CTOlabs.

com

White Paper: Enabling Trusted Mobile Computing

November 2012

A White Paper providing context and guidance you can use

Inside:

Context on BYOD Integrity Verification and Compliance Assurance Lessons to learn for your enterprise deployment

CTOlabs.com

Trusted Mobile Computing Through Integrity Verification and Compliance Assurance

The use of mobile devices within government and industry is continuing to evolve at a rapid pace. Only a few years ago, enterprise mobility meant wireless email on BlackBerry. Today, organizations are embracing the latest iOS and Android devices and are constantly waiting to find out whats next. Tablets and the iPad are revolutionizing the way field employees and knowledge workers do their jobs. And mobile apps are everywhere, on every device, and are used for both personal entertainment and business productivity. The bring-your-own-device (BYOD) approach has also spread through government and industry with the promise of increased employee satisfaction and productivity as well as potential cost savings and organizational efficiencies.

Security Policies, Safeguards and Risk Management

Security policies and safeguards have not kept pace with the growth in mobility for the enterprise, resulting in rising mobile risk. A recent survey by Trend Micro found that nearly half of all companies allowing BYOD experienced data or security breaches due to employee devices accessing corporate networks. Because employee devices can carry malware, access insecure networks, track their owners, and even surreptitiously record conversations and take photos if tampered with, ensuring device integrity is now a necessity in the modern workplace. Fortunately, there is a solution that is specifically designed to monitor and maintain system integrity while still enabling choice of device and applications. Fixmo Sentinel Integrity Services provides leading integrity monitoring, tamper detection, jailbreak detection, and policy verification to ensure that mobile devices and applications start and remain in a known trusted state.

Fixmo and Its Origins

Fixmos origins lie with the U.S. National Security Agencys (NSA) internally-developed solution for verifying the integrity of their BlackBerry mobile devices, codenamed AutoBerry. While BlackBerry devices were issued for security and compliance with government security standards (FIPS 140-2), there were a growing number of reported incidents where unverified network communications and software updates were occurring on devices of employees that were traveling overseas and roaming across wireless networks. These incidents raised serious concerns over the integrity of these devices

A White Paper for the Government IT Community

and their potential exposure to malicious code injection and cyber attacks. Finding dangerous or malicious alterations to device software proved extremely difficult as checking for variations in millions of lines of code was impractical and monitoring policy compliance across thousands of devices was manpower intensive. AutoBerry saved time and effort by comparing known good hashes of devices in a trusted state and then detecting any differences and analyzing for vulnerabilities and compromises, thereby automating mobile device compliance auditing. Through the NSA Technology Transfer Program, Fixmo expanded on AutoBerrys capabilities, ported all of the functionality to Android and much of it to iOS, and released the resulting product as a commercial-off-theshelf (COTS) solution for both government agencies and private sector organizations.

Scans Can Drive Policy Changes

Fixmo empowers you with the ability to make changes to devices based on the results of scans, with a wide range of options available for you to execute. For example: If high-risk change is detected during an integrity scan (such as jailbroken OS, detection of malware or the presence of a blacklisted application), automatically lock or wipe the device If a medium-risk change is detected during a

Integrity Verification and Compliance Assurance Mitigates Risk

Mobile device integrity is critical to an enterprise as scan (such as the installation of an unknown threats to mobile device security are serious and growing. application), automatically lock down the Recently, the Government Accountability Office reported corporate data residing within the Fixmo on the gravity of mobile risk, calling on the Department of SafeZone secure workspace until IT can Homeland Security and the National Institute of Standards analyze the risk and make a decision on and Technology to implement measures to increase mobile what actions to take, if any device security in the public and private sectors. Mobile If a low-risk change is detected (such as devices face unique and dangerous threat environments the upgrade of a trusted application to a as users connect to cellular networks with root access to new version), notify IT but do not take any their devices and WiFi networks they do not know and immediate action trust. Mobile devices are susceptible to loss, malware, cyber attacks, phishing, hidden SMS managing applications that send expensive premium rate SMS messages, and SMiShing or phishing through SMS rather than email. Adding to this, most mobile devices used for business are now also permitted to have unverified third party applications installed on them from public app stores or third party distribution sites. Currently, most IT departments lack sufficient tools to detect tampering, compromises or potential

CTOlabs.com

non-compliance scenarios caused by unverified third party applications which may or may not be malicious in intent.

Mobile Threats Increasing

Mobile malware is rampant and rising. Recent analysis by Arxan Technologies found that over 90% of the top 100 paid applications for iOS and Android have copycat versions on the market that resemble legitimate applications but are instead infected. For Apple, most of those hacked apps are on unauthorized markets for jailbroken devices, though malware was recently discovered in the Apple App Store that harvests data from user address books. Researchers also claim to have snuck malware into the App Store before to demonstrate that Apples verification is not infallible.

Threat Context
50% of Android users are running out of date, unpatched OS 92% of the top 50 iOS apps come from different developers 85% of the top free iOS and Android apps can access private user data 55% of smartphones used in business will be owned by employees by 2015 90% of businesses will have corporate

apps running on employe devices by 2014 Android malware similarly spies on users with infected devices. One typical, common recent instance of malware 9% of companies have a policy to wipe (known as Android.Trojan.GingerMaster), comes bundled corporate data while leaving personal with multiple non-malicious apps and runs in the data intact background to broadcast device IDs, phone numbers, and 71% of businesses plan to implement more to command and control servers. Other common a solution that separates business and infected applications (such as Android.Monitor.Sheriff ) personal data monitor users GPS coordinates. Additionally, one must 22% of IT pros have seen malware on consider the vast array of mobile applications that are not mobile devices designed to be malware, but may put your private data and devices out of compliance nonetheless. For example, a recent report suggests that 86% of the top 100 apps on the Apple App Store and Google Play marketplace request access to some type of personal information with many of them gaining access to GPS coordinates and/or the native address book on the device which houses both personal and business contacts.

A White Paper For The Federal IT Community

While their intent may not be malicious, these types of applications may put your state of compliance at risk.

Continuous Monitoring Required

Fixmo Sentinel Integrity Services combats these potential security and compliance breaches through continuous monitoring of devices to prevent unwanted policy changes, OS rooting, unverified applications, OS tampering, and other potential compromises that can lead to a state of noncompliance. It also proves that devices are in a trusted state through auditable compliance reporting. As almost all iPhone malware comes from third party app stores accessed by jailbroken phones, and Android malware typically infects devices set to accept unverified third party applications, Fixmo Sentinel can alert IT departments if employees have made these or other changes that raise the risk for infection so that IT can proactively assess and remediate before the threat results in an actual breach. And if a device becomes infected, Fixmos Integrity Services will detect changes that indicate hidden malware may be running in the background to leak sensitive data. Fixmo Sentinel contains over 100 predefined compliance and integrity reports and scales easily across Android, iOS, and BlackBerry. It is also designed to integrate with existing mobile and IT infrastructure and leverage the safety measures your enterprise already has in place. Fixmo Sentinel also provides integrity-based policy controls which automate policy controls based on the results of an integrity scan. If the scan finds high-risk changes such as a jailbroken OS, malware, or a blacklisted application, Sentinel can automatically lock or even wipe the device. If medium-risk changes are detected, such as the installation of an unknown application, Sentinel can automatically lock down the corporate data residing within the Fixmo SafeZone container until IT can analyze the risk and decide which actions, if any, it should take. And if the changes that Sentinel finds are low-risk, like upgrading a trusted application, it will take no immediate action but will notify IT. This way threats can be countered early before they do serious damage, risks can be identified and examined further, and the enterprise is kept up to date on the significant changes across all of its mobile devices.

CTOlabs.com

Concluding Thoughts
Trusted mobile computing requires integrity verification and compliance assurance. The many capabilities of Fixmo deliver this to the enterprise. Fixmo capabilities are backed up with a world-class engineering team which has built solutions that can scale to the size of the global hand-held device market. Key components of their suite of solutions were initially developed by the US government and under terms of the governments agreement with Fixmo these components are free for government use.

Why Fixmo
Here is more on Fixmos key capabilities for government use: Fixmo Sentinel Desktop - No Charge to Government: Fixmo Sentinel Desktop is the commercial alternative for AutoBerry, a mobile device security and tamper detection solution that was initially developed by the U.S. National Security Agency. Fixmo Sentinel SCC - No Charge to Government: Fixmo Sentinel Server Compliance Check (SCC) is the commercial alternative for AutoBES, a solution for automatically scanning BlackBerry Enterprise Server and Good Mobile Messaging Server to ensure proper configuration and STIG compliance. Fixmo MRM: Learn more about the Fixmo MRM platform which brings Fixmo Sentinel together with the Fixmo SafeZone Secure Container to provide a holistic mobile risk management platform for protecting devices, protecting corporate data and proving regulatory compliance. Fixmo Solutions for Government: Visit the Fixmo Government Solutions page at Fixmo.com to learn more about mobile security, compliance and risk management solutions for Government agencies.

A White Paper For The Federal IT Community

More Reading
For more federal technology and policy issues visit: CTOvision.com- A blog for enterprise technologists with a special focus on Big Data. CTOlabs.com - A reference for research and reporting on all IT issues. J.mp/ctonews - Sign up for the Government Technology Newsletters. Fixmo.com - Learn more about Fixmo today.

About the Authors

Bob Gourley is CTO and founder of Crucial Point LLC and editor and chief of CTOvision.com He is a former federal CTO. His career included service in operational intelligence centers around the globe where his focus was operational all source intelligence analysis. He was the first director of intelligence at DoDs Joint Task Force for Computer Network Defense, served as director of technology for a division of Northrop Grumman and spent three years as the CTO of the Defense Intelligence Agency. Bob serves on numerous government and industry advisory boards. Contact Bob at bob@crucialpointllc.com Ryan Kamauff is a technology research analyst at Crucial Point LLC, focusing on disruptive technologies of interest to enterprise technologists. He writes at http://ctovision.com. He researches and writes on developments in technology and government best practices for CTOvision.com and CTOlabs.com, and has written numerous whitepapers on these subjects. Contact Ryan at Ryan@ crucialpointllc.com

For More Information

If you have questions or would like to discuss this report, please contact me. As an advocate for better IT in government, I am committed to keeping the dialogue open on technologies, processes and best practices that will keep us moving forward. Contact: Bob Gourley bob@crucialpointllc.com 703-994-0549 All information/data 2012 CTOLabs.com.

CTOlabs.com