Inside:
Context on BYOD Integrity Verification and Compliance Assurance Lessons to learn for your enterprise deployment
CTOlabs.com
and their potential exposure to malicious code injection and cyber attacks. Finding dangerous or malicious alterations to device software proved extremely difficult as checking for variations in millions of lines of code was impractical and monitoring policy compliance across thousands of devices was manpower intensive. AutoBerry saved time and effort by comparing known good hashes of devices in a trusted state and then detecting any differences and analyzing for vulnerabilities and compromises, thereby automating mobile device compliance auditing. Through the NSA Technology Transfer Program, Fixmo expanded on AutoBerry's capabilities, ported all of the functionality to Android and much of it to iOS, and released the resulting product as a commercial-off-the-shelf (COTS) solution for both government agencies and private sector organizations.
Mobile device integrity is critical to an enterprise as threats to mobile device security are serious and growing. Recently, the Government Accountability Office reported on the gravity of mobile risk, calling on the Department of Homeland Security and the National Institute of Standards and Technology to implement measures to increase mobile device security in the public and private sectors. Mobile devices face unique and dangerous threat environments as users connect to cellular networks with root access to their devices and WiFi networks they do not know and trust. Mobile devices are susceptible to loss, malware, cyber attacks, phishing, hidden SMS managing applications that send expensive premium rate SMS messages, and SMiShing or phishing through SMS rather than email. Adding to this, most mobile devices used for business are now also permitted to have unverified third party applications installed on them from public app stores or third party distribution sites. Currently, most IT departments lack sufficient tools to detect tampering, compromises or potential non-compliance scenarios caused by unverified third party applications which may or may not be malicious in intent.

scan (such as the installation of an unknown application), automatically lock down the corporate data residing within the Fixmo SafeZone secure workspace until IT can analyze the risk and make a decision on what actions to take, if any

If a low-risk change is detected (such as the upgrade of a trusted application to a new version), notify IT but do not take any immediate action
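The known-good hash comparison and the two responses described above (lock down on an unknown application, notify on a trusted upgrade) can be sketched as follows. This is an added example, not Fixmo or AutoBerry code: the manifest layout, component names, approved-hash list and action names are assumptions, as is treating every change other than an approved upgrade as high-risk.

```python
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

def snapshot(components):
    """Map each component name to the SHA-256 of its contents."""
    return {name: digest(blob) for name, blob in components.items()}

def diff(baseline, current):
    """Return (component, change) pairs against the trusted baseline."""
    changes = []
    for name in sorted(baseline.keys() | current.keys()):
        if name not in baseline:
            changes.append((name, "added"))
        elif name not in current:
            changes.append((name, "removed"))
        elif baseline[name] != current[name]:
            changes.append((name, "modified"))
    return changes

def classify(name, kind, current, approved):
    """Low risk only for an upgrade whose new hash IT has pre-approved."""
    if kind == "modified" and current[name] in approved.get(name, set()):
        return "low"
    return "high"  # assumption: fail closed on anything else

def audit(baseline, current, approved):
    findings = [(n, k, classify(n, k, current, approved))
                for n, k in diff(baseline, current)]
    if any(risk == "high" for _, _, risk in findings):
        return "lock_workspace", findings   # hypothetical action name
    if findings:
        return "notify_it", findings        # hypothetical action name
    return "none", findings

# Constructed sample data: one OS component and one trusted app.
MAIL_V1, MAIL_V2 = b"mail client 1.0", b"mail client 1.1"
BASELINE = snapshot({"os/kernel": b"kernel A", "app/com.example.mail": MAIL_V1})
APPROVED = {"app/com.example.mail": {digest(MAIL_V2)}}

def demo():
    upgraded = snapshot({"os/kernel": b"kernel A", "app/com.example.mail": MAIL_V2})
    sideloaded = dict(upgraded)
    sideloaded["app/com.example.unknown"] = digest(b"unvetted package")
    return audit(BASELINE, upgraded, APPROVED), audit(BASELINE, sideloaded, APPROVED)

if __name__ == "__main__":
    for action, findings in demo():
        print(action, findings)
```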
Threat Context
50% of Android users are running out of date, unpatched OS
92% of the top 50 iOS apps come from different developers
85% of the top free iOS and Android apps can access private user data
55% of smartphones used in business will be owned by employees by 2015
90% of businesses will have corporate apps running on employee devices by 2014
9% of companies have a policy to wipe corporate data while leaving personal data intact
71% of businesses plan to implement a solution that separates business and personal data
22% of IT pros have seen malware on mobile devices

Android malware similarly spies on users with infected devices. One typical, common recent instance of malware (known as Android.Trojan.GingerMaster) comes bundled with multiple non-malicious apps and runs in the background to broadcast device IDs, phone numbers, and more to command and control servers. Other common infected applications (such as Android.Monitor.Sheriff) monitor users' GPS coordinates. Additionally, one must consider the vast array of mobile applications that are not designed to be malware, but may put your private data and devices out of compliance nonetheless. For example, a recent report suggests that 86% of the top 100 apps on the Apple App Store and Google Play marketplace request access to some type of personal information, with many of them gaining access to GPS coordinates and/or the native address book on the device, which houses both personal and business contacts.
While their intent may not be malicious, these types of applications may put your state of compliance at risk.
Concluding Thoughts
Trusted mobile computing requires integrity verification and compliance assurance. The many capabilities of Fixmo deliver this to the enterprise. Fixmo capabilities are backed up with a world-class engineering team which has built solutions that can scale to the size of the global hand-held device market. Key components of their suite of solutions were initially developed by the US government, and under terms of the government's agreement with Fixmo these components are free for government use.
Why Fixmo
Here is more on Fixmo's key capabilities for government use:

Fixmo Sentinel Desktop - No Charge to Government: Fixmo Sentinel Desktop is the commercial alternative for AutoBerry, a mobile device security and tamper detection solution that was initially developed by the U.S. National Security Agency.

Fixmo Sentinel SCC - No Charge to Government: Fixmo Sentinel Server Compliance Check (SCC) is the commercial alternative for AutoBES, a solution for automatically scanning BlackBerry Enterprise Server and Good Mobile Messaging Server to ensure proper configuration and STIG compliance.

Fixmo MRM: Learn more about the Fixmo MRM platform, which brings Fixmo Sentinel together with the Fixmo SafeZone Secure Container to provide a holistic mobile risk management platform for protecting devices, protecting corporate data and proving regulatory compliance.

Fixmo Solutions for Government: Visit the Fixmo Government Solutions page at Fixmo.com to learn more about mobile security, compliance and risk management solutions for Government agencies.
More Reading
For more federal technology and policy issues visit:

CTOvision.com - A blog for enterprise technologists with a special focus on Big Data.
CTOlabs.com - A reference for research and reporting on all IT issues.
J.mp/ctonews - Sign up for the Government Technology Newsletters.
Fixmo.com - Learn more about Fixmo today.