In October 2021, Facebook (now Meta), and all its platforms (Instagram, WhatsApp and Messenger) shut down across the globe for up to six hours, leaving billions without a messaging service. While Facebook engineers scrambled to fix the problem, users pivoted to other apps to stay connected. In the wake of the outage, Telegram added 70 million users, according to the platform’s founder Pavel Durov.

While the Facebook outage was due to a routine maintenance error, the event led many to wonder about messaging app breaches and other issues. If someone switched from WhatsApp to Telegram, did they really end up with a more secure app? What makes a messenger app more secure? And what about the risks of using instant messages for business?

These questions matter, since we use messaging apps more and more in day-to-day life. This is especially relevant among international teams where rapid, affordable communication helps people work faster.

Messaging app security comparison

While there’s no consensus, messaging app security comparisons exist. But beware. What one source says is secure, another source might say otherwise.

Meanwhile, cybersecurity researcher Natalie Silvanovich from the Project Zero team at Google found a serious glitch in the Signal app. Using a modified client, she sent a peer-to-peer connect message to a device running Signal. This enabled a voice call to be answered, even though the callee never touched the device.

Silvanovich found similar gaps in Facebook Messenger, Google Duo, JioChat and Mocha. After her report, all these vulnerabilities have since been fixed.

Messaging app with privacy: What do threat actors use?

What about threat actors? What app are they chatting on? Is it secure? Recent research described a burgeoning network of cyber criminals on Telegram, where data leaks have increased in frequency. Some illicit Telegram channels host tens of thousands of subscribers, and the content looks like what one might find on darknet hubs. Still, what attracts threat actors might not be the app’s security, but rather the lack of platform moderation.

Security-wise, Telegram uses its own MTProto encryption protocol, rather than the more widely accepted Transport Layer Security (TLS) protocol. Some cryptographers consider MTProto to be a cryptographic weakness. While any encryption is better than none, the MTProto security requirement building blocks (hash functions, block ciphers, public-key encryption, etc.) are untested.

We dare you to attack us

Telegram isn’t worried about its encryption security, though. In fact, the platform recently held a contest to crack Telegram’s encryption. Despite offering a $30,000 bounty, nobody cracked the platform’s Secret Chats code. Note that the Telegram Secret Chats mode is not on by default, and it doesn’t function in group chat, either. During standard chat and group chat, end-to-end encryption remains inactivated on Telegram.

Up to 740 billion SMS messages per year exposed

What about SMS messages? Are they more secure? Syniverse is a company that routes hundreds of billions of text messages every year for hundreds of carriers, such as Verizon, T-Mobile and AT&T. In May 2021, the company told government regulators that attackers had been breaching its databases for five years. Syniverse processes over 740 billion messages each year for over 300 mobile operators worldwide.

What information did the attackers expose? The company did not say, but SMS text message content may have been targeted.

Big name messenger app security

Google Messages, Apple iMessage and Facebook Messenger (and Meta’s WhatsApp) have also been scrutinized for their application security. Google and Apple turn on encryption by default, as does WhatsApp, but Facebook Messenger does not.

Other criticisms about security surrounding Google and Facebook include the collection of user information. Since they collect user data, they must also secure it. This implies added risk. In addition, Apple uses a closed-source app and backend server code. This calls into question the quality of the code, including the strength of encryption or if vulnerabilities exist.

Get the signal?

Of all the messaging apps out there, Signal appears to be one of the more secure. Yes, it was found to be at risk for eavesdropping attacks as mentioned earlier, but that weakness has reportedly been fixed.

Meanwhile, Signal has many traits to look for in a secure messaging app, such as:

• It’s an open-source project supported by grants and donations. This means there should be no ads, affiliates or hidden tracking.
• End-to-end encryption by default means only the parties involved in the conversation can see the messages. No one else, not even the app owners, can see chat content.
• A self-destructing, disappearing messages feature removes messages forever after a set period of time.
• Minimal user data collection means messages, pictures and files are stored locally on your phone, unlike Google or Facebook apps which harvest information for other business purposes.

Messenger application hygiene

Beyond the intrinsic security of the messenger platform, how your teams interact with the app greatly affects security. For example, phishing campaigns and social engineering attacks have affected third-party messenger apps for years. Attackers simply send a tempting message to targets to get them to click on a link or download an infected file.

While breaching a corporate network from a smartphone app might be difficult, many users also install a desktop version of their messaging app. Any malicious link or download accessed from the desktop app version could open the door to malware.

No perfect messenger app

It’s likely that companies — especially ones with international teams — will continue to use popular messaging apps. While no application is 100% secure, some implement better security measures than others. End-to-end default encryption is one example of good security practice. It also pays to remind teams that online phishing scams are just as dangerous when they target you from your app.

The post Which third-party messenger app is best for secure business? appeared first on Security Intelligence.

We may be only a short time into 5G deployments, but discussions of the impact 6G technology will have on our lives have already started. In late 2020, the Alliance for Telecommunications Industry Solutions created a new group called the Next G Alliance to “advance North American mobile technology leadership over the next decade through private sector-led efforts.” 

You have certainly heard of some of the founding members of this organization, such as AT&T, Ericsson, Mitre, Verizon and Booz Allen Hamilton. In other parts of the world, such as in Korea, Samsung Research founded the Advanced Communication Research Center in 2019. Its principal engineer leads the 6G Vision Group at the International Telecommunications Union – Radiocommunication. 

What Does 6G Do? 

When we talk about 6G, we’re talking about the use of the terahertz (THz) bands, a spectrum that has previously been used in high-resolution health imaging technologies. The technological possibilities are kind of wild: holographic communications, multi-sensory extended reality, 3D coverage, minimal latency and mobile hotspots in lieu of physical towers. The difference will truly be astounding. 5G operates at four to five times the speed of 4G, for a max speed of about 20Gbps, whereas 6G is intended to work at a speed of approximately 1Tbps.  That’s 50 times faster than 5G!   

The Samsung G6 Vision White Paper gives a sense of what the hyper-connected life could look like by 2030. If history holds true, 2030 is a good estimate for 6G deployment, based on an NTT DoCoMo White Paper that outlines the timing of 3G, 4G and 5G deployments.

Elsewhere, China has openly stated that they want to be the leader in 6G networks and patents, disclosing that Huawei started investing in the technology back in 2017. And countries such as the U.S. and Japan have created investment alliances to keep pace and offer open-source alternatives to country-specific led communication infrastructure. These are all good reasons to draw the conversation into the mainstream.

The Same 5G Challenges, Just a Whole Lot More of Them

With a better sense of what the hyper-connected future could look like, it’s worth looking at the challenges, which are surprisingly similar to the significant ones that come with 5G.

• Manageability. The leap from 4G to 5G meant more data, more bandwidth, more nodes, more endpoints, more alerts and a greater need for orchestration. That’s a lot of “more”, and we can expect plenty more of it with 6G deployments. More of everything, moving faster than ever, presents a significant increase in management challenges. 
• Supply chain. If the security operations center isn’t overwhelmed already, increasing supply chain issues (both on the software and hardware sides) will likely get them there. And 6G has every reason to be a supply chain nightmare. A mechanism to certify devices still does not exist, security-by-design development lacks widespread use and even policy and governance issues, such as who is responsible for what (e.g. private sector versus government), have not been finalized.
• Usage. Who really is the consumer in a 6G world? Is it us mere humans, the traditional end-users, or all the devices and artificial intelligence trying to pump out that holographic image for us to gaze upon? Furthermore, are we looking at a possible end to the wired environment?  Depending on the number of connections, the attack surface can easily become “everywhere”, and the users can be “everyone and everything”.

Security Realities in a Connected World 

The ubiquity of technologies like 5G in our lives poses a question: once these hyper-connected networks go fully online, do they become too big to fail? Consider the following questions: 

• What does the “perimeter” currently look like? Does it even exist anymore?
• What roles does the cloud play, especially as edge computing increases its presence in the market? 
• Where is the private/public divide in terms of networks, especially if we see higher adoption rates of private 5G networks?
• What are the privacy safeguards in place, and where do they come into the process? 
• Will all the generated data ever be destroyed? If so, how? If not, where does it get stored and what are the associated security risks?

6G Security and the Human Element 

6G presents an opportunity for deep integration of artificial intelligence and networking functions, meaning that the security and privacy functions will also become more closely integrated. Just as all aspects of operations will begin to roll into one, so will risk, security and privacy operations. This truly begs the question: where is the starting point? Do you build your network around zero trust and security principles, allowing the privacy issues to flow from there? Or do you start with the privacy program and then let that shape your security program?

Currently, our operations are set up to protect the enterprise. Your organization’s most valuable currency, data, is still, for the most part, behind the fortress. But in a hyper-connected world, that data becomes further distributed, right down to the individual user and device. Therefore, the future of cybersecurity in a 6G world may no longer be about protecting the business network, but rather protecting the privacy of the individual. Cybersecurity leaders would be wise to focus on protection methods to fortify the individual’s ability to minimize risk, even if machines do end up becoming the ultimate “users” after the 6G revolution.

The post It’s Not Too Soon to Start Talking About 6G appeared first on Security Intelligence.

In the last hour, I’ve used my phone to take pictures of my teenagers, spy on my dogs while I was out of the house, pay my electric bill and watch a funny video. Then, while buying some new dish towels (yet another use), I used my phone as an identity document without even realizing it — and I may have increased my cell phone security risk at the same time.

Why Cell Phone Security Matters at Work

Because I forgot my password to the online store, I had to reset my password. When they sent a code to my cell phone for multifactor authentication, I clicked on the link without a second thought. I clicked on it and went on my merry way to buy the new towels. While I’ve been a long-time fan of two-factor authentication because research shows it reduces attacks, especially credentials and brute force attacks, I recently learned that the process has some downsides. By clicking on the link, I used my phone to verify my identity. That allowed the company to tie my phone to the account, which creates a risk.

As long as I don’t change my phone number, it’s not much of an issue. But if I do change my number, it will eventually be assigned to someone else. That someone could take over my accounts. A recent study by Princeton University found that 100 of the 259 phone numbers they tested had linked login credentials on the internet, and that mobile carriers have weaknesses that make recycled numbers vulnerable. You may think that you’d eliminate the risk by wiping your old cell phone free of data. However, you also have to delete the phone number from all the websites that are connected to it. Those could number in the hundreds.

How Abandoned Numbers Increase Risk

Reading the recent study made me start thinking about cell phone security, and specifically the risk abandoned cell phone numbers cause businesses. Any time an employee accesses the network or a business-related account from their mobile phone, their phone becomes an identity document. If an employee accessed their email, a criminal now has access to their email server. They might even have access to all customer information, if the employee updated the company customer relationship management software from their phone. Or, imagine if the employee used their phone to access a corporate account on a retail site. Now, a cyber criminal can go shopping on the company dime. Or worse, steal any credit card information that’s saved.

Why Change Phone Numbers?

When I first read about this vulnerability, I brushed it off. Most people don’t change their phone numbers very often. I’ve had the same number for 13 years and plan to have it for the rest of my life. The prospect of changing it after all these years would be a major headache. But I realized that there are some very valid reasons that people change their phone numbers, including:

• Divorce
• Being stalked or harassed
• Leaving a job where the phone number belonged to their employer.

The expected long-term increase in remote working changed everything. Employees are likely to use their personal mobile phones for business more often than they did before the pandemic. That increases many different types of cybersecurity risks for companies. Businesses need to address this cell phone security issue and create a plan for reducing their risk. It may be tempting to say employees must only use work phones to access sensitive data. But, all your employees are not likely to comply. The better route is to figure out a way that works for your employees and keeps your organization safer.

Reducing Cell Phone Security Risks From Discarded Numbers

The issue gets sticky since the employee is using their own mobile phone. You have a bit more control if you pay a portion or all of their cell phone bill or have a bring-your-own-device (BYOD) security policy. While you cannot totally eliminate the risk, here are some ways you can reduce your risk. They’ll at least have a better picture of it, in terms of abandoned phone numbers:

1. Know who is using personal phones to access work accounts. You are at the highest risk when you don’t have a full picture of possible vulnerabilities. It’s almost certain that your risk has increased in this area since the pandemic began. You can’t know for sure until you gather the data. Require each employee to report what devices they use to access business-related servers and accounts. Make sure employees know they aren’t going to be in trouble for doing this. You just need to know how they are accessing what they need for work so the business can protect itself.
2. Update your BYOD policy to include abandoning phone numbers. If you don’t yet have a BYOD policy, creating one should be your first priority. If you have a BYOD policy in place, update it with any changes that make sense based on your post-pandemic work arrangement. This is especially important if you allow a permanent fully remote or hybrid work environment. Be sure to include a requirement that employees notify the company if they are abandoning a phone number they used to access business accounts. Your cybersecurity team can meet with employees as appropriate. From there, they can evaluate the risks each employee’s phone may incur and decide the best plan to mitigate the risks.
3. Make sure corporate-owned phone numbers are only recycled internally. If some employees are using phones your business owns, you have control over what happens with them. Because the risk forms when someone outside the company obtains those phone numbers, make sure you don’t abandon those numbers. Instead, reassign them to the next person who needs a corporate phone number.
4. Park the phone number. You can also pay an outside service a few dollars a month to keep the number active. That way, the carrier cannot assign it to another person or business. While this works pretty easily for corporate phone numbers, you can also offer to pay for this service for employees who are changing their personal phone numbers.
5. Provide corporate phones for high-risk employees. If you have employees who regularly access accounts that are high-risk, such as ordering from retail sites, consider purchasing corporate phones specifically for their use. This tactic should only be used in rare situations, since most employees’ phones can be kept secure using mobile device management and other protections.

Cybersecurity often involves balancing security with productivity, which is especially true when it comes to cellphone security. You want employees to be able to work from wherever they need to, but also keep your company’s data and infrastructure secure. By taking the time to understand and prevent risks from abandoned numbers, you can reduce your vulnerabilities and risk.

Find out more about unified endpoint management solutions  

The post Are Your Employees’ Old Phone Numbers Creating Vulnerabilities? appeared first on Security Intelligence.

Employees using mobile devices for work is nothing new. From health care workers using them for patient care to a salesperson checking work email in an airport, most of us have our phones on us at all times. However, the increase in the number of remote workers due to the COVID-19 pandemic has ramped up mobile use for work even further. That includes both doing work directly on devices and connecting laptops to a network. So which is more secure for mobile work, 5G or a private LTE cellular network?

Private LTE Meets Today’s Mobile Performance Needs

Companies often used 5G as a stopgap during the quick shift to remote work, with varied results. According to the PwC U.S. Remote Work Survey released in January, there was a 22-point difference in the survey results between how employers felt they provided a mobile experience for work applications and data and how employees felt about the experience. On top of that was an increase in security issues during the pandemic, including 59% more phishing scams and a 36% increase in malware.

Overall, remote work has been a large success. The PwC survey found that 83% of employers and 71% of employees felt remote work went well, with only 6% of each group reporting it wasn’t successful. Business leaders are now planning the future of work. For many, that includes either a hybrid approach with a higher percentage of remote work than before the pandemic or 100% remote work.

A key component of designing the future of work involves enabling employees to use mobile when needed for connectivity. Both 5G and private LTE networks could be key steps on the path forward.

Why Choose 5G?

For years, 5G has been touted as the future of mobile and connectivity, while private LTE feels old-fashioned. Because of its increased speed and reliability, 5G provides many benefits. With travel restrictions opening up, employees are using their remote work status to work from anywhere. With 5G they now have the connectivity needed to work from whatever location they choose, including attending video calls over cell networks.

Companies using cellular for Internet-of-things (IoT) devices now also have the bandwidth needed to collect data reliably, such as manufacturing plants collecting real-time temperature data. If a machine is overheating, the sensor sends an alert to mobile devices so a human can take care of it. However, this only works properly with fast and consistent cellular signal. That’s why 5G is often the choice for IoT devices.

High performance is even more essential when using machine learning and artificial intelligence (AI). Processing large amounts of data quickly requires increased bandwidth and speed. Using AI over cellular requires 5G performance to perform personalization and data analytics.

Does 5G Provide Enterprise-Level Security?

However, some business leaders wonder (with good reason) if the cellular network meets their safety standards. Protocols HTTP/2 and PFCP are at risk for subscriber profile data, impersonation attacks and faking subscriber authentication. Because standalone 5G networks use these protocols, mobile connections over 5G are open to these attacks. As we’ll discuss below, a mix of 5G and private LTE may be your best bet.

Recent concerns also surfaced regarding data access and denial-of-service attacks related to network slicing. Researchers have discovered that when a 5G network uses shared and dedicated network functions, application and transport layers may be at risk, especially because of the lack of mapping. While the issue is currently only related to network slicing, the practice generates high revenue and is expected to increase.

5G networks have other problems that have been known for years. Breaking into 5G networks is very easy — often compared to being as easy as breaking into the internet. Brookings explains that the increased security risks of 5G start with the design of the network. A distributed, software-defined network is much more challenging to protect than a centralized network.

Aside from the design, the usage and scale of 5G also make the risk of attacks greater. Now that IoT devices can use AI on a cellular network, the number of devices has increased. That’s not to mention the increased use of mobile devices for more complex tasks, thanks to the improved connectivity. On top of that, the 5G network grew quickly. With that rapid expansion, the small-cell antennas used in urban areas are a bull’s-eye for threat actors.

Is Private LTE Secure?

With 5G security concerns coming to the fore as the pandemic winds down, many people are turning to private LTE networks. For some, the risks of 5G may be greater than the benefits. It might not be worth the risk for use cases that aren’t dependent on speed and performance, such as employee tasks that don’t require AI. But is LTE secure? A private LTE network is independent of cellular carriers, using its own dedicated cell sites and core network servers. This network supports only the specific company and isn’t accessible to or used by people or devices outside.

Private LTE networks provide many benefits, including accessibility even in areas not covered by cell networks. The private LTE network cost for data transfer tends to be lower than on public networks. Because the organization controls the security, private LTE networks can be way more secure than public 5G networks even when used with a virtual private network. Organizations can also set up prioritization, such as guaranteeing low latency for IoT devices, which improves the reliability and speed of the LTE network.

Combining Private LTE Architecture With Other Options

By combining a private LTE network with a zero trust strategy, the security of the network improves even further. With a zero trust approach, networks default to assuming that all users and devices attempting to access data or a network are not authorized. Every access request must be verified. Zero trust is especially useful for network configurations such as LTE, which are decentralized. Microsegmentation, which limits the access of data and apps in the event of an attack, can also boost security on a private LTE network.

As you create a new path forward in terms of networks, processes and security, LTE should be a strong consideration. For applications that require speed, performance and reliability, companies can also consider a hybrid approach. Consider using 5G for data that requires the performance but is low risk in terms of sensitivity, while using LTE for other applications. While 5G has been the hype for several years, you can take a step back and evaluate your specific needs both in terms of safety and performance. Design an approach that makes the most sense for your business needs.

The post Private LTE or 5G: Which Is More Secure? appeared first on Security Intelligence.

Home IoT device adoption has grown by leaps and bounds. It’s a time of connected gadgets everywhere, and with them, comes security risks.

McKinsey predicts the total number of IoT-connected devices will be 43 billion by 2023, with the vast majority being consumer devices.

Most of these new devices connect via home routers (another IoT device), 5G mobile broadband and satellite internet. These are new frontiers for threat actors, which means a new set of security concerns if you are not prepared.

Routers Can Be the Biggest Security Issue

The more devices connected at home, the bigger the attack surface.

One of the biggest unsolved problems is the point of access — the router that IoT, mobile and wearable devices often connect to. For one, these devices aren’t designed well enough or configured by the users properly. However, the real problem is that routers can still be breached and lead to compromise on the devices they connect.

Ever since the Mirai botnet distributed denial of service in 2016, in which a single person weaponized 400,000 IoT devices (including home routers), IoT breaches based on these seemingly harmless gadgets have been a concern. Since then, the number and kinds of attacks involving IoT security breaches have grown each year.  

Security Improvements?

A great many groups, both industry and federal, have published guidelines, recommendations and laws to address the manufacturing, provision and use of the IoT for better security. These include the European Union Agency for Cybersecurity’s (ENISA’s) recommendations, European Telecommunications Standards Institute (ETSI) standards, a California law that requires any IoT device sold in the state to offer reasonable security features (and a similar Oregon law), the IoT Security Foundation’s Best Practice Guidelines and others.

The latest is the IoT Cybersecurity Improvement Act, passed by Congress and now officially a public law. The new law requires IoT security as defined by the National Institute of Standards and Technology and sets standards for government purchases of IoT infrastructure.

To date, these standards are not consistent and overlap. They still place burdens on the user or entity for Iot security.

Emerging Solutions

So, how do you keep IoT security in mind over all those connected devices at home?

Built-In Security

While many device makers leave it up to consumers, consumers believe it should be built in. A Karamba Security survey found that 87% of consumers say that device makers, not users, should take the lead on making sure IoT devices are secure. New laws (California, Oregon and federal) focus on unique passwords and needs for the user to change authentication methods. These laws balance safety and convenience, and are not enough for enterprise use on their own.

Biometrics

Biometrics could standardize defense across devices. The mainstreaming of first fingerprint scanners and then face recognition in smartphones has gotten consumers used to this kind of interface. Scans can provide both defense and convenience. Behind the scenes, researchers have developed and nearly perfected a wide range of biometric solutions. From voice recognition to vein pattern scans to sensors tracking gait, they could help secure the future smart home.

Labeling

Another upcoming idea is the use of relevant labels on consumer devices, warning buyers about the risks of each product. This could affect product reviews and motivate creators to add better and easier security in consumer products.

How to Protect Yourself When Using Consumer Gadgets

There is no such thing as a one-button fix for IoT security threats to mobile and wearable devices for consumers. But, you can stay safe by following these best practices:

Buying IoT Devices

Choose products that emphasize digital safety. Key features to look for include how often firmware updates, data handling features, the option to turn off needless features and the option to limit access.

Using IoT Devices

• Use multifactor authentication whenever possible.
• Next, use biometric security whenever possible.
• Always change the default passwords for every device you use. Use a password-management solution, and use a different strong password for every device. In addition, change passwords often.
• Turn off devices completely when they’re not in active use.
• Always keep devices updated with the latest firmware. Your router is the most important one to check.
• Lastly, for mobile devices, including smartphones, turn on location services only for apps that truly need it.

Managing IoT Devices Across Your Network

• Use three different Wi-Fi networks if possible — one for work devices, one for home computing devices and another for IoT devices. (Follow manufacturers’ instructions for segmenting networks.) This reduces the attack surface and makes it easier to track and contain breaches. 
• Know your home routers’ features and access the admin panel only via Ethernet. Change the name of the network, disable remote access, turn on encryption and enable the router’s firewall feature.

In the era of the smart home, connected car and wearable computing device, we also see attacks plaguing consumers at a whole new level. With a mix of purchasing incentives, new tech and a new emphasis on defense by device makers, software companies and consumers alike, we can maximize consumer IoT safety going forward.

The post IoT Security: Be Aware of What You Connect at Home appeared first on Security Intelligence.

If you or your employees access protected information with authentication codes sent to a cell phone, you might want to rethink your plan. Two-factor authentication (2FA) using text messages can fall prey to phone authentication scams.

That’s not to say 2FA itself is a problem. You should keep using it, and many groups have turned to it to prevent threat actors from using stolen account credentials. Malicious actors may still try to grab authorized users’ credentials for their own purposes. In fact, the unauthorized use of credentials accounted for 29% of all attacks in 2019, X-Force IRIS observed.

So why is short-message service (SMS) 2FA not as secure as it looks? What other kinds of mobile-based multifactor authentication (MFA) can you use instead?

SIM Jacking: The Problem With SMS-Based MFA

SMS-based MFA is particularly vulnerable to a SIM swap-phone authentication scam, says Alex Weinert, group program manager for identity security and protection at Microsoft. This is one of several types of social engineering attacks. In this case, a threat actor contacts a mobile service provider and pretends they are one of their customers.

First, the attacker claims to have lost their device. They ask the cell phone carrier to transfer the targeted customer’s SIM card to a device under their control. Many mobile service providers require customers to set up PINs to protect their accounts against a SIM swap attempt. But that doesn’t prevent customer service workers from feeling the tug of compassion and agreeing to help them out anyway. If this works, the attacker can use their device along with the transferred SIM card to receive SMS-based MFA codes. This gives them all they need to compromise a protected web account.

Phone company employees can cut down on phone authentication scams on their end, too. They could check whether the caller really uses their service. Several free services online are able to look up the cell phone carrier of a mobile number.

Attackers used this tactic against a major social media company in 2018. They were able to access user emails, internal files, source code and other data. To do this, the attackers intercepted the SMS-based MFA codes for some of the company’s accounts with cloud and source code hosting providers. Further investigation showed the attackers had targeted some of the company’s employees with SIM hijacking attacks. In response, the social media company first notified a small number of users who might have been affected. Next, they worked with law enforcement to prevent a similar incident from happening in the future.

What Safe Phone Authentication Might Look Like

The threat of a SIM swap scam needs to be addressed. But it doesn’t mean users should turn away from their mobile devices for MFA. It also doesn’t mean they can’t use SMS text messages for phone authentication. Instead, they could set up a Voice over Internet Protocol (VoIP) phone using a service, such as Google Voice. This provides an alternative to using the phone number assigned by their mobile service provider. These services are free to set up, and give users the ability to use a phone number tied to a major email system like Gmail.

The advantage is that they can protect those accounts using strong passwords and their own forms of MFA that don’t depend on the fallibility of human customer support agents. That way, someone can’t just gain control over a person’s phone number with a fake sob story about having lost an account. An attacker would need to compromise their victim’s email account first.

One potential problem with this method is that not all web services accept VoIP for phone authentication purposes. In response, users can avoid SMS-based MFA altogether by turning to an authentication app, such as Google Authenticator or Microsoft Authenticator. These and other programs like them aren’t tied to a cell service provider. They’re bound to the device itself, meaning a SIM swap won’t have any effect. An attacker would essentially need to steal the user’s device to obtain an MFA code. With that fact in mind, users who choose this method should make sure they’ve removed that phone authentication app from their mobile device before they get rid of it.

Safe Phone Authentication Across the Connected Workforce

Employers can help their workers use safe MFA phone authentication methods by settling on a MFA plan and writing it into their security policies. Then, use security awareness training to educate users about these policies. At the same time, employers can use Mobile Device Management to standardize vulnerability management, MFA and other security functions across their entire connected workforce.

The post Beyond Text Messages: How to Secure 2FA Against Phone Authentication Scams appeared first on Security Intelligence.

For many of us, the last few months have drastically increased our reliance on mobile capabilities. Through the increased use of corporate mobile apps, virtual private networks (VPNs), hot spots and more, mobile communications are more ubiquitous than ever.

Because of this enhanced, unprecedented and sudden dependence on mobile capabilities, mobile security should be at the forefront of everybody’s minds — not just the minds of security professionals.

Mobile Security 101: It’s Not About the Technology

“Mobile devices have rapidly replaced the personal computer at home and in the workplace,” notes Europol. “Our phones or tablets are in fact mini-computers, and should be protected as such. They face the same or even more threats than a PC or a laptop.”

Despite this obvious fact, we still make mistakes. According to the Verizon Mobile Security Index 2020 report, 43 percent of companies surveyed admit they sacrificed security for expediency, convenience or profitability targets, or due to a lack of budget or expertise.

There’s clearly still a disconnect between leaders and team members. Organizations need to better understand and communicate what needs to be done to accomplish business and security goals, from the top down. But as endpoints proliferate in your organization’s network, so do opportunities for a security breach.

Today’s Common Threats

Assessments from companies both within and outside of IT security — from Kaspersky to CSO to Business Matters — agree that 2020 mobile security threats generally boil down to the following, in no particular order:

• Data leakage
• Insecure Wi-Fi
• Network spoofing
• Phishing and social engineering attacks
• Spyware
• Poor cyber hygiene, including weak passwords and improper or no use of multifactor authentication (MFA)
• Poor technical controls, such as improper session handling, out-of-date devices and operating systems, and cryptographic controls

For the most part, all of these issues are fixable, even as threats evolve. So, why are our networks still getting hammered? Well, go back to the Verizon report: “Speed outweighs security.” The need to meet business targets, whether related to time, money or avoiding cumbersome security tasks, is usually the reason why speed takes priority over security. This should give you a sense of why security operations centers (SOCs) are overwhelmed with alerts.

Understanding Culture and Risk Makes All the Difference

Answer this simple question: Are mobile apps, generally speaking, designed for the purpose of convenience and productivity or security and risk minimization? If we’re being honest, we know the answer is convenience and productivity.

Now apply the same question to all-around mobile usage. We don’t carry laptops, tablets and phones around because they are less vulnerable and reduce risk; in fact, they are inherently vulnerable and their use increases risk. We use them — with not necessarily the same level of care we do hardwired systems — because they make our lives easier and increase our productivity.

Therefore, how we prevent mobile security threats from harming us and our data, increasingly, has little to do with what technical solutions we come up with. Instead, it is a question of supply and demand and where we assign value.

Prioritizing What Matters: From Convenience to Data

To reduce the risk of our mobile apps and improve our mobile security posture, the first step is identifying the demand for various commodity mobile capabilities. What types of commodities are we talking about? Well, anything deemed valuable.

This list is by no means exhaustive, but commodities may include:

• Convenience
• Productivity
• Network performance, including load, downtime and upgrade
• Cross-functional collaboration between business units
• Data accessibility, including data classification
• Security
• Privacy
• Cost and maintenance

Assigning value to these various “commodities” cannot be done in a vacuum; in fact, this is where you need the organization’s stakeholders to come together to identify how each commodity satisfies business demand and assign them value.

The next natural step is to match supply to demand, and where there are gaps — or risks — address and monitor them.

Understand that when dealing with risk, perfect is often the enemy of good enough, especially in cases where risk is amorphous, such as in cybersecurity. Therefore, only after having dealt with the big issues should you start to deploy your tactics, which include, but are not limited to:

• Whitelisting vs. blacklisting of applications
• Bring-your-own-device (BYOD) usage vs. total segregation of all work and personal usage
• Network restrictions and associated costs. For example, an organization realizes it is more expensive to issue hot spots to all its employees, but it is willing to accept that cost to ensure employees only use approved network devices, preventing the use of public or even home Wi-Fi
• Endpoint detection and monitoring capabilities privacy and network performance challenges
• Mandatory VPN usage as a matter of not only written policy, but also technical policy
• Mobile device management (MDM) platform configuration, including limiting or even terminating the use of some or all mobile apps and capabilities in general

‘Mobile Security’ Is a Thing of the Past; It’s Just ‘Security’

Given our usage, “mobile security” is just security nowadays. The strategic challenges an organization faces are the same, regardless of which endpoint is accessing the data.

And therein lies the key: In order to have a secure mobile operation, you’re going to have to look at a whole series of issues that are not necessarily technical. Can the 5G supply chain be trusted? What role does the internet of things (IoT) play in the ecosystem? What potential privacy liabilities are there? Is an always-on, always-connected employee really more productive than one who can have a clean break a few hours a day?

Tackling the mobile security issue is complex. You need to start with simple solutions, like getting the basics right, understanding the demands of your business and deciding what risks you want to take on. Address those issues and everything else becomes easier.

The post The Latest Mobile Security Threats and How to Prevent Them appeared first on Security Intelligence.

2020 will see huge investments in 5G networks — Greensill estimated that the 5G rollout throughout the global supply chain will top $2.7 trillion by the end of the year. That’s not a number to sneeze at either, as it’s equal to roughly three percent of the world’s total gross domestic product. And while most of the investment will be in the infrastructure rollout, do not forget the other pieces. Hardware, software and services are also among the necessary investments.

So, with all the endpoints we can expect to see, where does mobile security fit into all of this? It’s an excellent question, because how we handle mobile security during the 5G revolution will affect the development of 6G. 5G will bring a new set of issues related to data management, hardware integration, the near ubiquity of numerous new devices connected to networks and privacy. How we handle these issues will undoubtedly influence the future of networks.

Is it too soon to talk about 6G? I’d argue it is not, as we have significantly shortened the time it takes to develop new groundbreaking technologies. Let’s theorize about what these new technologies could be, what the connectivity landscape could look like after the 5G revolution and, critically, how to ensure security in this new world.

A Packetless Internet

Despite the challenges, we may be at a point in our history where we can begin to rethink how our connectivity systems operate. Imagine having the ability to send “the entire message at once” as opposed to bits and pieces, even to mobile devices. Suddenly, current security concerns such as packet loss or data integrity take on completely different meanings.

What does a packetless type of data transfer mean for the Internet Protocol? If file size and latency are no longer issues, do not be surprised if we start having discussions about new types of transport protocols.

Increased Decentralized Computing

Suppose we end up going in the opposite direction and packets are spread all over the place, creating multiple redundancies. All of a sudden, your single point of failure or compromise is gone. When speed and connectivity are no longer serious concerns, does it matter where your data is? From a jurisdictional and privacy perspective, yes, it does. But what about from a technical perspective — does it make a difference? It’s unknown for certain, but as long as your access remains uninterrupted and reliable, it may not make any difference at all.

A Quantum Breakthrough

Quantum computing continues to show promise, but we are still far from the point where quantum mobile devices are ubiquitous in society — we haven’t even reached that stage for quantum computers yet. 5G will still rely on our current methods of encryption, but we may soon see quantum key distribution (QKD) deployed in a mass communication system for the first time. That would truly be a revolutionary security measure, as QKD makes eavesdropping impossible at best and almost instantly detectable at worst.

The Commoditization of Connectivity and Power Consumption

The breakthroughs that may have the greatest effect relate to connectivity availability and power consumption. Imagine devices that have nearly 100 percent connectivity availability and can be run with minimal power. These issues are highly important to information security because they change user habits. This is particularly true for mobile users and mobile security decisions. Why are laptops, tablets and smartphones so much more prevalent? Yes, in part it is because they are powerful devices, but the primary reason why they’re attractive is their ability to connect remotely and operate over time.

As connectivity availability increases and power consumption decreases, more and more devices are going to hit the road. Couple this with increased performance and power, and the question emerges of how many years out we are from “handheld mainframe” computers. Breakthroughs can happen when you least expect them, and they have force-multiplying capabilities.

So while we may be decades away from something so powerful by today’s technological standards, we may have a technological breakthrough five years from now that could shorten that development time considerably. Human imagination and ingenuity is a wild thing, and it may get a helping hand from some artificial intelligence (AI) too.

How to Ensure What’s Next Is Safe and Secure

The next telecommunication revolution will transcend information security and communication security issues. The next revolution will truly be a system of requirements and issues, which is another reason we need to start looking at the issue today. If not, we risk building on top of a house that is already on shaky ground.

I don’t know what 6G will look like, but if we can employ some sound principles to it and integrate new eye-popping technologies into it, then we will truly see a revolution around how we communicate and operate. By doing so, we can also continue to improve upon the current best practices and security controls for the 5G systems rolling out around the world.

The new system should be safe, secure and intelligent and should be built from the ground up using the lessons learned from the better part of 60–70 years of network connectivity. A 6G system needs to focus on a few broad areas to be both safe and secure, including the following:

• Robust mobile security measures — The system must be able to address standard mobile security concerns. It must be able to prevent the interception, manipulation and exfiltration of data. It also needs to be able to focus on multiple actors and recognize that there will always be a human element to any security concern.
• Privacy, privacy and more privacy — The security and privacy worlds are morphing into one, and unless privacy concerns are addressed at the beginning, there will be an inherent concern, which may degrade trust.
• Security by design — The system needs to be robust right from the development stage, regularly tested, and able to learn from testing and potential disruption. It should be so well-designed that there are multiple redundancies — different ways to purge itself of unwanted and malicious data — and it must demonstrate no single point of failure.
• Show me the money — Any 6G system must be economically tenable over time. Neither the unlimited pot of gold nor the money tree has been discovered yet.

When Will the Next Generation Arrive?

We have come a long way from the 1G systems unveiled in the late 1970s and early 1980s. Even then, adoption rates were relatively slow. It wasn’t until the 1990s when mobile communications took a big leap, with 2G systems opening up the door to a new world of possibilities. 3G brought us mobile broadband connectivity, and by the late 2000s, 4G was deployed. If we use these time frames as estimates, we’re looking at about 7–10 years until a 6G deployment. These days, that’s practically right around the corner.

It is quite possible that when we look back, 5G may look more like a 2G-type breakthrough — a “wow, we can really do this” leap. In hindsight, it’s safe to assume we were overwhelmed during the 3G and 4G eras. Therefore, the time is now to address the mobile security, privacy, design and economic issues of 6G development and deployment, particularly in light of the many new technological breakthroughs we can expect to see in the coming decade.

The post How Do We Ensure the Security of What Comes After the 5G Revolution? appeared first on Security Intelligence.

Over the last year, there have been several jaw-dropping fines for privacy breaches. In the U.S., the Federal Trade Commission (FTC) fined a social media giant $5 billion, and across the pond, a major airline was fined 183 million pounds for a General Data Protection Regulation (GDPR) breach.

Regardless of industry, there are numerous examples of privacy breaches and investigations, which has led many businesses to scramble to achieve compliance and protect their customers’ data. However, it is not just consumers that organizations should be concerned about; their employees’ personal information also needs protection.

What Do Data Privacy Products Do?

With the rapid increase in privacy awareness, the market for tools that protect our privacy has boomed as a number of privacy-related products have entered the market. These tools introduce benefits such as:

• Keeping browsing private — The virtual private network (VPN) market is set to be worth $54 billion by 2024.
• Protecting against profiling — In 2010, the privacy search engine DuckDuckGo had 33,000 queries a day. In 2019, queries have surpassed 35 million a day.
• Preventing targeted ads — One in 4 (~70 million) U.S. internet users say they use an ad blocker.

Consumer awareness follows in the wake of new regulations. The GDPR is one of the most notable examples. There is also a number of U.S. federal and state regulations that have been introduced. The GDPR spurred global action because, although it was passed in the European Union, it has a global reach. Case in point: A U.S.-based hotel chain incurred a fine when 339 million guests’ personal data was stolen.

Why You Need to Consider Employees’ Privacy

When employees enter the office, they don’t leave their personal information at the door. Although employers may seek to improve productivity or streamline operations, this can infringe on employees’ privacy. The business may want to use unified endpoint management (UEM) tools to track a corporate-owned asset, but the employee may be concerned about what it reveals about their personal life as it travels with them. Businesses should be aware that the data they collect for legitimate purposes may contain personal information.

Consider the following examples:

• Goldman Sachs reads any employee email that contains certain phrases as part of its real-time surveillance system.
• Amazon holds a patent to track employees using ultrasound.
• Three Square Market allowed employees to be voluntarily microchipped to get access to the building or make purchases at the office vending machine.

Mobile devices provide another way for personal information to be gathered because they are integrated into our daily lives and have an always-connected nature. Employees might be concerned with a corporate app that records their location or monitors their browsing habits. Because mobile devices travel everywhere with us, even a well-meaning asset tracking service to minimize the number of lost devices could reveal information about the user’s personal life. The potential for personal information to be embedded means that organizations should review what information and activity they record and check that they are compliant with the latest regulations.

Build a Business Privacy Plan

Protecting privacy is complex because there is a balance of business policy and technical design that needs to be applied to data across its life cycle. Considerations for how user activity is gathered are very different from how a business should decide when to delete stored data.

Business policies and processes can dramatically affect how private information is handled. Chief information officers (CIOs), chief security officers (CSOs) and privacy officers need to be able to articulate clearly to the rest of the organization how information should be managed and ensure that the right tools are in place to convert those business rules into technical execution.

Mobile devices can create policy complexity because the devices are increasingly owned or managed directly by the employee, which raises questions about what data collection businesses should do. Organizations are keen to promote mobile workflows because of the productivity uplifts they provide, but it isn’t clear what the apps that enable this record. If an employee owns the device, what data should a business be able to collect and when should the information be collected?

Businesses need a clear privacy policy that is applicable across different employee functions and methods of gathering data. A good privacy policy should contain both technical and process considerations, be applicable across the life cycle of personal data, and be easily understandable by the whole organization.

The Data Life Cycle

It is important to recognize that protecting privacy doesn’t just mean what you collect, it also includes how you store it and who you allow to access it. It sounds logical, but businesses fail to do so routinely. One social media organization revealed in March that thousands of its employees had been able to access hundreds of millions of unencrypted user passwords.

Transparency is crucial. When personal information is being collected, businesses should provide details about how it is managed. There are several key questions you should ask:

• What information is being recorded?
• Why is it being recorded?
• How is it being stored?
• Who has access to it?
• When will it be deleted?

This transparency is important when choosing business tools and setting up business processes, especially when third parties are involved. With the rise of the cloud, it is possible for outside administrators to have access to information held in the cloud. Suppliers should be able to confirm who has access to systems, as well as when and why they will access them.

4 Elements of Data Privacy

Businesses are left with the challenge of having to balance all these considerations when managing privacy. It is easy to see why consulting practices focused on privacy have sprung up to assist organizations and anxious board directors. However, it is not just boards and C-level executives that need to be aware, because employees across the business may have access to personal information or make decisions that affect it. Businesses can begin by thinking about privacy as the combination of four elements: identity, activity, policy and transparency.

1. Identity

Information about an individual can be used to identify them. The easiest way to prevent it from being inappropriately used is to collect nothing, if possible, and the minimum amount when you have to. If collected data is gathered, ensure information is encrypted and grant access to the data only when necessary.

2. Activity

Actions speak louder than words. Data gathered from individuals’ activities could reveal personal information. For example, location data could very easily reveal information about an individual’s lifestyle. To prevent profiling, potentially private data should be separated. This can be done by separating profile and activity information. Ensure that activities such as user browsing are encrypted.

3. Policy

Having a policy means more than having a document on a corporate intranet site. Business policy should be understood at all levels and be applicable to both technical systems and business processes. Businesses should make as little personal data visible as possible, and only for the stated purpose. Access to data should be governed at the user level so only the right individuals can access it.

4. Transparency

Let individuals know what you are collecting and why you are collecting it. While data is in your charge, make it clear how you will be managing it end to end. If there are any changes to how to handle data, make sure that individuals are informed.

Ensuring these elements are known across the business and kept close to heart when considering new business tools or processes is an important first step toward ensuring regulatory compliance. Businesses should also look at what systems they currently use, especially around the mobile ecosystem where overcollection is easy. Finally, sharing the privacy policy throughout the organization will help keep decision-making aligned with the business’ values.

The post Data Privacy in the Modern Workplace appeared first on Security Intelligence.

The deployment of 5G data technology in our daily lives will be revolutionary, but this blast of speed and data will burden cybersecurity management teams and create an entirely new set of risks to handle around issues such as mobile security and integration with smart cities.

One major challenge will be figuring out how to best scrutinize the wave of new data generated by 5G tech. To make it more feasible to manage security operations issues in a 5G world, analysts will need the ability to view visual representations of evolving data in real time. Those who manage a security operations center (SOC) already know the value of data visualization: With better data-representation capabilities in place, analysts can shift their focus from IP addresses, data packets and binary code to looking for associations and irregularities in data flows, bringing a whole new life to log and data point analysis.

Where can we look for a model of how managing data points and data traffic flows might evolve? Social media data visualization tools might be a good place to start, as they are built on points and connections, and the ways in which they make associations could provide significant value in managing cybersecurity incidents.

The Big Picture

Let’s look at this problem through a different lens: Instead of having a security issue to handle, imagine you have a marketing opportunity worth researching.

First, you would want to gain as much information as you could on your prospective customers from as many sources as possible. This data would need to be classified, weighted, sorted and aggregated.

There’s a bit of extra emphasis on the importance of weighting, especially for marketing firms — and metrics can make a huge difference here. If you get your metrics right, the effects can be far-reaching. Everything from your ROI, quality of product, innovation investments, growth strategies, and following and satisfaction rates could stand to see improvement. That’s why so many marketers chase down all the little pebbles of data from social media. Users are, in fact, giving this data away, and there are actors out there who are happy to use it to get to your money or nudge your voting habits.

However, more valuable than any point of data is establishing a connection. If you make the right connection, your message can spread like wildfire.

Now apply this principle to the situation of security: If the right connection is made, a whole network could be knocked down. If any one point is compromised, it could be a nuisance for your system, but a key connection could mean far more serious problems.

What Matters More: The Endpoint or the Connection?

What do social media data visualization tools offer their users? They help highlight data associations in a way that pops out. Think about all the ways these data points could be represented: They could be displayed according to temporal, hierarchical, network-based, multi-dimensional or geospatial considerations.

Everyone has seen at least one data visualization graphic or model and thought, “Wow! That’s cool!” In fact, you can see these representations being used to analyze security threats, as Checkpoint did when it mapped out connections inside an advanced persistent threat (APT) ecosystem.

This is where 5G comes in. By all reasonable accounts, managing 5G data will be a bit of an endpoint nightmare simply because there are so many endpoints. From a resource-management perspective, it may be most effective to focus on the connections rather than trying to track down every rogue device that has been hijacked. If you protect the associations, the unit as a whole receives added protection.

This is the philosophy to adopt as you go about protecting an entire cluster of devices all at once. Of course, the flip side of this coin is that if the cluster is not protected, a malicious actor can go right for any association. A connection-based approach has the potential to be more efficient and cost-effective, and if connections are not properly secured, the associations are more fragile.

Goals Versus Systems

Most IT spaces have probably seen a Dilbert cartoon. Its creator, Scott Adams, probably gives one of the best descriptions of the differences between goals and systems. If you’re going to be protecting your 5G data networks, you’re probably going to want to adhere to what he calls a systems approach as you address network issues. Otherwise, you may feel like you’re chasing yourself in circles.

NIST’s Special Publication 800-160 Vol. 1 is all about taking a systems approach to security needs, but as you work to secure your network (especially with the 5G explosion on the way), you will also want to have a visual representation of your endpoints and traffic flows. If you are a marketer, determining which social interactions and customers need extra attention is key, and marketers have figured out that social media data visualization can be an extremely valuable asset in this regard.

By following suit and adopting a visual, system-based approach to 5G data analysis, you can determine which associations you should focus on and which endpoints may need extra attention. After all, pathways to innovation can arise from any direction with the coming of 5G.

The post Does Social Media Visualization Serve as a Primer for 5G Data Visualization? appeared first on Security Intelligence.