Hygiene is the practice of maintaining good health. When we were young, our parents reminded us to brush our teeth, make our beds and not talk to strangers. Security hygiene in the enterprise is very similar. Don’t connect to unknown access points, change your password and keep your work area clean. All hygiene is a personal decision. And just like our parents’ policies, IT can both encourage and enforce employee hygiene at work.
We should not have any naïve expectations of privacy by default. Those interested in acquiring our data will try to find ways to trick us into giving them access. Two weeks ago at the Black Hat 2016 information security conference, someone set up a wireless access point that tricked about 35,000 devices into thinking that it was a safe network to connect to. Earlier this week at the Olympics in Rio de Janeiro, mobile threat defense company SkyCure announced that they had discovered several suspicious access points and some malicious applications.
These stories of hackers setting up malicious access points, applications and other tools to gain access to users’ devices are not new.
Stories from the 2014 Sochi Winter Olympics and the 2014 FIFA World Cup (here, here and here) prove that whenever there is a large gathering of people, hackers will try to exfiltrate our data. As these bad guys practice and hone their skills at large events, it should not be a surprise that they are taking their craft to the streets and targeting smaller markets across the globe.
Most public stories talk about losing personal information, bank records, personal correspondence, pictures and payment information. These targeted attacks can also expose your employer to greater risk. Gaining access to enterprise emails, VPN credentials or other enterprise intellectual property could prove to be costly.
If you find yourself headed down to Rio for the closing ceremonies or preparing for the start of the new college and pro football seasons—or you’ve decided that you need to re-examine your personal hygiene—here are a few recommendations on improving mobile security:
- Don’t connect to unknown networks. Above, I discussed malicious Wi-Fi networks that propagated around the Rio and Sochi Olympic Games and Black Hat 2016. It is just as easy to set up and configure a malicious network in your local shopping center. As an end user, it is difficult to know what may be safe or not. If you are uncertain whether a network is safe, don’t connect to it.
- Bring your own cables and plugs. In 2011, Krebs on Security highlighted a vulnerability called “juice-jacking” in mobile devices. This vulnerability allowed a computer disguised as a charging station to pull data off of mobile devices. At Black Hat 2013, security researchers from Georgia Tech highlighted the vulnerability on iOS. Along with this disclosure, the group worked with Apple to close the security hole in iOS devices. At Black Hat 2014, a group of researchers from Security Research Labs held a discussion on exploiting USB connectivity on an Android device. Both Apple iOS and Google Android have addressed this issue and now require the end user to manually enable the device to connect and mount as a hard drive. If you are ever presented with the request to connect your device when charging, decline the option and disconnect from the plug.
- Install applications from trusted application stores. Google has published data showing that installing an application from a source outside of Google Play is around 10 times more likely to be harmful. Check to see if you are able to download applications from “unknown sources.” Disabling this option won’t prevent you from downloading applications from third-party stores in the future. If you do try to install applications in the future from a third-party store, heed the warning that you are downloading an app from an unknown source.
- Improve password complexity. If you use a simple passphrase, increase the length of the passphrase by a character or two. Go wild—use a special character at the beginning of your passphrase instead of the end. If you used the same passphrase for years, one more character won’t be difficult to remember.
- Inventory all the applications on your device. Are you still playing Angry Birds? Do you still need that second Office application? What about the flashlight application? If you find unused applications, remove them to reduce the clutter (and potential security threats) on your device.
- Check your device for any unknown policies on iOS or Device Administrators on Android. If you find things that are unfamiliar or unrecognizable, search the internet for what they are and what they do.
- Consider a factory reset on your own device. Back up all your pictures, contacts and other important personal information. Check with your company about self-service portals, so you can get back to work without your IT department’s help desk.
If you find unknown or odd things on your device and you have connected that device to your enterprise, let your IT department know. This proactive behavior may help them identify items that could be malicious in nature.
In my next blog, I’ll go into more details on how IT can proactively discover threats on the enterprise network.
Arm yourself with more mobile security guides from my “What You Need to Know” series:
- What You Need to Know about HummingBad
- What You Need to Know About Dogspectus
- What You Need to Know about SideStepper
- What You Need To Know: Google’s Android Security Advisory