“Growing mobile threat requires better trained staff and processes” says expert
May 2015 by SANS INSTITUTE
In the wake of the recently uncovered DarkHotel attack which used compromised Wi-Fi networks in 5 star hotels to hack the traditional and mobile devices of visiting high-level executives, “…there is still a lack of awareness of the risks posed by mobile devices,” says Raul Siles, a SANS Instructor and a highly respected security researcher and one of the few individuals worldwide to earn the GIAC Security Expert (GSE) designation. “Many organisations have deployed MDM systems and this is a good first step in the right direction but it’s not an ‘install and forget’ situation as the environment is much more complicated than say Windows, OS X or Linux.”
Siles highlights three problem areas in the way organisations are managing the threat posed by mobile devices, “The first issue is the threat is often underappreciated as many of these devices move between the private and work life of the user. This challenges organisations to think differently about how to enforce management and security policies on devices that are not under the full control of the organisation.”
However, Siles also believes that some of the security enhancements that are embedded within many mobile device platforms such as built-in encryption, sandboxed applications and remote management capabilities although welcomed may lull organisations into overlooking some of the more pressing issues, “The rapid pace of change within the mobile space is both a blessing and a security curse,” he says, “With roughly 1.5 million applications for both Android and iOS, the amount of applications with malicious or unexpected behaviours or even applications that contain basic vulnerabilities is growing and many of the devices are lacking in features to effectively manage significant areas of risk.”
The researcher points to a lack of functionality to manage IPv6 and personal firewalls as two sample areas where mobile devices are particularly weak. “Another problem is the lack of skill sets within organisations to properly secure mobile environments and deal with threats,” says Siles. “The number of mobile devices in use at some organisations is starting to overtake fixed desktop PCs and laptops, yet budgets for mobile InfoSec training has not kept pace. This is a major issue although we are seeing some improvement especially as examples such as DarkHotel and others come to light.”
Siles will be teaching the "SANS SEC575: Mobile Device Security and Ethical Hacking" course in London this July. “This is one of the courses that we update most frequently to match the pace of change in the mobile industry,” he says of the course designed to help organisations secure their mobile devices, applications and services by equipping personnel with the knowledge to design, deploy, operate, and assess a well-managed and safe mobile environment.
The 6 day intensive hands-on course teaches attendees how to capture and evaluate mobile device network activity, analyse strength and weaknesses on each mobile platform, disassemble and analyse mobile code, recognise weaknesses in common mobile applications, and conduct full-scale mobile penetration tests. “We are also seeing more people from development backgrounds attending the course which is welcomed,” says Siles, “If you look at many of the recent hacks, they will often stem from vulnerabilities in libraries that are commonly used across families of applications – if we can help developers and integrators build secure apps – then we can certainly mitigate one of the areas of major risk.”
The "SANS SEC575: Mobile Device Security and Ethical Hacking" course will run as part of the ‘SANS London in Summer’ event from July 13th-18th at Grand Connaught Rooms in London’s West End. The event includes 10 courses with topics from across the SANS curriculum including Security Essentials, Incident Handling, Penetration Testing, Management and Forensics.