Dark Reading is part of the Informa Tech Division of Informa PLC

Operations

9/19/2014
06:00 AM

Is Enterprise IT Security Ready For iOS 8?

Apple bakes in more security features, but iOS 8 won't come without security ops headaches.

As Apple still reels from the sting of leaked celebrity nudes, the company hopes to up the security and privacy ante with a passel of new security features in iOS 8. However, enterprises may find that they still must work hard to secure data moving between devices that run the new mobile operating system.

Released this week for general download, iOS 8 brings enhanced security capabilities to devices: the option for complex passcodes, always-on VPN for WiFi connectivity, improved control over privacy settings, and bolstered capabilities around the Touch ID biometric authentication feature on newer iPhones, for which APIs have now been released so that third-party developers can build use of the fingerprint reader into their applications.

This last feature could be a big win for enterprises should they put the work into folding fingerprint reading into their custom mobile apps.

"Use Touch ID as a testing ground for biometric app authentication," recommends Ojas Rege, vice president of strategy for MobileIron. "Define the role and use cases for biometrics in your broader enterprise authentication strategy."

However, some experts say not to get too cocky about the security of biometrics as a single factor of authentication. There are so many ways to spoof fingerprints and fool fingerprint scanners, including the old gummy bear trick discovered in 2010, says Paul Martini, CEO of iBoss Network Security, who warns that overconfidence in biometrics could make for riskier apps.

"If you turn that feature on and have very high confidence that the fingerprint is going to make it even more secure over a password, what if something like that gummy bear thing comes up? All of sudden you almost prefer the password or a code," he says. "I'm hoping people will use a combination of authenticators, but knowing Apple, it's a convenience thing so probably they're just going to go with the fingerprint."


In addition to security features, Apple is working hard to make consumers feel safe about the privacy of the information they store on their devices.

"Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay," wrote Apple CEO Tim Cook in an open letter to customers.

Apple reworked the encryption mechanism in iOS 8 so that the company no longer has the power to bypass a user's passcode. The company has no access to the user's encryption key and therefore no way to extract data from the device to hand over to authorities, be it personal data or private corporate data. It also introduced an anti-tracking feature that randomizes MAC addresses to reduce the ability of WiFi network owners to track users. While that is a boon for user privacy in some respects, the feature could prove a big headache for enterprises, says Martini.

"That stands out from an infrastructure and security perspective because a lot of network access control systems are probably going to have weird issues as a result," he says. "Fundamentally the way they're designed depends on fixed MAC addresses. The industry has to prepare for this."
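As an added example (not from the article or from either vendor quoted in it), here is a small Python check a network team could run over its DHCP lease log to find addresses that a MAC-keyed access-control policy cannot bind to a known device: a randomised address carries the locally-administered bit in its first octet, so the check flags those separately from plain unregistered hardware. The log format, the sample lines and the registered-device inventory are all constructed for the example.

```python
import re

# Constructed DHCP server log lines standing in for a NAC/DHCP feed (format assumed, not
# from the article). da:.. and 7e:.. carry the locally-administered bit, as randomised MACs do.
SAMPLE_LEASES = """\
2014-09-19 09:12:01 DHCPACK on 10.20.4.17 to 3c:15:c2:aa:bb:01 (ios-device-1) via eth1
2014-09-19 09:12:44 DHCPACK on 10.20.4.18 to da:1c:9e:44:0f:72 (iPhone) via eth1
2014-09-19 09:13:10 DHCPACK on 10.20.4.19 to 00:1e:c2:00:11:22 (printer-3f) via eth1
2014-09-19 09:14:02 DHCPACK on 10.20.4.20 to 7e:00:ff:12:34:56 via eth1
2014-09-19 09:15:30 DHCPACK on 10.20.4.21 to 10:40:f3:11:22:33 (laptop-07) via eth1
"""

REGISTERED_MACS = {"3c:15:c2:aa:bb:01", "00:1e:c2:00:11:22"}  # constructed NAC inventory

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE)


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set: the address was assigned
    locally rather than burned in by the vendor, which is what randomised MACs use."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def classify_lease(mac, registered):
    """Bind a lease to the inventory as a fixed-MAC policy would; name the failure."""
    mac = mac.lower()
    if mac in registered:
        return "registered"
    if is_locally_administered(mac):
        # A randomised address changes, so an allow-list can never bind it to a
        # device; identity must come from elsewhere (e.g. 802.1X with certificates).
        return "unregistered-randomised"
    return "unregistered"


def audit_leases(log_text, registered):
    """Parse DHCPACK lines and classify each leased MAC against the inventory."""
    findings = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            mac = m.group("mac").lower()
            findings.append({"ip": m.group("ip"), "mac": mac,
                             "status": classify_lease(mac, registered)})
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LEASES, REGISTERED_MACS):
        print(f"{f['ip']:<12} {f['mac']}  {f['status']}")
```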

But the real work for enterprises reducing the iOS 8 risk profile will likely revolve around the operating system's latest non-security features. Apple has emphasized the ability to share documents and workflows seamlessly across devices using features like AirDrop and Handoff. However, the added convenience amplifies the risk of data loss and of unauthorized movement of data to unapproved devices and users.

"New data-sharing mechanisms could also result in unexpected vectors of data loss," writes Rege. "Enterprises will not want corporate data to suddenly appear on unmanaged devices or in unauthorized apps. This problem is not solved by taking away these features but rather by providing the guardrails for enterprise developers to use these features effectively."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Marilyn Cohodas,
User Rank: Strategist
9/22/2014 | 8:34:17 AM
Re: iOS 8 in the enterprise
@GonzSTL, I have no doubt that Apple would be thrilled if consumer preferences for iPhones and iPads influenced corporate decision makers on the standard computer products they issue employees for use in the workplace. But I don't see that happening in the near term. Windows is still pretty entrenched in the enterprise and Android quite popular among consumers and the BYOD crowd. Makes it hard for security teams but overall, the competition is good.
Robert McDougal,
User Rank: Ninja
9/19/2014 | 11:04:27 AM
Re: Mixed bag
"New data-sharing mechanisms could also result in unexpected vectors of data loss,"

Of everything new in iOS8 this is the piece that gives me the most heartburn.  Anytime a new method for sharing data is developed, hundreds of new vulnerabilities are introduced.
GonzSTL,
User Rank: Ninja
9/19/2014 | 9:38:52 AM
iOS 8 in the enterprise
Nobody ever said IT security was easy, and this is certainly a big challenge. In an enterprise, it is not unusual to provision mobile devices so that they are in some sort of semi-trusted or isolated network segment, with limited or no access to enterprise resources. Many access control mechanisms key in on the MAC address for proper provisioning of the mobile device. As Paul Martini mentioned, this may be somewhat problematic, given the ability of the mobile device to randomize its MAC addresses. It may even be more complex than that, actually. Spoofing MAC addresses is a favorite tactic employed by would-be intruders, and if the enterprise "trusts" a mobile device capable of randomizing its MAC address, well, that opens up a huge opportunity for exploitation.

Also, in their effort to increase personal privacy, Apple reworked their device encryption strategy so that only the owner can access data on the device. Whereas that is ideal for the private owners who want to protect their privacy, it is also a huge headache for security and/or law enforcement when it comes to forensic investigations. Personally, I would not be comfortable with allowing this type of device to connect to a corporate network (enforcing the stigma that security is the "department of NO").

It almost appears that these devices are intended for offsite personal use only, but with the capability to connect to corporate networks as needed, using traditional VPN mechanisms. Then again, perhaps that is Apple's intent, because these personal mobile devices really are their cash cow anyway, and they have a separate line of computing devices suitable for corporate environments. Why not have people fall in love with their Apple handhelds and maybe they will also like the Apple traditional computers. That could be a clever marketing ploy to have those users influence their companies to allow increased Apple computer penetration into the corporate environment.
Marilyn Cohodas,
User Rank: Strategist
9/19/2014 | 9:38:29 AM
Mixed bag
Sounds like the typical mixed bag for enterprise security.  Curious to hear about the policies and guidance to users security teams are contemplating.  Thoughts anyone?