Breaking and entering is easy
When the American Department of Justice announced in March of this year that it no longer needed Apple to help it access data on an iPhone 5C belonging to someone responsible for a terrorist attack, there was much speculation about who had provided the tools needed to extract the data on the phone. It was speculated that Cellebrite, a Tel Aviv-headquartered mobile forensics company and subsidiary of Japan’s Sun Corp, which signed a data forensics contract with the FBI in 2013, was responsible for providing the lock-picking services required.
A recent interview with the BBC demonstrates how easily and quickly a Samsung smartphone running Android 4.2 was broken into. Admittedly, the demo device supplied by Cellebrite was running an older version of Android (the latest version is 7.0, also known as Nougat); however, the BBC’s correspondent was allowed to take it away and set up the native security on the smartphone. As expected from a demo, the device was connected to a ‘chunky tablet-type computer’ and after a mere two button clicks the Cellebrite representative announced the phone’s lock code had been disabled. “We can pretty much pull up any of the data that resides on the phone” they said. When questioned on whether they could just as easily get data from the latest phone such as the iPhone 7, the answer was affirmative. “We can definitely extract data from an iPhone 7 as well – the question is what data.”
Securing your data
Whether at rest or in transit, data is vulnerable to cyber attack. Whilst malware on Android has become increasingly prevalent, non-jailbroken iPhones were considered almost immune to malware thanks to Apple vetting every app before it’s made available in the App Store. That was the case until March this year, when Palo Alto uncovered AceDeceiver, “the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken”.
What about data in the cloud? We’ve seen numerous iCloud breaches in the last couple of years, many of them involving highly personal images of celebrities being leaked. The latest high-profile example of an iCloud breach came this weekend after The Sun reported that they were approached by someone offering 3000 ‘intimate’ images belonging to Pippa Middleton for a minimum of £50k. On its website, Apple provides an overview of iCloud security and privacy, stating what it does to secure your data both at rest and in transit; however, given its popularity, the race between the service supplier and the attackers is not likely to end soon.
Data Loss Prevention (DLP)
Companies that need to share sensitive data, such as organisations sharing information relating to mergers & acquisitions, often use ‘secure data vaults’, which offer a higher level of security and data sharing than is available from the more common cloud storage services. They also use data leak prevention (DLP) technologies, which detect and protect your organisation’s sensitive data by:
- i) Scanning data in motion, in use and at rest
- ii) Identifying sensitive data that requires protection
- iii) Taking remedial action—alert, prompt, quarantine, block, encrypt
- iv) Providing reporting for compliance, auditing, forensics and incident response purposes
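The four DLP steps listed above, as an added example (not from the original article or any vendor's product): a content inspector that finds candidate payment card numbers, confirms them with the Luhn checksum to cut false positives, maps each hit to a remedial action and returns a masked record for reporting. The channel names, policy table and sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical policy table: remedial action per channel (names are assumptions).
POLICY = {"email": "block", "file_share": "quarantine", "endpoint": "alert"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

@dataclass
class Finding:
    channel: str   # where the data was seen (in motion, in use, at rest)
    action: str    # remedial action chosen by policy
    masked: str    # only the last four digits are kept for the audit trail

def scan(channel: str, text: str) -> list[Finding]:
    """Scan one message or file body and return policy decisions for each hit."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding(channel, POLICY.get(channel, "alert"), masked))
    return findings

# Constructed sample traffic: one test card number, one look-alike, one clean message.
SAMPLES = [
    ("email", "Deal room invoice, card 4111 1111 1111 1111 exp 01/30"),
    ("file_share", "Order ref 1234 5678 9012 3456 shipped"),
    ("endpoint", "Meeting moved to 14:00, room 12"),
]

def report(samples=SAMPLES) -> list[Finding]:
    """Reporting step: the list of findings across all scanned items."""
    return [f for ch, text in samples for f in scan(ch, text)]

if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Only the first sample produces a finding: the order reference has the right shape but fails the checksum, which is why pattern matching alone is not enough for the identification step.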
Identified by Gartner as Leaders in their Magic Quadrant for Enterprise Data Loss Prevention, Digital Guardian offers one of the most advanced and powerful endpoint DLP agents due to its kernel-level integration for Windows, Apple OS X and Linux operating systems. Fortinet also offers built-in DLP functionality with FortiOS 5, extending to the endpoint, through FortiClient, the same DLP capabilities as those on the Fortinet Security Fabric.
Enterprise Mobility Management (EMM)
Specifically for mobile devices, and a sector brought to the fore by the popularity of bring-your-own-device (BYOD) policies in the workplace, mobile device and application management technology suites enable organisations to integrate and manage mobile devices in corporate IT infrastructures. Organisations use EMM tools to perform the following functions for their users:
- i) Provisioning: EMM suites configure devices and applications for enterprise deployment and use, manage updates, and assist with device upgrade and retirement.
- ii) Auditing, tracking and reporting: EMM suites can track device inventories, settings and usage to verify compliance with enterprise policies and manage assets.
- iii) Enterprise data protection: EMM suites mitigate data loss, theft, employee termination or other incidents by adding controls for data encryption, data access rights, shared devices, application wrapping and containment, and device lockdown.
- iv) Support: EMM suites help IT departments troubleshoot mobile device problems through inventory, analytics and remote actions.
Having the ability to restrict the gathering of location and other sensitive data from a personally-owned device helps keep employees happy while allowing them to use their own devices for company work. However, it’s a careful balance that requires the ability to segment work and personal apps and data as much as possible.
What else can we do?
As with any risk, you need to work out which potential outcomes you consider to be acceptable against the investment needed to protect against them. Organisations will have a greater need for technologies like encryption, DLP etc. than individuals. For individuals, passwords are common currency, but many are still very weak or reused, which is why, on top of best practice password use, multi-factor authentication should be taken advantage of where available.
Best practice for passwords
- Use a different password for each online account so that if one is breached, they are not all at risk.
- Security is Obscurity. The longer and more complex a password is, the stronger it is.
- Consider using a password manager. Advanced Privilege Management is technology used by organisations to manage access for their privileged accounts. The admin username and shared password are replaced by authenticated, authorised, situation- and time-specific password check-outs and check-ins. Password managers for personal use are readily available, but it’s important to check the security strength of the password management software.
- Use Multi-Factor Authentication where available.
Secure your data, devices and online accounts
Companies are increasingly conscientious about any potential breach of their data, typically employing a number of controls to mitigate the risks. However, as individuals, we need to be equally vigilant about the data residing on our own personal online accounts and devices. The demonstration by Cellebrite shows that it can be very easy to break into a password-protected phone and the wealth of data it has access to, whilst the number of high-profile data breaches continues to rise: from Target to TalkTalk and from Hollywood actress Jennifer Lawrence to the Duchess of Cambridge’s sister Pippa Middleton.
Infosec Partners can help
Whether you are part of a global enterprise or an individual concerned about your security, Infosec Partners can help. For more information, please complete the adjacent form or contact us today on +44 (0)1256 893662 to speak with a trusted advisor immediately.