting the computer in your pocket. The very same solutions enterprises are deploying to protect their data as it moves to mobile and cloud can help to protect your personal data as well. At first blush, they may seem like intrusive tools deployed by Big Brother that encumber the operation of your device. The reality is that, when properly configured, these tools confer many benefits and don’t need to infringe on your privacy. Consider just a few of those benefits:

  • The presence of a passcode (increasingly fronted by biometric unlock, which sits on top of the passcode rather than replacing it) protects your device from unauthorized access if it is lost or stolen. This means a thief can’t read emails between you and your boss about the secret widget you’ve been developing, but it also means that same thief can’t access your mobile banking app.
  • Device encryption provides an additional layer of protection for data, making it next to impossible to access pictures of the prototype of your secret widget by reading the storage directly… and the same goes for the photos from your backyard BBQs and your children’s extracurricular activities.
  • If passcodes and encryption aren’t enough, the ability to locate, lock, and/or selectively or completely wipe a device gives your organization a way to prevent its data from being compromised. A selective wipe removes only the corporate data, so your personal data is left alone, and you also have a way to find your lost device or turn it into a paperweight if you have to.
  • Mobile threat detection products are designed to protect mobile devices from OS and application vulnerabilities and from network-based attacks. The protection is the same whether you’re being warned about a Man-in-the-Middle (MitM) attack on your corporate VPN connection or that the version of Plague, Inc. you just installed is not what you think it is.

The larger point is that bad actors are more or less indifferent to the types of data they steal. By leveraging the security capabilities of modern mobile devices and OSes, and the platforms that manage them, you and your organization aren’t just looking out for yourselves; you’re looking out for each other.

Be safe out there.

James Plouffe

Strategic Technologist

About the author

With 20 years of experience, James has provided IT and InfoSec services and insight for customers ranging from mid-size enterprises to the Global 10. He also served as a technical consultant for seasons 1 – 3 of the award-winning “hacker” drama, Mr. Robot, on USA Network.