Adam Radosavljevic - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How can mobile certificate security risks be reduced?

According to recent research, mobile certificate usage is riddled with security issues. Expert Michael Cobb explains how to best control and secure mobile certificates in the enterprise.

A recent report from the Ponemon Institute showed that mobile certificate usage in particular is bad at validating SSL and TLS. Why is it so hard to detect anomalous mobile certificate usage? Are there any best practices to ensure proper certificate use on mobile devices?

The Ponemon Institute's 2015 Cost of Failed Trust Report includes some alarming findings, mainly that while our reliance on digital certificates to provide trust and security is growing, our ability to manage them is getting worse. For example, the report found that over the last two years, the number of keys and certificates deployed on Web servers, network appliances and cloud services has grown over 34% to almost 24,000 per enterprise -- and this number doesn't even include those used beyond the firewall with mobile devices, mobile applications or devices that are part of the Internet of Things. However, a startling 54% of organizations surveyed admitted to not knowing where all their keys and certificates are located, which means they can't know how they're being used or whether they should be trusted.

One area where this problem is particularly acute is enterprise mobile certificate usage with applications like Wi-Fi, VPN, and mobile device management (MDM) and enterprise mobile management (EMM) products. Recent Forrester Research found 77% of IT security professionals do not have complete visibility into their organizations mobile certificate inventory for use with Wi-Fi, VPN, and MDM/EMM.

The danger here is that misused or orphaned mobile certificates can provide access to Wi-Fi, VPN or data protected by MDM/EMM systems for terminated employees and contractors, or cybercriminals posing as trusted users. Mandiant's latest APT1 report showed that in every attack, hackers hijacked valid credentials such as keys and certificates. As the use of mobile devices in the enterprise continues to grow, so does the threat of key and certificate abuse -- and it needs to be mitigated.

As with any IT asset, enterprises should document an inventory of keys and certificates along with their "owner." This is vital to keep track of valid keys and can help identify duplicate, orphaned and unneeded certificates.

Clause A.12.3.2 of ISO 27001 states that "key management should be in place to support the organization's use of cryptographic techniques." Cryptographic policies should cover key length, validity period and approved certificate authorities, and be enforced by applying workflow processes to mobile certificate issuance. By mapping users to the certificates they are issued, administrators can establish a baseline of known certificates and normal usage to help detect anomalous usage. To ensure records are up to date, HR should notify IT whenever an employee changes jobs or leaves the company so that mobile and user certificates associated with that employee can be revoked to prevent unauthorized access to network resources.

Fully managing the lifecycle of mobile certificates and keys is beyond the scope of most MDM/EMM technologies, so a key and certificate reputation service such as Venafi's TrustNet may be needed to help automate the management and revocation of keys, and identify rogue or anomalous key and certificate usage. Microsoft is proposing its own solution to improve the trustworthiness of certificates called Certificate Reputation, which involves IE 11 and SmartScreen sending data to Microsoft about certificates a user encounters while browsing.

Enterprise apps that have access to sensitive data should be checked to ensure they implement encryption and certificate usage correctly. Last year, IOActive found that out of 40 iOS banking apps, 40% weren't validating SSL certificates and couldn't, therefore, stop a theoretical man-in-the-middle attack.

Administrators should also be aware that patches and certificate updates vary greatly among manufacturers, devices and even countries as local carriers play a role in the distribution of over-the-air updates. This means devices that are still awaiting critical certificate updates should be quarantined when accessing the corporate network.

Ask the Expert:
Have a question about application security? Send it via email today. (All questions are anonymous.)

Next Steps

Learn how to avoid common certificate management mistakes

This was last published in September 2015

Dig Deeper on BYOD and mobile device security best practices