Smartphone Security - Best Practice

>> Monday, January 10, 2011

Smartphones are becoming more popular as business tools. Soon they will overtake PCs as the most common internet access device.

As mobile phones deliver cutting-edge smartphone technology, employees will look to consumer-oriented vendors that cater to their own personal needs rather than those of their employers.

A smartphone that can access the network via a wireless access point represents the same kind of threat as any other endpoint. The only difference is that a phone is less likely to be running the very latest (if any!) antimalware security software, and so it is more exposed than any other device.

The proliferation of smartphones in corporate environments creates a new and wider potential for data loss and leakage, whether by theft, unauthorized access or unauthorized transmission. As with any mobile endpoint on the network, password and authorization security are paramount to securing network access at the gateway. In addition, a growing amount of sensitive and proprietary data is lost and leaked via smartphone email attachments and FTP uploads, unintentionally or maliciously.

Smartphone content is more vulnerable to loss or theft, as network access codes, usernames and passwords are often unsecured or set for automatic log-on. Consumers who "jailbreak" phones to customize carriers or features often leave themselves open to root password hacks.

Moreover, the same threats that traditionally plague computer operating systems can attack smartphones when they are being transmitted in emails, social media sites, games, screen savers, pictures, text messages, tweets, audio clips, slide shows or in some cases, by shady URL-shortening services.

Smartphones can magnify malware distributions that employ email spam, phishing, pharming and pretexting. Because smartphones represent a more intimate communications channel than computers, users are more likely to interact with files masquerading as personal communications.

Likewise, users cannot as easily detect cues that a website is a false front on a handset with a small screen. While the infection may not be apparent, even after the phone has been compromised, the malware file can still propagate into an IP network from the unsecured handset endpoint.

Further, the preponderance of interactive Web 2.0 and streaming media traffic over smartphones can potentially affect wireless network throughput. Some of these applications, such as streaming video applications, constantly evolve to avoid control. In addition, like any Web-facing endpoint device running applications over the network, smartphones present a potential channel for forced denial-of-service attacks.

In such a scenario, organizations should consider implementing the best practices listed below.

  1. Treat all smartphones as uncontrolled endpoints - Smartphone users' identities can be stolen, hacked or inappropriately shared. Smartphones can get lost, stolen or borrowed. Device identification technology uses serial number information to allow organizations to associate a specific smartphone with a specific user. This provides a watermark for the device, and allows IT to remotely disable it and erase all sensitive data.

  2. Establish corporate smartphone policy - IT should define and communicate a corporate smartphone use policy, even if difficult to enforce on personal devices.

  3. Establish SSL VPN - Secure Sockets Layer Virtual Private Networking access to corporate resources can provide authenticated and encrypted Web-based access to network resources from multiple smartphone operating systems like Windows, Symbian, BlackBerry, iOS and Android.

  4. Comprehensively scan all smartphone traffic - To protect network resources adequately against sophisticated smartphone-transmitted attacks, IT should deploy a Next-Generation Firewall that conducts deep packet inspection of all smartphone traffic traversing the SSL VPN.

  5. Control encryption and decryption of smartphone traffic - IT should ensure encryption of smartphone traffic while in transit between the device and the network gateway using SSL VPN. In addition, IT must be able to decrypt smartphone traffic for comprehensive scanning using DPI SSL, and re-encrypt it for subsequent transmission.

  6. Maximize firewall throughput to eliminate latency - To minimize the impact on latency-sensitive applications, such as videoconferencing, voice over IP (VoIP), and real-time interactive Web 2.0 applications, the next-generation firewall platform must be able to comprehensively scan and prioritize smartphone traffic in real time.

  7. Establish controls over smartphone application traffic - Smartphone users rely heavily upon Web 2.0 applications, and are especially prone to their inherent threats and vulnerabilities. Application intelligence and control technology can extend firewall functionality to identify, categorize, control and report upon application usage over the network.

  8. Establish smartphone wireless access security - Most consumer smartphones have WiFi functionality and are highly vulnerable to attacks while connected to unencrypted WiFi hotspots. Security for corporate wireless networks has to be at least on par with wired networks that run deep packet inspection, by running traffic through a comprehensive firewall. For employees connecting back to the network over public hotspots, IT should apply SSL VPN connectivity and deep packet inspection at the network gateway.

  9. Manage smartphone VoIP traffic - As VoIP is used more frequently as a corporate communications platform, it will play an increasing role in smartphone Web traffic. VoIP traffic is susceptible to quality-of-service issues such as latency, jitter, packet loss and echo. Application-intelligent bandwidth management can dedicate throughput to latency-sensitive smartphone applications such as VoIP, as well as limit bandwidth-consuming traffic, such as video players.

  10. Manage smartphone traffic bandwidth - Organizations need to protect the converged voice-and-data communications that today's smartphones feature. At the same time, corporations need to continue to optimize quality of service and bandwidth.

Organizations should implement these best practices using the latest technologies.

Security Advisory 2286198

>> Monday, August 2, 2010

Security Advisory 2286198 is not categorized as a virus, worm, Trojan or backdoor. It is a security advisory regarding a vulnerability in the Windows Shell on Windows 2008/7/Vista/2003/XP computers, which allows arbitrary code to be executed remotely on the vulnerable computer.

The Windows Shell provides users with access to a wide variety of objects necessary for running applications and managing the operating system. However, there is a vulnerability that occurs because the Windows Shell does not correctly validate specific parameters of the shortcut when it attempts to load the icon of a shortcut.

A shortcut is a link to a file or program represented by an icon.

If exploited successfully, the vulnerability described in Security Advisory 2286198 allows hackers to gain remote control of the affected computer with the same privileges as the logged-on user. If this user has administrator rights, the hacker could take complete control of the system: create, modify or delete files, install programs, create new user accounts, etc.

This vulnerability can be exploited through removable drives and can be distributed over network shares or remote WebDAV shares.

EC Framework - Part 8

>> Monday, June 7, 2010

Secure Applications

In Part 7 we discussed securing the network; the next step is securing applications. Listed below are the possible categories of threats and attacks against an EC application.

  1. Input validation - Buffer overflow, cross-site scripting, SQL injection, canonicalization
  2. Authentication - Network eavesdropping, brute force attacks, dictionary attacks, cookie replay, credential theft
  3. Authorization - Eavesdropping of privileges, disclosure of confidential data, data tampering, luring attacks
  4. Configuration management - Unauthorized access to administration interface, unauthorized access to configuration stores, retrieval of clear-text configuration data, lack of individual accountability, over-privileged process and service accounts
  5. Sensitive data - Access to sensitive data in storage, network eavesdropping, data tampering
  6. Session management - Session hijacking, session replay, man-in-the-middle
  7. Cryptography - Poor key generation or key management, weak or custom encryption
  8. Parameter manipulation - Query string manipulation, form field manipulation, cookie manipulation, HTTP header manipulation
  9. Exception management - Information disclosure, denial of service
  10. Auditing and logging - User denies performing an operation, attacker exploits an application without trace, attacker covers his or her tracks
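As an added example, not code from the original post or from any EC product, the block below shows defences for two of the categories above: input validation (an injectable SQL query beside its parameterized form, and a canonicalization check on user-supplied file names) and parameter manipulation (an HMAC tag that lets the server detect a tampered cookie). Everything in it is an assumption constructed for illustration: the in-memory SQLite "orders" table and its two rows, the upload root `/srv/ec/uploads`, and the server-side secret `SECRET_KEY`.

```python
"""Added example (not part of the original EC Framework post): defences for
the input validation and parameter manipulation categories listed above.

Assumptions, all constructed for illustration: an in-memory SQLite "orders"
table, a hypothetical upload root of /srv/ec/uploads, and a hypothetical
server-side secret for signing cookies.
"""
import hashlib
import hmac
import posixpath
import sqlite3

SECRET_KEY = b"hypothetical-server-secret-rotate-me"  # assumption: held server-side only
UPLOAD_ROOT = "/srv/ec/uploads"                        # assumption: customer file root


def make_db():
    """Build an in-memory orders table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 120.0), (2, "bob", 75.5)])
    return conn


# --- Input validation: SQL injection ---------------------------------------
def orders_for_customer_vulnerable(conn, customer):
    """Injectable: the user-supplied value is pasted into the SQL text."""
    query = f"SELECT id FROM orders WHERE customer = '{customer}'"
    return [row[0] for row in conn.execute(query)]


def orders_for_customer(conn, customer):
    """Hardened: the driver binds the value, so it cannot alter the query."""
    rows = conn.execute("SELECT id FROM orders WHERE customer = ?", (customer,))
    return [row[0] for row in rows]


# --- Input validation: canonicalization ------------------------------------
def resolve_upload_path(filename):
    """Canonicalize first, then check containment against UPLOAD_ROOT.

    Returns the absolute path, or None if the name escapes the upload root.
    posixpath is used so the result is identical on every platform.
    """
    root = posixpath.normpath(UPLOAD_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, filename))
    # "../" and "a/../../b" are collapsed before the comparison, so the check
    # operates on the path the filesystem would actually open.
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


# --- Parameter manipulation: cookie tampering ------------------------------
def sign_cookie(value):
    """Append an HMAC-SHA256 tag so the server can detect edits to the cookie."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_cookie(cookie):
    """Return the cookie's value if its tag verifies, otherwise None."""
    value, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: the tag check itself must not leak timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


if __name__ == "__main__":
    db = make_db()
    evil = "x' OR '1'='1"
    print("vulnerable:", orders_for_customer_vulnerable(db, evil))  # every order
    print("hardened:  ", orders_for_customer(db, evil))             # nothing
    print("path:      ", resolve_upload_path("../../etc/passwd"))  # None
    cookie = sign_cookie("user=bob;role=customer")
    print("tampered:  ", verify_cookie(cookie.replace("customer", "admin")))  # None
```

The canonicalization check compares the normalized path rather than the raw string, which is the point of that threat category: a filter that rejects the literal `..` but compares before normalization is still bypassable. The cookie tag does not hide the cookie's contents; it only proves the server produced them, which is what is needed against parameter manipulation, while confidentiality would need encryption in transit (SSL VPN, as in the smartphone post above).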

Any of these attacks, if realized, can cause serious damage to the EC system, leading to financial and reputational losses. There are ways and means by which one can secure an application; those are listed below.

Ways and Means to protect the application

  1. Audit throughout the software development life cycle (SDLC)
  2. Vulnerability scan
  • Penetration testing - carry out penetration testing using available tools to check whether existing vulnerabilities can be exploited. Nikto is an example of such a tool.
  • Source code analysis tools help to identify bugs in source code. Ounce 6 is an example of such a tool.

In the next session we will go through EC benefits.

EC Framework - Part 7

>> Thursday, April 29, 2010

Secure Network

In Part 6 we saw how to secure the communication channel. EC communication is a vital part of EC, and the EC network is the medium that carries EC communication, so the availability of the network is very important for EC.

Availability of the EC network can be secured by adequate technology selection based on network design concepts such as -
  • Layered security
  • Controlling access
  • Role-specific security
  • Monitoring
  • Keep systems patched
  • Response team

Below are the ways and means to secure the network.

§ Design and Configuration

  • Security at LAN & Perimeter level
  • VLAN, QoS, Access list, POLP, packet filtering

§ Selection of device

  • Firewall
  • IDS / IPS
  • Proxies

§ VPN Protocols

  • IPsec, L2TP / PPTP, MPLS, SSL VPN

§ Vulnerability assessment

  • Scan the network for risk and mitigate to maximum possible extent.
