Operations

9/19/2014 06:00 AM

Is Enterprise IT Security Ready For iOS 8?

Apple bakes in more security features, but iOS 8 won't come without security ops headaches.

As Apple still reels from the sting of the leaked celebrity photos, the company hopes to raise the security and privacy bar with a batch of new security features in iOS 8. Enterprises, however, may find that they still have to work hard to secure data moving across devices that run the new mobile operating system.

Released this week for general download, iOS 8 brings devices enhanced security capabilities such as the option for complex passcodes, always-on VPN for Wi-Fi connectivity, finer control over privacy settings, and an expanded role for the Touch ID fingerprint sensor on newer iPhones: Apple has released APIs that let third-party developers build fingerprint authentication into their own applications.

This last feature could be a big win for enterprises if they put in the work to fold fingerprint authentication into their custom mobile apps.

"Use Touch ID as a testing ground for biometric app authentication," recommends Ojas Rege, vice president of strategy for MobileIron. "Define the role and use cases for biometrics in your broader enterprise authentication strategy."

However, some experts say not to get too cocky about the security of biometrics as a single factor of authentication. There are many ways to spoof fingerprints and fool fingerprint scanners, including the old gummy bear trick, says Paul Martini, CEO of iBoss Network Security, who warns that overconfidence in biometrics could make for riskier apps.

"If you turn that feature on and have very high confidence that the fingerprint is going to make it even more secure over a password, what if something like that gummy bear thing comes up? All of a sudden you almost prefer the password or a code," he says. "I'm hoping people will use a combination of authenticators, but knowing Apple, it's a convenience thing so probably they're just going to go with the fingerprint."
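What "a combination of authenticators" can look like in an iOS 8 app, as an added example written for this page rather than code from the article, Apple, MobileIron or iBoss: the first function shows the Bool-gate anti-pattern that Martini's warning points at, and the rest bind a per-device token to a Keychain item under the access-control API that shipped with iOS 8 (SecAccessControlCreateWithFlags with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly and the .userPresence flag) and submit that token together with the user's password. The Keychain account label, the login URL and the server-side behaviour are assumptions made for the example; the Swift syntax is current rather than the Swift 1.0 of 2014.

```swift
import Foundation
import Security
import LocalAuthentication

// Assumed names for this example: the Keychain account label and the login
// endpoint are placeholders, not anything from the article or from Apple.
let deviceTokenAccount = "com.example.enterpriseapp.device-token"
let loginURL = URL(string: "https://login.example.com/v1/session")!

/// Anti-pattern: treating the Bool from evaluatePolicy as "authenticated".
/// A successful match releases no secret, so a patched or instrumented copy
/// of the app can simply take the success branch without any fingerprint.
func weakBiometricGate(completion: @escaping (Bool) -> Void) {
    let ctx = LAContext()
    ctx.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                       localizedReason: "Unlock") { ok, _ in completion(ok) }
}

/// Preferred: bind a per-device token to a Keychain item that the Secure
/// Enclave only releases after user presence (Touch ID, or the device
/// passcode as fallback). The fingerprint unlocks a secret; it is not the
/// secret, and the server still demands the user's password alongside it.
@discardableResult
func storeDeviceToken(_ token: Data, account: String = deviceTokenAccount) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            // Item exists only while a passcode is set and never migrates to backups.
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .userPresence,                // require Touch ID or passcode on every read
            &cfError) else {
        return errSecParam
    }
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(lookup as CFDictionary)   // replace any earlier enrollment

    var item = lookup
    item[kSecAttrAccessControl as String] = acl
    item[kSecValueData as String] = token
    return SecItemAdd(item as CFDictionary, nil)
}

/// Reading the item is what triggers the Touch ID sheet; a cancelled or
/// rejected prompt returns errSecUserCanceled / errSecAuthFailed and no data.
func readDeviceToken(account: String = deviceTokenAccount, reason: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseOperationPrompt as String: reason,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { return nil }
    return data
}

/// Build the login request: something the user knows (the password) plus
/// something the device has (the Touch ID-gated token). The assumed server
/// rejects either on its own; its implementation is outside this example.
func buildLoginRequest(username: String, password: String) -> URLRequest? {
    guard let token = readDeviceToken(reason: "Confirm it is you to sign in") else {
        return nil   // user cancelled, print rejected, or device not enrolled
    }
    var req = URLRequest(url: loginURL)
    req.httpMethod = "POST"
    req.setValue("application/json", forHTTPHeaderField: "Content-Type")
    let body: [String: String] = [
        "username": username,
        "password": password,
        "device_token": token.base64EncodedString(),
    ]
    req.httpBody = try? JSONSerialization.data(withJSONObject: body)
    return req
}

/// One-time enrollment: generate the token in-app, register it with the
/// server over an already-authenticated session (omitted here), then store it
/// behind the user-presence ACL so later reads require Touch ID or passcode.
func enrollDevice() -> Data {
    var bytes = [UInt8](repeating: 0, count: 32)
    _ = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    let token = Data(bytes)
    storeDeviceToken(token)
    return token
}
```

The design point is where the trust boundary sits. With the LAContext gate, the only thing standing between an attacker and the app's logged-in state is a Bool in app memory. With the Keychain route, a spoofed print buys the attacker the device token and nothing else, and a phished password buys nothing without the enrolled handset; an enterprise can also revoke a lost device by deleting its token server-side without touching the user's password.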

[Image credit: Apple]

In addition to security features, Apple is working hard to make consumers feel safe about the privacy of the information they store on their devices.

"Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay," wrote Apple CEO Tim Cook in an open letter to customers.

Apple reworked data protection in iOS 8 so that the company can no longer bypass a user's passcode. The encryption key is derived from the user's passcode and a key bound to the device hardware; Apple does not hold it and therefore has no way to extract data from a locked device to hand over to authorities, whether the data is personal or corporate. iOS 8 also introduced an anti-tracking feature that randomizes the Wi-Fi MAC address the device uses while scanning for networks, reducing the ability of Wi-Fi network owners to track users by their hardware address. While that is a boon for user privacy, the feature could prove a big headache for enterprises, says Martini.

"That stands out from an infrastructure and security perspective because a lot of network access control systems are probably going to have weird issues as a result," he says. "Fundamentally the way they're designed depends on fixed MAC addresses. The industry has to prepare for this."

But the real work for enterprises reducing the iOS 8 risk profile will likely revolve around the operating system's newest non-security features. Apple has emphasized seamless sharing of documents and workflows across devices through features such as AirDrop and Handoff. That added convenience, however, amplifies the risk of data loss and of data moving to unapproved devices and users.

"New data-sharing mechanisms could also result in unexpected vectors of data loss," writes Rege. "Enterprises will not want corporate data to suddenly appear on unmanaged devices or in unauthorized apps. This problem is not solved by taking away these features but rather by providing the guardrails for enterprise developers to use these features effectively."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Marilyn Cohodas, User Rank: Strategist, 9/22/2014 | 8:34:17 AM
Re: iOS 8 in the enterprise
@GonzSTL, I have no doubt that Apple would be thrilled if consumer preferences for iPhones and iPads influenced corporate decision makers on the standard computer products they issue employees for use in the workplace. But I don't see that happening in the near term. Windows is still pretty entrenched in the enterprise and Android quite popular among consumers and the BYOD crowd. Makes it hard for security teams, but overall, the competition is good.
Robert McDougal, User Rank: Ninja, 9/19/2014 | 11:04:27 AM
Re: Mixed bag
"New data-sharing mechanisms could also result in unexpected vectors of data loss,"

Of everything new in iOS 8, this is the piece that gives me the most heartburn. Any time a new method for sharing data is developed, hundreds of new vulnerabilities are introduced.
GonzSTL, User Rank: Ninja, 9/19/2014 | 9:38:52 AM
iOS 8 in the enterprise
Nobody ever said IT security was easy, and this is certainly a big challenge. In an enterprise, it is not unusual to provision mobile devices so that they are in some sort of semi-trusted or isolated network segment, with limited or no access to enterprise resources. Many access control mechanisms key in on the MAC address for proper provisioning of the mobile device. As Paul Martini mentioned, this may be somewhat problematic, given the ability of the mobile device to randomize its MAC addresses. It may even be more complex than that, actually. Spoofing MAC addresses is a favorite tactic employed by would-be intruders, and if the enterprise "trusts" a mobile device capable of randomizing its MAC address, well, that opens up a huge opportunity for exploitation.

Also, in their effort to increase personal privacy, Apple reworked their device encryption strategy so that only the owner can access data on the device. Whereas that is ideal for the private owners who want to protect their privacy, it is also a huge headache for security and/or law enforcement when it comes to forensic investigations. Personally, I would not be comfortable with allowing this type of device to connect to a corporate network (enforcing the stigma that security is the "department of NO").

It almost appears that these devices are intended for offsite personal use only, but with the capability to connect to corporate networks as needed, using traditional VPN mechanisms. Then again, perhaps that is Apple's intent, because these personal mobile devices really are their cash cow anyway, and they have a separate line of computing devices suitable for corporate environments. Why not have people fall in love with their Apple handhelds and maybe they will also like the Apple traditional computers. That could be a clever marketing ploy to have those users influence their companies to allow increased Apple computer penetration into the corporate environment.
Marilyn Cohodas, User Rank: Strategist, 9/19/2014 | 9:38:29 AM
Mixed bag
Sounds like the typical mixed bag for enterprise security. Curious to hear about the policies and guidance to users that security teams are contemplating. Thoughts anyone?