7 Apple Breach Business Lessons
Why iCloud Hack Should Be Enterprise Wake-Up Call
Is an iPhone or iPad, when tied to the Apple iCloud, secure enough for business use?
That's one question now facing enterprise information security managers in the wake of the dumps of celebrities' nude photos, which first began appearing Aug. 26 on image boards, including 4Chan and its AnonIB sister site. Both Apple and the FBI have been investigating the apparent hack attacks against iCloud that may have resulted in the theft of at least some of the images.
Most businesses, of course, don't worry about attackers stealing employees' selfies. But the same techniques used by an obsessive group of celebrity stalkers could be employed by anyone who wants to steal corporate secrets, be that for espionage of the industrial or nation-state variety. "This incident should be a wake-up call to businesses as to what potential exposure their data could face when on personal devices," says Dublin-based information security consultant Brian Honan, who heads Ireland's computer security incident response team.
Here are seven steps businesses must take to secure any mobile device - BYOD or otherwise - that's used to access or store sensitive corporate information.
1. Issue Call to Action
"This has to be taken as an immediate call to action," especially for heavily regulated financial institutions, says Alan Brill, a senior managing director at corporate investigation firm Kroll. "At the very least, put out an urgent memo reminding people not to store sensitive bank/company information on private cloud services without permission from the local information security group. It's not too late to delete content that shouldn't be there, [and] any accounts on those services should be protected by opting in to multi-factor authentication - and this should be done now."
2. Don't Just Block iCloud
Security managers may see celebrity photo hacking as cause for blocking corporate-owned iOS devices from accessing iCloud or using mobile device management tools to similarly restrict employee-owned devices. Indeed, one knee-jerk reaction has been to ask why anyone would be backing up sensitive information to a consumer-grade service:
2013: "Oh my god you idiot, why didn't you turn on backing up your photos!" 2014: "Oh my god you idiot, why did you backup your photos?"
- InfoSec Taylor Swift (@SwiftOnSecurity), September 1, 2014
But blocking iCloud outright may not be the right move for many businesses. "It's an option, although one that may prove unpopular with users," says independent British security expert Graham Cluley. "And if you don't use iCloud to make it easier to share content with your other devices, what will you use instead? Dropbox? Google Drive? Who is to say that those services don't have their own security issues?" Indeed, according to software developer Nik Cubrilovic, celebrity photo stalkers appear able to breach not just iCloud, but also backups of Google and Windows Mobile devices.
Consider, too, that many employees are backing up their devices to iCloud, thus providing them with offsite disaster-recovery capabilities if their mobile device gets stolen, or if both their mobile device and the computer to which it syncs get lost, stolen or damaged. Unless businesses offer a substitute backup capability, then blocking iCloud would arguably be irresponsible.
3. Understand Employees' BYOD Use Cases
Before deciding how to manage mobile devices, security managers need to know how mobile devices - and connected services - are being used. "Businesses should look at what information is stored on mobile devices," Honan says, as well as all the ways in which it might be copied or synchronized with other devices, whether to cloud services or, for backup purposes, to the user's own PC. "Based on the sensitivity of that information, it should then either be removed from the device or properly protected," says Honan, by implementing controls that restrict any copying or synchronizing of that data to only authorized devices or services.
4. Understand All Related Risks
While the celebrity stalkers stole images and videos, anything stored on a mobile device - as well as any capabilities built into the device - could potentially be remotely accessed or stolen by would-be corporate attackers, be they foreign governments or industrial espionage operators. Creating an effective BYOD security policy, accordingly, requires understanding which capabilities pose risks to your employees.
"By the way: Whoever had the passwords to the celebrities' iClouds could have used the same passwords to wipe their iPhones, iPads and Macs," says F-Secure technical manager Johan Jarl.
Don't discount more creepy possibilities too, especially for employees with physical security concerns. "It's not just nude photos celebs need to worry about - a number of the leaked images reveal their GPS location," tweets independent security and privacy researcher Ashkan Soltani.
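The location leak Soltani describes comes from the Exif metadata a phone camera writes into each photo, which travels with the file into any backup or sharing service. As an added illustration from the defender's side (example code written for this page, not from the article or from any vendor or researcher quoted in it), the Python script below builds a constructed JPEG carrying a minimal Exif block with the standard GPS tags, shows what such a file reveals by extracting the coordinates, and then strips the Exif segment so that a copy bound for a cloud service carries no location. The tag numbers (the GPSInfo pointer 0x8825 and GPS tags 0x0001 to 0x0004) and the TIFF layout follow the Exif specification; the sample coordinates and the sample file's byte layout are constructed for the demonstration.

```python
import struct

# Exif tag numbers from the Exif specification (real identifiers).
TAG_GPS_IFD_POINTER = 0x8825           # in IFD0: offset of the GPS sub-IFD
TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x0001, 0x0002
TAG_GPS_LON_REF, TAG_GPS_LON = 0x0003, 0x0004
# Byte width of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def find_exif_segment(jpeg):
    """Walk the JPEG marker segments; return (start, end) of the Exif APP1 segment or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):         # EOI or SOS: metadata segments only precede these
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        end = pos + 2 + seg_len
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, end
        pos = end
    return None


def _ifd_entries(tiff, offset, endian):
    """Parse one TIFF IFD into {tag: (type, count, value_bytes)}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                        # values of 4 bytes or fewer are stored inline
            data = tiff[e + 8:e + 8 + size]
        else:                                # larger values live at an offset from the TIFF header
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            data = tiff[off:off + size]
        entries[tag] = (typ, n, data)
    return entries


def _dms_to_decimal(data, endian, ref):
    """Convert three RATIONAL (degrees, minutes, seconds) values plus an N/S/E/W ref to decimal degrees."""
    parts = []
    for i in range(3):
        num, den = struct.unpack(endian + "II", data[8 * i:8 * i + 8])
        parts.append(num / den if den else 0.0)
    value = parts[0] + parts[1] / 60 + parts[2] / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees if the Exif GPS IFD carries them, else None."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return None
    start, end = seg
    tiff = jpeg[start + 10:end]              # skip marker, length field and the "Exif\0\0" identifier
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _ifd_entries(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if TAG_GPS_IFD_POINTER not in ifd0:
        return None
    gps = _ifd_entries(tiff, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD_POINTER][2])[0], endian)
    if not all(t in gps for t in (TAG_GPS_LAT_REF, TAG_GPS_LAT, TAG_GPS_LON_REF, TAG_GPS_LON)):
        return None
    lat_ref = gps[TAG_GPS_LAT_REF][2].rstrip(b"\x00").decode("ascii")
    lon_ref = gps[TAG_GPS_LON_REF][2].rstrip(b"\x00").decode("ascii")
    return (_dms_to_decimal(gps[TAG_GPS_LAT][2], endian, lat_ref),
            _dms_to_decimal(gps[TAG_GPS_LON][2], endian, lon_ref))


def strip_exif(jpeg):
    """Return a copy of the JPEG without its Exif APP1 segment; all other segments are kept."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return jpeg
    start, end = seg
    return jpeg[:start] + jpeg[end:]


def build_sample_jpeg(lat_dms=(37, 46, 30.0), lat_ref=b"N", lon_dms=(122, 25, 10.0), lon_ref=b"W"):
    """Construct a minimal JPEG (SOI, JFIF APP0, Exif APP1, EOI) whose Exif block holds GPS tags.
    The coordinates are constructed sample values, not taken from any real photo."""
    le = "<"                                 # little-endian TIFF ("II")
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104   # fixed layout of this tiny TIFF block
    tiff = b"II" + struct.pack(le + "HI", 42, ifd0_off)
    tiff += (struct.pack(le + "H", 1)        # IFD0: one entry, the GPS sub-IFD pointer
             + struct.pack(le + "HHII", TAG_GPS_IFD_POINTER, 4, 1, gps_off)
             + struct.pack(le + "I", 0))
    tiff += struct.pack(le + "H", 4)         # GPS IFD: four entries
    tiff += struct.pack(le + "HHI", TAG_GPS_LAT_REF, 2, 2) + lat_ref.ljust(4, b"\x00")
    tiff += struct.pack(le + "HHII", TAG_GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack(le + "HHI", TAG_GPS_LON_REF, 2, 2) + lon_ref.ljust(4, b"\x00")
    tiff += struct.pack(le + "HHII", TAG_GPS_LON, 5, 3, lon_off)
    tiff += struct.pack(le + "I", 0)
    for dms in (lat_dms, lon_dms):           # each component as a RATIONAL with denominator 100
        tiff += b"".join(struct.pack(le + "II", int(round(v * 100)), 100) for v in dms)
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    return b"\xff\xd8" + app0 + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("location in original:", extract_gps(photo))
    print("location after strip:", extract_gps(strip_exif(photo)))
```

Run over a camera roll or sync folder, `extract_gps` answers the question a security manager would ask after this incident (which files on the device carry a location?), and `strip_exif` is the remediation to apply before a copy leaves for a backup or sharing service. Stripping the whole APP1 segment also discards camera model and timestamp; a more selective tool would rewrite only the GPS IFD, but removing everything is the safer default when the goal is to stop location leakage.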
5. Manage BYOD Tradeoffs
The celebrity photo breaches highlight the fact that data stored on any device - and services built into devices - shouldn't be considered safe, until proven otherwise. "Many companies see BYOD as a cost-effective way of solving their IT problems and keeping staff happy. However, many do not take the further steps of identifying the risks BYOD can bring," Honan says. "BYOD offers many advantages, but businesses need to ensure the use of any technology, be that supplied by staff or by the business itself, is properly protected and managed in accordance with the organization's risk profile."
Businesses that aren't happy with the security situation highlighted by the celebrity photo hacking have options. For starters, they could issue all employees a work-only smart phone, perhaps with locked-down Android firmware, or a Blackphone, an Android smart phone designed to be more secure and to keep communications more private.
"We live in a world of BYOD, and unless we are in a very security-oriented organization or a government organization, and we can actually force our employees to carry two phones - or provide them with a phone for which we have firmware built - and which is dedicated to their business needs, then ... they're going to have their own devices," says Boris Gorin, head of security engineering at cloud security firm FireLayers. So long as employees use just one mobile device, "it's very difficult to separate their business needs from their personal needs, and to force their business information to stay separate from their personal information."
But even two-phone approaches aren't perfect. "My colleagues in the States tell me it's common for them to carry two phones," says Finland-based F-Secure security researcher Sean Sullivan. "They often also use their 'personal' phone for work stuff ... but at least there is some segregation."
6. Enforce Security Hygiene
Especially for employee-owned devices, adding extra layers of security becomes key. "It's always going to be hard to completely police, but I would advocate cloud services that use strong encryption, two-factor authentication and MDM solutions that help users ensure they have hard-to-crack passwords," Cluley says.
"I'd ensure that there is no password or credential sharing between the personal and business services the user is using, and make sure that whenever they access business information, the data is encrypted, at rest and in transit to the endpoints," Gorin says, noting that those endpoints could be everything from mobile devices and PCs to corporate or cloud servers.
Anyone storing sensitive images or data on a cloud service should consider using apps that are built for the task of securely storing and sharing files.
"It's a combination of all these that can lower the chance that something is going to affect you," Gorin says.
7. Demand More from Vendors
Finally, businesses must demand that vendors providing Internet-enabled services do more to secure those services, as well as offer security by default. Apple, for example, doesn't yet allow two-factor authentication to be used to restrict access to iCloud backups. If Apple did offer that security feature, it might have blocked celebrity photo hackers from being able to "rip" targets' iCloud backups, according to Lookout Security principal researcher Marc Rogers.
"Cloud service providers also need to look at how they secure their clients' data and design easy to use and understand security controls so they are more widely adapted," Honan says.