Mobile Security Threat – awareness

4 Mobile Threat Pillars

We live in a world of branch offices, remote workers, BYOD, transient and mobile users. Today’s wide array of smartphones, tablets and devices of many shapes and sizes access our network and data. These non-patched and mis-configured devices storing unencrypted data such as credit card and social security numbers provide a feeding ground for hungry hackers. Adding to the cause is the adoption of cloud syncing and sharing between computing and mobility (iCloud, Google Drive and Dropbox) where confidential PII data is both at rest on your office desktop and now in your pocket.

The Verizon 2013 Data Breach Investigation Report puts it simply – “Attacks are inevitable. Companies should devote more time and effort to detection and remediation.” For a southern translation, Ross Perot knows best, ‘In plain Texas talk people, it’s do the right thing,’ scan it and fix it!

With the global population over 7 billion and the continuous adoption of mobility, it would be great to see Verizon’s next DBIR incorporate data breach metrics for mobile devices. Now that PCI DSS 3.0 is public and the death of Windows XP nears, we are seeing small businesses flock to mobility for credit card processing. Although testing procedures are lacking, customers should not interpret this as a means of escaping compliance, but rather as an opportunity to assess for both vulnerabilities and unprotected data as mobile threats continue to evolve.

Here at iScan Online, we are in a unique position to analyze mobile threats and cardholder data at risk.

Bad News – Mobile Analysis by the Numbers:
1 out of 20 devices are lost or stolen
1 out of 12 devices store credit card data in Contacts, SMS or synced documents
57% of smartphones scanned in October had no onscreen password
98% of Androids scanned in 2013 had at least a vulnerable Browser and/or Adobe app
More than half of Android & Apple iOS devices had at least 1 vulnerable browser

Good News – RECOMMENDATIONS – Assessing for Mobile Threats and Unprotected Data

Mobile devices contain more sensitive information than you might expect. Assessing your network by entering IP addresses is no longer a viable approach when mobility and BYOD are in play. The goal of any organization should be 100% visibility of its security or compliance posture for both mobile and computing devices, regardless of where they are located.

IT needs the ability to know –
– How vulnerable is my Corporate and BYOD mobile world?
– What unprotected confidential data resides on my devices?

Over the past year, here at iScan Online, these are the questions we have been showing customers can be answered very simply and quickly.

In a press release last week, iScan Online announced the availability of our free mobile security scan for both Apple iOS and Android, which lets users scan their devices for vulnerabilities.

Vulnerabilities – Applications and Operating Systems
Scan mobile devices for both application and operating system vulnerabilities
Review vulnerable results, and then apply appropriate updates

The registered iScan Online version unlocks the additional scanning of Confidential data, Configurations and an optional MDM feature for the remote administration of: Scan, Lock, Locate and Wipe.

Confidential Data
Scan mobile devices to identify if cardholder and other confidential data are at risk
Analyze unprotected data discovered, and then delete or encrypt the data

Configurations
Scan mobile devices to ensure proper configurations are in place
Ensure your device settings are enabled/disabled per your mobile security policy

Curious if your mobile device is vulnerable? Find out with iScan Online’s free mobile scan from Apple iTunes or Google Play. If you are interested in scanning multiple mobile and computing devices for vulnerabilities and unprotected credit card data, visit iScan Online for a free trial.

Posted in Mobile Security, Uncategorized

Remote Vulnerable Laptops – fertile attack targets


What 3rd party apps do remote workers have installed?

Remote workers are nothing new, but the challenge of hunting down employees on the go and assessing their devices can be a task in and of itself. With the increase in cyber incidents triggered by remote connectivity and insecure 3rd party apps, one would think these devices are in scope for quarterly security and compliance checkup scans. After speaking with security and auditing colleagues, it proved to be quite the opposite.

Why you should care about 3rd party client software
When analyzing exploit development and attack trends, one finds the concentration centered around popular client applications such as browsers, Adobe and Java. Attack code that takes advantage of such 3rd party apps is known as a client exploit. Poor configurations and un-patched laptops are still the norm, while unknown or forgotten installed vulnerable software is often overlooked, but not by the bad guys.

Hackers understand this, and so should the rest of the industry tasked with protecting remote employee computing. Penetration testers find a high success rate when simulating a client exploitation attack against remote workers. A few takeaways here: attacks targeting the telecommuter are increasing, as BYOD laptops tend to be juicy un-patched systems that offer a way into the corporate fortress. The attack process is merely to entice an employee to click a link, connect to an insecure wifi access point or visit a website, whereby the exploit takes advantage of the non-patched 3rd party client software.

Why bang away at external network devices, where border security is increasingly tightened, when what’s in your pocket or briefcase is where the fertile ground for hackers awaits?

When speaking with our Managed Service Provider partners here at iScan who understand the endpoint, systems management and RMM footprints appear to be growing as teleworkers increase. Scanning, patching and configuring are equally important for internal devices, although what’s in your pocket and briefcase tends to be neglected by most. If you don’t use a service provider, or have a hard time answering “How vulnerable are my employees’ devices?”, let’s look at another option for discovering exactly what 3rd party software is on such endpoints.

How to discover what’s installed, simple and fast

A. Run the free sample script provided below
B. Try iScan Online’s free Inventory scan to enumerate all HW/SW details


Whether you’re a skilled consultant or a novice technology enthusiast, this script is simple but loaded with information and takes only a few seconds to run. In Windows, open a command prompt (aka a DOS or CLI prompt) and enter:
C:\> dir /s "C:\Program Files" > myapps.txt

This creates a file called myapps.txt listing your installed apps with the name of the application, last patch date, versions and more. Once you have performed this exercise, open the “myapps.txt” file to have a peek. If you assess or audit systems, this script should come in handy down the road.
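A directory listing only covers the folder you point it at (on 64-bit Windows, 32-bit apps live under "C:\Program Files (x86)", and some apps install per-user outside Program Files entirely), and versions have to be inferred from folder names and file dates. The PowerShell script below is an added example, not iScan Online's tooling; it reads the registry Uninstall keys that Windows itself uses for "Programs and Features", which carry the name, version, publisher and install date directly, and writes them to a CSV. The output path is a placeholder you can change.

```powershell
# Added example (not iScan Online's scanner): inventory installed software on a
# Windows endpoint from the registry Uninstall keys and write a CSV.
# $OutFile is a constructed placeholder path.
$OutFile = "$env:USERPROFILE\myapps.csv"

# Machine-wide 64-bit and 32-bit (WOW6432Node) installs, plus per-user installs
# under HKCU, which a "dir /s" of Program Files never sees.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        # Entries without a DisplayName are components/patches, not apps
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'Name';        e = { $_.DisplayName } },
                      @{ n = 'Version';     e = { $_.DisplayVersion } },
                      @{ n = 'Publisher';   e = { $_.Publisher } },
                      # InstallDate is a yyyymmdd string when the installer recorded it
                      @{ n = 'InstallDate'; e = { $_.InstallDate } },
                      @{ n = 'Scope';       e = {
                          if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } } |
        Sort-Object Name -Unique
}

$inventory = Get-InstalledSoftware
$inventory | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Quick triage: list the client applications the post singles out (browsers,
# Adobe, Java) so their versions can be checked against vendor updates first.
$inventory |
    Where-Object { $_.Name -match 'Chrome|Firefox|Internet Explorer|Adobe|Java' } |
    Format-Table Name, Version, Publisher, InstallDate, Scope -AutoSize

Write-Host "Wrote $($inventory.Count) entries to $OutFile"
```

Run it in a PowerShell prompt on the laptop being assessed (or push it through the same login script or systems management channel you would use for the dir command). The HKCU key is only read for the user running the script, so per-user installs belonging to other profiles on a shared machine will not appear.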

iScan Inventory Scan or Script
For consultants and service providers with an iScan Online account, additional hardware and software details are uncovered. iScan’s Inventory scan type takes roughly 2-3 seconds and produces results in HTML, PDF or JSON. Sample iScan Inventory Report.

Removing the barriers of assessing the remote user, iScan includes several delivery options and sample usage:

  • CLI executable – Utilize any systems management tool to initiate the script, create login scripts or add it to your batch file, scanning users upon VPN connectivity. Active Directory can also initiate and schedule tasks with the iScan binary.
  • Browser Plugin – Send an email with a URL where the user initiates the inventory. Alternatively, an iScan HTML snippet can be embedded into any web app, which can also automatically launch the scan discovery.
  • RMM Procedures – Remote Monitoring & Management tools are popular with MSP’s and iScan includes pre-configured procedures for Kaseya, Labtech and others for Inventory Discovery & many other Scan types.
  • Executable plus a visual – This creative example illustrates a CLI script that triggers a browser to automatically open, scan and present the results to the user.

Regardless of the method or script chosen, inventory assessments take 2 seconds and, in most cases, provide a wealth of value to the assessor. This should not be a substitute for scanning and keeping remote laptops updated, but purely another method of discovering potentially vulnerable apps.

In short, ensure your consultant or service provider is assessing 100% of your devices, not just a partial assessment of what is physically at the office. If you have challenges assessing remote on-the-go employees or teleworkers, drop us a line to learn more about iScan Online’s compliance, vulnerability and data discovery scanning solutions.

Posted in Remote Workers, Vulnerability & Patch

Apple iOS Security Tonight – Mobile Vulnerabilities Tomorrow


Apple iOS Security Night
As Apple WWDC continues to make thunder out in San Francisco, iScan Online is bringing the hot topic of Mobile Security to a very hot Scottsdale, AZ over the next 48 hours.

Tonight at 8:00 we start off with Apple iOS Security Night, located on the 18th hole of the beautiful Westin Kierland Resort.
With over 50 Infosec and Compliance professionals in attendance, the topics of vulnerabilities, detecting unencrypted cardholder data and mobile payment application security will be discussed.

Apple iOS Security Scanner by iScan Online
Attendees get a sneak peek and hands-on time with the iScan Online security scanner for Apple iOS, currently in beta with general availability coming soon to an Apple iTunes store near you.

Mobile and BYOD Vulnerability Analysis
Tomorrow, the Interface Security Conference begins at the same venue. At 9:30 am, president and co-founder Billy Austin of iScan Online presents the BYOD vulnerability analysis of 500 recently scanned Android devices, along with the approaches, technologies and practices used. Employees on the go, connectivity everywhere: the risk is in your pocket, and yesterday’s approach to assessing the endpoint is no longer the norm.

Come join us at Apple iOS Security Night and/or the Interface Security Conference. For the next 48 hours, we’re talking: find out what mobile vulnerabilities are connecting to your network and whether they include unprotected cardholder or other PII data. 6 1/2 CPE credits are provided for tomorrow’s event.

Mobile Security Nights coming to a city near you will be posted on our corporate LinkedIn page.

Posted in Apple iOS Security, BYOD Security Scanning, Cardholder Data, Mobile Security, PAN Scanning, PCI DSS, Vulnerability & Patch

7 Billion Threats from 3 Droids Lost in Space

Recently NASA launched 3 smartphones into space to take hundreds of snapshots of a circular object we have all come to know and love as Earth. After straddling the stratosphere, the PhoneSat Androids began to scan the globe, producing a multitude of spatial blue illustrations. While some bits and bytes were lost in the transmission of packets over ham radio waves, enough were captured to show some amazing shots. Despite this, the mission was considered only a partial success. Unfortunately the trio of Droids burned up on reentry, sort of like the Jupiter 7, the TV series that resulted in the 1st Android in orbit, “Lost in Space”.

In the security world, many of us who speak on the topics of threats and vulnerabilities also frequently find ourselves using similar verbiage: camera, photographs, packets and snapshots. In most scenarios, Kodak cameras are used as an analogy for the security scanning of our networks for threats and weaknesses: a snapshot of our security posture at that moment in time.

It’s all about the numbers
Global population is now reported to be above 7 billion. Interestingly, mobile devices are pegged at roughly 6.3 billion. It is expected that the number of mobile devices will surpass the global population in 2014. Talk about a chicken in every pot and a car in every garage, this is a mobile device in every hand! The numbers seem in line with the growth we are currently seeing. Mobile subscribers and mobile devices are multiplying daily.

Dark Matter
But what we don’t know can be dangerous. While we can recognize the mass of all of these devices, we don’t know a lot about them: things like where they are located, and the vulnerabilities or risk that they present. Less than 1% of these devices are scanned for vulnerabilities or tested for unprotected confidential data, data that could put you at risk such as cardholder data or PHI.

Much like the universe is made up of dark matter that we can’t see or touch but we know is there, so are our networks. Sending packets, taking pictures and traditional security scanning are great for discovering what we can see and touch. But this approach simply does not work with BYOD, the bring-your-own-devices of the universe. Smartphones, tablets and laptops on the go are on and off the network and must be scanned differently, as they are the Dark Matter of Your Network.

Looking down from Space on BYOD
In 1999 during the .com days, I had the luxury of traveling from London to New York on a Concorde. 59,000 feet high and at Mach 2 supersonic speed, I felt as though I could touch the curvature of the earth. When I reviewed the recent NASA Droid pictures of Earth, I was expecting a pretty blue ocean but was instead blinded with a handful of BYOD dots and a plethora of mobile connectivity fuzzing my vision. Today’s Androids and iPhones don’t burn up upon arrival from space. They have arrived and are only going to grow. The battle on BYOD security is a challenge, and will take innovation and a shift in how we perform assessments. The main question we all have is, how can we identify the vulnerabilities, creatures and aliens brought to our dynamic networks from outer space?

Packet Scanning from Space didn’t work, but BYOD Security Scanning does…

Posted in BYOD Security Scanning, Dark Matter, Mobile Security, Vulnerability & Patch