Posts

Considering the Use of a CPaaS Provider? Look at the Inherent Risks

The rise of the communications platform as a service (CPaaS) model has many enterprises migrating from on-premises communications to cloud platforms and APIs. CPaaS and APIs offer benefits including improved productivity and third-party app integrations, but before proceeding to adopt CPaaS, companies should consider the inherent risks.

Remember that the underlying technologies tend to be insecure. Even if an encrypted channel is used between the application that initiates the communications and the CPaaS provider, the data is not necessarily secure along the entire path.

CPaaS providers give developers and companies the ability to integrate or embed communications channels such as SMS, MMS, and voice into their applications. SMS and MMS define no security mechanisms of their own: ultimately any SMS or MMS message is delivered to the remote endpoint over an unencrypted channel. Hence, integration with these services may not be appropriate in all circumstances, because their use may violate regulatory or contractual requirements for some types of sensitive data. In addition, a sophisticated attacker may be able to modify the contents in transit or replay the message at a later time.

MMS also entails additional underlying risks. If a user of the integrated application receives an MMS message, the message could contain malware, so the endpoints and devices running CPaaS-integrated applications should run anti-malware software where possible.

VoIP and SIP services supported by CPaaS providers also have some inherent security risks. These include exposure to Denial of Service (DoS) attacks, message tampering, impersonation of servers, and registration hijacking (an attacker's registration displacing a legitimate user's).

Organizations should also remember that APIs typically add complexity and increase the attack surface. Attackers might be able to exploit data sent into an API, including the URL, query parameters, HTTP headers, and/or POST body. Or an attacker might seek to exploit flaws in authentication, authorization, and session tracking. Adding multiple CPaaS providers will increase the complexity and potentially provide attackers with additional opportunities.

Organizations should also be aware that employees might utilize CPaaS features to exfiltrate data. For example, MMS could be used to send a file containing sensitive or confidential data.

There are a variety of compensating controls that can be used. For example, a Cloud Access Security Broker (CASB) could be used to help prevent the exfiltration of sensitive or confidential information. It could also be used to help block and quarantine malware being received or sent. 

Some Web Application Firewalls (WAFs) can be used to help secure the use of a CPaaS. A WAF may be able to mitigate the risks of server impersonation, some DoS attacks, or even provide some parameter validation. For example, a WAF can be used to block very large messages, heavily nested data structures, or overly complex data structures. 
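The three WAF checks just listed (very large messages, deep nesting, overly complex structures) can also be applied in code in front of the CPaaS client. The following is an added example, not code from the original post or from any CPaaS provider; the limits, field names and sample bodies are assumed or constructed.

```python
"""Added example: pre-validating a JSON request body before it reaches a
CPaaS API client, using the three limits the post attributes to a WAF
(size, nesting depth, element count). Limits and samples are assumed."""
import json

MAX_BYTES = 4096     # assumed ceiling on the raw request body
MAX_DEPTH = 4        # assumed ceiling on JSON nesting depth
MAX_ELEMENTS = 64    # assumed ceiling on containers plus scalars


def measure(value):
    """Return (max_depth, element_count) of a parsed JSON value, walking
    with an explicit stack so hostile nesting cannot exhaust the call stack."""
    deepest, total, stack = 0, 0, [(value, 1)]
    while stack:
        node, depth = stack.pop()
        total += 1
        deepest = max(deepest, depth)
        if isinstance(node, dict):
            stack.extend((v, depth + 1) for v in node.values())
        elif isinstance(node, list):
            stack.extend((v, depth + 1) for v in node)
    return deepest, total


def validate_payload(raw, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH,
                     max_elements=MAX_ELEMENTS):
    """Return (accepted, reason); the size check runs before any parsing."""
    if len(raw) > max_bytes:
        return False, "payload too large"
    try:
        parsed = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "malformed JSON"
    except RecursionError:  # the parser itself gave up on the nesting
        return False, "nesting too deep"
    depth, count = measure(parsed)
    if depth > max_depth:
        return False, "nesting too deep"
    if count > max_elements:
        return False, "too many elements"
    return True, "ok"


# Constructed sample bodies: a legitimate SMS send request and two abusive ones.
GOOD = b'{"to": "+15555550100", "from": "+15555550199", "body": "Your code is 123456"}'
NESTED = b'{"a": ' * 40 + b'1' + b'}' * 40
WIDE = json.dumps({"body": list(range(200))}).encode()
```

Run `validate_payload(GOOD)` to see an accepted request, and `validate_payload(NESTED)` or `validate_payload(WIDE)` to see the nesting and element-count rejections.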

All of the communications with the CPaaS provider via the APIs should be encrypted using TLS. This can be enforced by properly configured firewall rules. 

Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS) should also be deployed on the network to detect and/or prevent some of the potential attacks.

Given the security issues in some of the underlying protocols, session management should not rely solely on authentication. If practical for the environment, access should be limited to specific IP address ranges, and where practical, device authentication should be performed in addition to user authentication.

8 Android security tips for IT, corporate users

By James A. Martin, CIO.com, May 20, 2015

A set of security experts shares actionable tips for IT departments and users to help reduce the risk associated with the popular mobile OS.

The security pros interviewed for our article, “Experts bust Android security myths,” offered up the following eight Android security tips for IT administrators and users:

1) Don’t root that Android device

“To do significant damage in the mobile world, malware needs to act on devices that have been altered at an administrative level,” according to Dionisio Zumerle, principal research analyst at Gartner. “The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices …

While these methods allow users to access certain device resources that are normally inaccessible … they also put data in danger.”

2) Don’t overlook Android security or focus only on malware

“Perhaps one of the biggest risks of mobile malware is the fact that mobile malware, in itself, is not yet abundant,” says Domingo Guerra, president and cofounder of Appthority. “This creates a false sense of security in government and enterprise organizations.”

Guerra also identified a number of additional Android risks, including “corporate data exfiltration, poor app development practices, mismanagement of user names and passwords, poor implementation of encryption, and data harvesting and sharing for marketing purposes.

“These risks are often overlooked by shortsighted, malware-only security strategies,” Guerra says.

3) Don’t install Android software from unofficial app stores

“Only install apps from the Google Play store that are from known and trusted developers,” says Terry May, an Android developer with Detroit Labs. “It would also be a best practice to take advantage of the multiple users feature in Android and have a user account that is just for enterprise.”

4) Pay attention to Android app permission requests

Reading an app’s access requests is critical, according to Mark Huss, senior consultant at SystemExperts. For example, a flashlight app doesn’t need access to services that cost you money (such as SMS messaging), system tools, your call list or any personal information, network communication or location service, Huss says.

5) Always keep Android software and firmware updated

“Always check for available firmware updates and patches and download the latest version if possible,” says Gleb Sviripa, an Android developer at KeepSolid. “The newer the version is, the fewer the chances that hackers can attack your device.”

6) Install security and VPN apps

It’s simple to find a plethora of security apps for Android. Look for apps that scan for malware and block apps from non-approved sources, according to Geoff Sanders, cofounder and CEO of LaunchKey. Disk encryption should be enabled, and apps that have “overreaching access to potentially sensitive data” should be denied, he says.

When surfing the Internet, Android devices should be protected with virtual private network (VPN) software such as VPN Unlimited, Sviripa says.

7) Organizations should set and enforce clear access policies

Companies need to be clear about the sensitive materials that users can access via mobile devices and ensure those devices have “the right infrastructure in place to protect against mobile threats,” according to Swarup Selvaraman, senior product manager at Dell SonicWALL.

8) The four basic tenets of Android security

Troy Vennon, director of Pulse Secure’s Mobile Threat Center, says enterprise mobile security boils down to following four essential steps: Disallow rooted and jailbroken devices; ensure that devices are protected by passwords; keep devices updated; and require users to connect through a VPN.