One of the critical areas we believe is too-frequently neglected in today’s business operations planning is security and risk.
With the amount of data flitting between hundreds of global locations and millions of servers -to how much risk are your operations, today, being exposed? How many local and regional regulations are you flouting? How does the introduction of multiple service providers and SaaS applications exacerbate the issues?
And that’s not all – what about your staff’s personal devices (and those of your providers’ staff) that get plugged into your corporate network on a daily basis? And even that trusty Apple device you use to make your own IT experience that little but more pleasant?
At HfS, we have been quietly exploring what today’s organizations are doing (or not doing) to protect themselves, which is why we brought in security and risk analyst veteran Jim Slaby last year (read some of his research here). While he’s been running the treadmill of the obvious security issues and threats, he’s also been uncovering those in areas such as your Apple device – yes – YOUR APPLE DEVICE MAY NOT BE AS SAFE AS IT APPEARS.
Over to you Mr Slaby to reveal more…
Flashback kicks the myth of Apple invincibility squarely in the jewels
Reporter: “Why do you rob banks, Mr. Sutton?”
Willie Sutton: “Because that’s where the money is.” *
Apple has long enjoyed a reputation for making computers that were largely immune to the viruses and other malware that have long afflicted Microsoft systems. Indeed, Microsoft practically created a hundred-billion-dollar security aftermarket — Symantec, McAfee, and countless other security vendors large and small owe their existence to the lousy job Microsoft did architecting its products to resist various security threats.
But good OS design was only one of Apple’s advantages; the other was that it only represented a tiny fraction of the enterprise and consumer markets for server and PC operating systems and applications. If you were a black hat, you developed malware to rob sensitive data from Microsoft machines because that’s where the money was. Of course, the world keeps spinning: Apple now has a market cap that seems destined to hit a trillion dollars, and everybody in your organization wants to connect their personal iPad or iPhone to your network. So the malware developers of the world have naturally turned their sights on Apple.
While this isn’t their first try, the bad guys are getting better at penetrating Apple’s once apparently impervious peel. They scored a big, splashy coup last week when news hit the business press about Flashback, also known as Fakeflash, malware targeting the OS X operating system that successfully compromised more than half a million Mac desktops and laptops before Apple managed to issue a patch for it this week.
In its early versions, Flashback was a trojan horse that pretends to be an Adobe Flash installer or Apple’s Software Update tool. Users agreed to install Flash (to view some online video) or run an Apple software update, but the malware instead installed a backdoor that wreaks a variety of mischief like “click fraud”, generating fake clicks to boost revenue from pay-per-click and pay-per-impression ads (for which the bad guys collect a kickback). But it could potentially do other harm, like collecting passwords and card numbers for resale to identity thieves and credit-card fraudsters. Flashback kept evolving, and now exploits a Java vulnerability to deliver its malware payload via drive-by download; now all the user has to do to get infected is visit a poisoned website.
Flashback thus joins a small but growing collection of increasingly sophisticated malware threats like last year’s DevilRobber, a backdoor that steals passwords and electronic cash tokens from infected Macs. Apple is responding with new security improvements to defeat exploits like these, but as the Windows malware and mitigation seesaw has long demonstrated, this will inevitably become an arms race — attackers will keep uncovering new vulnerabilities in Apple’s security armor as long as they smell profit in it.
Add to this the growing pressure in enterprises to support the BYOD (Bring Your Own Device) trend, to let employees and contractors connect their personally owned smartphones and tablets to enterprise applications, and it’s easy to see that there’s a whole new Pandora’s box of endpoint security issues just beginning to crack open. And they’re not all Apple OS X or iOS devices, which are still relatively exploit-free: many of them run Google’s Android OS, itself the target of a growing and already better-established boom in malware development.
The IT consumerization trend, in which business partners and customers will want to transact online business with enterprises from consumer devices and mobile applications that the CSO’s team can’t easily monitor or control, will only make this issue more urgent. HfS Research examined these trends in more detail in our recent report, “BYOD in the Age of Cloud Services and IT Consumerization”. To recap one of its recommendations, CSOs need to stop hoping this issue will just go away, or pretending they can just say no to the new welter of mobile endpoints and applications.
Likewise, as BYOD and IT consumerization gather momentum, services providers ought to be exploring the opportunity to help buyers tackle the emerging challenge of mobile endpoint management, starting with consulting and managed security services. If there’s one thing that Flashback has taught us, it’s that the 21st-century Willie Suttons have figured out that there’s gold in them Apples, they’ve already cased the joint, and they’re coming for yours.
* Sutton robbed a hundred US banks to the tune of $2M over a forty-year criminal career that began in the 1920s. He claimed his most notorious quote was actually made up by a reporter, but became so famous for it that he eventually gave up arguing the point.
James R Slaby (pictured left) is Research Director, Sourcing Security and Risk Strategies for HfS. You can view his bio and research here.
(Cross-posted @ Horses for Sources)