It used to be easy for network administrators to identify where corporate boundaries were: they sat where the external and internal networks met. That made it easy to know where to place a firewall to keep the internal network safe. Nowadays, how does one separate employees’ smartphones from the corporate network when those same phones are used for multi-factor authentication and reading work email? The boundary between internal and external networks has become blurry.
There are a range of security policies for dealing with users’ smartphones, from the most restrictive approach – no smartphone access allowed – to an open approach that allows personal phones to connect to the internal corporate network. We suggest that the right solution is somewhere in between.
You may have read about the Pegasus spyware in the news; the NSO Group’s software exploits flaws in iOS (iPhones) to gain access to data on an unsuspecting target’s phone. NSO sells Pegasus to governments, ostensibly to track criminals, but it’s often used by repressive regimes to spy on their opponents, political figures, and activists.
In the past, Pegasus infections were primarily achieved by sending a link to the victim’s phone; when the target clicked on it, an exploit ran that gave the attackers root access to the phone. Once the spyware has root access, it can read messages in apps like iMessage, WhatsApp, Telegram, Gmail and others. A sophisticated command-and-control network reports back to the operator and can control the phone as well.
Reducing the risk
Smartphones have done away with clearly defined borders between internal and external corporate networks and have become a target for threat actors. Furthermore, it doesn’t take a large underground network with deep pockets to get spyware onto a phone: tricking a user into downloading a malicious app is enough.
No security system can block every malicious link and exploit, but we can take steps to reduce the risk to a manageable level. So how do we stop the smartphones people use to communicate with coworkers from becoming an attack vector into the corporate network?
Here are a few strategies:
- Create a policy that prohibits critical secrets such as passwords, private keys and certificates, and access tokens from being sent over email or phone messaging services. Use alternatives that secure this information separately, like a password manager.
- Teaching users how threat actors gain control of their phones has the best return on investment. If a potential victim knows what to look for, like a suspicious link from an unknown sender, they will likely identify it as malicious and protect both themselves and the corporate network. In addition, if they know that spyware can come from apps downloaded from the Google Play Store or the Apple App Store, they can also look out for spyware before installing it. You don’t have to spend a lot of money or time on user education; simply keep users up to date on attack methods that could compromise their phones. Make any one of the recent articles on the Pegasus spyware required reading before users may use their phone on the corporate network, then continue with monthly reading on the latest spyware.
- Two basic security measures can reduce the network’s attack surface:
  - Multi-factor authentication can protect against password theft and phishing attacks.
  - A zero-trust network will grant users access only to the servers they need to do their jobs and deny access to everything else. This ensures a compromised account can’t be used for lateral movement.
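To make the last two measures concrete, here is an added example (not code from the original post) of a default-deny access decision: a request must pass the first factor, pass the second factor, and hit an explicit per-user allow-list, in that order. It also measures the blast radius of a compromised account under a flat "any authenticated user reaches any server" policy versus the least-privilege allow-list. The user names, server names and policy entries are constructed assumptions.

```python
"""Default-deny, per-user server access checks with a mandatory second factor.
Added example, not the original post's code; all names and policy data are
constructed for illustration."""
from dataclasses import dataclass

# Constructed inventory of internal servers.
ALL_SERVERS = {"mail.example.internal", "wiki.example.internal", "git.example.internal"}

# Least-privilege policy: each user gets only the servers their job needs.
LEAST_PRIVILEGE_POLICY = {
    "alice": {"mail.example.internal", "wiki.example.internal"},
    "bob": {"mail.example.internal", "git.example.internal"},
}

# The weak setting for contrast: every known user may reach every server.
FLAT_POLICY = {user: set(ALL_SERVERS) for user in LEAST_PRIVILEGE_POLICY}


@dataclass
class AccessRequest:
    user: str
    server: str
    password_ok: bool  # first factor verified by the identity provider
    mfa_ok: bool       # second factor (e.g. authenticator prompt) verified


def evaluate(req: AccessRequest, policy: dict) -> tuple:
    """Return (allowed, reason). Anything not explicitly granted is denied:
    a stolen password alone fails at the MFA gate, and a fully authenticated
    user still fails when the server is outside their allow-list."""
    if not req.password_ok:
        return False, "first factor failed"
    if not req.mfa_ok:
        return False, "second factor missing: password alone is not enough"
    granted = policy.get(req.user, set())  # unknown users get an empty grant
    if req.server not in granted:
        return False, f"{req.user} has no grant for {req.server}"
    return True, "allowed"


def reachable_servers(user: str, policy: dict) -> set:
    """Blast radius of a compromised account: the servers a valid, fully
    authenticated login as `user` can reach under `policy`."""
    return {
        server
        for server in ALL_SERVERS
        if evaluate(AccessRequest(user, server, True, True), policy)[0]
    }


if __name__ == "__main__":
    # A phished password without the second factor is refused.
    print(evaluate(AccessRequest("alice", "mail.example.internal", True, False), LEAST_PRIVILEGE_POLICY))
    # Alice's compromised account cannot move laterally to the git server.
    print(evaluate(AccessRequest("alice", "git.example.internal", True, True), LEAST_PRIVILEGE_POLICY))
    # Compare how far one compromised account reaches under each policy.
    print("flat:", sorted(reachable_servers("alice", FLAT_POLICY)))
    print("least privilege:", sorted(reachable_servers("alice", LEAST_PRIVILEGE_POLICY)))
```

The ordering of the checks matters: the allow-list is consulted only after both factors succeed, so a denied request never reveals which servers a user is entitled to, and an unknown user falls through to an empty grant rather than a special case.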
Some recommend only allowing non-rooted or non-jailbroken phones onto the corporate network. A rooted device doesn’t check the integrity of the phone’s OS, which makes hiding a malware program on it easier. Unfortunately, this doesn’t help in most situations where spyware infects the phone, and it could lead some users to believe their phones will keep them safe when they cannot. Users can still sideload apps onto their Android phones, and with sideloaded apps comes the possibility of spyware.
Additionally, since the user owns the phone, telling them they can’t make changes to it may put them off the idea of communicating this way. Each company has different needs, so we leave it up to you to weigh the need for this policy.
Whether they are targeted with Pegasus spyware or mistakenly download a malicious app, you want users to recognise their mistakes and bring problems to the experts. We need to remember that not everyone has the security expertise to identify spyware on a phone. We recommend a policy that makes users feel comfortable raising their concerns. Using these methods will help close holes and create a clear, well-defined security gate between the corporate network and the outside world.