Mobile devices have changed the way business is conducted, giving enterprises and employees flexibility to stay connected, whether in the office or on the road. As mobile devices continue to play a greater role in enterprises, greater amounts of data will flow through these devices and applications. As a result, we can expect a surge in mobile traffic over the next few years. In fact, Cisco's Visual Networking Index anticipates that mobile traffic will grow at a compound annual growth rate (CAGR) of 47 percent between 2016 and 2021.
The ever-increasing use of mobile devices expands the corporate attack surface and creates serious security risks, privacy concerns and vulnerabilities, which malicious actors can exploit to steal sensitive and personal information and to impersonate unwitting victims. As the use of mobile devices and applications continues to grow, the rate and sophistication of attacks on popular mobile platforms grow with it, and the need for strong mobile authentication becomes more pressing.
Mobile devices and mobile applications are becoming more dangerous threat vectors against the corporate network, and the number of mobile threats keeps rising. In 2019, Kaspersky mobile products and technologies detected:
- 3,503,952 malicious installation packages.
- 69,777 new mobile banking Trojans.
- 68,362 new mobile ransomware Trojans.
To counter these threats, enterprises are turning to certificates to secure mobile devices, applications, and users. Digital certificates authenticate mobile users to applications, VPNs, and WiFi networks. However, many organizations have little or no visibility into their mobile certificate inventory and do not know which certificates their users hold or what those certificates grant access to. Lack of visibility means lack of control: an organization that cannot see its certificates cannot fully control the access they grant, and risks unauthorized access.
A number of security risks, from misused or orphaned mobile VPN certificates to continued access by terminated employees or contractors whose certificates were never revoked, can be easily exploited. Moreover, with several different IT teams managing different parts of the mobility stack, there are often gaps in management and security, and those gaps hamper your ability to detect misuse, especially if you are not equipped to detect mobile certificate anomalies such as incorrectly issued certificates. An attacker who obtains a mobile certificate together with its private key can pose as the trusted user it was issued to, infiltrate your network, and steal intellectual property.
Remember that mobile certificates issued to users serve as trusted credentials for secure access to your critical networks, applications, and data. So the biggest threat to your enterprise isn’t necessarily the mobile malware, but rather the unauthorized users who may access your information.
Here are 5 ways you can prevent unauthorized access through misused mobile certificates.
- Get visibility into your entire mobile and user certificate inventory
With clear insight into your full mobile and user certificate inventory, you can identify duplicate, orphaned, and unneeded certificates. By mapping users to the certificates they have been issued, you can identify certificates that could be used for unauthorized access, for example certificates whose owner is no longer an active user. This lets you establish a baseline of known certificates and normal usage against which anomalies can be detected.
- Automatically enforce policies for mobile certificate issuance
Issuing certificates to mobile devices and mobile applications according to centralized IT security policies is paramount. By enforcing cryptographic policies that control attributes such as key length, validity period, and approved CAs and by applying workflow processes to mobile certificate issuance, you can reduce your organization’s attack surface.
- Go beyond Mobile Device Management capabilities for certificates
Although Mobile Device Management (MDM) solutions can provide capabilities such as deploying applications, remotely wiping devices, or deploying certificates to mobile devices, protecting mobile certificates and keys extends beyond the scope of an MDM. An MDM alone cannot find and remove orphaned or compromised mobile certificates. As organizations adopt new mobile applications, they must be able to enforce IT security policies, establish norms, and detect certificate-based anomalies such as orphaned or duplicate certificates. They must also be able to respond quickly by revoking a user's certificates across multiple CAs. Furthermore, users do not always receive mobile certificates through an MDM; they may request certificates using other tools or from several different CAs. You therefore need a solution that enforces certificate and key policies consistently across your entire environment.
- Immediately revoke mobile certificates when authorized use is concluded
In the event that an employee is terminated, leaves the company without notice, or is reassigned, you should immediately revoke all mobile and user certificates associated with that employee in order to prevent unauthorized access to your network. Keep in mind that wiping the mobile device through your MDM solution is not sufficient, because the employee could have made a copy of the certificate and private key before leaving the company. Rapid revocation of all certificates, whether deployed through an MDM solution or by some other means, is critical in these situations. Note, too, that revocation only protects you if the VPN gateways, RADIUS servers and applications that accept these certificates actually check revocation status (via CRL or OCSP); a revoked certificate that no relying party checks remains usable until it expires, so verify that revocation checking is enforced as part of this step.
- Ensure secure end-user self-service
If your organization lets users request certificates through enrollment portals, provide a secure self-service portal that enables end users to quickly request certificates for WiFi, VPN, email, browser, or other applications. You also need a mechanism that governs user certificate issuance so that every certificate complies with security policy, eliminating guesswork on the part of inexperienced users and preventing errors.
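Taken together, the steps above amount to a repeatable audit: inventory the certificates, map them to users, check each one against the issuance policy, and queue the ones that must be revoked, grouped by issuing CA so the request can go to each CA. The following Python script is an added example of that audit logic; it is not code from the original post or from any product. The CSV inventory, the active-user list, the policy thresholds, the column names and the fixed audit date are all constructed for illustration, and a real CA or MDM export would need its own column mapping.

```python
"""Audit a mobile/user certificate inventory (steps 1, 2 and 4 of the post).

Added example: the CSV export, the directory extract and the policy values
below are constructed for illustration; a real CA/MDM export has its own
columns and would be mapped onto the same fields.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Issuance policy: the attributes the post names (key length, validity
# period, approved CAs). The thresholds themselves are assumptions.
POLICY = {
    "min_rsa_bits": 2048,
    "max_validity_days": 397,
    "approved_cas": {"Corp Issuing CA 01", "Corp Issuing CA 02"},
}

# Constructed CA export: one row per issued certificate. 'upn' is the user
# the certificate was issued to, 'purpose' the service it authenticates to.
INVENTORY_CSV = """serial,issuer,upn,purpose,key_bits,not_before,not_after,status
1001,Corp Issuing CA 01,alice@corp.example,vpn,2048,2024-01-10,2025-01-09,valid
1002,Corp Issuing CA 01,alice@corp.example,vpn,2048,2024-03-02,2025-03-01,valid
1003,Corp Issuing CA 02,bob@corp.example,wifi,2048,2024-02-01,2025-01-31,valid
1004,Corp Issuing CA 02,carol@corp.example,vpn,2048,2023-11-15,2024-11-14,valid
1005,Lab Test CA,dave@corp.example,wifi,1024,2024-05-01,2027-04-30,valid
1006,Corp Issuing CA 01,erin@corp.example,email,2048,2024-04-01,2025-03-31,revoked
"""

# Constructed directory extract of current staff: carol has left the company.
ACTIVE_USERS = {"alice@corp.example", "bob@corp.example",
                "dave@corp.example", "erin@corp.example"}

# Fixed audit date so the run is deterministic.
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def load_inventory(text):
    """Parse the CSV export into dicts with a typed key size and dates."""
    certs = []
    for row in csv.DictReader(io.StringIO(text)):
        row["key_bits"] = int(row["key_bits"])
        row["not_before"] = _parse_date(row["not_before"])
        row["not_after"] = _parse_date(row["not_after"])
        certs.append(row)
    return certs


def audit(certs, active_users, policy, now):
    """Return {serial: [finding, ...]} for every live certificate that is
    orphaned, violates policy, or duplicates a newer one for the same use."""
    findings = defaultdict(list)
    live_by_user_purpose = defaultdict(list)
    for c in certs:
        # Revoked or expired certificates grant nothing: skip them.
        if c["status"] != "valid" or c["not_after"] < now:
            continue
        if c["upn"] not in active_users:
            findings[c["serial"]].append("orphaned")
        if c["issuer"] not in policy["approved_cas"]:
            findings[c["serial"]].append("unapproved-ca")
        if c["key_bits"] < policy["min_rsa_bits"]:
            findings[c["serial"]].append("weak-key")
        if (c["not_after"] - c["not_before"]).days > policy["max_validity_days"]:
            findings[c["serial"]].append("validity-too-long")
        live_by_user_purpose[(c["upn"], c["purpose"])].append(c)
    # Duplicates: a user with several live certificates for the same purpose
    # keeps the most recently issued one; the older ones are flagged.
    for group in live_by_user_purpose.values():
        if len(group) > 1:
            group.sort(key=lambda c: c["not_before"])
            for older in group[:-1]:
                findings[older["serial"]].append("duplicate")
    return dict(findings)


def revoke_plan(certs, findings):
    """Serials that must be revoked immediately (orphaned certificates),
    grouped by issuing CA so the revocation request can go to each CA."""
    by_ca = defaultdict(list)
    for c in certs:
        if "orphaned" in findings.get(c["serial"], []):
            by_ca[c["issuer"]].append(c["serial"])
    return dict(by_ca)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    results = audit(inventory, ACTIVE_USERS, POLICY, AUDIT_DATE)
    for serial, issues in sorted(results.items()):
        print(f"{serial}: {', '.join(issues)}")
    print("revoke now:", revoke_plan(inventory, results))
```

On the constructed data the audit flags carol's VPN certificate as orphaned (she is no longer in the directory), alice's older VPN certificate as a duplicate of her newer one, and the lab-issued WiFi certificate for its unapproved CA, 1024-bit key and three-year validity; the already revoked certificate is ignored. Only the orphaned certificate goes straight onto the revocation list, because a duplicate may be a legitimate renewal overlap and a policy violation usually needs a human decision; tune the duplicate rule to your renewal window. Submitting the revocations to each CA is deliberately left out, since that depends on the CA's own API.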
As mobile devices continue to become more prevalent, it is important for you to take a strategic approach to securing your organization’s mobile device certificates. Following these 5 steps will help you to avoid misuse of these certificates and protect your organization against trust-based attacks that use mobile devices as an attack vector.
(This post has been updated. It was originally published by Patriz Regalado on May 27, 2014.)