FRAUD & SECURITY BUSINESS BRIEFING 2013: Bringing security to BYOD
13 September 2013 | Richard Irving
Later this year, Eleven Paths, Telefónica Digital’s security “spin-in”, is expected to unveil the first in a series of products that will help see the venture on its much-hyped way to earning €5 billion in revenues by 2015.
Telefónica Digital is that strange creature in the world of wholesale: a venture that draws criticism and praise in equal measure. To some, it is a visionary telco with a Silicon Valley mindset and a clear mandate to break free of the shackles of traditional carrier-to-carrier transit, in search of disruptive technologies that will drive the future of the communications industry. To others, it is an unfocussed venture that makes up in scattergun ideals what it lacks in clarity.
There are vast investments in machine-to-machine initiatives such as smart metering and the connected car, for example: very “wholesale” business opportunities. But there are also more strategic plays, such as the recent investment in Everything.me, a simple “retail” mobile app.
And then there is Telefónica’s investment in Chema Alonso, the beanie-wearing CEO of Eleven Paths and an eminent expert in the field of cybersecurity. There is not a network in the world that Alonso – a recipient of Microsoft’s iconic “Most Valuable Professional” award for each of the last eight years – cannot hack. To prove the point, he regularly tours the speaking circuit, showing how to unpick the security around state-of-the-art telecoms architectures using simple Google searches.
Eleven Paths' CTO David Barroso (left) and CEO Chema Alonso (right)
Security rock star
You can recognise Alonso at industry events, not so much by his long, flowing black hair, but for the fact that he mostly turns up with just a pen and paper. The hacking expert is so worried that rivals will try to breach his own security systems that he routinely leaves his laptop at home.
Which is indeed ironic, because Telefónica is principally betting that Alonso will come up with a raft of new products to help beef up security around portable devices in the workplace, such as smartphones and tablets – the so-called Bring Your Own Device (BYOD) phenomenon.
And what, you might ask, has that got to do with wholesale? Well, according to Nigel Stephenson, head of marketing for cloud and managed services solutions at Juniper Networks, communications service providers not only see security – and particularly security into and out of the cloud – as a way to differentiate themselves from rivals, but as a way to expand into that all-important enterprise sector. Business customers already trust and value their network providers and draw considerable reassurance from typically very robust Service Level Agreements, he says. The opportunity to build on such relationships by offering enhanced security coverage as a value-added service to any cloud offering is compelling.
Put another way, network providers increasingly find themselves at the very heart of their customers’ businesses, providing everything from computing capacity to communications and data sharing. If they are going to assume such a powerful role and prosper in it, then they have a duty to guarantee that it will not only work, but also withstand the attacks of a growing band of pernicious cybercriminals. That might mean shouldering the burden themselves, or seeking a wholesale partner with considerable experience in the market.
Matthew Key, CEO of Telefónica Digital and Alonso’s new boss, sums it up thus: “As more and more data is held and accessed in the cloud, the integrity of this data is absolutely critical.”
Consumers face very real threats around their use of social media, while enterprises must grapple with the challenges that result from more and more employees bringing their own devices to the workplace. The thread that draws these two security threats together, Key warns, is the proliferation in smart devices and the determination of users to bring them to work.
“The more our lives meld into the digital world, the greater the need for a platform like Telefónica Digital to create security solutions that are as clever as the crooks and that can reach all layers of the network,” he suggests.
One of the biggest priorities at Eleven Paths – so named because when challenged, few CTOs can cite eleven ways in which their network might be compromised – is to test and improve Telefónica’s own security procedures.
“Obviously, one of our key customers will be Telefónica itself,” concedes David Barroso, CTO at Eleven Paths.
Both Alonso and Barroso have established formidable reputations for developing penetration-testing (pentesting) tools that simulate attacks on networks, in order to lay bare their vulnerabilities. At their previous company, Madrid-based Informatica 64, the pair built FOCA – a security audit tool that looks for and then cleans up metadata linked to any specific domain name.
Metadata is essentially data about data, and it is left behind in any document or program that is created using Microsoft software. It contains useful information about the system the file was created on, such as the user’s login name, the software that created the file and the operating system that the programmer used.
In the longer term, Barroso says, the new company will build on this experience to develop pentesting tools and other security solutions that can be incorporated into value-added services for its wholesale partners. Given the relatively autonomous nature of Telefónica Digital, it seems likely that Alonso will also be free to market security services to third-party service providers, and products are unlikely to be specifically tied to Telefónica’s network.
Bring your own risk
In the shorter term, the company intends to concentrate on the BYOD market. According to recent research by Ovum, the London-based telecoms consultancy, there will be almost as many BYOD connections as corporate-liable devices jumping on and off a typical company network by 2017. The impact of BYODs on unmanaged networks is huge – automatic upgrades from iOS and iTunes can create bottlenecks, while the uploading and downloading of video content from recreational websites can fuel huge capacity constraints and adversely affect mission-critical business applications. When a firm rubber-stamps a new BYOD policy, the amount of traffic on its network can double or even triple, prompting one senior security adviser, who declined to be named, to liken it to the network equivalent of the Wild West.
There are obvious rewards. For example, Cisco, the equipment vendor, recently published a paper suggesting that nine out of ten workplaces already allow employees to bring their own smart devices into the workplace. Cisco’s study found that companies can save around $1,300 per head on capex and other costs and squeeze anything up to an extra two hours a week in productivity from happy workers who are using their own smart devices.
But with these rewards come tremendous risks. Not least the fact that BYODs typically bypass inbound filters, which opens up the network to cyber attack, as well as outbound filters, which subsequently elevate the risks of data theft. Certainly, mobile malware has evolved from a cottage industry to a multi-billion dollar market as fraudsters have learned to – if you’ll excuse the pun – phish where the fish are. According to Juniper Networks, there were just over a quarter of a million malicious mobile apps lurking in the internet at the end of March 2013, and more than 500 third-party app stores have been found to host malevolent software over the last twelve months alone.
Perhaps more interestingly, Android hosts 92% of all known mobile malware, an increase from just 47% in 2012 – and this despite commendable attempts by Google to plug gaps in the operating system’s security profile. So while 77% of all Android threats could be neutralised today if users were to download the latest version of Google’s operating system, only 4% have chosen so to do. That is especially significant given the latest industry predictions, which expect sales of Android-based smartphones to top the 1 billion watershed in 2017. Apple, by comparison, gets off relatively lightly, partly because Android has a greater global reach, but mainly because it is easier to get fraudulent code on to Android devices.
There are in essence three types of mobile malware that can permeate BYOD defences: fake installation applications, which mimic the behaviour of legitimate apps but require users to pay fraudsters via a premium-rate SMS text; SMS Trojans, which embed themselves into the phone’s system and send texts to premium rate revenue-sharing numbers; and spyware applications, which secretly capture data and send it back to criminals for further mining. Some mobile malware can be triggered when the user plays certain music on his phone; others, such as the so-called “Carberp” Trojan, worm their way into the guts of a smart device and plunder the user’s mobile transaction authentication number when a bank texts an up-to-date balance.
More sophisticated cyber-criminals are now looking at enterprise-wide attacks, capable of capturing high-value data on corporate networks. Historically, there has been little tangible evidence to suggest that a BYOD corporate philosophy has led directly to a fraudulent raid – indeed Verizon’s latest threat analysis, published in June, highlights just one. Malware infections have started to emerge in recent weeks, however, including the NotCompatible app, which runs unseen in the background and enslaves a mobile device to a crook’s command and control server. The minute a single device is infected, an entire company’s intranet is under threat.
“We are seeing some disturbing changes in the threat environment facing companies, and even governments,” echoes John Stewart, Cisco’s chief security officer. “Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point, where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology.”