Previously, it was easy for network administrators to identify business boundaries; they were usually where the external and internal networks meet. This made it easy for administrators to know where to place a firewall to ensure internal network security. Today, how do you separate employees’ smartphones from the corporate network when those phones are used for multi-factor authentication and reading work emails? The boundary between the internal and external network has become blurred.
There is a range of security policies for managing users’ smartphones, from the most restrictive approach – no access to smartphones allowed – to an open approach that allows personal phones to connect to the internal corporate network. We suggest that the right solution is somewhere in between.
You may have heard of Pegasus spyware in the news; NSO Group’s software exploits vulnerabilities in iOS (iPhone) to access data on the phone of an unsuspecting target. NSO sells Pegasus to governments, ostensibly to hunt down criminals, but it is often used by repressive regimes to spy on their opponents, politicians and activists.
In the past, Pegasus infections were mainly achieved by sending a link to the victim’s phone; when the target clicked on it, they would trigger an exploit that would allow attackers to gain root access to the phone. Once the spyware has root access, it can read messages in apps like iMessage, WhatsApp, Telegram, Gmail, and others. A sophisticated command-and-control network reports back to the operator and can also control the phone.
Reduce the risk
Smartphones have removed the clearly defined boundaries between internal and external corporate networks and have become a target for threat actors. Moreover, it doesn’t take a large underground network with deep pockets to trick users into installing spyware; a user who accidentally downloads a malicious app is enough.
No security system can block all malicious links and exploits, but we can take steps to reduce the risk to a manageable level. So how do you prevent the smartphones that people use to communicate with their colleagues from becoming an attack vector for the corporate network?
Here are some strategies:
- Create a policy that prohibits the sending of critical keys such as passwords, private certificates, and access tokens through email or telephone services. Use alternatives that secure this information separately, such as a password manager.
- Teaching users how malicious actors take control of their phones provides the greatest return on investment. If a potential victim knows what to look for, such as a suspicious link from an unknown sender, they’ll likely identify it as malicious and protect themselves and the corporate network. Also, if they know that spyware can come from apps downloaded from the Google Play Store or Apple App Store, they can check an app for signs of spyware before downloading it. You don’t have to spend a lot of money or time on user training; just keep users up to date with the attack methods that might affect their phones. Have users read one of the recent articles on Pegasus spyware before they use their phone on the company network, then continue with monthly reading on the latest spyware.
- Two basic security measures can reduce the network attack surface:
  - Multi-factor authentication can protect against password theft and phishing attacks.
  - A zero-trust network will grant users access only to the servers they need to do their jobs and deny access to everything else. This ensures that a compromised account cannot be used for lateral movement.
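The two measures above, as an added example that is not part of the original article: a default-deny access check in which every request must carry a verified second factor and is then matched against a per-user allow-list of servers. The `reachable` helper shows what a compromised account can still touch, which is the lateral-movement question the second bullet raises. All users, server names and the device-posture field are constructed for this demonstration; the optional `require_unrooted` switch reflects the rooted-phone policy the article discusses below and leaves to each business.

```python
"""Default-deny, per-user access check with an MFA requirement.

Added example, not the article's own code. Every user, server and posture
value here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list: each account may reach only the servers it needs.
ALLOWED_SERVERS = {
    "alice": {"mail.corp.example", "crm.corp.example"},
    "bob": {"mail.corp.example", "build.corp.example"},
}

# Constructed inventory of everything on the internal network.
SERVERS = {"mail.corp.example", "crm.corp.example",
           "build.corp.example", "hr.corp.example"}


@dataclass(frozen=True)
class Session:
    user: str
    password_ok: bool            # first factor succeeded
    mfa_verified: bool           # second factor (authenticator app / key)
    device_rooted: bool = False  # posture signal; assumption, optional


@dataclass(frozen=True)
class Policy:
    # The article leaves the rooted-phone rule to each business, so it is
    # an opt-in switch here rather than a hard requirement.
    require_unrooted: bool = False


def authorize(session: Session, target: str,
              policy: Optional[Policy] = None) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    policy = policy or Policy()
    if not session.password_ok:
        return False, "first factor failed"
    # A stolen or phished password alone never gets through.
    if not session.mfa_verified:
        return False, "second factor missing"
    if policy.require_unrooted and session.device_rooted:
        return False, "device posture: rooted"
    allowed = ALLOWED_SERVERS.get(session.user, set())
    if target not in allowed:
        return False, "not in allow-list (default deny)"
    return True, "allowed"


def reachable(session: Session, servers: set[str],
              policy: Optional[Policy] = None) -> set[str]:
    """Servers this session could reach: the lateral-movement blast radius."""
    return {s for s in sorted(servers) if authorize(session, s, policy)[0]}


if __name__ == "__main__":
    # Phished password, no second factor: reaches nothing.
    stolen = Session("bob", password_ok=True, mfa_verified=False)
    print("password-only:", reachable(stolen, SERVERS))
    # Fully compromised session: still confined to bob's allow-list.
    full = Session("bob", password_ok=True, mfa_verified=True)
    print("with MFA:", reachable(full, SERVERS))
    # Rooted phone under the stricter optional policy.
    rooted = Session("bob", True, True, device_rooted=True)
    print("rooted, strict:", reachable(rooted, SERVERS, Policy(require_unrooted=True)))
```

Run it directly to see the three cases; the second case is the point of the zero-trust bullet: even a session with both factors compromised cannot reach `hr.corp.example` or `crm.corp.example`, because they were never on that account's list.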
Some recommend allowing only unrooted or unjailbroken phones to access the corporate network. On a rooted device the integrity of the phone’s operating system is no longer verified, which makes it easier to hide malware. Unfortunately, this does not help in most of the situations where spyware infects the phone, and it may lead some users to believe that their phone will protect them when it cannot. Users of unrooted Android phones can still download apps, and any downloaded app may carry spyware.
Also, since the user owns the phone, telling them that they cannot make any changes to it may stop them from using it to communicate for work at all. Each business has different needs, which is why we leave it to you to assess the need for this policy.
Whether they are targeted by Pegasus spyware or mistakenly download a malicious application, you want users to recognize their mistakes and report issues to the experts. We must remember that not everyone has the security expertise to identify spyware on a phone. We recommend having a policy that allows users to feel comfortable voicing their concerns. Using these methods will help fill in the gaps and create a clear and defined security barrier between the corporate network and the outside world.