“In the Android world, when you download an application, you as a user have the power to decide whether this application has access to certain resources,” Teller reminds us. “It gives the user the power to decide yes or no. Users who are not educated will just click ‘Yes.’ People tend to click, and then think… As soon as you click ‘Yes’ on an application, and you didn’t think about it, you’ve basically installed malware on your own computer. That happens every day in the Android [Market].”
Again, this from an evangelist whose company sells the program that many believe gave Microsoft the idea for User Account Control – the ultimate “Confirm / Deny” screen. Teller was responding to a demonstration, on day 3 of the RSA conference, that delivered malware to Android phones, but only after an SMS message had told the user to accept an over-the-air update purportedly from Verizon.
The human factor has been playing a greater role in the waves of new attacks discovered during 2011, says Teller. The more socially skewed attack vectors rely either on users’ willingness to trust something that simply says, “Trust me,” or on confusing them with roadblocks whose easiest exit is the trigger for the malware installation. The latest Check Point security management tools, some of which were demonstrated for us, aim to avoid presenting administrators with the same kind of roadblock: to educate them rather than hand them one more thing to exit, cancel, or ignore.
Teller suggests that enterprises borrow a police investigation tactic to avoid being trapped in scenarios like the one that afflicted RSA itself last year: re-create the event, and use some clever staging to see whether your own workers would fall for the same gimmicks and booby traps. “Most of the companies say, don’t focus on one exploit, because there are going to be many. Look at the technique; look at the pattern of what caused the vulnerability to be triggered.” While network analysis and analytics tools may give you a hint as to what could happen, he points out, this kind of profiling can only go so far toward identifying and nailing the precise culprit.
In the era of the iPad, it’s impossible for a network to rely on traditional host-based antivirus. This from Michael Sutton, Vice President of Security Research at Zscaler, one of the earliest cloud-based security services. Unlike Check Point’s policy-based approach to security (though by no means a substitute for it), Zscaler’s service is a proxy through which Internet traffic is re-routed, monitored, and filtered. What’s more, Sutton says, on-premises security appliances see little of the traffic from devices that connect over 3G and 4G, or from virtual desktop platforms, because that traffic never crosses the corporate perimeter where the appliance sits.
“Think of Zscaler as a man-in-the-middle,” says Sutton (unafraid to invoke a metaphor typically applied to something bad), “the first hop on the way to the Internet. Whereas traditionally your user just goes from the browser to the Web, assuming there’s no security in place, there could be ten hops along the way. Now we become that first hop. Rather than pointing your traffic directly to the Web, you’re pointing it to a Zscaler node.”
There are several ways this works. One is a GRE tunnel from the office router that forwards all Web traffic to Zscaler before it reaches the Internet. For a roaming user outside the office, proxy settings on her laptop do the same job. “iOS is a unique beast in that you don’t even have that level of control,” Sutton admitted, so for iPhones and iPads Zscaler relies on an on-demand IPsec VPN tunnel: the mobile device management system pushes a profile to each device that defines how its traffic is routed, and the tunnel comes up automatically whenever the device communicates with the Web.
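The proxy-settings path for the roaming laptop is normally delivered as a proxy auto-configuration (PAC) file, a small JavaScript function the browser consults for every request to decide where it should go. The following is an added example written for this page, not Zscaler’s own PAC file: the proxy nodes `gateway1.example.invalid` and `gateway2.example.invalid` and the internal domain `corp.example` are placeholders you would replace with the values your provider and your network actually use. It keeps single-label names, the corporate domain and private address literals on-net, sends everything else to the cloud proxy with a second node for failover, and deliberately leaves out the common `; DIRECT` fallback, because that fallback lets the browser silently bypass inspection the moment the proxy nodes are unreachable.

```javascript
// Proxy auto-configuration (PAC) file for the "roaming laptop" case.
// The browser calls FindProxyForURL(url, host) for every request and obeys
// the returned proxy list.  Added example; hostnames are placeholders.

// Assumed cloud-proxy nodes (your provider supplies the real ones).
var PRIMARY_NODE   = "PROXY gateway1.example.invalid:80";
var SECONDARY_NODE = "PROXY gateway2.example.invalid:80";

// Assumed corporate domain and the private ranges that must stay on-net.
var INTERNAL_DOMAIN = ".corp.example";
var PRIVATE_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];

// Dotted-quad IPv4 string -> unsigned 32-bit number, or null if not an IP literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if `host` is an IPv4 literal inside `cidr`.  The PAC built-in isInNet()
// would also resolve hostnames through DNS; this self-contained version
// intentionally matches literals only, so it runs outside a browser too.
function inCidr(host, cidr) {
  var parts = cidr.split("/");
  var base = ipToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  var addr = ipToInt(host);
  if (addr === null || base === null) return false;
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Single-label names ("intranet") are local by convention: stay on-net.
  if (host.indexOf(".") === -1) return "DIRECT";

  // 2. The corporate domain and anything beneath it stays on-net.
  if (host === INTERNAL_DOMAIN.slice(1) ||
      host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) {
    return "DIRECT";
  }

  // 3. RFC 1918 and loopback literals stay on-net.
  for (var i = 0; i < PRIVATE_CIDRS.length; i++) {
    if (inCidr(host, PRIVATE_CIDRS[i])) return "DIRECT";
  }

  // 4. Everything else goes through the cloud proxy.  Two nodes give failover;
  //    no trailing "; DIRECT", so an outage fails closed rather than letting
  //    the browser reach the Internet unfiltered.
  return PRIMARY_NODE + "; " + SECONDARY_NODE;
}
```

The fail-closed choice in step 4 is the one to review with the business before deploying: with this file, a laptop whose proxy nodes are both unreachable cannot browse at all, which is exactly the point, but the help desk should know that is by design. If the real PAC needs to treat named internal hosts by resolved address, swap `inCidr` for the browser-provided `isInNet` (or `isInNetEx` for IPv6), bearing in mind that those calls trigger a DNS lookup per request.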
“There are actually two added benefits from using a VPN tunnel instead of proxy settings,” he adds. “One, you’re also getting all traffic from any devices – we’re not just dealing with browser traffic. That’s really important in a mobile device, because more than 50% of the traffic coming from your smartphone and your tablet is actually coming from apps. Apps are really custom browsers; for the most part, they’re sending HTTP, HTTPS traffic. And they can suffer from vulnerabilities just like browser traffic can. Also, the user now has an encrypted channel for all communication, not just SSL sites.”
Usually, when a user accesses Starbucks’ Wi-Fi from her iPad, most of the traffic between the tablet and the access point is unencrypted, and anyone on the same network can read it. Zscaler’s tunnel, Sutton says, adds encryption for that whole leg, making Starbucks via tablet not only viable but, for many, compliant. The protection is specifically for the hop the coffee shop can see: the tunnel ends at the Zscaler node, and from there a plain-HTTP request travels on to its destination as plain HTTP.