How to build an effective incident response plan

Get this free guide on how to respond to mobile security breaches — or thwart them altogether.

Download Now
Security Threats

3 ways you can mitigate man-in-the-middle attacks

For today’s enterprise, where mobile devices are so prevalent, security depends heavily on wireless networks. Organizations should prioritize network security and secure device connectivity, as data in transit may be at significant risk of attack.

IT and security leaders who want to mitigate the risks associated with wireless networks need to take care to avoid wireless eavesdroppers — particularly from man-in-the-middle (MITM) attacks, which happen when someone is able to monitor wireless communications and may also attempt to modify them in real time.

Two types of man-in-the-middle attacks

Generally, MITM attacks fall into two categories: a “passive MITM,” which is purely eavesdropping, and an “active MITM,” the more advanced configuration, where someone can capture everything transmitted between two devices and even modify the data in transit.

How to build an effective incident response plan

white-paper

Get this free guide on how to respond to mobile security breaches — or thwart them altogether. Download Now

IT managers should know that MITM attacks target more than just Wi-Fi networks. These breaches are also possible on cellular networks through the use of IMSI catchers. Administrators should be prepared with security measures for both Wi-Fi and cellular data connections on corporate mobile devices.

Turning industry knowledge upside-down

MITM attacks are particular problems for IT managers. Obviously, any unencrypted communications can be intercepted and even modified. But that’s just the start. With a MITM attack, many basic assumptions about cryptography are subverted.

Industry-standard tools such as TLS/SSL cryptography can be defeated or weakened. For example, a MITM attacker may engage in a downgraded MITM attack: During the connection for the TLS/SSL protocol, the attacker changes the client’s list of encryption algorithms to prefer weak algorithms or even the “NULL” algorithm, which results in no encryption at all. This reduces the security needed to access files or programs.

If the server is willing to use the weaker algorithm, the result may be traffic that can easily be decrypted by the attacker. Since TLS/SSL underpins most internet cryptography (including SSL VPNs), this presents a major risk for enterprises.

Mitigating the risks

Even with the risks posed by MITM attacks, these three strategies can help mitigate mobile security threats:

  1. Employ encryption: At a minimum, every enterprise application should be encrypted — including web, email and voice traffic, not just sensitive communications. Why everything? Because if an active MITM attacker can intercept unencrypted, “unimportant” communications, they can insert data too, e.g., changing Domain Name System (DNS) responses to send a user to an impersonating server or sending down malware to their mobile device or injecting Javascript that steals cookies. A recent innovation called HTTP Strict Transport Security (HSTS) can help ensure that clients don’t even try to use unencrypted communications for enterprise websites. In extreme cases, IT managers with very low risk tolerance can use their mobile device management (MDM) tool to configure mobile devices to bring up a VPN tunnel and send all traffic, even non-corporate traffic, back to an enterprise data center or VPN provider. There’s additional overhead, but this also brings additional security and resistance to MITM attacks.
  2. Verify TLS/SSL setups: The internet adage of “be liberal in what you accept” means many out-of-the-box web servers accept older protocols and weaker encryption or authentication algorithms. MITM attackers can take advantage of this. In general, a first step is to disable older algorithms or weak encryption and authentication — such as NULL, RC4, 3DES, MD5 and SHA1 — along with older versions of protocols, such as SSL and TLS versions prior to v1.2. IT managers who are using app delivery controllers (load balancers) have a centralized point to manage TLS/SSL settings and keep cryptographic libraries updated on the server side. If each application server has its own TLS/SSL settings, it’s more difficult to keep things synchronized and patched. The Open Web Application Security Project (OWASP) provides guidelines and tips on proper configuration of TLS for web servers; the advice is equally applicable to other TLS-protected services, including SSL VPNs and email (IMAP/SMTP) servers.
  3. Manage enterprise-wide certificates: IT managers should ensure that only valid certificates and certification authorities (CAs) are used with enterprise applications. If a company uses a local CA, the certificate should be preloaded onto all devices using the company MDM tool. IT managers should review settings for certificate revocation, ensuring that online revocation protocols are still enabled. They should also investigate adding certificate pinning, which reduces the possibility that a fake digital certificate can be used by a MITM attacker to access their applications and web services. A final action item here is user training: ensuring that users know they should never accept an unrecognized certificate on their devices.

Learn best practices for thwarting mobile security breaches and responding when they occur in this free white paper. And discover the most secure biometric authentication method.

Posts By

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

View more posts by Joel Snyder