Coming March 4, 2021, Samsung V/X Live is a free content-rich virtual conference and networking event for businesses of all sizes.
For today’s enterprise, where mobile devices are so prevalent, security depends heavily on wireless networks. Organizations should prioritize network security and secure device connectivity, as data in transit may be at significant risk of attack.
IT and security leaders who want to mitigate the risks associated with wireless networks need to take care to avoid wireless eavesdroppers — particularly from man-in-the-middle (MITM) attacks, which happen when someone is able to monitor wireless communications and may also attempt to modify them in real time.
Two types of man-in-the-middle attacks
Generally, MITM attacks fall into two categories: a “passive MITM,” which is purely eavesdropping, and an “active MITM,” the more advanced configuration, where someone can capture everything transmitted between two devices and even modify the data in transit.
IT managers should know that MITM attacks target more than just Wi-Fi networks. These breaches are also possible on cellular networks through the use of IMSI catchers. Administrators should be prepared with security measures for both Wi-Fi and cellular data connections on corporate mobile devices.
Turning industry knowledge upside-down
MITM attacks are particular problems for IT managers. Obviously, any unencrypted communications can be intercepted and even modified. But that’s just the start. With a MITM attack, many basic assumptions about cryptography are subverted.
Industry-standard tools such as TLS/SSL cryptography can be defeated or weakened. For example, a MITM attacker may engage in a downgraded MITM attack: During the connection for the TLS/SSL protocol, the attacker changes the client’s list of encryption algorithms to prefer weak algorithms or even the “NULL” algorithm, which results in no encryption at all. This reduces the security needed to access files or programs.
If the server is willing to use the weaker algorithm, the result may be traffic that can easily be decrypted by the attacker. Since TLS/SSL underpins most internet cryptography — including SSL virtual private networks (VPNs) — this presents a major risk for enterprises.
Mitigating the risks
Even with the risks posed by MITM attacks, these three strategies can help mitigate mobile security threats:
- Verify TLS/SSL setups: The internet adage of “be liberal in what you accept” means many out-of-the-box web servers accept older protocols and weaker encryption or authentication algorithms. MITM attackers can take advantage of this. In general, a first step is to disable older algorithms or weak encryption and authentication — such as NULL, RC4, 3DES, MD5 and SHA1 — along with older versions of protocols, such as SSL and TLS versions prior to v1.2. IT managers who are using app delivery controllers (load balancers) have a centralized point to manage TLS/SSL settings and keep cryptographic libraries updated on the server side. If each application server has its own TLS/SSL settings, it’s more difficult to keep things synchronized and patched. The Open Web Application Security Project (OWASP) provides guidelines and tips on proper configuration of TLS for web servers; the advice is equally applicable to other TLS-protected services, including SSL VPNs and email (IMAP/SMTP) servers.
How to build an effective incident response plan
- Manage enterprise-wide certificates: IT managers should ensure that only valid certificates and certification authorities (CAs) are used with enterprise applications. If a company uses a local CA, the certificate should be preloaded onto all devices using the company MDM tool. IT managers should review settings for certificate revocation, ensuring that online revocation protocols are still enabled. They should also investigate adding certificate pinning, which reduces the possibility that a fake digital certificate can be used by a MITM attacker to access their applications and web services. A final action item here is user training: ensuring that users know they should never accept an unrecognized certificate on their devices.